On Wed, Jan 12, 2011 at 9:36 AM, Jack Bates <jba...@brightok.net> wrote:
> As my corp IT guy put it to me, PAT forces a routing disconnect between
> internal and external. There is no way to reach the hosts without the
> firewall performing its NAT function.
But that's not true. If you have NAT, without a firewall, I can access your internal hosts (by addressing their RFC 1918 address) because you'll be leaking your RFC 1918 addresses in and out. Granted, I might have to be in your immediate upstream, but it can be done. So at best, all it does is limit how many hops away I need to be from you to attack you. Some benefit? Yes. Enough benefit to be worth the trouble? I personally am not convinced. Considering the number of people who mistake the amount of security NAT provides, we're probably better off without it to remove that false sense of security.
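The distinction the reply draws, translation versus filtering, as an added toy model (not code from the thread): a PAT router keyed by public port, with an optional stateful filter. It assumes an upstream that can hand the router a packet already addressed to an inside RFC 1918 host; the public and upstream addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass, field

# The RFC 1918 prefixes the thread refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class NatRouter:
    """Toy PAT router. With stateful=False it only translates and routes;
    with stateful=True it also drops inbound packets matching no flow."""
    public_ip: str
    stateful: bool = False
    table: dict = field(default_factory=dict)  # public port -> (inside ip, port)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source and remember the mapping."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pub_port, pkt.dport)

    def inbound(self, pkt: Packet):
        """Outside -> inside: return the delivered packet, or None if dropped."""
        if pkt.dst == self.public_ip:           # reply to a translated flow?
            entry = self.table.get(pkt.dport)
            if entry is None:
                return None                     # no mapping, nowhere to send it
            return Packet(pkt.src, entry[0], pkt.sport, entry[1])
        if any(ipaddress.ip_address(pkt.dst) in n for n in RFC1918):
            # Destination is an inside address the upstream used directly.
            # Translation has nothing to do; a bare router simply forwards it.
            # Only the stateful filter refuses a packet with no matching flow.
            return None if self.stateful else pkt
        return None                             # not ours at all

def unsolicited_reaches_inside(stateful: bool) -> bool:
    """Is a packet addressed straight to an inside RFC 1918 host delivered?"""
    r = NatRouter("203.0.113.7", stateful=stateful)            # constructed
    probe = Packet("198.51.100.9", "192.168.1.10", 5555, 22)   # constructed
    return r.inbound(probe) is not None

def reply_reaches_inside(stateful: bool) -> bool:
    """Sanity check: return traffic for a flow the inside opened still passes."""
    r = NatRouter("203.0.113.7", stateful=stateful)
    out = r.outbound(Packet("192.168.1.10", "198.51.100.9", 51000, 80))
    back = Packet("198.51.100.9", out.src, 80, out.sport)
    return r.inbound(back) == Packet("198.51.100.9", "192.168.1.10", 80, 51000)
```

The bare router delivers the unsolicited probe while the stateful variant drops it, and both pass legitimate return traffic; the difference is the filter, not the address translation.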