On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong <o...@delong.com> wrote:
>
>> No, NAT doesn't provide additional security. The stateful inspection that
>> NAT cannot operate without provides the security. Take away the
>> address mangling and the stateful inspection still provides the same
>> level of security.
>>
>
> There is at least one situation where NAT *does* provide a small amount of
> necessary security.
>
> Try this at home, with/without NAT:
>
> 1. Buy a new PC with Windows installed
> 2. Install all security patches needed since the OS was installed
>
> Without NAT, your unpatched PC will get infected in less than 1 minute.
>

Wrong.

Repeat the experiment with stateful firewall with default inbound deny and no NAT.

Yep... Same results as NAT.

NAT != security. Stateful inspection = some security.

Next!!

Owen
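
An added illustration of the stateful-inspection point argued in this message (not part of the original email): a toy Python model of an edge gateway that tracks connection state with default inbound deny, run once with address translation and once without. The class and function names are hypothetical, and all addresses and ports are constructed values from documentation ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulGateway:
    """Toy edge device: connection tracking, default inbound deny, optional NAT."""

    def __init__(self, public_ip, nat):
        self.public_ip, self.nat = public_ip, nat
        self.flows = {}          # outside 4-tuple -> inside (ip, port)
        self.next_port = 40000   # constructed NAT port pool start

    def outbound(self, pkt):
        # Address mangling happens only when NAT is on; state is kept either way.
        if self.nat:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
        else:
            ext = (pkt.src, pkt.sport)
        self.flows[(pkt.dst, pkt.dport) + ext] = (pkt.src, pkt.sport)
        return Packet(ext[0], ext[1], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # Default deny: deliver only packets matching a flow opened from inside.
        inside = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])

def run(nat, host):
    """Same traffic through the gateway: one outbound flow, its reply, one probe."""
    gw = StatefulGateway("203.0.113.1", nat)
    out = gw.outbound(Packet(host, 51000, "198.51.100.80", 443))
    reply = gw.inbound(Packet("198.51.100.80", 443, out.src, out.sport))
    # Unsolicited probe aimed at whatever address the outside world can see.
    target = gw.public_ip if nat else host
    probe = gw.inbound(Packet("192.0.2.66", 4444, target, 445))
    return {"reply_to": reply.dst if reply else None, "probe_delivered": probe is not None}

if __name__ == "__main__":
    print("NAT + state:  ", run(True, "192.168.1.10"))
    print("state, no NAT:", run(False, "2001:db8::10"))
```

In both runs the reply to the inside-initiated flow is delivered and the unsolicited probe is dropped by the state-table lookup; the only difference NAT makes is the address rewrite in `outbound`.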