On 1/12/2011 2:57 PM, Owen DeLong wrote:
>> Try this at home, with/without NAT:
>>
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>>
>> Without NAT, your unpatched PC will get infected in less than 1 minute.
> Wrong.
> Repeat the experiment with stateful firewall with default inbound deny and no
> NAT.
> Yep... Same results as NAT.
Now let that laptop (or another one on the home subnet) show up with Bridging or Internet Connection Sharing enabled with wired/wireless connections and see what you get. Still maybe OK if it's the "host" firewall, and it's turned on, and it's not domain-joined with the local subnet allowed, etc., but that was post-SP2 and assumes some malware [or the user] hasn't turned it off.

NAT+RFC1918 = no accidental leakage/bridging (yes, they could spoof RFC1918 destinations, assuming they get routed all the way to the endpoint... but that's a bigger "if" than a public address).

"Perfect stateful firewall with perfect default inbound deny and no other variables thrown in the mix" and yes, but it's breakable in contrast to the NAT+RFC1918 case. There is something to be said for "unreachable" (i.e., "not in your forwarding table") -- else the VPN / VRF / MPLS / etc. folks wouldn't have a leg to stand on :-)

With that said, this isn't a one-size-fits-all, everybody's-perfect solution. We've covered the gamut from home CPE to server farms here, with the original question being about a DMZ case. They are, however, legitimate security layers applied to certain cloves of this particular bulb of garlic (a more appropriate model than the homogeneous "onion") :-)

Jeff
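The layering argument in the thread, modelled as an added example (not code from any poster): a default-inbound-deny stateful filter and an upstream forwarding table that carries only announced public prefixes, so an RFC 1918 host stays unreachable even when the host firewall has been switched off. The forwarding table, flow tuples and addresses (documentation ranges) are constructed for the illustration.

```python
import ipaddress
from typing import Iterable, Set, Tuple

# Constructed upstream forwarding table: a DFZ-style router carries only the
# public prefixes it has learned; RFC 1918 space is never announced, so it has
# no entry at all (this is Jeff's "not in your forwarding table").
UPSTREAM_FIB = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Flow tuple (src, sport, dst, dport) in the direction the packet travels.
Flow = Tuple[str, int, str, int]


def has_route(dst: str, fib: Iterable[ipaddress.IPv4Network]) -> bool:
    """Does the upstream router hold any prefix covering dst?"""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in fib)


def stateful_filter(pkt: Flow, conntrack: Set[Flow]) -> str:
    """Default inbound deny: pass only replies to flows the inside host opened."""
    src, sport, dst, dport = pkt
    reverse = (dst, dport, src, sport)  # the outbound flow this packet answers
    return "allow" if reverse in conntrack else "deny"


def inbound_outcome(pkt: Flow, fib, conntrack: Set[Flow], firewall_on: bool) -> str:
    """Fate of an inbound packet from the Internet toward the protected host."""
    _, _, dst, _ = pkt
    if not has_route(dst, fib):
        return "unreachable"  # never forwarded, regardless of firewall state
    if firewall_on and stateful_filter(pkt, conntrack) == "deny":
        return "dropped"      # the stateful firewall did its job
    return "delivered"        # host is exposed (or the packet is a legitimate reply)


def scenarios() -> dict:
    """The cases discussed in the thread, side by side."""
    probe_public = ("198.51.100.7", 40000, "203.0.113.10", 22)   # unsolicited SYN
    probe_private = ("198.51.100.7", 40000, "192.168.1.10", 22)  # same, RFC 1918 host
    opened = {("203.0.113.10", 50000, "198.51.100.7", 443)}      # host's own outbound flow
    reply = ("198.51.100.7", 443, "203.0.113.10", 50000)
    return {
        "public, firewall on": inbound_outcome(probe_public, UPSTREAM_FIB, set(), True),
        "public, firewall off": inbound_outcome(probe_public, UPSTREAM_FIB, set(), False),
        "rfc1918, firewall off": inbound_outcome(probe_private, UPSTREAM_FIB, set(), False),
        "reply to outbound flow": inbound_outcome(reply, UPSTREAM_FIB, opened, True),
    }
```

Switching `firewall_on` to False models the bridging/ICS or "malware turned it off" case from the message; only the RFC 1918 host keeps its protection there.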