I hesitate to venture into this thread, but while Owen is correct in the
general
case ("NAT qua NAT provides no more security than a stateful firewall"), there
is a corner case in which security is improved via NAT. The case is that of an
enterprise network which uses 1918 addressing for all internal hosts, and uses
proxies or other bastions as middleboxes to relay outbound communication.
The security provided is that in the event of an accidental bridging of
"inside"
and "outside" networks (i.e. engineer plugged a cable between the wrong two
switches), the hosts will not be able to initiate communication with Internet
hosts. Additionally, this same resiliency to accidental bridging does mean
that
the enterprise has a smaller number of possible Internet-facing machines, and
thus can spend the time and effort to make them more robust.
That benefit is not huge (and not relevant to the typical home user, who is not
configuring a super-duper scanning proxy server), but it does exist, and it
certainly fuels some of the pro-NAT feeling I've encountered among customers.
David Barak
Need Geek Rock? Try The Franchise:
http://www.listentothefranchise.com
