On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:

> On 14 Nov 2011, at 18:52, "McCall, Gabriel" <gabriel.mcc...@thyssenkrupp.com>
> wrote:
>
>> Chuck, you're right that this should not happen, but the reason it should
>> not happen is because you have a properly functioning stateful firewall, not
>> because you're using NAT. If your firewall is working properly, then having
>> public addresses behind it is no less secure than private. And if your
>> firewall is not working properly, then having private addresses behind it is
>> no more secure than public. In either case, NAT gains you nothing over what
>> you'd have with a firewalled public-address subnet.
>
> Well this is not quite true, is it? If your firewall is not working and you
> have private space internally then you are a lot better off than if you have
> public space internally! So if your firewall is not working then having
> private space on one side is a hell of a lot more secure!

This is not true.

If your firewall is not working, it should not be passing packets. If you put a
router where you needed a firewall, then this is not a failure of the firewall,
but a failure of the network implementor, and the address space will not have
any impact whatsoever on your lack of security.

> As somebody else mentioned on this thread, a NAT box with private space on
> one side fails closed.

So does a firewall.

Owen
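The "firewalled public-address subnet" McCall describes, and the fail-closed behaviour Owen claims for a firewall, look like this in practice. The ruleset below is an added example written for this page, not anything posted in the thread: an nftables policy for a Linux box forwarding between a publicly addressed LAN and the Internet, with no NAT of any kind. The interface names lan0/wan0 and the 203.0.113.0/24 prefix (a documentation-only range standing in for a real public allocation) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): stateful, default-deny forwarding for a
# publicly addressed LAN with no NAT.
# Assumptions: the LAN on lan0 holds 203.0.113.0/24 (documentation prefix used
# here as a stand-in for real public space); the Internet is on wan0.
flush ruleset

table inet filter {
    chain forward {
        # Fail closed: any forwarded packet not accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies and related packets for flows the rules below already admitted.
        ct state established,related accept
        ct state invalid drop

        # Flows initiated from the LAN towards the Internet create conntrack
        # state; that state, not address translation, is what lets the replies in.
        iifname "lan0" oifname "wan0" ip saddr 203.0.113.0/24 accept

        # Unsolicited inbound traffic to the LAN matches nothing above and hits
        # the drop policy, exactly as it would for 10.0.0.0/8 hosts behind a NAT
        # box. A service that is meant to be reachable is admitted explicitly:
        # iifname "wan0" oifname "lan0" ip daddr 203.0.113.10 tcp dport 443 ct state new accept
    }
}
```

Load it with `nft -f` and, on Linux, turn on `net.ipv4.ip_forward` only after that load has succeeded. With forwarding enabled and no ruleset present the kernel forwards everything, which is Owen's "router where you needed a firewall" rather than a firewall that failed closed; sequencing the two steps is what makes the public-address LAN here no more exposed than a private one.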