On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:

> 
> 
> On 14 Nov 2011, at 18:52, "McCall, Gabriel" <gabriel.mcc...@thyssenkrupp.com> 
> wrote:
> 
>> Chuck, you're right that this should not happen- but the reason it should 
>> not happen is because you have a properly functioning stateful firewall, not 
>> because you're using NAT. If your firewall is working properly, then having 
>> public addresses behind it is no less secure than private. And if your 
>> firewall is not working properly, then having private addresses behind it is 
>> no more secure than public. In either case, NAT gains you nothing over what 
>> you'd have with a firewalled public-address subnet.
> 
> 
> Well this is not quite true, is it.. If your firewall is not working and you 
> have private space internally then you are a lot better off than if you have 
> public space internally! So if your firewall is not working then having 
> private space on one side is a hell of a lot more secure!
> 
This is not true.

If your firewall is not working, it should not be passing packets.

If you put a router where you needed a firewall, then, this is not a failure of 
the firewall, but, a failure of the network implementor and the address space 
will not have any impact whatsoever on your lack of security.

> As somebody else mentioned on this thread, a NAT box with private space on 
> one side fails closed.
> 

So does a firewall.

Owen
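
The comparison argued in this thread can be modelled directly. The sketch below is an added illustration, not code from any poster: it assumes a default-deny stateful firewall and a port-translating NAT with endpoint-dependent filtering, and every class name, address and port is constructed for the example. In both models, unsolicited inbound traffic is dropped because a state lookup misses.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    """Hypothetical model: default-deny inbound, inside hosts keep public addresses."""
    state: set = field(default_factory=set)

    def outbound(self, p):
        self.state.add((p.src, p.sport, p.dst, p.dport))  # remember the flow
        return p                                          # forwarded unchanged

    def inbound(self, p):
        # Accept only a reply to a flow that an inside host opened.
        known = (p.dst, p.dport, p.src, p.sport) in self.state
        return p if known else None

@dataclass
class Napt:
    """Hypothetical model: port-translating NAT in front of private addresses."""
    public_ip: str
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, p):
        port = self.next_port
        self.next_port += 1
        self.table[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        # Same decision as the firewall: no matching entry, no delivery.
        hit = self.table.get((p.dport, p.src, p.sport))
        return Packet(p.src, p.sport, hit[0], hit[1]) if hit else None

def unsolicited_results():
    """Constructed traffic using documentation and RFC 1918 addresses."""
    fw, nat = StatefulFirewall(), Napt("192.0.2.1")
    fw.outbound(Packet("198.51.100.10", 5555, "203.0.113.7", 443))
    nat.outbound(Packet("10.0.0.5", 5555, "203.0.113.7", 443))
    probe_fw = Packet("203.0.113.99", 1234, "198.51.100.10", 22)
    probe_nat = Packet("203.0.113.99", 1234, "192.0.2.1", 40000)
    return fw.inbound(probe_fw), nat.inbound(probe_nat)  # both None (dropped)
```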

