On Nov 16, 2011, at 8:20 AM, Jamie Bowden wrote:

>> -----Original Message-----
>> From: Owen DeLong [mailto:o...@delong.com]
>> Sent: Wednesday, November 16, 2011 11:11 AM
>> To: William Herrin
>> Cc: NANOG
>> Subject: Re: Have they stopped teaching Defense in Depth?
>>
>>
>> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
>>
>>> On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews <ma...@isc.org> wrote:
>>>> If you want to use unroutable addresses then use a bastion host /
>>>> proxy. Don't expect to be able to open a TCP socket and have it
>>>> connect to something on the outside. Do it right or don't do it
>>>> at all.
>>>
>>> Mark,
>>>
>>> What is a modern NAT but a bastion host proxy for which application
>>> compatibility has been maximized?
>>
>> It is a mechanism for header mutilation which creates additional costs
>> in hardware (cost of routers), software (development of NAT traversal
>> code in various applications, NAT software in some cases), security
>> (NAT obfuscates audit trails and increases the difficulty and cost of
>> event correlation, forensics, abuser identification, and attack source
>> identification and mitigation, etc.).
>
> How is that any different than a proxy server, really? From the inside,
> your apps are either NAT aware or proxy aware, but either way, you're
> not directly exposed to the world and all your traffic comes from one
> place as far as the world is concerned. I live behind both (NAT at
> home; all external traffic of any type (assuming it's even allowed) is
> proxied at work), and both suck in different and exciting ways.
>
> Jamie
You answered your own question... They suck in different ways.

Owen