On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <l...@asgard.org> wrote:
> On 3/24/14 1:37 PM, "William Herrin" <b...@herrin.us> wrote:
>> That would be one of those "details" on which smart people disagree.
>> In this case, I think you're wrong. Modern NAT superseded the
>> transparent proxies and bastion hosts of the '90s because it does the
>> same security job a little more smoothly. And proxies WERE designed to
>> act as a security feature.
>
> What kinds of devices are we talking about here? Are we talking about the
> default NAT on a home network router, or an enterprise-level NAT operating
> on a firewall?

Hi Lee,

I don't see NAT as a deployment issue for residential networks. Most folks
just hook their computer up to whatever CPE the vendor sends them without
any further attention.

> If we're talking about an enterprise firewall, then I don't
> understand--we're talking about a firewall. If it implements a symmetric
> NAT in addition to a stateful firewall, then it's implementing the same
> function twice. But, hey, it's your network, if
> security-through-obscurity is one of your defense in depth layers, that's
> fine.

"Obscurity" offers one or more defense layers. If you disagree, post your
passwords here.

Unaddressability is a second defense layer. Stateful firewalling is a
third.

You observe that all three are accomplished by the same lines of code in
the firewall. The firewall doesn't exist in a void. It's part of a system.
That system is configured with unroutable addresses or it isn't. It has
many public addresses or it doesn't.

Regards,
Bill Herrin

-- 
William D. Herrin ................ her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
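The two layers the exchange above argues over (unroutable inside addresses versus state tracking in the firewall) can be modelled to make the "same lines of code" observation concrete. The following is an added, constructed toy model written for this page, not code from either poster or from any real firewall: one connection-tracking table both answers "is this inbound packet part of an established flow?" and, when NAT is on, "which inside host gets it?". All addresses are RFC 5737 documentation ranges, the port allocator is a simple counter, and TCP state, timeouts and protocols are deliberately ignored (assumptions of the model).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example: a toy model of the gateway discussed in the thread.
# It is not a real firewall and ignores TCP state, timeouts and protocols.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internet_routable(ip: str) -> bool:
    """The 'unaddressability' layer: RFC 1918 space is not routed on the
    public Internet, so a packet aimed at it never reaches the gateway."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulGateway:
    """One connection-tracking table serves both the stateful filter and
    (optionally) the NAT: the entry that marks an inbound packet as part
    of an established flow is the same entry that says where to deliver it."""

    def __init__(self, public_ip: str, nat: bool):
        self.public_ip = public_ip
        self.nat = nat
        # key: (gateway-side ip, gateway-side port, remote ip, remote port)
        # value: (inside ip, inside port)
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_port = 40000  # simplistic port allocator (assumption)

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host opens a flow: record it, rewriting the source if NAT."""
        if self.nat:
            outside_ip, outside_port = self.public_ip, self.next_port
            self.next_port += 1
        else:
            outside_ip, outside_port = pkt.src, pkt.sport
        self.conntrack[(outside_ip, outside_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(outside_ip, outside_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Inbound packet: deliver only if it matches a tracked flow."""
        entry = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # stateful-filter layer: no state, so dropped
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def from_internet(gw: StatefulGateway, pkt: Packet):
    """Walk an inbound packet through the layers; returns (status, packet)."""
    if not internet_routable(pkt.dst):
        return ("unroutable", None)  # never arrives at the gateway at all
    delivered = gw.inbound(pkt)
    if delivered is None:
        return ("no_state", None)
    return ("delivered", delivered)


def demo():
    """Both deployments refuse unsolicited inbound traffic; only the
    RFC 1918 + NAT one also has an inside that cannot be addressed."""
    # Case A: RFC 1918 inside, NAT at the edge (typical residential CPE).
    nat_gw = StatefulGateway("203.0.113.1", nat=True)
    nat_gw.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    a_reply = from_internet(nat_gw, Packet("198.51.100.7", 443, "203.0.113.1", 40000))
    a_direct = from_internet(nat_gw, Packet("198.51.100.9", 4444, "10.0.0.5", 22))
    a_unsolicited = from_internet(nat_gw, Packet("198.51.100.9", 4444, "203.0.113.1", 22))

    # Case B: public addresses inside, stateful firewall only.
    fw_gw = StatefulGateway("203.0.113.1", nat=False)
    fw_gw.outbound(Packet("203.0.113.5", 51000, "198.51.100.7", 443))
    b_reply = from_internet(fw_gw, Packet("198.51.100.7", 443, "203.0.113.5", 51000))
    b_unsolicited = from_internet(fw_gw, Packet("198.51.100.9", 4444, "203.0.113.5", 22))
    return {"a_reply": a_reply, "a_direct": a_direct, "a_unsolicited": a_unsolicited,
            "b_reply": b_reply, "b_unsolicited": b_unsolicited}


if __name__ == "__main__":
    for name, (status, pkt) in demo().items():
        print(f"{name:14s} {status:10s} {pkt}")
```

Running `demo()` shows the asymmetry the thread is about: in both cases the reply to an inside-initiated flow is delivered and the unsolicited packet is dropped for lack of state, but only in case A is there a third outcome, "unroutable", where a packet addressed straight to the inside host never reaches the gateway's rule set in the first place. Whether that extra outcome is worth calling a layer is exactly the disagreement above; the model only makes clear that it is a property of the address plan, not of the filter code.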