On 3/24/14 2:38 PM, "William Herrin" <b...@herrin.us> wrote:
>On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard <l...@asgard.org> wrote:
>> On 3/24/14 1:37 PM, "William Herrin" <b...@herrin.us> wrote:
>>>That would be one of those "details" on which smart people disagree.
>>>In this case, I think you're wrong. Modern NAT superseded the
>>>transparent proxies and bastion hosts of the '90s because it does the
>>>same security job a little more smoothly. And proxies WERE designed to
>>>act as a security feature.
>>
>> What kinds of devices are we talking about here? Are we talking about the
>> default NAT on a home network router, or an enterprise-level NAT operating
>> on a firewall?
>
>Hi Lee,
>
>I don't see NAT as a deployment issue for residential networks. Most
>folks just hook their computer up to whatever CPE the vendor sends
>them without any further attention.
>
>
>> If we're talking about an enterprise firewall, then I don't
>> understand--we're talking about a firewall. If it implements a symmetric
>> NAT in addition to a stateful firewall, then it's implementing the same
>> function twice. But, hey, it's your network, if
>> security-through-obscurity is one of your defense in depth layers, that's
>> fine.
>
>"Obscurity" offers one or more defense layers. If you disagree, post
>your passwords here.

One that is largely mocked by security professionals. However, ULA can do this.

>
>Unaddressability is a second defense layer.

I offered ULA+NPT66. I don't recommend it, but it has been described as working, and provides addresses which are not globally reachable.

>
>Stateful firewalling is a third.

We agree.

Lee
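For readers who have not met "ULA+NPT66", the following is an added illustration, not part of Lee's message or any poster's code. It models the stateless, one-to-one, checksum-neutral /48 prefix mapping that NPTv6 (RFC 6296) performs between a ULA prefix inside and a global prefix outside, using the pure-Python ipaddress module and made-up prefixes (fd01:203:405::/48 inside, 2001:db8:1::/48 outside). The point it makes visible: the inside addresses are ULA and so not globally routable, but the mapping is a fixed arithmetic function with no per-flow state, so it is reversible by anyone who learns the two prefixes, which is why it is not a substitute for the stateful firewall. The handling of subnet 0xffff (rejected, and a result of 0xffff written as 0x0000) follows my reading of RFC 6296; check the RFC before depending on that detail.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 Unique Local Addresses


def ones_complement_sum(words):
    """One's complement sum of 16-bit words, i.e. the arithmetic the
    TCP/UDP/ICMPv6 checksums use over the IPv6 pseudo-header."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def words(addr):
    """Split a 128-bit address into its eight 16-bit words, high word first."""
    return [(int(addr) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(ws):
    value = 0
    for w in ws:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)


def is_ula(addr):
    """True if the address is in fc00::/7, which is not globally routed."""
    return ipaddress.IPv6Address(addr) in ULA


def checksum_neutral(a, b):
    """True if a and b have the same one's complement word sum (0 and 0xffff
    are the same value in one's complement), so a transport checksum computed
    over one is valid over the other and the translator never touches L4."""
    sa = ones_complement_sum(words(ipaddress.IPv6Address(a)))
    sb = ones_complement_sum(words(ipaddress.IPv6Address(b)))
    return sa == sb or {sa, sb} == {0x0000, 0xFFFF}


class NPTv6:
    """Stateless /48 <-> /48 prefix translator in the style of RFC 6296 3.1.
    The 'adjustment' is a constant computed once from the two prefixes and
    folded into bits 48..63 (the subnet word) so that the full-address word
    sum, and hence every transport checksum, is unchanged by translation."""

    def __init__(self, internal_prefix, external_prefix):
        self.inside = ipaddress.IPv6Network(internal_prefix)
        self.outside = ipaddress.IPv6Network(external_prefix)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this toy handles only /48 prefixes")
        in_sum = ones_complement_sum(words(self.inside.network_address)[:3])
        out_sum = ones_complement_sum(words(self.outside.network_address)[:3])
        # adjustment = internal - external, in one's complement arithmetic
        self.adjust = ones_complement_sum([in_sum, out_sum ^ 0xFFFF])

    def _map(self, addr, src_net, dst_net, adjust):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            raise ValueError(f"{addr} is not in {src_net}")
        ws = words(addr)
        if ws[3] == 0xFFFF:
            # subnet 0xffff cannot be represented by this scheme (my reading of RFC 6296)
            raise ValueError("subnet 0xffff is not usable with /48 NPTv6")
        ws[:3] = words(dst_net.network_address)[:3]   # swap the /48 prefix
        new_subnet = ones_complement_sum([ws[3], adjust])
        ws[3] = 0x0000 if new_subnet == 0xFFFF else new_subnet
        return from_words(ws)

    def to_external(self, addr):
        return self._map(addr, self.inside, self.outside, self.adjust)

    def to_internal(self, addr):
        # reverse direction adds the negated (bitwise complemented) adjustment
        return self._map(addr, self.outside, self.inside, self.adjust ^ 0xFFFF)


def round_trip_ok(translator, addrs):
    """Every inside address must map out and back to itself: the mapping is 1:1
    and needs no state, which is exactly why it hides nothing from an attacker
    who knows the prefixes."""
    return all(translator.to_internal(translator.to_external(a)) ==
               ipaddress.IPv6Address(a) for a in addrs)


if __name__ == "__main__":
    t = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")   # constructed prefixes
    inside = "fd01:203:405:10::1"
    outside = t.to_external(inside)
    print(inside, "->", outside, "ULA inside:", is_ula(inside),
          "checksum neutral:", checksum_neutral(inside, outside))
```

Run it and you will see the inside address come out as 2001:db8:1:d55f::1: only the prefix and subnet word change, the interface identifier is untouched, and the one's complement sums of the two addresses are equal. A firewall in front of this translator still has to decide what inbound traffic is allowed; the translation itself drops nothing.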