On 12/3/20 1:54 PM, Christian Huitema wrote:
I understand why you say that. Machines behind a NAT or a stateful
firewall cannot be remotely probed for low level vulnerabilities, so
you do get some reduction of the attack surface. My contention is that
this reduction is far from being sufficient, because attackers have
found many ways to project themselves through NATs or firewalls. If
you allow for unsafe practices because the machines are behind a NAT
or a firewall, these unsafe practices will result in catastrophic
cascades of failures after a single breach happens.
+1
For that matter not even "air gapped" networks are really safe. There's
almost always some laptop or other that occasionally connects to such
networks, and malware can creep in that way.
