Re: Why people by NATs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 06:00 PM 11/22/2004, Fred Baker wrote:
At 12:10 PM 11/22/04 -0800, Chris Palmer wrote:
There's another feature of NAT that is desirable that has not yet been
mentioned, and which at least some customers may be cognizant of: the
fact that NAT is a pretty restrictive firewall.

would that it were true. In fact, it is pretty easy to breech. All one has to do is ddos with a the right port prefix, observe a response of any kind, and you can ddos right through it.

I take it Cisco NAT implementations are not very well implemented then.


An actual stateful firewall is a good thing. NAT mostly has the effect of deluding the person behind it into thinking they have a security solution.

Stop there. Fred, I am sure you've read or written the code to implement:

a) a stateful inspection firewall

b) a NAPT implementation (what most folks think of when they talk about NAT).

The code is NEARLY identical. In fact, the lookup tables used just need an extra column to track some additional information.

Please stop with the argument that NAT and stateful inspection firewalls are different beasts. The software to implement them is basically identical. If you dislike NATs, say so, but this old argument about NAT boxes not providing security provided by stateful inspection firewalls is just not an honest one.



_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]