On Monday, July 02, 2007 07:01:28 AM -0700 "Hallam-Baker, Phillip"
<pbaker@xxxxxxxxxxxx> wrote:
> And from a security point I want to see as much NAT as possible.
Whereas I want my applications to work, and people to stop conflating NAT
and firewalls.
You don't want to see as much NAT as possible; you want to see as much
blocking of inbound connections to consumers as possible, and for some
reason you seem to think that a firewall which does that must necessarily
also be a NAT. In fact, it does not; it's perfectly reasonable to build a
box that can be sold for <$50 which sits between a subscriber's computer
and the Internet and provides a basic firewall. Such a thing could be
combined in the same box as an Ethernet switch, wireless AP, maybe a basic
router, DNS cache, and so on. In fact, plenty of such boxes are sold
today, except they all come with NAT turned on by default.
That is _not_ because NAT makes the network more secure - it doesn't.
It's because most of the people buying those boxes "need" NAT because their
ISPs won't give them more than one address, or at least won't do so for a
reasonable price. Fix _that_ problem, and you'll start seeing boxes that
provide security and flexibility without needing NAT.
Frankly, Phill, I'm surprised and disappointed that you are not only making
such a basic mistake, but spreading FUD about it.
-- Jeff
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
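The point Jeff makes above (blocking inbound connections to a subscriber is a stateful-filter decision, and address translation is a separate mechanism that adds no filtering decision of its own) can be shown concretely with a gateway ruleset. The following is an added illustration, not part of the thread and not anyone's shipped product; it uses modern nftables syntax rather than the 2007-era tooling, and the interface names (wan0, lan0) and the idea of a routed prefix on the LAN are assumptions for the example.

```nftables
# Added example (not from the thread): a consumer-gateway ruleset that blocks
# unsolicited inbound connections using plain stateful filtering and no NAT.
# Assumed names: wan0 is the ISP-facing interface, lan0 the subscriber side,
# and the LAN hosts carry real, routable addresses from a prefix the ISP routes.

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Minimal ICMP/ICMPv6 needed for path MTU discovery and IPv6 neighbour discovery.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      packet-too-big, echo-request } accept
        # Management of the box itself only from the subscriber side.
        iif lan0 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return traffic for flows the LAN initiated: this is the whole
        # "block inbound, allow outbound" behaviour people credit NAT with.
        ct state established,related accept
        ct state invalid drop
        # Subscriber-initiated connections toward the Internet.
        iif lan0 oif wan0 accept
        # Anything arriving on wan0 that is not part of a LAN-initiated flow
        # falls through to the drop policy. No address has been rewritten.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# What today's boxes add on top of (or instead of) the filter above: address
# translation. It lives in a separate nat-type chain and contributes no
# filtering decision; deleting it removes nothing from the ruleset above.
# table ip nat {
#     chain postrouting {
#         type nat hook postrouting priority srcnat;
#         oif wan0 masquerade
#     }
# }
```

The forward chain is where the security property lives: its drop policy plus the `ct state established,related` rule is what stops unsolicited inbound connections, and it works identically whether the LAN addresses are private (with the commented-out masquerade rule) or public. The only thing the NAT block buys is the ability to share one ISP-assigned address, which is the address-scarcity problem Jeff points to rather than a security feature.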