[64662] in North American Network Operators' Group
Re: [arin-announce] IPv4 Address Space (fwd)
daemon@ATHENA.MIT.EDU (Scott McGrath)
Thu Oct 30 09:28:54 2003
Date: Thu, 30 Oct 2003 09:22:50 -0500 (EST)
From: Scott McGrath <mcgrath@fas.harvard.edu>
To: Jack Bates <jbates@brightok.net>
Cc: nanog@merit.edu
In-Reply-To: <3FA030BF.8020800@brightok.net>
Errors-To: owner-nanog-outgoing@merit.edu
That was _exactly_ the point I was attempting to make. If you recall,
there was a case recently where a subcontractor at a power generation
facility linked their system to an isolated network, which gave
unintentional global access to the isolated network. A NAT at the
subcontractor's interface would have prevented this.
Scott C. McGrath
On Wed, 29 Oct 2003, Jack Bates wrote:
>
> David Raistrick wrote:
>
> >
> > You seem to be arguing that NAT is the only way to prevent inbound access.
> > While it's true that most commercial IPv4 firewalls bundle NAT with packet
> > filtering, the NAT is not required, and less so with IPv6.
> >
>
> I think the point that was being made was that NAT allows the filtering
> of the box to be more idiot proof. Firewall rules tend to be complex,
> which is why mistakes *do* get made and systems still get compromised.
> NAT interfaces and setups tend to be more simplistic, and the IP
> addresses of the device won't route publicly through the firewall or any
> unknown alternate routes.
>
> -Jack
>
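The argument made in Jack's reply and Scott's follow-up (a host on a publicly routable address is exposed by one over-broad filter rule, while the same host on an RFC1918 address behind NAT is reachable only through an explicit port-forward), as an added Python model that is not part of the thread; the ruleset, addresses and forward table below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

# Model simplification: only RFC1918 space counts as non-routable on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def globally_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)

def filter_decision(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched packet is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "drop"

def internet_reaches(rules, dst: str, dport: int, forwards=None, attacker="8.8.4.4"):
    """Return what an outside packet to dst:dport ends up at, or None. forwards is a NAT
    table {(public_ip, port): (inside_ip, port)}; when given, dst is the gateway's public
    address and inside hosts are reached only via an entry. 8.8.4.4 = arbitrary outside host."""
    if not globally_routable(dst):
        return None                       # no route on the public Internet
    if filter_decision(rules, attacker, dst, dport) != "accept":
        return None
    if forwards is None:
        return dst                        # routed network: one wrong accept == exposure
    return forwards.get((dst, dport))     # NAT: nothing inside without an explicit forward

# Constructed ruleset: the intended policy was "vendor range to port 22, drop the rest",
# but the subcontractor's rule was written with an any-source accept (the "mistake").
BAD_RULES = [Rule("accept", "0.0.0.0/0", "0.0.0.0/0", 22), Rule("drop", "0.0.0.0/0", "0.0.0.0/0")]
ROUTED_HOST = "192.0.2.20"   # control host on a routable address (documentation range as stand-in)
NAT_HOST = "10.20.0.5"       # the same host on an RFC1918 network behind a NAT gateway
GATEWAY = "192.0.2.1"        # the NAT gateway's public address

def demo() -> dict:
    return {
        "routed_exposed": internet_reaches(BAD_RULES, ROUTED_HOST, 22),   # -> "192.0.2.20"
        "nat_direct": internet_reaches(BAD_RULES, NAT_HOST, 22),          # -> None
        "nat_no_forward": internet_reaches(BAD_RULES, GATEWAY, 22, {}),   # -> None
        "nat_forwarded": internet_reaches(BAD_RULES, GATEWAY, 22, {(GATEWAY, 22): (NAT_HOST, 22)}),
    }
```

The last entry shows the only path by which the NATed host becomes reachable: a deliberate forward entry, not a filter-ordering slip.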