At 06:00 PM 11/22/2004, Fred Baker wrote:
> At 12:10 PM 11/22/04 -0800, Chris Palmer wrote:
>> There's another feature of NAT that is desirable that has not yet been
>> mentioned, and which at least some customers may be cognizant of: the
>> fact that NAT is a pretty restrictive firewall.
>
> Would that it were true. In fact, it is pretty easy to breach. All one has
> to do is ddos with the right port prefix, observe a response of any
> kind, and you can ddos right through it.

I take it Cisco NAT implementations are not very well implemented then.

> An actual stateful firewall is a good thing. NAT mostly has the effect of
> deluding the person behind it into thinking they have a security solution.

Stop there. Fred, I am sure you've read or written the code to implement:
a) a stateful inspection firewall
b) a NAPT implementation (what most folks think of when they talk about NAT).
The code is NEARLY identical. In fact, the lookup tables used just need an
extra column to track some additional information.
Please stop with the argument that NAT and stateful inspection firewalls
are different beasts. The software to implement them is basically
identical. If you dislike NATs, say so, but this old argument about NAT
boxes not providing security provided by stateful inspection firewalls is
just not an honest one.
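As an added example, not code from this thread or from any vendor's product, here is a minimal connection-tracking table written to illustrate the "one extra column" point: with translation switched off it behaves as a stateful-inspection firewall, and with translation switched on the same table, plus an ext_port column, behaves as a NAPT. Whether an unsolicited inbound packet gets through is a separate policy on that table, named here with the RFC 4787 terms "address-and-port-dependent filtering" and "endpoint-independent filtering". The addresses, the external port allocation starting at 40000, and all class and function names are assumptions of the example; the model is UDP-like, with no TCP state machine and no entry timeouts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Flow:
    """One row of the connection-tracking table (constructed example)."""
    proto: str
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int
    # The single extra column a NAPT needs: the translated source port.
    ext_port: Optional[int] = None


class ConnTrackBox:
    """A connection-tracking table that serves both roles.

    translate=False: stateful-inspection firewall, no address rewriting.
    translate=True:  NAPT, i.e. the same table with ext_port filled in.
    filtering (RFC 4787 terms):
      'address-port-dependent': inbound accepted only from the exact remote endpoint
      'endpoint-independent':   inbound accepted from anyone once a mapping exists
    """

    def __init__(self, ext_ip: str, translate: bool,
                 filtering: str = "address-port-dependent") -> None:
        self.ext_ip = ext_ip
        self.translate = translate
        self.filtering = filtering
        self.flows: List[Flow] = []
        self._mappings: Dict[Tuple[str, str, int], int] = {}
        self._next_port = 40000  # assumed allocation policy, sequential

    def _ext_port_for(self, proto: str, ip: str, port: int) -> int:
        # Endpoint-independent mapping: one external port per inside socket,
        # reused regardless of which remote host the inside socket talks to.
        key = (proto, ip, port)
        if key not in self._mappings:
            self._mappings[key] = self._next_port
            self._next_port += 1
        return self._mappings[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside. Creates state; returns the packet as forwarded."""
        flow = next((f for f in self.flows
                     if (f.proto, f.inside_ip, f.inside_port, f.remote_ip, f.remote_port)
                     == (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)),
                    None)
        if flow is None:
            flow = Flow(pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if self.translate:
                flow.ext_port = self._ext_port_for(pkt.proto, pkt.src_ip, pkt.src_port)
            self.flows.append(flow)
        if not self.translate:
            return pkt
        return Packet(pkt.proto, self.ext_ip, flow.ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the delivered packet, or None if dropped."""
        for f in self.flows:
            if f.proto != pkt.proto:
                continue
            # Which socket the outside world must address depends on the role.
            if self.translate:
                if (pkt.dst_ip, pkt.dst_port) != (self.ext_ip, f.ext_port):
                    continue
            elif (pkt.dst_ip, pkt.dst_port) != (f.inside_ip, f.inside_port):
                continue
            # The filtering policy, not the translation, decides about strangers.
            if (self.filtering == "address-port-dependent"
                    and (pkt.src_ip, pkt.src_port) != (f.remote_ip, f.remote_port)):
                continue
            if self.translate:
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, f.inside_ip, f.inside_port)
            return pkt
        return None  # no matching state: unsolicited, dropped


def demo(translate: bool, filtering: str) -> dict:
    """Constructed scenario: an inside host queries a DNS server, then three
    inbound packets arrive: the real reply, a stranger aimed at the same port,
    and a stranger aimed at a port with no state at all."""
    box = ConnTrackBox("198.51.100.1", translate, filtering)
    inside = ("10.0.0.7", 5000)
    box.outbound(Packet("udp", *inside, "203.0.113.5", 53))
    target = ("198.51.100.1", 40000) if translate else inside
    reply = box.inbound(Packet("udp", "203.0.113.5", 53, *target))
    stranger = box.inbound(Packet("udp", "192.0.2.99", 4444, *target))
    cold = box.inbound(Packet("udp", "192.0.2.99", 4444, target[0], target[1] + 1))
    return {"reply_dst": (reply.dst_ip, reply.dst_port) if reply else None,
            "stranger": stranger is not None,
            "cold": cold is not None}


if __name__ == "__main__":
    for translate in (False, True):
        for filtering in ("address-port-dependent", "endpoint-independent"):
            print("NAPT" if translate else "FW  ", filtering, demo(translate, filtering))
```

The outcome for the stranger's packet is the same for both roles under the same filtering policy, and differs only when the policy differs: a box that filters by remote address and port drops it, a box that accepts anything aimed at an existing mapping admits it. That knob is what a buyer relying on "NAT as firewall" needs to ask about, and it is the same knob whether or not the box also rewrites addresses.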
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf