
Re: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

2007-07-03 03:37:01
On 7/2/07 9:14 PM, "David Morris" <dwm(_at_)xpasc(_dot_)com> wrote:
As the administrator of several small networks, it is quite simple. By
re-writing the address, the NAT is a de facto default deny.

A lot of administrators feel that way, and I understand
why (NAT is basically configuration-free, for the moment).
However, for the past 7 years (at least), currently, and
for the foreseeable future, manufacturers, users, application
authors, and standards bodies like the IETF, the ITU-T,
PacketCable, and the various 3s are working hard at finding
ways to bypass NAT "security" outside of any consideration
of policy and without giving the user control of the process.
(Control will belong to applications).  And incidentally,
each of these new NAT bypass techniques introduces new
security exposures, some by virtue of the fact that they're
bypassing what some people think is security and others by
virtue of the fact that they're actually not secure.
Good luck to all of us in staying on top of all of them.

I have a lot
more trust in the simplicity of a basic NAT in a consumer firewall than I
do in any firewall which has to examine each packet for conformance to
complex policy rules.

"Drop all inbound traffic" is complex?

Melinda

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
