Stewart Stremler wrote:
> NAT is a godsend and should rule the day; process level IPs should be
> implemented as NAT'd 127.x.x.x IPs and mediated by the OS kernel to the
> appropriate static IP. We need to make sure we start implementing NAT
> functionality in IPv6-capable firewalls.

Who are you and what have you done with Stewart?

NAT is the *worst* possible solution. It gives the illusion of security
while breaking the end-to-end nature of the Internet which made all of
these nice applications feasible.

On top of this, anything *behind* the NAT is free to infect anything
else behind the NAT.

Don't get me started about the number of RFC 1918 space queries that
still manage to make it to the Root DNS servers.

Finally, the worst security problems are *still* caused by stupid people
opening email and programs with viruses. Including Sony DRM ...

Although, what I think you are proposing is less like NAT and more like
host-based security.

-a