begin quoting Tracy R Reed as of Thu, May 25, 2006 at 02:14:29PM -0700:
> Neil Schneider wrote:
> >And the fact that developers can't document the network interfaces to
> >their software so that proxies can be built is a failure to understand
> >the requirements of network security. It always seems to be the fault
> >of the security admin because the application is badly behaved and
> >requires that all inbound ports be open to allow it to function.
> >Programmers should be denied the ability to write network software if
> >they can't clearly define which incoming and outgoing ports their
> >application will require.
> 
> I don't think this is the problem at all. The problem is that it is very 
> nice to be able to use ephemeral ports. But this is directly at odds 
> with NAT.

s/NAT/firewalls and NAT/

[snip]
> NAT has nothing directly to do with security anyway as far as I am 
> concerned.

Correct.

>            The security component of any NAT device is  just a packet 
> filter. Deny all incoming connections.  You can do this without NAT.

Yes. It's called a firewall.

A NAT has one additional property that's nice -- it hides my internal
network _structure_.  My ISP wants to charge me per IP address used,
so I can use as few of 'em as I want.

> At this point I wish HTTP would have been better if it were implemented 
> such that it did not work with NAT.  Then we would all have been forced 
> to move to IPv6 a long time ago and this NAT silliness would have died 
> the quick death it so richly deserves instead of making us all suffer 
> for years on end.

I'm just waiting for NAT to kill all this IPv6 silliness like it richly
deserves so that IPv6 advocates can stop annoying us for years on end.

See? I can do it too.

-- 
_ |\_
 \|


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list