On Feb 6, 2009, at 7:06 PM, Matthew Moyle-Croft wrote:
> Stephen Sprunk wrote:
>> You must be very sheltered. Most end users, even "security" folks
>> at major corporations, think a NAT box is a firewall and disabling
>> NAT is inherently less secure. Part of that is factual: NAT (er,
>> dynamic PAT) devices are inherently fail-closed because of their
>> design, while a firewall might fail open. Also, NAT prevents some
>> information leakage by hiding the internal details of the site's
>> network, and many folks place a high value on "security" through
>> obscurity. This is understandable, since the real threats --
>> uneducated users and flawed software -- are ones they have no power
>> to fix.
> It's also worth pointing out that CPE for DSL often has really poor
> stateful firewall code. So often turning it off means fewer issues
> for home users. At least NAT gives some semblance of protection.
> IPv6 without NAT might be awesome to some, but the reality is CPE is
> built to a price and decent firewall code is thin on the ground.
> I'm not hopeful of it getting better when IPv6 starts to become
> mainstream.

IPTables is decent firewall code.

It's free.

I don't buy that argument for a second.

Further, since more and more CPE is being built on embedded Linux,
there's no reason that IPTables isn't a perfectly valid approach to
the underlying firewall code.

Owen

> (In case it's not clear - I'm not talking about enterprise stuff -
> I'm talking about CPE for domestic DSL/Cable users - please don't
> tell me all about how cool NetScreen/PIX/ASA/<insert favourite fw>
> is for enterprise).
>
> MMC
> --
> Matthew Moyle-Croft - Internode/Agile - Networks
> Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
> Email: m...@internode.com.au Web: http://www.on.net
> Direct: +61-8-8228-2909 Mobile: +61-419-900-366
> Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
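The point Owen and Stephen are circling, as an added example that is not part of this thread or anyone's CPE firmware: a default-drop ip6tables policy with connection tracking gives a NAT-free IPv6 CPE the same "fail-closed" behaviour that dynamic PAT gets by design, while still passing the ICMPv6 types IPv6 needs to function. The WAN/LAN interface names (eth0, br0) are assumed; the script prints the commands unless DRY_RUN=0 is set (applying them needs root on a box with netfilter).

```shell
#!/bin/sh
# Added example: minimal stateful ip6tables policy for a Linux-based CPE
# with no NAT. Default policy DROP + conntrack = fail-closed by default.
# Interface names are assumptions; DRY_RUN defaults to 1 (print only).
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

cpe_v6_firewall() {
    wan=$1
    lan=$2

    # Fail-closed: anything not explicitly accepted is dropped.
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT ACCEPT
    run ip6tables -F INPUT
    run ip6tables -F FORWARD

    # Loopback, plus replies to connections the CPE itself opened.
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # IPv6 breaks without ICMPv6: neighbour discovery, router
    # advertisements and Packet Too Big (PMTUD) must be let in.
    for t in neighbour-solicitation neighbour-advertisement \
             router-advertisement packet-too-big destination-unreachable \
             time-exceeded parameter-problem; do
        run ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done

    # DHCPv6 client replies from the ISP (prefix delegation) on the WAN.
    run ip6tables -A INPUT -i "$wan" -p udp --dport 546 -j ACCEPT
    # The LAN side may reach the CPE for management.
    run ip6tables -A INPUT -i "$lan" -j ACCEPT

    # LAN -> WAN is allowed; WAN -> LAN only as a reply or ICMPv6 error.
    # Unsolicited inbound to LAN hosts falls through to the DROP policy.
    run ip6tables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    run ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
}

cpe_v6_firewall "${WAN:-eth0}" "${LAN:-br0}"
```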