On Tue, Apr 20, 2010 at 9:34 PM, Karl Auer <[email protected]> wrote:
> On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
>> On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
>> > NAT _always_ fails-closed
>> Stateful Inspection can be implemented fail-closed.
>
> Not to take issue with either statement in particular, but I think there
> needs to be some consideration of what "fail" means.

Fail means that an inexperienced admin drops a router in place of the
firewall to work around a priority problem while the senior engineer
is on vacation. With NAT protecting unroutable addresses, that failure
mode fails closed.

Regards,
Bill Herrin

--
William D. Herrin ................ [email protected] [email protected]
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

