On 11/2/09 1:34 AM, William Herrin wrote:
> From an architectural point of view, an address-overloaded NAT firewall is more secure than stateful-nontranslating and packet filtering firewalls because an error in the firewall is not capable of opening up the span of internal hosts to direct access from the external network. Its security is beaten only by the application-layer proxy, which is much, much uglier.
Please let's not do another half-assed job of analyzing the security of NATs. If you REALLY want to take this on, then do it in a real paper that includes a complete threat analysis, such as what happens in the real world today with browser attacks that REALLY don't care about IP addresses.
Eliot
