On Mon, Nov 2, 2009 at 9:00 AM, Eliot Lear <[email protected]> wrote:
> On 11/2/09 1:34 AM, William Herrin wrote:
>> From an architectural point of view, an address-overloaded NAT
>> firewall is more secure than stateful-nontranslating and packet
>> filtering firewalls
>
> Please let's not do another half-assed job of analyzing the security of
> NATs. If you REALLY want to take this on, then do it in a real paper that
> includes a complete threat analysis

Eliot,

Even if I cared enough about the topic to do a proper analysis, this
is surely not the forum for it. My comment was offered only insofar as
it supports Scott's proposal that NAT should be treated as a permanent
part of the architecture with whatever impact to routing that happens
to have.

I manage a number of firewalls both personally and professionally. I
use NAT in some of them and packet filters in others, both to
excellent effect in their respective scenarios. There are a couple of
the NAT scenarios I'd be loath to give up.

Regards,
Bill Herrin

--
William D. Herrin ................ [email protected] [email protected]
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
