[arin-ppml] Set aside round deux

Roger Marquis marquis at roble.com
Wed Aug 4 00:45:48 EDT 2010


Kevin Kargel wrote:
> A simple stateful inspection firewall will provide at least as much
> security as NAT, be much simpler with less overhead, simplify
> troubleshooting and provide an easy method of reversal should roles change
> or troubleshooting require.

This has been gone over here before but please do explain what NAT breaks
that wouldn't have otherwise been dealt with by stateful inspection?

Yes we know that UPnP and dirt-cheap CPE break easily.  Most recognize
this as an implementation and not a protocol issue.

> NAT/PAT breaks many common consumer applications, requiring complex
> workarounds that consume much helpdesk time. NAT costs my organization time
> (s/time/money/g) every day when we have to deal with it.

Really?  "many common consumer applications", such as?

> That time would be much reduced if we could simply add an 'allow' rule
> rather than going through the steps to properly configure PAT.

Good luck selling "we could simply add an 'allow' rule" to the security
officer.  Consider too that even organizations with sufficient address
space (from legacy allocations) still use NAT on their internal networks.
This is because they have network engineers who understand security.

Roger Marquis
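To make the comparison the two posters are arguing over concrete, here is a small added model (not code from the ARIN-PPML thread or from either poster) of both designs: a stateful inspection firewall in front of globally addressed hosts, and a many-to-one NAT/PAT gateway behind a single public address. It runs the same four events through each: an unsolicited inbound SYN, an outbound connection and its reply, exposing SSH on two inside hosts, and the alternate-port workaround. All addresses, ports and host names are constructed from documentation and private ranges and are assumptions of the example.

```python
"""Toy model of a stateful inspection firewall versus a NAT/PAT gateway.

Added example, not from the ARIN-PPML thread.  Addresses are constructed
from RFC 5737 documentation ranges and RFC 1918 private space.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a new connection


class StatefulFirewall:
    """Default-deny inbound; pass replies to tracked flows and explicit allows."""

    def __init__(self, inside):
        self.inside = set(inside)
        self.flows = set()    # (inside_ip, inside_port, remote_ip, remote_port)
        self.allow = set()    # (inside_ip, dport) rules for unsolicited inbound

    def add_allow(self, host, port):
        self.allow.add((host, port))

    def outbound(self, pkt):
        assert pkt.src in self.inside
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt            # forwarded unchanged: no translation at all

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt        # reply to an established flow
        if pkt.syn and (pkt.dst, pkt.dport) in self.allow:
            return pkt        # explicitly allowed new connection
        return None           # dropped


class NatGateway:
    """Many-to-one PAT behind a single public address."""

    def __init__(self, public_ip, inside):
        self.public_ip = public_ip
        self.inside = set(inside)
        self.table = {}       # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.forwards = {}    # public_port -> (inside_ip, inside_port), i.e. port forwards
        self.next_port = 40000

    def add_forward(self, public_port, host, port):
        self.forwards[public_port] = (host, port)

    def outbound(self, pkt):
        assert pkt.src in self.inside
        pport = self.next_port
        self.next_port += 1
        self.table[(pport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pport, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        hit = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if hit is None and pkt.syn:
            hit = self.forwards.get(pkt.dport)
        if hit is None:
            return None       # no translation state: dropped
        return Packet(pkt.src, pkt.sport, hit[0], hit[1], pkt.syn)


def scenario():
    """Run the same four events through both designs; return what each forwarded."""
    remote = "198.51.100.5"
    fw = StatefulFirewall(["192.0.2.10", "192.0.2.11"])
    nat = NatGateway("203.0.113.1", ["10.0.0.10", "10.0.0.11"])
    r = {}
    # 1. Unsolicited inbound SYN to an inside host: both drop it.
    r["fw_unsolicited"] = fw.inbound(Packet(remote, 5555, "192.0.2.10", 22, syn=True))
    r["nat_unsolicited"] = nat.inbound(Packet(remote, 5555, "203.0.113.1", 22, syn=True))
    # 2. Outbound connection, then its reply: both pass the reply.
    fw.outbound(Packet("192.0.2.10", 50000, remote, 443, syn=True))
    r["fw_reply"] = fw.inbound(Packet(remote, 443, "192.0.2.10", 50000))
    out = nat.outbound(Packet("10.0.0.10", 50000, remote, 443, syn=True))
    r["nat_reply"] = nat.inbound(Packet(remote, 443, out.src, out.sport))
    # 3. Expose SSH on two inside hosts: one allow rule per host for the firewall...
    fw.add_allow("192.0.2.10", 22)
    fw.add_allow("192.0.2.11", 22)
    r["fw_host2_ssh"] = fw.inbound(Packet(remote, 6000, "192.0.2.11", 22, syn=True))
    # ...but PAT has only one public port 22, so the second forward displaces the first.
    nat.add_forward(22, "10.0.0.10", 22)
    nat.add_forward(22, "10.0.0.11", 22)
    r["nat_host1_ssh"] = nat.inbound(Packet(remote, 6000, "203.0.113.1", 22, syn=True))
    # 4. The usual workaround: a second public port that every client must be told about.
    nat.add_forward(2222, "10.0.0.10", 22)
    r["nat_host1_ssh_alt"] = nat.inbound(Packet(remote, 6001, "203.0.113.1", 2222, syn=True))
    return r


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:18} {'forwarded to ' + pkt.dst if pkt else 'dropped'}")
```

Events 1 and 2 come out the same for both: unsolicited inbound is dropped and replies to tracked flows pass, because in both designs that decision is made by a per-connection state table. Event 3 is where they part: the firewall needs one allow rule per host, while the PAT gateway's single public port 22 can only point at one inside host, so the second forward silently steals it from the first and the remaining host has to be reached on an alternate port (event 4).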


