North American Network Operators Group


Re: Another driver for v6?

  • From: Jack Bates
  • Date: Wed Oct 29 10:21:54 2008

Brandon Butterworth wrote:
as I am very tired of all the problems caused by multiple
layers of NATs and PAT.

Likewise but more because people keep designing stuff to try and force others to get rid of them, ignoring why they have them.

A false sense of security? The belief that hiding behind a single IP might disguise how many hosts you have, which in turn might provide some form of hidden security?

Inside the network, host to host security is what should be. This can assist in some protection against bots that do make it to the network, or internal maliciousness. Security from within has always been overlooked by many, and yet it is the employees who provide the largest security risk.

Stateful firewalls will not be going away entirely, but they can track state and perform proxy services without performing address translation. It just scares people because of their false belief that translating an address shows that security is working. If stateful monitoring/proxying/limiting is not working, the address translation doesn't really matter.

NAT has had its uses, but it's lazy and a false sense of overall security. I do think Microsoft is crazy if they think the need for VPN will disappear, unless they have another method for the stateful firewalls to snoop, monitor, and alter the IPSEC host to host packets (which isn't entirely impossible).

Jack Bates
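
The point about state tracking versus address translation, as an added example that is not part of the original post: a toy model in which a stateful filter and a NAPT device make the same accept/drop decisions, and only the translation differs. The class names, the `decisions` helper and all addresses are constructed for illustration; addresses are treated as opaque labels.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFilter:
    """Tracks flows; forwards packets with addresses untouched."""
    flows: set = field(default_factory=set)

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p

    def inbound(self, p):
        # Accept only the reverse direction of a flow started from inside.
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

@dataclass
class Napt:
    """Same kind of state table, plus source address/port rewriting."""
    public: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, p):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = p
        return Packet(self.public, port, p.dst, p.dport)

    def inbound(self, p):
        orig = self.table.get(p.dport)
        if orig is None or (p.src, p.sport) != (orig.dst, orig.dport):
            return None
        return Packet(p.src, p.sport, orig.src, orig.sport)

def decisions(device, inside_host, device_addr):
    """Run constructed traffic through a device; True means forwarded."""
    out = device.outbound(Packet(inside_host, 50000, "2001:db8:ffff::80", 443))
    reply = Packet(out.dst, out.dport, out.src, out.sport)
    unsolicited = Packet("2001:db8:bad::1", 4444, device_addr, out.sport)
    return {
        "reply": device.inbound(reply) is not None,
        "unsolicited": device.inbound(unsolicited) is not None,
        "source_preserved": out.src == inside_host,
    }
```

In both cases the unsolicited packet is dropped by the state lookup; the rewrite in `Napt.outbound` contributes nothing to that decision.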