Re: [arin-announce] IPv4 Address Space (fwd)

[Scott McGrath <mcgrath () fas harvard edu>]

That was _exactly_ the point I was attempting to make.  If you recall
there was a case recently where a subcontractor at a power generation
facility linked their system to an isolated network which gave
unintentional global access to the isolated network.  a NAT at the
subcontrator's interface would have prevented this.


                            Scott C. McGrath

On Wed, 29 Oct 2003, Jack Bates wrote:

> David Raistrick wrote:
>
> > You seem to be arguing that NAT is the only way to prevent inbound access.
> > While it's true that most commercial IPv4 firewalls bundle NAT with packet
> > filtering, the NAT is not required..and less-so with IPv6.
>
> I think the point that was being made was that NAT allows the filtering 
> of the box to be more idiot proof. Firewall rules tend to be complex, 
> which is why mistakes *do* get made and systems still get compromised. 
> NAT interfaces and setups tend to be more simplistic, and the IP 
> addresses of the device won't route publicly through the firewall or any 
> unknown alternate routes.
>
> -Jack
<