Comment by kortilla

17 days ago

> Since there's no way for anyone on the Internet to know which machine on the corporate network is using a Class C address at any given time, it's impossible to establish a telnet or FTP session with any particular device.

This is a security feature ad, nothing else. And it’s 100% because of NAT, not anything else in the PIX feature set.

That came up earlier, and I know it's a gray area, but I agree with the idea that a line tossed into the marketing and not backed up by the manual weakens the importance. The firewall in the PIX is the security workhorse.

Also that sentence implies you can get a connection to a device, you just know less about which one it is. Is that really a meaningful security feature? To the extent that connections are actually blocked, it's not because of the NAT scrambling they quoted in the first half of that sentence. That sentence is somewhere between unhelpful and flat-out wrong.

  • No, you cannot get a connection to the device. It’s an un-routable block of RFC 1918 addresses.

    • > No, you cannot get a connection to the device.

      ...okay? I didn't say you can. I said that line in the marketing implies you can, as part of how it's wrong.

      If that wrong line in the marketing is the strongest evidence for NAT being initially understood as a security feature, that's very weak evidence for the pile.

      (If the way I worded things needs more clarification, let me try to elaborate. There is a way in which NAT would prevent the connection, but that aspect of NAT is not what the marketing sentence talked about. It incorrectly talked about a different aspect of NAT. While there could theoretically be a device that uses NAT for protection, this device uses the firewall for protection. Just like basically every other device that can do NAT.)

      4 replies →
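The distinction the thread is circling, shown as an added example (this is not code from the thread, from Cisco, or from the PIX): a toy port-address-translating gateway in which an unsolicited inbound packet is dropped only because no translation state exists for it, while a static mapping (port forward) happily delivers it unless a separate firewall policy says no. The "nobody knows which inside host has which address" property never enters into the decision. All addresses, ports and packets are constructed for the example; `PatGateway`, `Packet` and `run_scenarios` are names chosen here and model no real product.

```python
"""Toy PAT gateway: why the protection comes from missing translation
state (and from firewall policy), not from address "scrambling".
Added example with constructed addresses; not PIX code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    def __init__(self, public_ip, inside_net, static=None, allow_inbound=None):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)  # RFC 1918 block inside
        self.next_port = 40000                               # next public source port
        self.in_table = {}   # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.out_table = {}  # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.static = static or {}  # public_port -> (inside_ip, inside_port): port forward
        # Firewall policy applied to packets that a static map would deliver.
        # Default is "deny everything inbound" (hypothetical policy hook).
        self.allow_inbound = allow_inbound or (lambda pkt: False)

    def outbound(self, pkt):
        """Translate an inside->Internet packet and record state for replies."""
        assert ipaddress.ip_address(pkt.src_ip) in self.inside_net
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.public_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            # An RFC 1918 destination is not routable on the Internet, so a
            # packet addressed straight to the inside host never arrives at all.
            return None
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.in_table:
            # Reply to a connection an inside host opened: state exists.
            inside_ip, inside_port = self.in_table[key]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if pkt.dst_port in self.static:
            # NAT alone would deliver this; only the firewall policy can stop it,
            # and the attacker never needed to know the inside address.
            if not self.allow_inbound(pkt):
                return None
            inside_ip, inside_port = self.static[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        # No translation state and no static map: nowhere to deliver it.
        return None


def run_scenarios():
    """Constructed scenarios; returns what each inbound packet became."""
    public, inside = "198.51.100.1", "10.0.0.5"
    remote, attacker = "203.0.113.9", "203.0.113.66"
    results = {}

    gw = PatGateway(public, "10.0.0.0/24")
    # 1. Unsolicited telnet to the public address: no state, dropped.
    results["unsolicited_to_public"] = gw.inbound(Packet(attacker, 51000, public, 23))
    # 2. Telnet aimed directly at the RFC 1918 address: never routed here.
    results["direct_to_rfc1918"] = gw.inbound(Packet(attacker, 51001, inside, 23))
    # 3. Inside host opens HTTP outbound; the server's reply matches state.
    out = gw.outbound(Packet(inside, 34567, remote, 80))
    results["reply_to_outbound"] = gw.inbound(Packet(remote, 80, public, out.src_port))
    # 4. Static map for port 23 but firewall denies: NAT would forward, policy drops.
    gw_deny = PatGateway(public, "10.0.0.0/24", static={23: (inside, 23)})
    results["static_map_firewall_deny"] = gw_deny.inbound(Packet(attacker, 51002, public, 23))
    # 5. Same static map, firewall permits port 23: delivered to the inside host.
    gw_allow = PatGateway(public, "10.0.0.0/24", static={23: (inside, 23)},
                          allow_inbound=lambda p: p.dst_port == 23)
    results["static_map_firewall_allow"] = gw_allow.inbound(Packet(attacker, 51003, public, 23))
    return results


if __name__ == "__main__":
    for name, delivered in run_scenarios().items():
        print(f"{name}: {'dropped' if delivered is None else delivered}")
```

Scenarios 1 and 2 are the part of NAT that does block connections: there is no state and no route. Scenarios 4 and 5 are the point the last reply makes: the moment a mapping exists, the attacker's ignorance of the inside address is irrelevant, and whether the telnet session is established is decided entirely by the firewall policy.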