Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?
From: Marcus J. Ranum (mjr_at_ranum.com)
To: Victor Williams <firstname.lastname@example.org>, David Lang <email@example.com> Date: Mon, 25 Jul 2005 21:40:57 -0400
Victor Williams wrote:
>The whole reason NAT was implemented was because of a very finite (and quickly running out supply, dependending on who you ask) number of publicly routable IP addresses.
Actually, it wasn't. That was something on the horizon, but at the time when
we first started selling firewalls IP addresses were still fairly easy to get.
The first firewalls I built offered NAT (inherent in the design and then later via
"Proxy transparency" in Gauntlet) because a lot of the early firewall customers
had IP address ranges that they had picked out of a hat. Only a very few
sophisticated customers had internal routing. A lot of Sun customers were
using Sun's address range because that's what SunOS' install offered as a
So, you have a FORTUNE-big firm that just plunked down $75,000 for
an Internet gateway. Your choice is: re-address their network or NAT
their traffic. Hmmmm... Let me think about that...
It also didn't hurt that back in those days most customers actually were
more concerned with security than they are now. So, when you explained
to them that there was no IP routed between their network and the
Internet, and that the firewall represented a controlled topological gateway
between 2 incompatible networks, they "got it." Of course most of those
old-school security admins have long since been overruled, outmaneuvered,
and moved into other chains of command so that they no longer
firewall-wizards mailing list