Date: 12/07/03

Leythos wrote:
>So, let me get this understood - you are saying that it's more secure
>for a person to have a standard Windows based computer directly
>connected to the internet than it is to have it behind a router
>utilizing NAT (or PAT)??????

I'm saying that it's more secure to be behind a firewall and
to secure your applications than it is to use a NAT to
provide firewalling functions. 'Tain't that complicated.
Worse, if you're behind a NAT and you want to start using
applications that assume reachability, whether it's
peer-to-peer apps, videoconferencing, and so on, you're
going to need to rely on technologies that introduce
security holes that wouldn't exist if you didn't have a NAT
there in the first place. This is a well-understood
problem in many quarters.

Bob Frankston, who's one of the inventors of NAT, says that
NAT is one of the biggest mistakes he made.

Microsoft's Jawad Khaki is on the road complaining loudly
about NAT - he sees it as an impediment to Microsoft being
able to sell new services, and he's right. Time after time
after time I've seen people sit down to try to figure out
how to get their stuff to work across a NAT and be
transformed into foaming-at-the-mouth NAT haters because
it's really not possible to do it securely, efficiently, and
robustly. NAT doesn't make your network more secure, it
makes it less secure, and it makes your network far less
valuable by putting artificial limits on what you can do
with it. You've been sold a bill of goods by people who
profit specifically from the putative scarcity of IPv4.