Is NAT can provide some kind of protection?
On Wed, Jan 12, 2011 at 9:36 AM, Jack Bates <jbates at brightok.net> wrote:
>
> As my corp IT guy put it to me, PAT forces a routing disconnect between
> internal and external. There is no way to reach the hosts without the
> firewall performing its NAT function.
But that's not true. If you have NAT, without a firewall, I can
access your internal hosts (by addressing their RFC 1918 address)
because you'll be leaking your RFC 1918 addresses in and out.
Granted, I might have to be in your immediate upstream, but it can be
done.

So at best, all it does is limit how many hops away I need to be from
you to attack you.

Some benefit? Yes. Enough benefit to be worth the trouble? I
personally am not convinced.

Considering the amount of people who mistake the amount of security
NAT provides, we're probably better off without it to remove that
false sense of security.