- From: Brian E Carpenter <brian@hursley.ibm.com>
- Date: Tue, 03 Dec 2002 13:19:23 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: discuss@apps.ietf.org
Mark Nottingham wrote:

...

> It's a start, but in many companies, the policy in place dictates that no
> external connections to internal addresses may be made. Furthermore, many
> companies use black-hole routing to control external access; i.e., they're
> using double-NAT on the gateways to completely isolate the networks'
> addressing, and force use of an intermediary in the DMZ for all traffic
> from the inside to out.

But there's a gross non-sequitur in this: NAT is irrelevant to enforcing such a policy. You don't need NAT to black-hole traffic; you just configure your routing accordingly, on both sides of the DMZ. Plenty of companies protect their assets that way.

There are lying salesmen who pretend otherwise. There are network managers who fall for the lies and FUD.

Brian
Received on Tuesday, 3 December 2002 07:20:39 UTC