Sometimes the Solution becomes the Problem
I've been busy and have neglected some of my usual reading. In fact, I've hardly touched the April issue of Business Communications Review magazine. So, with some prompting from Pete, I took the time to read an article about next-generation challenges for firewalls.
The article pointed out how most networks rely on Network Address Translation (NAT) to minimize the need to use real IP addresses. A few years ago, a lot of us began to panic when IP addresses were getting scarce. NAT came along and seemed to be a great solution.
Now firewall manufacturers are trying to deal with VoIP and SIP applications in a more complicated NAT environment. The question raised in the article is whether the specialized software for overcoming NAT issues belongs in the firewall or in an external appliance specifically suited for translating between NAT-addressed devices and the Internet.
The argument, from the standpoint of the article, comes down to the appliance manufacturers versus the firewall manufacturers. Cisco and Check Point assert that dealing with NAT devices doesn't take much CPU cycle time and therefore is perfectly suited for the firewall. I believe that they completely miss the point.
Is CPU cycle time the real issue here? What about complexity?
Pete's point to me was simple. Isn't NAT the real problem? Get rid of that and get rid of the need for this whole argument. And what is the solution for getting rid of NAT? Simple:
IPv6
So, instead of solving problems, NAT has become, at least in part, the problem. For the vendors to get serious about IPv6 we must take it seriously. And we must stop messing around with NAT and other distractions...
6:20:26 PM