by benc666 2054 days ago
A layered approach to security (onion model) is the only sane approach because any given layer will always have flaws.

The notion I get from the article is that security becomes a huge problem when every node is exposed to almost every other node by design intent. That's why NAT is mentioned several times.

3 comments

NAT was never intended to be a firewall and there are multiple ways of bypassing it to talk to the hosts behind it without them initiating a connection. A new method was just discovered (link: https://samy.pl/slipstream/).

It's very very easy to replicate the filtering behaviour of NAT for situations where it's being used that way. Simply block connections into the network that weren't initiated by clients in the network itself. Every stateful firewall can easily handle that and it doesn't come with the security loopholes of NAT.

NAT was never meant to be a true firewall, and just causes so many problems for internet connectivity.
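As an added example (not from the thread), this nftables ruleset does the "only flows started from inside get through" filtering that people mistake NAT for, with no address translation involved; the `inet` family means the same rules cover v4 and v6. The interface names `lan0` and `wan0` are assumptions.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows a host inside started is let back in.
        ct state established,related accept

        # Packets that match no tracked flow and are malformed or out of window.
        ct state invalid drop

        # Hosts on the inside may open new flows toward the internet.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 errors that v6 path MTU discovery depends on, even when
        # they arrive without a matching state entry.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Anything else, including every unsolicited inbound connection
        # arriving on wan0, falls through to the chain's drop policy.
    }
}
```

Load it with `nft -f <file>`; the forward chain's `policy drop` is what replaces the accidental filtering NAT provided, and `nft list ruleset` shows the live rules for checking.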

Exactly. Security at the endpoint level, rather than the firewall level, means that those that build those applications are in charge of security. There is no way my multi-business-unit company is going to solely trust developers with its security and compliance story. It's going to hire people whose job it is to secure the network as well. Given that these people don't even know all of the developers (or yet even their managers) inside this multi-business business, the only good thing those people have is firewalls and traffic inspection at large.

You're still going to have a firewall, it just won't be NAT based.

NAT isn't even a firewall in the first place. The firewall you need for v6? You've already got it in v4, if you've secured your v4 network.

...which a lot of people haven't, because they falsely believe that NAT by itself is enough to stop all inbound connections to their network.