Possible Duplicate:
Switch to IPv6 and get rid of NAT? Are you kidding?
I'm thinking about the way that in IPv4 most of the time you have a single point to configure a firewall on, mainly your router, but if everybody has a Globally Accessible IP Address, doesn't that mean that each computer user is basically responsible for managing their own firewall?
(I mean I'll admit the same is true when using a public wifi access point, but still...)
IPv6 gets rid of NAT, which has certainly been a large part of avoiding accidental exposure of services to the internet from internal hosts. So in that way, yes, it's a change to how most everyone is doing things.
However, it doesn't at all mean that you won't still have a central firewall at the network edge - the change is simply that it'll be acting as a pure firewall instead of a firewall/NAT device. It'll just be up to the people managing those firewalls to make sure to avoid accidental exposure of services; fire up the deny rules!
Getting rid of NAT is a big change to network security practices, and there will certainly be times before too long that we hear about some accidental information exposure breaches due to misconfigured firewalls and IPv6. But NAT has always been a hack, and getting the firewalls out of the business of tracking all of those connections and fake connections for stateless protocols and port translations will be a good thing in the long run - less complexity sounds good to me!
No it is not a nightmare. NAT and private addresses were not created for security reasons, they were created because IPv4 addresses have been running out.
I’ll admit that using public IPs seems scary, but for security, you should trust your FIREWALL, not your NAT.
Read this other question on Server Fault about this same point. A lot of standards that spoke about NAT as security have changed; as an example, the PCI-DSS standards were amended in late October 2010 and the NAT requirement was removed (section 1.3.8 of v1.2).
If you don't stop that fear then you will never have all the advantages of incredible technologies like Windows 7 Direct Access.
Every computer should already be responsible for managing its own firewall.
That said, just because you lose NAT does not mean you lose all the benefits (you can still have NAT on IPv6). You can still have stateful firewalls on routers, and other firewall rules can be added too in a similar way as IPv4.
The only difference is that you may be able to identify the exact computer from within a private network, and if that's a problem you can install NAT.
It's still possible to block random port scans etc. from a router.
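The first answer's "fire up the deny rules" and this answer's point that stateful firewalling survives without NAT both come down to a default-deny forward policy on the edge router. As an added example (not from any answer on this page), here is an nftables ruleset for an IPv6 edge that forwards a LAN without NAT; the interface names, the 2001:db8 documentation prefix and the internal web server address are assumptions.

```nftables
# Added example: IPv6 edge firewall without NAT. Interface names, the
# 2001:db8:: documentation prefix and the web server address are assumed.
define wan_if = "eth0"
define lan_if = "eth1"
define lan_prefix = 2001:db8:1::/64
define web_server = 2001:db8:1::80     # hypothetical internal host

table ip6 edge {
    chain forward {
        # The whole point: "policy accept" here is the IPv6 equivalent of a
        # NAT box forwarding everything inbound. Default deny instead.
        type filter hook forward priority 0; policy drop;

        # Stateful: replies to connections the LAN opened come back in
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional in IPv6 (path MTU discovery etc.), so allow
        # the error types and rate-limited echo rather than blocking it all.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # LAN hosts may initiate outbound connections
        iifname $lan_if oifname $wan_if ip6 saddr $lan_prefix accept

        # Inbound exposure is explicit and per host: this is the only way in
        iifname $wan_if oifname $lan_if ip6 daddr $web_server tcp dport { 80, 443 } accept

        # Everything else hits the drop policy; log a sample for monitoring
        limit rate 5/minute log prefix "ip6-fwd-drop: "
    }

    chain input {
        # Traffic to the router itself: same default deny
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Neighbour discovery and router solicitation must work on the LAN side
        iifname $lan_if icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        iifname $wan_if icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Management only from the LAN
        iifname $lan_if ip6 saddr $lan_prefix tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`; a quick external check is to scan the web server address from outside the edge and confirm only 80 and 443 answer.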
This question is based on the common misconception that because NAT inadvertently provides some security, it's a firewall technology. This misconception can be cleared up with a simple thought experiment: Imagine an IPv4 NAT box that only has one client. It could, if it wanted to, forward all inbound traffic to that client and filter nothing at all, providing no security whatsoever. So why aren't you worried about that?
Many universities (and several large companies) have valid, routable IPs on every single computer. That does not mean there is not a gateway firewall device. It doesn't mean you can reach that device from the internet either. Most of the time, the firewalls are set to block all traffic by default. It does, however, guarantee that their computer is on a globally unique address.
If you use NAT, things just plain get nasty. I.e., you want to set up a VPN between you and your customer, but you both have internal networks of 192.168.1.x. This means you have to then NAT the NATed connections to make them appear to be a different internal-only IP, which makes things just get ugly in a hurry. (I have to do that with 5 other companies we have VPNs with.)