DDOS attacks and Large ISPs doing NAT?

Alexei Roudnev alex at relcom.EU.net
Fri May 3 09:13:21 UTC 2002


> > A NAT'd cell phone
> > won't, can't ever, respond to an unsolicited connection request.
>
> A NAT is not a firewall.
>
> A firewall is not a NAT.
>
> Some vendors bundle firewall functionality with NAT functionality, just as
> some vendors bundle SNA with IP.
>
> Please stop perpetuating the myth that a NAT is a security device.


It is not a myth; NAT (PNAT, to be correct) just allows internal users to have
SECURE access to the outer world without reverse access (it is 50 - 60% of the
firewall functionality). So, NAT is equal to the firewall for the outgoing calls.

Of course, static NAT does not provide any firewall functionality, and NAT does
nothing to protect inbound services, so to protect such services (if any exist)
you need a _real_ firewall. To protect the internal network, there is no better way
than to have a NAT (of course, a firewall with NAT is better, and all modern devices
provide both functionalities, but if I select what's better - a NAT device without
a firewall or a firewall without the NAT, and I'll have only outbound calls, I'll
choose a NAT).
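
A toy model of the two behaviours the message contrasts, added here as an illustration and not part of the original post: a port-translating NAT forwards inbound packets only where outbound traffic created state, while a static mapping forwards whatever arrives. The `Nat` class, its `strict` flag and every address are constructed for the example; `strict=False` models a translator that accepts any sender on an already mapped port, a case the message does not discuss.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    public_ip: str
    strict: bool = True        # assumption: match the remote endpoint on inbound
    next_port: int = 40000     # constructed starting point for dynamic ports
    static: dict = field(default_factory=dict)   # public port -> inside endpoint
    dynamic: dict = field(default_factory=dict)  # public port -> (inside, remote)

    def outbound(self, inside, remote):
        """Inside host opens a flow: allocate a public port and record state."""
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (inside, remote)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the inside endpoint the packet reaches, or None if dropped."""
        if public_port in self.static:
            return self.static[public_port]   # static NAT: no filtering at all
        entry = self.dynamic.get(public_port)
        if entry is None:
            return None                       # unsolicited: no translation state
        inside, expected_remote = entry
        if self.strict and remote != expected_remote:
            return None                       # mapped port, but wrong sender
        return inside

def demo():
    # All endpoints below are constructed sample values (documentation ranges).
    nat = Nat("203.0.113.1")
    phone, mail = ("10.0.0.5", 5000), ("10.0.0.10", 25)
    server, stranger = ("198.51.100.7", 80), ("192.0.2.99", 4444)
    out = {"unsolicited": nat.inbound(stranger, 40000)}
    _, port = nat.outbound(phone, server)
    out["reply"] = nat.inbound(server, port)
    out["stranger_strict"] = nat.inbound(stranger, port)
    nat.strict = False
    out["stranger_loose"] = nat.inbound(stranger, port)
    nat.static[25] = mail
    out["static"] = nat.inbound(stranger, 25)
    return out

if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(f"{case:16} -> {delivered_to}")
```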





