Anit-Virus help for all of us??????
rwelty at averillpark.net
Mon Nov 24 21:39:27 UTC 2003
On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian <suresh at outblaze.com> wrote:
> Gerardo Gregory writes on 11/24/2003 4:20 PM:
> > NAT is not a security feature, neither does it provide any real
> > security, just one to one translations. PAT fall into the same
> It is not a cure all and I never said it was one. It cuts the risk down
> a little, is all.
Dan Senie called me on this one once, and he was right.
1-to-1 NAT is not much of a security feature.
Port NAT (PNAT) does, *as a side effect*, provide a measure of
as Dan pointed out to me, the code required to implement PNAT is
nearly identical to the code required to provide a state keeping
firewall similar to what might be done with OpenBSD's PF or
Linux's IPTables packages. it doesn't provide the additional useful
features of such firewalls, but it does do the minimum.
now the consumer PNAT appliances have other issues, and of course
PNAT often breaks protocols that make end to end assumptions
(which is why i don't like it), but the "not a security feature" thing is
not really accurate. the security feature is a side effect, and wasn't
the original intent of PNAT, but that doesn't mean it's not there.
Richard Welty rwelty at averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
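
The distinction drawn in the message above (port NAT acting as a minimal state-keeping filter, 1-to-1 NAT not) can be modelled as follows. This is an added example, not part of the original post; the class names, addresses and ports are constructed, and the model assumes address-and-port-dependent matching with no timeouts or TCP state tracking.

```python
"""Toy model: port NAT (PNAT) drops unsolicited inbound traffic as a side
effect of its translation table, while 1-to-1 NAT does not.
All addresses and ports are constructed sample values."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class PortNat:
    """Many inside hosts share one public address; state is kept per flow."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (inside ip, inside port, remote ip, remote port) -> public port
        self.back = {}  # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out:              # first packet of a flow creates state
            self.out[key] = self.next_port
            self.back[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], p.dst, p.dport)

    def inbound(self, p):
        # Same lookup a state-keeping filter performs: no matching flow, no delivery.
        inside = self.back.get((p.dport, p.src, p.sport))
        if inside is None:
            return None                      # nowhere to translate to, so dropped
        return Packet(p.src, p.sport, inside[0], inside[1])

class OneToOneNat:
    """Static address mapping: no per-flow state, so nothing is filtered."""
    def __init__(self, public_to_inside):
        self.map = public_to_inside

    def inbound(self, p):
        inside = self.map.get(p.dst)
        return None if inside is None else p._replace(dst=inside)

def demo():
    pnat = PortNat("203.0.113.1")
    sent = pnat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = pnat.inbound(Packet("198.51.100.7", 80, sent.src, sent.sport))
    probe = pnat.inbound(Packet("198.51.100.99", 4444, "203.0.113.1", 445))
    static = OneToOneNat({"203.0.113.2": "192.168.1.10"})
    passed = static.inbound(Packet("198.51.100.99", 4444, "203.0.113.2", 445))
    return reply, probe, passed
```

`demo()` returns the translated reply for the established flow, `None` for the unsolicited packet at the PNAT device, and a translated packet for the same unsolicited traffic at the 1-to-1 device.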