Anit-Virus help for all of us??????
alex at relcom.net
Tue Nov 25 06:17:16 UTC 2003
In reality, PAT provides 99.99% of all firewall protection, so if some _very
smart whitehat gay_ is writing _PNAT is not a firewall_, this means only,
that he is very far from reality. Show me, please, any attack, addressed to
the PNAT based system? PNAT is not enioough for a firewall to be a full
featured firewall - it is true; but PNAT provides the same protection, as
any firewall (it just do not allow inbound connections, so you can not
expose any service).
1 - 1 NAT, of course, do not provide any protection. But the _MOST_
important part of all enterprise firewalls (I mean -not most complex, but
those which protects 99.99% of their users) is just PNAT.
Of course, it is true _untl_ we are talking only about _direct_ network
level attacks. What many people missed is that, in _real_ word,
network level firewalls is not enough for the protection, if you use
_standard_ software, you are exposed to worms, viruses and other,
application level, dangers (and firewalls can not help here too much).
Of course, PNAT applianses created a very strange protocol meaning - if
protocl can not work thru PNAT, it 'is not a protocol' - you can not use it
in many cases... And, on the other hand, the better is protocol security,
the worst is this protocol for PNAT - in reality, secure protocol can not be
multi-connection one /as FTP or H.323/.
----- Original Message -----
From: "Richard Welty" <rwelty at averillpark.net>
To: <nanog at merit.edu>
Sent: Monday, November 24, 2003 1:39 PM
Subject: Re: Anit-Virus help for all of us??????
> On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian
<suresh at outblaze.com> wrote:
> > Gerardo Gregory writes on 11/24/2003 4:20 PM:
> > > NAT is not a security feature, neither does it provide any real
> > > security, just one to one translations. PAT fall into the same
> > It is not a cure all and I never said it was one. It cuts the risk down
> > a little, is all.
> Dan Senie called me on this one once, and he was right.
> 1-to-1 NAT is not much of a security feature.
> Port NAT (PNAT) does, *as a side effect*, provide a measure of
> meaningful security.
> as Dan pointed out to me, the code required to implement PNAT is
> nearly identical to the code required to provide a state keeping
> firewall similar to what might be done with OpenBSD's PF or
> Linux's IPTables packages. it doesn't provide the additional useful
> features of such firewalls, but it does do the minimum.
> now the consumer PNAT appliances have other issues, and of course
> PNAT often breaks protocols that make end to end assumptions
> (which is why i don't like it), but the "not a security feature" thing is
> not really accurate. the security feature is a side effect, and wasn't
> the original intent of PNAT, but that doesn't mean it's not there.
> Richard Welty
rwelty at averillpark.net
> Averill Park Networking
> Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
More information about the NANOG