Is NAT can provide some kind of protection?

Jack Bates jbates at brightok.net
Fri Jan 14 14:13:04 UTC 2011


On 1/13/2011 10:50 PM, Douglas Otis wrote:
> Unfortunately, a large number of web sites have been compromised, where
> an unseen iFrame might be included in what is normally safe content.  A
> device accessing the Internet through a NAT often creates opportunities
> for unknown sources to reach the device as well.  Once an attacker
> invokes a response, exposures persist, where more can be discovered.
> There are also exposures related to malicious scripts enabled by a
> general desire to show users dancing fruit.  Microsoft now offers a
> toolkit that allows users a means to 'decide' what should be allowed to
> see fruit dance.  Users that assume local networks are safe are often
> disappointed when someone on their network wants an application to do
> something that proves unsafe.  Methods to penetrate firewalls are often
> designed into 'fun' applications or poorly considered OS features.

I have to agree with this, but I believe it is outside the scope of what 
NAT or stateful firewalls provide. Neither is designed to mitigate this 
attack. Application level filtering within such firewalls is often
designed to protect users in this case.

Application level filtering, however, does not protect from the cell
phone hidden in a box which was sent to the wrong party and is waiting to
be shipped back.

There is not, and will probably never be, a single solution and approach 
to security.


Jack



