Is NAT can provide some kind of protection?

William Herrin bill at
Fri Jan 14 08:24:58 CST 2011

On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <dotis at> wrote:
> Unfortunately, a large number of web sites have been compromised, where an
> unseen iFrame might be included in what is normally safe content.  A device
> accessing the Internet through a NATs often creates opportunities for
> unknown sources to reach the device as well.  Once an attacker invokes a
> response, exposures persist, where more can be discovered.  There are also
> exposures related to malicious scripts enabled by a general desire to show
> users dancing fruit.  Microsoft now offers a toolkit that allows users a
> means to 'decide' what should be allowed to see fruit dance.  Users that
> assume local networks are safe are often disappointed when someone on their
> network wants an application do something that proves unsafe.  Methods to
> penetrate firewalls are often designed into 'fun' applications or poorly
> considered OS features.


Passive attacks. Very effective. Breeze past the firewall like it
wasn't there. Hard to target though; work best when you're fishing for
whatever you can get instead of trying to crack a particular system.
Some success combining them with social engineering.

Not terribly relevant to the discussion in this thread. Firewalls
mostly block active attacks where a hacker is pushing unsolicited data
at a host instead of waiting for the host to request data. Whether or
not NAT is involved doesn't really change that larger picture of the
general class of attacks firewalls obstruct.


William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list