DS> Date: Mon, 4 Jun 2007 16:27:14 -0700
DS> From: David Schwartz
[ snipped throughout ]

DS> I can give you the root password to a Linux machine running telnetd
DS> and sshd. If it's behind NAT/PAT, you will not get into it. Period.
DS>
DS> I can give you the administrator password to a Windows machine with
DS> file sharing wide open. If it's behind NAT/PAT, you will not get
DS> into it. Period.

I can do the same without NAT/PAT. Period.

The benefits are from "disallow new inbound by default", *not* address muxing.

    N + S   = true
    !N + S  = true
    N + !S  = invalid state (can't happen)
    !N + !S = false

Note carefully how one can simplify the truth table to

    S  = true
    !S = invalid / false

A "true" outcome depends on the presence of "S". It is independent of "N".

DS> The only ways into these machines would be if the NAT/PAT device
DS> were misconfigured, another machine on the secure network were
DS> compromised, or another gateway into the secure network was set up.
DS> Guess what? All of these things would defeat a stateful inspection
DS> firewall as well.

Red herring and straw man. The argument is: "Does NAT/PAT address-hiding provide special benefit due to the fact that IP addresses are being muxed?" See above truth table.

DS> A large class of security vulnerabilities require the attacker to
DS> reach out to the machine first, and NAT/PAT stops those attacks
DS> completely.

No. Stateful filtering stops those attacks completely. NAT/PAT works merely by its automatic inclusion of stateful filtering, and _ipso facto_ does nothing. See above truth table.

Eddy

--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
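The truth table in the message, worked through as an added example (my code, not from the thread or any real firewall): a toy gateway with independent S (stateful filtering) and N (NAT/PAT) switches, so the four N/S rows can be exercised directly. All addresses are constructed RFC 5737 documentation values and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Toy gateway with two independent switches: S (stateful filtering) and N (NAT/PAT)."""
    stateful: bool                      # S: drop inbound packets that match no existing flow
    nat: bool                           # N: rewrite inside addresses to one public address
    public_ip: str = "198.51.100.1"     # constructed RFC 5737 documentation address
    flows: set = field(default_factory=set)       # (in_ip, in_port, out_ip, out_port)
    mappings: dict = field(default_factory=dict)  # public port -> (in_ip, in_port)
    next_port: int = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection; returns the 4-tuple as seen on the outside."""
        self.flows.add((src_ip, src_port, dst_ip, dst_port))
        if not self.nat:
            return (src_ip, src_port, dst_ip, dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[pub_port] = (src_ip, src_port)   # the NAT table is itself state
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from outside; returns the 4-tuple delivered inside, or None if dropped."""
        if self.nat:
            inside = self.mappings.get(dst_port) if dst_ip == self.public_ip else None
            if inside is None:
                return None          # nothing to translate to: NAT cannot deliver it
            dst_ip, dst_port = inside
        if self.stateful and (dst_ip, dst_port, src_ip, src_port) not in self.flows:
            return None              # new inbound, disallowed by default
        return (src_ip, src_port, dst_ip, dst_port)

def evaluate(nat: bool, stateful: bool):
    """Returns (reply_delivered, unsolicited_blocked) for one (N, S) combination."""
    gw = Gateway(stateful=stateful, nat=nat)
    # Inside host 10.0.0.5 talks to an outside web server (constructed addresses).
    pub_ip, pub_port, srv_ip, srv_port = gw.outbound("10.0.0.5", 51000, "203.0.113.7", 80)
    reply = gw.inbound(srv_ip, srv_port, pub_ip, pub_port)
    # Unsolicited connection to the inside host's telnet port, sent to whatever
    # address that host is reachable at from outside.
    target = gw.public_ip if nat else "10.0.0.5"
    unsolicited = gw.inbound("192.0.2.9", 4444, target, 23)
    return (reply is not None, unsolicited is None)

if __name__ == "__main__":
    for n in (True, False):
        for s in (True, False):
            print(f"N={n!s:5} S={s!s:5} -> (reply delivered, unsolicited blocked) = {evaluate(n, s)}")
```

The N + !S row comes out blocked as well because the translation table is state that NAT cannot do without, which is the "can't happen" row of the table; the only row that exposes the telnet port is !N + !S.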