NAT is not a security feature, neither does it provide any real security, just one-to-one translations. PAT falls into the same category.
While it may not be a cure-all, a NAT solution offered by most entry-level routers is an effective, if incomplete, security tool. While it does not prevent stupid user tricks (downloading malware, misconfiguring NAT to allow incoming connections, etc.) it does stop most non-email worms in their tracks. For example, from an nmap or other scan of the IP address of my home DSL connection you would not see any interesting ports open, even if one or more of the hosts behind the router were accessing content of some kind. Worms that spread over open shares and insecure services (Windows or otherwise) do not ever hit any of the machines behind the NAT.

I, of course, run other security solutions (IDS detection/etc.) to keep my skills sharp, but I've been pleasantly surprised at the wherewithal of my little Efficient router and its NAT implementation. It's never allowed any unwanted traffic through from the outside (port 135 crud/etc.).

I always tell people that a NAT like this (rather than a 1:1 NAT or a NAT with PAT holes to allow access to servers) "keeps honest people honest". Could somebody figure out a way (TCP intercept, etc.) to get to a machine behind the NAT? I suppose so, but like the blinking red light on the dashboard of your car, it makes the lazy thief move on to the next car that doesn't present the appearance of protection.

-Scott

--
Scott Call Router Geek, ATGi, home of $6.95 Prime Rib
"These are the last days of peace in America as you know it. And we will never be the same." -Mark Morford
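
Added example, not part of the original post: a toy model of the many-to-one NAT (PAT) the message describes, showing why an outside probe such as one to port 135 reaches nothing until a static "PAT hole" is configured. The class, addresses and ports are constructed, and the model assumes the router accepts inbound packets only from the exact remote address and port of an existing flow; real devices differ in how strictly they filter.

```python
"""Toy model of a many-to-one NAT (PAT) translation table. Constructed example."""
from itertools import count


class Pat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(40000)  # next free public source port (assumed range)
        self.out = {}    # (in_ip, in_port, r_ip, r_port) -> public port
        self.back = {}   # (public port, r_ip, r_port) -> (in_ip, in_port)
        self.holes = {}  # public port -> (in_ip, in_port), static forwards

    def outbound(self, in_ip, in_port, r_ip, r_port):
        """An inside host opens a flow: create or reuse a dynamic mapping."""
        key = (in_ip, in_port, r_ip, r_port)
        if key not in self.out:
            pub = next(self._ports)
            self.out[key] = pub
            self.back[(pub, r_ip, r_port)] = (in_ip, in_port)
        return (self.public_ip, self.out[key])

    def inbound(self, r_ip, r_port, pub_port):
        """Return the inside (ip, port) a packet is delivered to, or None if dropped."""
        if pub_port in self.holes:
            # Static forward: any outside host may connect to this port.
            return self.holes[pub_port]
        # Otherwise only replies belonging to an existing outbound flow pass.
        return self.back.get((pub_port, r_ip, r_port))

    def forward(self, pub_port, in_ip, in_port):
        """Configure a static port forward (a 'PAT hole')."""
        self.holes[pub_port] = (in_ip, in_port)


def demo():
    nat = Pat("203.0.113.10")
    # Inside host browses a web server; the NAT allocates a public port.
    _, pub_port = nat.outbound("192.168.1.20", 51515, "198.51.100.7", 80)
    results = {
        "reply": nat.inbound("198.51.100.7", 80, pub_port),
        "probe_135": nat.inbound("192.0.2.99", 4444, 135),
        "probe_mapped_port": nat.inbound("192.0.2.99", 4444, pub_port),
    }
    # Misconfiguration case from the post: a hole that exposes port 135.
    nat.forward(135, "192.168.1.20", 135)
    results["probe_135_after_hole"] = nat.inbound("192.0.2.99", 4444, 135)
    return results


if __name__ == "__main__":
    for name, delivered_to in demo().items():
        print(f"{name:22} -> {delivered_to}")
```
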