In reality, PAT provides 99.99% of all firewall protection, so if some _very smart whitehat guy_ is writing _PNAT is not a firewall_, this means only that he is very far from reality. Show me, please, any attack addressed to the PNAT based system? PNAT is not enough for a firewall to be a full featured firewall - it is true; but PNAT provides the same protection as any firewall (it just does not allow inbound connections, so you can not expose any service). 1 - 1 NAT, of course, does not provide any protection. But the _MOST_ important part of all enterprise firewalls (I mean - not most complex, but those which protect 99.99% of their users) is just PNAT.

Of course, it is true _until_ we are talking only about _direct_ network level attacks. What many people missed is that, in the _real_ world, network level firewalls are not enough for the protection; if you use _standard_ software, you are exposed to worms, viruses and other, application level, dangers (and firewalls can not help here too much).

Of course, PNAT appliances created a very strange protocol meaning - if a protocol can not work thru PNAT, it 'is not a protocol' - you can not use it in many cases... And, on the other hand, the better the protocol security, the worse this protocol is for PNAT - in reality, a secure protocol can not be a multi-connection one /as FTP or H.323/.

----- Original Message -----
From: "Richard Welty" <rwelty@averillpark.net>
To: <nanog@merit.edu>
Sent: Monday, November 24, 2003 1:39 PM
Subject: Re[2]: Anit-Virus help for all of us??????
On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian
<suresh@outblaze.com> wrote:
Gerardo Gregory writes on 11/24/2003 4:20 PM:
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT fall into the same
It is not a cure all and I never said it was one. It cuts the risk down a little, is all.
Dan Senie called me on this one once, and he was right.
1-to-1 NAT is not much of a security feature.
Port NAT (PNAT) does, *as a side effect*, provide a measure of meaningful security.
as Dan pointed out to me, the code required to implement PNAT is nearly identical to the code required to provide a state keeping firewall similar to what might be done with OpenBSD's PF or Linux's IPTables packages. it doesn't provide the additional useful features of such firewalls, but it does do the minimum.
now the consumer PNAT appliances have other issues, and of course PNAT often breaks protocols that make end to end assumptions (which is why i don't like it), but the "not a security feature" thing is not really accurate. the security feature is a side effect, and wasn't the original intent of PNAT, but that doesn't mean it's not there.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
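Richard's point that the PNAT translation table is the same per-flow state a stateful firewall keeps, and the reply's point that multi-connection protocols such as FTP break behind PNAT, shown in an added toy model that is not code from either poster: a PNAT beside a 1-to-1 NAT, fed constructed packets on RFC 5737 documentation addresses (the names PortNAT, OneToOneNAT and run_scenarios are assumptions for this example).

```python
# Toy model of Port NAT (PNAT) beside 1-to-1 NAT. Hypothetical code written for
# this thread, not taken from any real NAT or firewall implementation.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

class PortNAT:
    """Many private hosts behind one public IP; each outbound flow gets a public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}    # (proto, public_port) -> (priv_ip, priv_port, remote_ip, remote_port)
        self.reverse = {}  # (proto, priv_ip, priv_port, remote_ip, remote_port) -> public_port

    def outbound(self, pkt):
        # The entry created here is the same per-flow state a stateful firewall keeps.
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[(pkt.proto, self.next_port)] = key[1:]
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        # Only a reply on an existing flow has a translation; anything else is dropped.
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry[0], entry[1])

class OneToOneNAT:
    """Static one public IP to one private IP mapping; every port is reachable."""
    def __init__(self, public_ip, private_ip):
        self.public_ip, self.private_ip = public_ip, private_ip

    def inbound(self, pkt):
        if pkt.dst_ip != self.public_ip:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.private_ip, pkt.dst_port)

def run_scenarios():
    """Constructed packets (RFC 5737 documentation addresses) exercising both NATs."""
    pnat, nat11 = PortNAT("198.51.100.1"), OneToOneNAT("198.51.100.2", "10.0.0.6")
    out = pnat.outbound(Packet("tcp", "10.0.0.5", 51000, "203.0.113.9", 80))
    reply = pnat.inbound(Packet("tcp", "203.0.113.9", 80, "198.51.100.1", out.src_port))
    unsolicited = pnat.inbound(Packet("tcp", "192.0.2.7", 1234, "198.51.100.1", 22))
    # Active FTP: the server opens a second connection from port 20 back toward the
    # client; PNAT holds no state for that flow, so the protocol breaks without an ALG.
    ftp_data = pnat.inbound(Packet("tcp", "203.0.113.9", 20, "198.51.100.1", 40001))
    exposed = nat11.inbound(Packet("tcp", "192.0.2.7", 1234, "198.51.100.2", 22))
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "ftp_data": ftp_data, "one_to_one_exposed": exposed}
```

The same unsolicited packet is dropped by the PNAT but delivered straight to the private host by the 1-to-1 NAT, which is the whole difference the thread is arguing about.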