On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian <suresh@outblaze.com> wrote:
Gerardo Gregory writes on 11/24/2003 4:20 PM:
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT fall into the same
It is not a cure all and I never said it was one. It cuts the risk down a little, is all.
Dan Senie called me on this one once, and he was right. 1-to-1 NAT is not much of a security feature. Port NAT (PNAT) does, *as a side effect*, provide a measure of meaningful security.

As Dan pointed out to me, the code required to implement PNAT is nearly identical to the code required to provide a state keeping firewall similar to what might be done with OpenBSD's PF or Linux's IPTables packages. It doesn't provide the additional useful features of such firewalls, but it does do the minimum.

Now the consumer PNAT appliances have other issues, and of course PNAT often breaks protocols that make end to end assumptions (which is why I don't like it), but the "not a security feature" thing is not really accurate. The security feature is a side effect, and wasn't the original intent of PNAT, but that doesn't mean it's not there.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
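The distinction the thread draws (1-to-1 NAT is stateless, port NAT keeps a per-flow table and therefore behaves like a minimal stateful firewall) is easiest to see in a small simulation. The code below is an added illustration written for this page, not code from the thread or from any NAT implementation; it assumes strict per-flow (5-tuple) matching with no table expiry, which is stricter than what many consumer appliances do, and all addresses are constructed from RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple for the simulation; no real traffic is involved."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneToOneNAT:
    """Static 1-to-1 NAT. Stateless: any inbound packet to a mapped public
    address is rewritten and forwarded, whether or not the inside host ever
    talked to the sender. This is the "just translation" case."""

    def __init__(self, inside_to_public: Dict[str, str]) -> None:
        self.inside_to_public = dict(inside_to_public)
        self.public_to_inside = {pub: ins for ins, pub in inside_to_public.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        pub = self.inside_to_public.get(pkt.src_ip)
        if pub is None:
            return None
        return Packet(pkt.proto, pub, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        ins = self.public_to_inside.get(pkt.dst_ip)
        if ins is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ins, pkt.dst_port)


class PortNAT:
    """Many-to-one port NAT (PNAT/PAT). Each outbound flow is given a public
    source port and a table entry; an inbound packet is forwarded only if it
    matches an entry created by earlier outbound traffic. That lookup is the
    stateful-firewall behaviour described in the thread as a side effect.
    Assumption (not from the thread): strict 5-tuple matching, no expiry."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:  # first packet of a new flow: allocate a port, record state
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_map.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no matching state: dropped, as a stateful firewall would
        ins_ip, ins_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ins_ip, ins_port)


def compare_behaviour() -> Dict[str, Optional[Packet]]:
    """Push the same events through both NAT types; None means 'dropped'."""
    inside, web, stranger = "192.168.1.10", "203.0.113.5", "203.0.113.9"
    results: Dict[str, Optional[Packet]] = {}

    pnat = PortNAT("198.51.100.1")
    out = pnat.outbound(Packet("tcp", inside, 51000, web, 80))
    results["pnat_out"] = out
    results["pnat_reply"] = pnat.inbound(Packet("tcp", web, 80, out.src_ip, out.src_port))
    results["pnat_unsolicited"] = pnat.inbound(Packet("tcp", stranger, 4444, out.src_ip, out.src_port))
    results["pnat_same_host_other_port"] = pnat.inbound(Packet("tcp", web, 8080, out.src_ip, out.src_port))

    onat = OneToOneNAT({inside: "198.51.100.2"})
    results["onat_reply"] = onat.inbound(Packet("tcp", web, 80, "198.51.100.2", 51000))
    results["onat_unsolicited"] = onat.inbound(Packet("tcp", stranger, 4444, "198.51.100.2", 22))
    return results


if __name__ == "__main__":
    for name, pkt in compare_behaviour().items():
        print(f"{name:28} {'DROPPED' if pkt is None else pkt}")
```

Running it shows the asymmetry the thread is about: the port NAT forwards the web server's reply and drops both the unrelated host's packet and a packet from the same server on a different port, because neither matches recorded state, while the 1-to-1 NAT forwards everything addressed to the mapped public address, including the unsolicited packet to port 22. The minimal firewall is exactly the state table; nothing else in the PNAT code is doing any filtering.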