North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Re[2]: Anit-Virus help for all of us??????

  • From: Alexei Roudnev
  • Date: Tue Nov 25 01:19:50 2003

In reality, PAT provides 99.99% of all firewall protection, so if some _very
smart whitehat gay_ is writing _PNAT is not a firewall_, this means only,
that he is very far from reality. Show me, please, any attack, addressed to
the PNAT based system? PNAT is not enioough for a firewall to be a full
featured firewall - it is true; but PNAT provides the same protection, as
any firewall (it just do not allow inbound connections, so you can not
expose any service).

1 - 1 NAT, of course, do not provide any protection. But the _MOST_
important part of all enterprise firewalls (I mean  -not most complex, but
those which protects 99.99% of their users) is just PNAT.

Of course, it is true _untl_ we are talking only about _direct_ network
level attacks. What many people missed is that, in _real_ word,
network level firewalls is not enough for the protection, if you use
_standard_ software, you are exposed to worms, viruses and other,
application level, dangers (and firewalls can not help here too much).

Of course, PNAT applianses created  a very strange protocol meaning - if
protocl can not work thru PNAT, it 'is not a protocol' - you can not use it
in many cases... And, on the other hand, the better is  protocol security,
the worst is this protocol for PNAT - in reality, secure protocol can not be
multi-connection one /as FTP or H.323/.



----- Original Message ----- 
From: "Richard Welty" <rwelty@averillpark.net>
To: <nanog@merit.edu>
Sent: Monday, November 24, 2003 1:39 PM
Subject: Re[2]: Anit-Virus help for all of us??????


>
> On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian
<suresh@outblaze.com> wrote:
> > Gerardo Gregory  writes on 11/24/2003 4:20 PM:
>
> > > NAT is not a security feature, neither does it provide any real
> > > security, just one to one translations.  PAT fall into the same
>
> > It is not a cure all and I never said it was one.  It cuts the risk down
> > a little, is all.
>
> Dan Senie called me on this one once, and he was right.
>
> 1-to-1 NAT is not much of a security feature.
>
> Port NAT (PNAT) does, *as a side effect*, provide a measure of
> meaningful security.
>
> as Dan pointed out to me, the code required to implement PNAT is
> nearly identical to the code required to provide a state keeping
> firewall similar to what might be done with OpenBSD's PF or
> Linux's IPTables packages. it doesn't provide the additional useful
> features of such firewalls, but it does do the minimum.
>
> now the consumer PNAT appliances have other issues, and of course
> PNAT often breaks protocols that make end to end assumptions
> (which is why i don't like it), but the "not a security feature" thing is
> not really accurate. the security feature is a side effect, and wasn't
> the original intent of PNAT, but that doesn't mean it's not there.
>
> richard
> -- 
> Richard Welty
rwelty@averillpark.net
> Averill Park Networking
518-573-7592
>     Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
>