North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Anit-Virus help for all of us??????

  • From: Scott Call
  • Date: Mon Nov 24 16:53:03 2003

> NAT is not a security feature, neither does it provide any real
> security, just one to one translations.  PAT fall into the same
> category.

While it may not be a cure-all, a NAT solution offered by most entry-level
routers is an effective, if incomplete security tool.

While it does not prevent stupid user tricks (downloading malware,
misconfiguring NAT to allow incoming connections, etc) it does stop most
non-email worms in their tracks.

For example, from an nmap or other scan of the IP address of my home DSL
connection you would onot see any interesting ports open, even if one or
more of the hosts behind the router were accessing content of some kind.

Worms that spread over open shares and insecure services (windows or
otherwise) do not ever hit any of the machines behind the NAT.

I, of course, run other security solutions (IDS detection/etc) to keep my
skills sharp, but I've pleasantly suprised at the wherewithall of my
little Efficient router and it's NAT implementation.  It's never allowed
any unwanted traffic through from the out side (port 135 crud/etc).

I always tell people that a NAT like this (rather than a 1:1 NAT or a NAT
with PAT holes to allow access to servers) "keeps honest people honest".
Could somebody figure out a way (TCP intercept, etc) to get to a machine
bhind the NAT?  I supose so, but like the blinking red light on the
dashboard of your car, it makes the lazy thief move on to the next car
that doesn't present the apperance of protection.


Scott Call	Router Geek, ATGi, home of $6.95 Prime Rib
"These are the last days of peace in America as you know it.
And we will never be the same." -Mark Morford