North American Network Operators Group


Re[2]: Anit-Virus help for all of us??????

  • From: Richard Welty
  • Date: Mon Nov 24 16:46:05 2003

On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian <[email protected]> wrote:
> Gerardo Gregory writes on 11/24/2003 4:20 PM:

> > NAT is not a security feature, neither does it provide any real 
> > security, just one to one translations.  PAT fall into the same 

> It is not a cure all and I never said it was one.  It cuts the risk down 
> a little, is all.

Dan Senie called me on this one once, and he was right.

1-to-1 NAT is not much of a security feature.

Port NAT (PNAT) does, *as a side effect*, provide a measure of
meaningful security.

As Dan pointed out to me, the code required to implement PNAT is
nearly identical to the code required to provide a state-keeping
firewall similar to what might be done with OpenBSD's PF or
Linux's IPTables packages. It doesn't provide the additional useful
features of such firewalls, but it does do the minimum.

Now the consumer PNAT appliances have other issues, and of course
PNAT often breaks protocols that make end-to-end assumptions
(which is why I don't like it), but the "not a security feature" thing is
not really accurate. The security feature is a side effect, and wasn't
the original intent of PNAT, but that doesn't mean it's not there.

richard
-- 
Richard Welty                                         [email protected]
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
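The point made in the post above, that a port NAT's translation table is the same data structure a stateful firewall keeps and therefore drops unsolicited inbound packets as a side effect while 1-to-1 NAT forwards them, can be shown with a small packet-level simulation. The following is an added example and is not code from Richard Welty's post or from any of the NAT implementations it mentions. It also illustrates the end-to-end breakage the post complains about: a payload that carries the inside address (in the style of an FTP PORT command) is left untouched by the translator. All addresses come from the RFC 5737 documentation ranges, the `Packet`, `OneToOneNat` and `PortNat` classes are constructed for this illustration, and real translators also age out state entries and handle TCP flags, which is omitted here.

```python
"""Toy comparison of 1-to-1 NAT and port NAT (PNAT) as packet filters.

Added example, not part of the original NANOG post. Addresses, ports and
the packet format are constructed; there are no timeouts or TCP state.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class OneToOneNat:
    """Static 1-to-1 NAT: each inside host owns a public address.

    Translation needs no per-flow state, so anything addressed to a mapped
    public address is forwarded inside whether or not it was solicited.
    """

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.inside_to_public = dict(mapping)
        self.public_to_inside = {pub: inside for inside, pub in mapping.items()}

    def outbound(self, pkt: Packet) -> Packet:
        pub = self.inside_to_public[pkt.src_ip]
        return Packet(pub, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.public_to_inside.get(pkt.dst_ip)
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside, pkt.dst_port, pkt.payload)


class PortNat:
    """Port NAT (PNAT / NAPT / masquerade) sharing one public address.

    Every outbound flow creates an entry keyed by the translated port and the
    remote endpoint. Inbound packets are forwarded only when they match an
    entry, which is exactly what a stateful firewall's connection table does.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.state: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.reverse: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.reverse.get(key)
        if pub_port is None:  # first packet of a new flow: allocate state
            pub_port = self.next_port
            self.next_port += 1
            self.reverse[key] = pub_port
            self.state[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # The payload is copied verbatim: an inside address embedded in it
        # (e.g. an FTP PORT command) is NOT rewritten by this translator.
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.state.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no matching state: unsolicited, dropped
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def unsolicited_inbound_results() -> Tuple[bool, bool]:
    """Does a probe to an inside host's SSH port get through? (1-to-1, PNAT)"""
    one = OneToOneNat({"10.0.0.5": "198.51.100.5"})
    pnat = PortNat("198.51.100.1")
    probe_one = Packet("203.0.113.9", 5555, "198.51.100.5", 22)
    probe_pnat = Packet("203.0.113.9", 5555, "198.51.100.1", 22)
    return one.inbound(probe_one) is not None, pnat.inbound(probe_pnat) is not None


def reply_to_solicited_flow() -> Optional[Packet]:
    """A reply to a flow the inside host opened is matched by state and delivered."""
    pnat = PortNat("198.51.100.1")
    out = pnat.outbound(Packet("10.0.0.5", 51000, "203.0.113.9", 80, "GET /"))
    reply = Packet("203.0.113.9", 80, out.src_ip, out.src_port, "200 OK")
    return pnat.inbound(reply)


def end_to_end_breakage() -> str:
    """Payload naming the inside address survives translation unchanged."""
    pnat = PortNat("198.51.100.1")
    out = pnat.outbound(Packet("10.0.0.5", 51001, "203.0.113.9", 21, "PORT 10.0.0.5,51002"))
    return out.payload


if __name__ == "__main__":
    print("probe reaches host (1-to-1, PNAT):", unsolicited_inbound_results())
    print("solicited reply delivered to:", reply_to_solicited_flow())
    print("payload seen by remote peer:", end_to_end_breakage())
```

The first function is the post's argument in miniature: the 1-to-1 translator forwards the probe because its mapping is static, while the PNAT drops it because nothing in its state table matches. The second shows the same table doing useful work for a flow the inside host started, and the third shows why protocols that embed addresses in their payload need an application-layer helper or break behind PNAT.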