North American Network Operators Group
Re: Re[2]: Anit-Virus help for all of us??????
In reality, PAT provides 99.99% of all firewall protection, so if some _very smart whitehat guy_ is writing _PNAT is not a firewall_, this means only that he is very far from reality. Show me, please, any attack addressed to the PNAT based system? PNAT is not enough for a firewall to be a full featured firewall - it is true; but PNAT provides the same protection as any firewall (it just does not allow inbound connections, so you can not expose any service). 1 - 1 NAT, of course, does not provide any protection. But the _MOST_ important part of all enterprise firewalls (I mean - not the most complex, but those which protect 99.99% of their users) is just PNAT.

Of course, it is true _until_ we are talking only about _direct_ network level attacks. What many people missed is that, in the _real_ world, network level firewalls are not enough for the protection; if you use _standard_ software, you are exposed to worms, viruses and other, application level, dangers (and firewalls can not help here too much).

Of course, PNAT appliances created a very strange protocol meaning - if a protocol can not work thru PNAT, it 'is not a protocol' - you can not use it in many cases... And, on the other hand, the better the protocol security, the worse this protocol is for PNAT - in reality, a secure protocol can not be a multi-connection one /as FTP or H.323/.

----- Original Message -----
From: "Richard Welty" <[email protected]>
To: <[email protected]>
Sent: Monday, November 24, 2003 1:39 PM
Subject: Re[2]: Anit-Virus help for all of us??????

>
> On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian <[email protected]> wrote:
>
> > Gerardo Gregory writes on 11/24/2003 4:20 PM:
> >
> > > NAT is not a security feature, neither does it provide any real
> > > security, just one to one translations. PAT fall into the same
> >
> > It is not a cure all and I never said it was one. It cuts the risk down
> > a little, is all.
>
> Dan Senie called me on this one once, and he was right.
>
> 1-to-1 NAT is not much of a security feature.
>
> Port NAT (PNAT) does, *as a side effect*, provide a measure of
> meaningful security.
>
> as Dan pointed out to me, the code required to implement PNAT is
> nearly identical to the code required to provide a state keeping
> firewall similar to what might be done with OpenBSD's PF or
> Linux's IPTables packages. it doesn't provide the additional useful
> features of such firewalls, but it does do the minimum.
>
> now the consumer PNAT appliances have other issues, and of course
> PNAT often breaks protocols that make end to end assumptions
> (which is why i don't like it), but the "not a security feature" thing is
> not really accurate. the security feature is a side effect, and wasn't
> the original intent of PNAT, but that doesn't mean it's not there.
>
> richard
> --
> Richard Welty [email protected]
> Averill Park Networking 518-573-7592
> Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
>
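A toy model of the distinction both posters draw above: a PNAT box keeps a per-flow state table, so an inbound packet is delivered only if an inside host first opened that flow, while 1:1 NAT forwards unsolicited inbound traffic unchanged. This is an added illustration, not code from the thread; the addresses and ports are constructed example values.

```python
# Constructed toy model of PNAT (many-to-one, port-translating NAT) versus
# static 1:1 NAT, to show where PNAT's incidental "firewall" effect comes from.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Pnat:
    """Many-to-one NAT: all inside hosts share one public address."""
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # Outbound flow -> allocated public port (this IS the state table).
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> inside (ip, port).
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def egress(self, pkt: Packet) -> Packet:
        """Inside -> outside: create state and rewrite the source."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching existing state pass."""
        inside = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.public_ip or inside is None:
            return None  # no matching flow: nowhere to deliver, so dropped
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])

class OneToOneNat:
    """Static 1:1 NAT: each public address maps to one inside host, and
    unsolicited inbound packets are forwarded with only the dst rewritten."""
    def __init__(self, inside_to_public: Dict[str, str]) -> None:
        self.public_to_inside = {v: k for k, v in inside_to_public.items()}

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        inside = self.public_to_inside.get(pkt.dst)
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside, pkt.dport)
```

Note the model omits state timeouts and protocols such as FTP that open secondary connections, which is exactly where real PNAT boxes need application helpers.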