[134848] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Jan 12 12:17:53 2011
To: William Herrin <bill@herrin.us>
In-Reply-To: Your message of "Wed, 12 Jan 2011 12:04:01 EST."
<AANLkTi=6u5aWtx6KQpWx02o6qMM-Cnxw+v3MAnPA-Gnp@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 12 Jan 2011 12:16:27 -0500
Cc: "nanog@nanog.org list" <nanog@nanog.org>
On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
> In a client (rather than server) scenario, the picture is different.
> Depending on the specific "NAT" technology in use, the firewall may be
> incapable of selecting a target for unsolicited communications inbound
> from the public Internet. In fact, it may be theoretically impossible
> for it to do so. In those scenarios, the presence of NAT in the
> equation makes a large class of direct attacks on the interior host
> impractical, requiring the attacker to fall back on other methods like
> attempting to breach the firewall itself or indirectly polluting the
> responses to communication initiated by the internal host.
Note that the presence of a firewall with a 'default deny' rule for inbound
packets provides the same level of impracticality. And given the fact that
Windows has had a reasonably sane host-based firewall since XP SP2, and the
truly huge number of compromised PCs that sit behind a NAT on a DSL or
cable modem, it's pretty obvious that the presence of NAT is doing approximately
*zero* to actually slow down the miscreants.
140 million compromised PCs, most of them behind a NAT, can't be wrong. :)
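As an added illustration, not part of this message or the thread, the toy model below shows why a stateful default-deny firewall and a NAT gateway reject the same unsolicited inbound packets: each keeps a table of flows initiated from inside, and NAT only adds address rewriting on top of that table. All addresses, ports and class names are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Default-deny inbound: only replies to flows first seen leaving get through."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # forwarded unchanged, no translation
    def inbound(self, pkt):
        # A reply is the flow tuple reversed; anything else has no state and is dropped.
        return pkt if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows else None

class NatGateway(StatefulFirewall):
    """The same flow table, plus rewriting of the inside source to one public address."""
    def __init__(self, public_ip):
        super().__init__()
        self.public_ip = public_ip
        self.port_map = {}  # public port -> (inside_ip, inside_port); toy allocator
    def outbound(self, pkt):
        super().outbound(pkt)
        pub_port = 40000 + len(self.port_map)  # fresh public port per outbound flow
        self.port_map[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)
    def inbound(self, pkt):
        inside = self.port_map.get(pkt.dport)
        if inside is None:
            return None  # no mapping, so there is no interior target to deliver to
        # Undo the translation, then apply exactly the firewall's state check.
        return super().inbound(Packet(pkt.src, pkt.sport, inside[0], inside[1]))

def compare(probe_port=22):
    """For each device: (reply accepted?, unsolicited probe accepted?)."""
    client = Packet("10.0.0.5", 51000, "198.51.100.9", 443)  # constructed sample flow
    results = []
    for dev in (StatefulFirewall(), NatGateway("203.0.113.1")):
        out = dev.outbound(client)
        reply = Packet(out.dst, out.dport, out.src, out.sport)
        probe = Packet("192.0.2.77", 4444, out.src, probe_port)  # constructed scanner packet
        results.append((dev.inbound(reply) is not None, dev.inbound(probe) is not None))
    return tuple(results)
```

Calling `compare(40000)` probes the very port the NAT mapped for the outbound flow; the packet is translated but still dropped because the flow table has no entry for that outside source, which is the same check the plain firewall applies.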