[65367] in North American Network Operators' Group
Re[2]: Anit-Virus help for all of us??????
daemon@ATHENA.MIT.EDU (Richard Welty)
Mon Nov 24 16:46:50 2003
Date: Mon, 24 Nov 2003 16:39:27 -0500 (EST)
From: Richard Welty <rwelty@averillpark.net>
To: nanog@merit.edu
In-Reply-To: <3FC27750.4030202@outblaze.com>
Reply-To: Gerardo Gregory <ggregory@affinitas.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian <suresh@outblaze.com> wrote:
> Gerardo Gregory writes on 11/24/2003 4:20 PM:
> > NAT is not a security feature, neither does it provide any real
> > security, just one to one translations. PAT fall into the same
> It is not a cure-all and I never said it was one. It cuts the risk down
> a little, is all.
Dan Senie called me on this one once, and he was right.
1-to-1 NAT is not much of a security feature.
Port NAT (PNAT) does, *as a side effect*, provide a measure of
meaningful security.
As Dan pointed out to me, the code required to implement PNAT is
nearly identical to the code required to provide a state-keeping
firewall similar to what might be done with OpenBSD's PF or
Linux's IPTables packages. It doesn't provide the additional useful
features of such firewalls, but it does do the minimum.
Now the consumer PNAT appliances have other issues, and of course
PNAT often breaks protocols that make end-to-end assumptions
(which is why I don't like it), but the "not a security feature" thing is
not really accurate. The security feature is a side effect, and wasn't
the original intent of PNAT, but that doesn't mean it's not there.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
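As an added illustration (not part of Richard Welty's post, and not code from any real NAT or firewall implementation), a small Python simulation of the two translation styles the post contrasts: a static 1-to-1 map forwards any inbound packet to the mapped inside host, while a port-NAT table can only forward packets that match state created by an outbound flow, which is the state-keeping firewall behaviour described above. All addresses and port numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def one_to_one_inbound(static_map: Dict[str, str], pkt: Packet) -> Optional[Packet]:
    # 1-to-1 NAT: a static address map with no per-flow state, so any inbound packet
    # to a mapped public address is forwarded whether or not the inside host spoke first.
    inside = static_map.get(pkt.dst)
    return None if inside is None else Packet(pkt.proto, pkt.src, pkt.sport, inside, pkt.dport)

@dataclass
class PortNAT:
    public_ip: str
    next_port: int = 40000
    # (proto, inside ip, inside port, remote ip, remote port) -> public port
    out_map: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
    in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:  # first packet of a new flow: allocate translation state
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Only a packet matching state from an outbound flow has an inside destination;
        # anything else is dropped. That lookup is exactly a state-keeping firewall's job.
        inside = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        return None if inside is None else Packet(pkt.proto, pkt.src, pkt.sport, *inside)

def demo():
    # Constructed sample addresses from the RFC 5737 documentation ranges.
    pnat = PortNAT("203.0.113.1")
    out = pnat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 80))
    reply = pnat.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.1", out.sport))
    unsolicited = pnat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.1", 445))
    static = one_to_one_inbound({"203.0.113.2": "192.168.1.20"},
                                Packet("tcp", "198.51.100.9", 4444, "203.0.113.2", 445))
    return out, reply, unsolicited, static
```

The same unsolicited inbound packet is dropped by the port-NAT table but forwarded by the 1-to-1 map, which is the difference the post draws between the two.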