nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Valdis.Kletnieks () vt edu
Date: Wed, 12 Jan 2011 12:16:27 -0500
On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
In a client (rather than server) scenario, the picture is different. Depending on the specific "NAT" technology in use, the firewall may be incapable of selecting a target for unsolicited communications inbound from the public Internet. In fact, it may be theoretically impossible for it to do so. In those scenarios, the presence of NAT in the equation makes a large class of direct attacks on the interior host impractical, requiring the attacker to fall back on other methods like attempting to breach the firewall itself or indirectly polluting the responses to communication initiated by the internal host.
Note that the presence of a firewall with a 'default deny' rule for inbound packets provides the same level of impracticality. And given the fact that Windows has had a reasonably sane host-based firewall since XP SP2, and the truly huge number of compromised PC's that sit behind a NAT on a DSL or cablemodem, it's pretty obvious that the presence of NAT is doing approximately *zero* to actually slow down the miscreants. 140 million compromised PC's, most of them behind a NAT, can't be wrong. :)
Attachment:
_bin
Description:
Current thread:
- Re: Is NAT can provide some kind of protection?, (continued)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 15)
- Re: Is NAT can provide some kind of protection? Jim Gettys (Jan 15)
- Re: Is NAT can provide some kind of protection? Mark Smith (Jan 16)
- Re: Is NAT can provide some kind of protection? Jim Gettys (Jan 16)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
- Re: Is NAT can provide some kind of protection? Lamar Owen (Jan 13)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
- Re: Is NAT can provide some kind of protection? Dave Pooser (Jan 12)
- Re: Is NAT can provide some kind of protection? Valdis . Kletnieks (Jan 12)
- Re: Is NAT can provide some kind of protection? Jack Bates (Jan 12)
- RE: Is NAT can provide some kind of protection? Nathan Eisenberg (Jan 12)
- Re: Is NAT can provide some kind of protection? Jack Bates (Jan 12)