Re: Is NAT can provide some kind of protection?

[Valdis.Kletnieks () vt edu]

On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:

> In a client (rather than server) scenario, the picture is different.
> Depending on the specific "NAT" technology in use, the firewall may be
> incapable of selecting a target for unsolicited communications inbound
> from the public Internet. In fact, it may be theoretically impossible
> for it to do so. In those scenarios, the presence of NAT in the
> equation makes a large class of direct attacks on the interior host
> impractical, requiring the attacker to fall back on other methods like
> attempting to breach the firewall itself or indirectly polluting the
> responses to communication initiated by the internal host.

Note that the presence of a firewall with a 'default deny' rule for inbound
packets provides the same level of impracticality. And given the fact that
Windows has had a reasonably sane host-based firewall since XP SP2, and the
truly huge number of compromised PC's that sit behind a NAT on a DSL or
cablemodem, it's pretty obvious that the presence of NAT is doing approximately
*zero* to actually slow down the miscreants.

140 million compromised PC's, most of them behind a NAT, can't be wrong. :)

Attachment: _bin
Description: