From: Regis on
za kAT <zakAT(a)super-secret-IPaddress.invalid> writes:

> Partly, but also the lack of a mapping in the state table means unsolicited
> inbound is dropped.

Not to mention that as implemented, home routers these days are far
from being just routers that implement NAT. They also act as a switch
as well as a stateful packet inspection firewall.

So, feel free to take Ansgar's rant about "NAT isn't a security
feature" as true, but a bit of an anachronistic rant of pedantry in
this context.

It's true, NAT doesn't secure anything in and of itself, but that's a
bit academic in the face of real implementations that are on the
market. Home routers are actually not all that awful for how much
functionality they pack into one box. URL filtering, http proxying
and having some easy way to have them limit outbound connections
intelligently would be a nice to have as would IDS/IPS, but the lack
of such goodies doesn't make them quite as worthless to me as Ansgar
seems to feel.


So, to the OP, what was the argument about that makes you want to
learn more about what you were arguing about?

From: Ansgar -59cobalt- Wiechers on
za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
> On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:
>> za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
>>> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
>>>> NAT is a feature to *enable* communication between private and
>>>> public networks.
>>>
>>> I thought that was IP masquerading.
>>
>> IP masquerading (or port address translation, PAT) is the most
>> commonly used subset of NAT nowadays.
>
> That's interesting, because I'd always understood IP masquerading to
> be the act of 'hiding' many addresses behind another. Not another name
> for PAT. It's an idea, not a physical act. Maybe I'm wrong

Yes.

[...]
>>>> The purpose of network security measures is to *restrict*
>>>> communication between networks. These are fundamentally different
>>>> concepts.
>>>
>>> It does restrict communication inbound.
>>
>> Not necessarily. Which is exactly the problem.
>
> I assume you are referring to its inability to really tackle
> solicited outbound wrt malware.

No, that's a whole different can of worms. I'm referring to the problem
that any NAT implementation needs to make (more or less educated)
guesses about which inbound packet really relates to an established
outbound communication. Think about DNS requests for instance.

> I still don't see it as a problem, just part of a simple solution,
> when paired with an AV suite.

I like simple solutions when they're reliable. NAT as a security feature,
however, isn't. Not to mention that any AV suite is as far from a "simple
solution" as it gets.

>> Besides, what's actually restricting inbound communication in case of
>> private addresses is the convention that private IP addresses must
>> not be routed over public networks. The NAT device itself doesn't
>> have much to do with it.
>
> Partly, but also the lack of a mapping in the state table means
> unsolicited inbound is dropped.

See above.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
From: Ansgar -59cobalt- Wiechers on
Regis <ordsec(a)gmail.org> wrote:
> za kAT <zakAT(a)super-secret-IPaddress.invalid> writes:
>> Partly, but also the lack of a mapping in the state table means
>> unsolicited inbound is dropped.
>
> Not to mention that as implemented, home routers these days are far
> from being just routers that implement NAT. They also act as a switch
> as well as a stateful packet inspection firewall.
>
> So, feel free to take Ansgar's rant about "NAT isn't a security
> feature" as true, but a bit of an anachronistic rant of pedantry in
> this context.

Not really, because on those devices the security is provided by the
packet filtering mechanism, not by the NAT implementation. That is a
fundamental difference, even if both mechanisms are implemented on the
same device.

To make reasonable decisions security-wise, one needs to understand what
a technology can and cannot do. I do not believe in confusing people by
mixing up distinct technologies.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
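The two points Ansgar makes in this thread (a NAT table alone has to guess which inbound packet belongs to an outbound flow, and on a home router it is the packet filter, not the translation, that does the restricting) can be shown with a small model. The code below is an added example written for this page; it is not from any poster and not from any real router firmware. It implements port address translation with a mapping table and two inbound policies: "none", where any external host may send to a mapped public port and be forwarded (what RFC 4787 calls endpoint-independent filtering), and "stateful", where the packet must also come from the peer the mapping was opened for. The addresses, ports and packets are constructed for the example; real implementations sit somewhere on that spectrum, and which behaviour you get is a filtering decision, not a property of translation.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses for the example: RFC 5737 documentation ranges on
# the public side, RFC 1918 space on the private side.
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Port address translation with a selectable inbound filtering policy.

    filtering="none":     once an internal host has opened a mapping, ANY
                          external host may send to the mapped public port and
                          the packet is translated and forwarded. This is the
                          translation table doing its job and nothing else.
    filtering="stateful": inbound must additionally come from the peer the
                          mapping was created for. This is a packet-filter
                          decision layered on top of the same table.
    """

    def __init__(self, filtering: str = "none") -> None:
        if filtering not in ("none", "stateful"):
            raise ValueError("filtering must be 'none' or 'stateful'")
        self.filtering = filtering
        self._next_port = 40000
        # (proto, internal_ip, internal_port) -> public port
        self._out: Dict[Tuple[str, str, int], int] = {}
        # (proto, public_port) -> (internal_ip, internal_port, peer_ip, peer_port)
        self._in: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network, creating a mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._out:
            self._out[key] = self._next_port
            self._next_port += 1
        pub_port = self._out[key]
        self._in[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the public side; None means dropped."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        entry = self._in.get((pkt.proto, pkt.dst_port))
        if entry is None:
            # No mapping, so the router has nowhere to send it. This is the
            # "unsolicited inbound is dropped" behaviour discussed in the thread.
            return None
        int_ip, int_port, peer_ip, peer_port = entry
        if self.filtering == "stateful" and (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            # A filter decision, not a NAT decision: the packet has a mapping
            # but does not come from the peer the internal host talked to.
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, int_ip, int_port)


def run_scenario(filtering: str) -> Dict[str, Optional[Packet]]:
    """Replay three constructed inbound packets against a gateway and report
    which of them reach the private network (None = dropped)."""
    gw = PatGateway(filtering)
    client, resolver, attacker = "192.168.1.20", "198.51.100.53", "198.51.100.99"

    # 1. Nothing has gone out yet: an unsolicited packet has no mapping.
    unsolicited = gw.inbound(Packet("tcp", attacker, 4444, PUBLIC_IP, 445))

    # 2. The client sends a DNS query; the gateway allocates a public port.
    query = gw.outbound(Packet("udp", client, 51000, resolver, 53))

    # 3. The genuine reply comes back from the resolver to that public port.
    dns_reply = gw.inbound(Packet("udp", resolver, 53, PUBLIC_IP, query.src_port))

    # 4. A different host sends to the same public port. The mapping table
    # alone cannot tell this from a reply; only a filter that remembers
    # the peer can.
    spoofed = gw.inbound(Packet("udp", attacker, 53, PUBLIC_IP, query.src_port))

    return {"unsolicited": unsolicited, "dns_reply": dns_reply, "spoofed": spoofed}


if __name__ == "__main__":
    for mode in ("none", "stateful"):
        outcome = run_scenario(mode)
        print(mode, {k: ("forwarded" if v else "dropped") for k, v in outcome.items()})
```

Run it and the two policies agree on the first two packets (unsolicited dropped, real DNS reply delivered) and disagree only on the third: with translation alone the packet from the unrelated host is delivered to the client's DNS socket, and it is the stateful check that turns it away. That check is the part a home router's "SPI firewall" contributes, and it is what the thread is arguing should be credited as the security mechanism.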
From: David H. Lipman on
From: "shrill chris" <plusnet(a)chris.millbank>

| Need an idiot's guide to NAT routers. I'm having a discussion with
| someone about NATs and PFWs. I'm technical but need to check a few
| basics. TIA.

Please ask in a networking group.
It is OT for; alt.comp.freeware & alt.privacy



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp