From: shrill chris on 12 Aug 2010 08:51

Need an idiot's guide to NAT routers. I'm having a discussion with someone about NATs and PFWs. I'm technical but need to check a few basics. TIA.

--
Help destroy A C F for its own good.
From: Ansgar -59cobalt- Wiechers on 12 Aug 2010 11:31

za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
> | NAT is not a security feature
>
> Why?

Because it wasn't designed (nor intended) to be one. NAT is a feature to *enable* communication between private and public networks. The purpose of network security measures is to *restrict* communication between networks. These are fundamentally different concepts.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich
From: za kAT on 12 Aug 2010 12:06

On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
> za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
>>| NAT is not a security feature
>>
>> Why?
>
> Because it wasn't designed (nor intended) to be one.

> NAT is a feature to *enable* communication between private and public networks.

I thought that was IP masquerading. NAT just seems to be a way of negating the need to update routing tables beyond the router's external interface to reflect what networks are behind the NAT router.

> The purpose of network security measures is to *restrict* communication between networks. These are fundamentally different concepts.

It does restrict communication inbound.

--
zakAT(a)pooh.the.cat - Sergeant Tech-Com, DN38416. Assigned to protect you. You've been targeted for denigration!
From: Ansgar -59cobalt- Wiechers on 12 Aug 2010 12:44

za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
>> za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
>>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
>>>| NAT is not a security feature
>>>
>>> Why?
>>
>> Because it wasn't designed (nor intended) to be one.
>
>> NAT is a feature to *enable* communication between private and public networks.
>
> I thought that was IP masquerading.

IP masquerading (or port address translation, PAT) is the most commonly used subset of NAT nowadays. It's correct that NAT is not limited to remapping private to public addresses and vice versa, but even so, it's still a technology invented to enable rather than restrict communication.

>> The purpose of network security measures is to *restrict* communication between networks. These are fundamentally different concepts.
>
> It does restrict communication inbound.

Not necessarily. Which is exactly the problem. Besides, what's actually restricting inbound communication in case of private addresses is the convention that private IP addresses must not be routed over public networks. The NAT device itself doesn't have much to do with it.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich
From: za kAT on 12 Aug 2010 13:14

On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:
> za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
>> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
>>> za kAT <zakAT(a)super-secret-ipaddress.invalid> wrote:
>>>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
>>>>| NAT is not a security feature
>>>>
>>>> Why?
>>>
>>> Because it wasn't designed (nor intended) to be one.
>>
>>> NAT is a feature to *enable* communication between private and public networks.
>>
>> I thought that was IP masquerading.
>
> IP masquerading (or port address translation, PAT) is the most commonly used subset of NAT nowadays.

That's interesting, because I'd always understood IP masquerading to be the act of 'hiding' many addresses behind another. Not another name for PAT. It's an idea, not a physical act. Maybe I'm wrong, I couldn't quickly find a good definition. Whereas NAT, which you rightly point out as usually meaning PAT/NAPT, is a physical act. Maybe you're right, I dunno, but true NAT [1:1] still hides an address.

> It's correct that NAT is not limited to remapping private to public addresses and vice versa, but even so, it's still a technology invented to enable rather than restrict communication.

Yeah but, a hammer was designed to knock nails in, but it can still be an offensive weapon.

>>> The purpose of network security measures is to *restrict* communication between networks. These are fundamentally different concepts.
>>
>> It does restrict communication inbound.
>
> Not necessarily. Which is exactly the problem.

I assume you are referring to its inability to really tackle solicited outbound wrt malware. I still don't see it as a problem, just part of a simple solution, when paired with an AV suite.

> Besides, what's actually restricting inbound communication in case of private addresses is the convention that private IP addresses must not be routed over public networks. The NAT device itself doesn't have much to do with it.

Partly, but also the lack of a mapping in the state table means unsolicited inbound is dropped.

--
zakAT(a)pooh.the.cat - Sergeant Tech-Com, DN38416. Assigned to protect you. You've been targeted for denigration!
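The state-table behaviour the last two posts argue over, as an added toy model that is not part of the thread: a NAPT (masquerading) table only delivers an inbound packet that matches an entry created by earlier outbound traffic, so unsolicited inbound is dropped as a side effect of having nowhere to translate it to, while a static 1:1 NAT forwards every inbound packet for the mapped address and filters nothing, which is the distinction Ansgar draws. Class and method names are mine; addresses are constructed from RFC 5737 documentation ranges.

```python
# Toy model of the two NAT flavours argued over above (constructed example, not from the thread).
# Packets are (src_ip, src_port, dst_ip, dst_port) tuples; addresses are RFC 5737 documentation ranges.
PUBLIC_IP = "203.0.113.10"

class Napt:
    """Port address translation (masquerading): many private hosts behind one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}  # public port -> (priv_ip, priv_port, remote_ip, remote_port)
        self.by_flow = {}         # that same 4-tuple -> public port

    def outbound(self, pkt):
        """A private host talks out: create (or reuse) a state entry and rewrite the source."""
        src_ip, src_port, dst_ip, dst_port = pkt
        flow = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = pub_port
            self.by_public_port[pub_port] = flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, pkt):
        """A packet from the public side is delivered only if it matches an existing entry."""
        src_ip, src_port, _, dst_port = pkt
        entry = self.by_public_port.get(dst_port)
        if entry is None:
            return None  # unsolicited: no mapping, so there is nothing to translate to
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # a mapping exists, but for a different remote peer
        return (src_ip, src_port, priv_ip, priv_port)


class OneToOneNat:
    """Static 1:1 NAT: a public address permanently mapped to one private host."""

    def __init__(self, mapping):
        self.pub_to_priv = dict(mapping)  # public address -> private address

    def inbound(self, pkt):
        """Every packet for a mapped public address is rewritten and forwarded; nothing is filtered."""
        src_ip, src_port, dst_ip, dst_port = pkt
        priv = self.pub_to_priv.get(dst_ip)
        return None if priv is None else (src_ip, src_port, priv, dst_port)
```

The 1:1 case is why the thread's "unsolicited inbound is dropped" holds for the masquerading box most people have at home, but not for NAT in general.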