On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:

> In a client (rather than server) scenario, the picture is different.
> Depending on the specific "NAT" technology in use, the firewall may be
> incapable of selecting a target for unsolicited communications inbound
> from the public Internet. In fact, it may be theoretically impossible
> for it to do so. In those scenarios, the presence of NAT in the
> equation makes a large class of direct attacks on the interior host
> impractical, requiring the attacker to fall back on other methods like
> attempting to breach the firewall itself or indirectly polluting the
> responses to communication initiated by the internal host.
Note that the presence of a firewall with a 'default deny' rule for inbound packets provides the same level of impracticality. And given the fact that Windows has had a reasonably sane host-based firewall since XP SP2, and the truly huge number of compromised PCs that sit behind a NAT on a DSL or cable modem, it's pretty obvious that the presence of NAT is doing approximately *zero* to actually slow down the miscreants. 140 million compromised PCs, most of them behind a NAT, can't be wrong. :)
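The two messages above argue that a port-overloading NAT and a routed firewall with a default-deny inbound rule are equivalent in what they block, and that neither does anything about flows the interior host starts itself. The following model, added here as an illustration and not code from either poster, makes that concrete: both gateways drop an unsolicited inbound SYN, both pass the reply to a connection the interior host opened, and both forward any connection the interior host initiates outward, which is exactly the path a compromised PC uses. All addresses, ports and the class and function names are constructed for the example.

```python
"""Toy model of a port-overloading NAT versus a routed default-deny
stateful firewall. Added illustration; addresses use RFC 5737/1918
documentation and private ranges and are constructed, not real hosts."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed: the gateway's outside address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for a new-connection attempt


class NatGateway:
    """Port-overloading NAT. An inbound packet is delivered only if an
    earlier outbound packet created a mapping for its destination port;
    with no mapping the NAT has no interior target to choose."""

    def __init__(self):
        self.next_port = 40000
        self.by_public_port = {}   # public port -> (in_ip, in_port, rem_ip, rem_port)
        self.by_inner = {}         # (in_ip, in_port, rem_ip, rem_port) -> public port

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_inner.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_inner[key] = port
            self.by_public_port[port] = key
        # Rewrite the source to the public address and mapped port.
        return "forward", Packet(PUBLIC_IP, port, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        m = self.by_public_port.get(pkt.dport)
        if m is None or (m[2], m[3]) != (pkt.src, pkt.sport):
            return "drop", None    # unsolicited: nothing to translate it to
        in_ip, in_port, _, _ = m
        return "forward", Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.syn)


class DefaultDenyFirewall:
    """Routed firewall, no address rewriting. Inbound packets pass only
    when they match a flow the interior side already opened."""

    def __init__(self):
        self.conntrack = set()

    def outbound(self, pkt):
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "forward", pkt

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "forward", pkt
        return "drop", None


def run_scenarios(gw):
    """Run the three cases the thread discusses and return the verdicts."""
    inner = "192.168.1.20"    # constructed interior host
    remote = "198.51.100.7"   # constructed outside host
    results = {}

    # 1. Unsolicited inbound SYN aimed at the interior host's SSH port.
    results["unsolicited_inbound"] = gw.inbound(
        Packet(remote, 51000, PUBLIC_IP, 22, syn=True))[0]

    # 2. Interior host opens an HTTPS connection; the server's reply
    #    is addressed to whatever the gateway put on the wire.
    _, egress = gw.outbound(Packet(inner, 51234, remote, 443, syn=True))
    reply = Packet(remote, 443, egress.src, egress.sport)
    results["reply_to_outbound"] = gw.inbound(reply)[0]

    # 3. Any connection the interior host itself initiates, which is how
    #    an already-compromised PC talks out; neither device objects.
    results["outbound_from_interior"] = gw.outbound(
        Packet(inner, 51235, remote, 8443, syn=True))[0]
    return results


if __name__ == "__main__":
    for gw in (NatGateway(), DefaultDenyFirewall()):
        print(type(gw).__name__, run_scenarios(gw))
```

Running it prints identical verdict tables for both gateways: `unsolicited_inbound` is dropped, the other two are forwarded. That is the poster's point in miniature: the inbound protection comes from state tracking and a default-deny policy, which a plain firewall provides without translation, and the path malware actually uses (the host reaching out) is open on both, so the control that matters there is egress policy and outbound detection rather than the presence of NAT.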