Few home users have a stateful firewall configured and AFAIK none of the
consumer models come with a good default set of rules, much less a drop
all unknown. For end users NAT is, and will likely continue to be, the
most significant and effective front line security they have. Home
router manufacturers have very limited budgets for training or support
for home end users, so the approach is likely to remain the least
expensive thing that produces the fewest inbound support calls. If the
question is whether NAT was designed to be a security level then I agree
with your stance, and I'd also agree that correctly configured firewalls do a
better job at security. Where I disagree is your position that there is
no extra security inherent in the default NAT behavior. Until someone
makes an effort to create either a DMZ entry or starts doing port
forwarding, all (AFAIK) of the common routers will drop packets that they
don't know where to forward.
Is this a tenuous and accidental security level based on current
defaults in cheap gear? Of course, but given how normal users behave,
until routers can automagically configure firewall settings in a safe
(i.e. not UPNP) manner, I don't see things changing.
On 1/12/2011 2:57 PM, Owen DeLong wrote:
> On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong <o...@delong.com> wrote:
>>> No, NAT doesn't provide additional security. The stateful inspection that
>>> NAT cannot operate without provides the security. Take away the
>>> address mangling and the stateful inspection still provides the same
>>> level of security.
>> There is at least one situation where NAT *does* provide a small amount of
>> necessary security.
>> Try this at home, with/without NAT:
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>> Without NAT, your unpatched PC will get infected in less than 1 minute.
> Wrong.
> Repeat the experiment with stateful firewall with default inbound deny and no
> NAT.
> Yep... Same results as NAT.
> NAT != security. Stateful inspection = some security.
> Next!!
> Owen
--
Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000
--------------------------------
Looking for hand-selected news, views and
tips for independent broadband providers?
Follow us on Twitter! http://twitter.com/ZCorum
--------------------------------
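The thread's core claim (the connection-state table drops unsolicited inbound traffic; the address rewriting adds nothing to that) can be checked with a small simulation. The following is an added example, not code from any of the posters, and it models a toy gateway in three modes: a bare host on a public address, a stateful firewall with default inbound deny and no NAT, and the usual consumer NAT router. All addresses are constructed from the RFC 5737 documentation ranges, and the port numbers and the `Gateway`/`experiment` names are assumptions made for this example.

```python
"""Toy model of a home gateway: unsolicited inbound packets are dropped by the
per-flow state table, whether or not source addresses are rewritten (NAT)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


FlowKey = Tuple[str, int, str, int, str]


class Gateway:
    """Three modes (nat=True without stateful=True is refused, because NAT
    cannot reverse-map replies without per-flow state):
      stateful=False, nat=False : bare public IP on the PC, nothing in the path
      stateful=True,  nat=False : stateful firewall, default inbound deny, no NAT
      stateful=True,  nat=True  : the usual consumer NAT router
    """

    def __init__(self, public_ip: str, stateful: bool, nat: bool):
        if nat and not stateful:
            raise ValueError("NAT needs per-flow state to reverse-map replies")
        self.public_ip = public_ip
        self.stateful = stateful
        self.nat = nat
        # external 5-tuple -> (inside address, inside port) of the originating host
        self.flows: Dict[FlowKey, Tuple[str, int]] = {}
        self.next_port = 40000  # constructed starting point for NAT source ports

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host opens a connection: record the flow, rewrite source if NAT."""
        if self.nat:
            ext = Packet(self.public_ip, self.next_port, pkt.dst, pkt.dport, pkt.proto)
            self.next_port += 1
        else:
            ext = pkt
        if self.stateful:
            self.flows[(ext.src, ext.sport, ext.dst, ext.dport, ext.proto)] = (pkt.src, pkt.sport)
        return ext

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the Internet: what the LAN host receives, or None if dropped."""
        if not self.stateful:
            return pkt  # bare host: everything is delivered
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key not in self.flows:
            return None  # no matching outbound flow: default inbound deny
        in_ip, in_port = self.flows[key]
        return Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.proto)


def experiment(stateful: bool, nat: bool) -> Tuple[bool, Optional[Packet]]:
    """Returns (unsolicited probe dropped?, reply to a PC-initiated flow as seen by the PC)."""
    # Constructed addresses: with NAT the PC sits on RFC 1918 space behind the
    # gateway's public address; without NAT the PC holds the public address itself.
    pc = "192.168.1.10" if nat else "203.0.113.7"
    gw = Gateway("203.0.113.7", stateful, nat)
    # 1. unsolicited probe from the Internet to a listening service on the PC
    probe = Packet("198.51.100.9", 4444, "203.0.113.7", 8080)
    probe_dropped = gw.inbound(probe) is None
    # 2. the PC initiates a connection out; the reply must still get through
    ext = gw.outbound(Packet(pc, 51000, "192.0.2.20", 80))
    reply = gw.inbound(Packet("192.0.2.20", 80, ext.src, ext.sport))
    return probe_dropped, reply


if __name__ == "__main__":
    for mode, (st, nat) in {"bare host": (False, False),
                            "stateful, no NAT": (True, False),
                            "stateful + NAT": (True, True)}.items():
        dropped, reply = experiment(st, nat)
        print(f"{mode:18s} probe dropped={dropped!s:5s} reply delivered to={reply.dst}:{reply.dport}")
```

Running it shows the bare host accepts the probe while both stateful modes drop it and still deliver the reply to the PC-initiated flow; the only difference NAT makes is the inside address the reply is rewritten to.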