NAT router info please

Need an idiot's guide to NAT routers. I'm having a discussion with someone about NATs and PFWs. I'm technical but need to check a few basics. TIA.

shrill chris

NAT is not a security feature and PFWs are crap. What else do you need to know?

cu

59cobalt
Ansgar -59cobalt- Wiechers

what? Pro Football Weekly (sometimes shortened to PFW)?!

"Routers" can provide port forwarding (independently of NAT).

If you are not running a server, NAT provides minimum security by hiding your computers' internal addresses.

Rick

| What else do you need to know?

| NAT is not a security feature

Why?

za kAT

Because it wasn't designed (nor intended) to be one. NAT is a feature to *enable* communication between private and public networks. The purpose of network security measures is to *restrict* communication between networks. These are fundamentally different concepts.

cu

59cobalt
Ansgar -59cobalt- Wiechers

I thought that was IP masquerading.

NAT just seems to be a way of negating the need to update routing tables beyond the router's external interface to reflect what networks are behind the NAT router.

It does restrict communication inbound.

za kAT

Go away sonny. I didn't make the original post.

It's no wonder everyone takes the piss out of you.

za kAT

IP masquerading (or port address translation, PAT) is the most commonly used subset of NAT nowadays. It's correct that NAT is not limited to remapping private to public addresses and vice versa, but even so, it's still a technology invented to enable rather than restrict communication.

Not necessarily. Which is exactly the problem. Besides, what's actually restricting inbound communication in the case of private addresses is the convention that private IP addresses must not be routed over public networks. The NAT device itself doesn't have much to do with it.

cu

59cobalt
Ansgar -59cobalt- Wiechers

That's interesting, because I'd always understood IP masquerading to be the act of 'hiding' many addresses behind another. Not another name for PAT. It's an idea, not a physical act. Maybe I'm wrong, I couldn't quickly find a good definition.

Whereas NAT, which you rightly point out as usually meaning PAT/NAPT, is a physical act. Maybe you're right, I dunno, but true NAT [1:1] still hides an address.

Yeah but, a hammer was designed to knock nails in, but it can still be an offensive weapon.

I assume you are referring to its inability to really tackle solicited outbound wrt malware. I still don't see it as a problem, just part of a simple solution, when paired with an AV suite.

Partly, but also the lack of a mapping in the state table means unsolicited inbound is dropped.

za kAT

Yes.

[...]

No, that's a whole different can of worms. I'm referring to the problem that any NAT implementation needs to make (more or less educated) guesses about which inbound packet really relates to an established outbound communication. Think about DNS requests for instance.

I like simple solutions when they're reliable. NAT as a security feature, however, isn't. Not to mention that any AV suite is as far from a "simple solution" as it gets.

See above.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Not to mention that as implemented, home routers these days are far from being just routers that implement NAT. They also act as a switch as well as a stateful packet inspection firewall.

So, feel free to take Ansgar's rant about "NAT isn't a security feature" as true, but a bit of an anachronistic rant of pedantry in this context.

It's true, NAT doesn't secure anything in and of itself, but that's a bit academic in the face of real implementations that are on the market. Home routers are actually not all that awful for how much functionality they pack into one box. URL filtering, http proxying and having some easy way to have them limit outbound connections intelligently would be a nice to have as would IDS/IPS, but the lack of such goodies doesn't make them quite as worthless to me as Ansgar seems to feel.

So, to the OP, what was the argument about that makes you want to learn more about what you were arguing about?

Regis

Not really, because on those devices the security is provided by the packet filtering mechanism, not by the NAT implementation. That is a fundamental difference, even if both mechanisms are implemented on the same device.

To make reasonable decisions security-wise, one needs to understand what a technology can and cannot do. I do not believe in confusing people by mixing up distinct technologies.

cu

59cobalt
Ansgar -59cobalt- Wiechers

From: "shrill chris"

| Need an idiot's guide to NAT routers. I'm having a discussion with
| someone about NATs and PFWs. I'm technical but need to check a few
| basics. TIA.

Please ask in a networking group. It is OT for alt.comp.freeware & alt.privacy.

David H. Lipman

OK, found the answer now. IP masquerading is a slightly different PAT service to SNAT. One for dynamic, the other for static external interfaces.

Well I guess it doesn't know. It just knows it sent a UDP packet out on port XXX, and what it receives back on that port it considers to be the reply. It can probably make simple guesses, like anything for destination port 53 will not be expecting a large reply, and there must be a timeout.

It can't take the packet apart, and examine it like a proxy.

It seems to me though that nothing can come in until a connection is made out. The port it goes out on /should/ be fairly random, and with a timeout it only gives small windows of opportunity.

Aw! come on. My AV just wor(*^(^&)^(&%(%....

za kAT

Kitty, I got a private email from a Native American who wants to take on BB? Want to join our alliance? Habby Gabby

Bear Bottoms

za kAT wrote, regarding NAT:

You're fairly seriously ramping up the complexity there. In order to change the source port number you either need to inspect the protocol flow or make the originator application aware it's behind a NAT device. (Think FTP's "PORT" command, or anything to do with SIP.)

And it's not possible to avoid changing the source port number, as the device is handling a 1:N relationship (think of two internal devices, both originating traffic on, say, port 12345).

NAT is a botch. A mostly-effective one, agreed. But a botch nevertheless.

Chris

Chris Davies
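A toy NAPT (port address translation) state table, added here as an example and not code from any poster in this thread. It models the behaviour argued over above: an outbound packet creates a mapping, two internal hosts using the same source port get distinct external ports (the 1:N problem Chris describes), an inbound packet with no mapping is dropped, and idle UDP mappings expire on a timeout; since the device cannot inspect the payload like a proxy, any packet arriving on a mapped port is treated as the reply. Addresses, ports and timestamps are constructed values.

```python
class Napt:
    """Minimal NAPT state table keyed on (protocol, external port)."""

    def __init__(self, public_ip, udp_timeout=30.0):
        self.public_ip = public_ip          # constructed sample address
        self.udp_timeout = udp_timeout      # idle seconds before a UDP mapping dies
        self.table = {}   # (proto, ext_port) -> [int_ip, int_port, last_seen]
        self.next_port = 40000              # next free external port

    def _expire(self, now):
        # UDP has no connection teardown, so the router can only guess a
        # mapping is finished by idle time; TCP mappings are kept here for
        # simplicity (a real device would track FIN/RST as well).
        dead = [k for k, v in self.table.items()
                if k[0] == "udp" and now - v[2] > self.udp_timeout]
        for k in dead:
            del self.table[k]

    def outbound(self, proto, int_ip, int_port, now):
        """Translate an outbound packet's source; returns (public_ip, ext_port)."""
        self._expire(now)
        # Reuse the existing mapping for this internal endpoint, if any.
        for (p, ext_port), entry in self.table.items():
            if p == proto and entry[0] == int_ip and entry[1] == int_port:
                entry[2] = now
                return self.public_ip, ext_port
        # Two internal hosts may both send from port 12345, so the source
        # port cannot simply be copied: allocate a fresh external port.
        ext_port = self.next_port
        self.next_port += 1
        self.table[(proto, ext_port)] = [int_ip, int_port, now]
        return self.public_ip, ext_port

    def inbound(self, proto, ext_port, now):
        """Deliver an inbound packet to (int_ip, int_port), or None if dropped."""
        self._expire(now)
        entry = self.table.get((proto, ext_port))
        if entry is None:
            return None       # unsolicited: no state-table entry, so dropped
        # No check of the remote address: whatever arrives on a mapped port
        # within the timeout window is assumed to be the reply.
        entry[2] = now
        return entry[0], entry[1]
```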
