On Monday 27 December 2010 18:14:25 Tom H wrote:
> On Mon, Dec 27, 2010 at 12:41 PM, Joe Zeff <joe@xxxxxxx> wrote:
> > On 12/27/2010 09:15 AM, Patrick O'Callaghan wrote:
> >> Actually IIRC you have that the wrong way round. NAT was invented to
> >> deal with address space exhaustion, and had the side-effect of hiding
> >> machines behind the router.
> >
> > Before somebody steps in again to point out that NAT isn't a firewall,
> > I'd like to give my perspective on it. If your router uses NAT and only
> > forwards those ports you've told it to (and then, each port only goes to
> > one machine) port scanners can't find your machines because nothing
> > responds to their attempts to connect.

Oh, but the scanner *will* get a response, that's the whole point of
port-forwarding. A scanner sends out a bait, NAT forwards it to the
appropriate server, the server responds, NAT forwards the response back to
the scanner. This way the scanner can find out about all your open ports on
all servers behind your NAT, by scanning only one machine (the one facing
the internet). This is actually an added benefit for the scanner, courtesy
of NAT. :-)

> > And, of course, even if you have
> > malware trying to act as some sort of server it won't do any good unless
> > your machine initiates the connection.

If malware has infected one of your machines, it typically *will* initiate
the connection (calling home), and the NAT will do nothing to prevent
communication in that case.

> > No, this isn't a firewall, but
> > it's better than having your box sitting on the net completely exposed.

If you have a firewall (and you need one both with and without NAT), the
machine is never completely exposed. NAT doesn't add any security beyond the
firewall.

> > Consider NAT as one layer of protection in a properly designed and
> > implemented defense in depth.

As I heard somewhere, NAT is usually compared to a Japanese paper wall,
defense-wise. IOW, zero protection.

> NAT doesn't have anything to do with security.
>
> In your example above, what's the difference between scanning your NAT
> box for open ports and having them forwarded by the NAT box to a box
> on your internal network or scanning a publicly accessible box on your
> internal network directly?
>
> The firewall's the only defense in both cases.

Well, there is a slight difference, which makes NAT even *less* secure than
the non-NAT solution. :-)

Namely, in the case of having several servers with public IPs behind a
firewall (i.e. no NAT), the attacker needs to know the IP of each particular
machine he wants to attack. However, in the case of having several servers
with local IPs behind a NAT and a firewall (with appropriate port-forwarding
to each server), the attacker needs to know *only* your single public IP, and
he can successfully attack all of the servers behind a NAT through that one.
So, the attacker has a (slightly) easier job if you do have NAT than if you
don't.

Other than that, there is absolutely no difference, and the firewall is the
only true line of defense, as you remarked.

Best, :-)
Marko

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
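As an added illustration of the exchange above (this is not code from the thread, from any poster, or from any Fedora component): a toy Python model of a NAT router with a port-forwarding table. It walks through the three claims Marko makes. A SYN scan of the one public address gets answers from every forwarded service on every internal host, while ports with no forward stay silent; an infected internal host's outbound call-home is translated and passed through just like any other connection; and the only thing that blocks either is a separate filter rule, i.e. the firewall. Every address (RFC 5737 documentation and RFC 1918 ranges), host, listening port and the forwarding table are constructed for the example; the "C2" host and the egress rule are hypothetical.

```python
"""Toy stateful NAT with port forwards (constructed example, not real router code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.10"    # router's WAN address (made up, RFC 5737 range)
SCANNER_IP = "198.51.100.7"   # hypothetical external port scanner
C2_IP = "198.51.100.99"       # hypothetical command-and-control host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str   # "SYN" = connection attempt, "SYN-ACK" = a service answered


Firewall = Callable[[Packet, str], bool]   # (packet, "in" | "out") -> allowed?


class Nat:
    """DNAT for configured port forwards, SNAT (masquerade) for LAN-initiated flows."""

    def __init__(self, public_ip: str, forwards: Dict[int, Tuple[str, int]]):
        self.public_ip = public_ip
        self.forwards = forwards                         # public port -> (lan ip, lan port)
        self.reverse = {v: k for k, v in forwards.items()}
        self.conntrack: Dict[int, Tuple[str, int]] = {}  # allocated public port -> LAN socket
        self.next_port = 40000

    def wan_to_lan(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        target = self.conntrack.get(p.dport) or self.forwards.get(p.dport)
        if target is None:
            return None            # no mapping at all: dropped, the scanner hears nothing
        return Packet(p.src, p.sport, target[0], target[1], p.kind)

    def lan_to_wan(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key in self.reverse:                         # reply from a forwarded service
            pub_port = self.reverse[key]
        else:                                           # LAN-initiated flow: masquerade it
            pub_port = next((pp for pp, k in self.conntrack.items() if k == key), None)
            if pub_port is None:
                pub_port, self.next_port = self.next_port, self.next_port + 1
                self.conntrack[pub_port] = key
        return Packet(self.public_ip, pub_port, p.dst, p.dport, p.kind)


class Lan:
    """Internal hosts (ip -> listening ports) behind a NAT, with an optional WAN-side filter."""

    def __init__(self, nat: Nat, hosts: Dict[str, Set[int]], firewall: Optional[Firewall] = None):
        self.nat, self.hosts = nat, hosts
        self.firewall = firewall or (lambda p, direction: True)   # default: no firewall at all

    def deliver_from_wan(self, p: Packet) -> Optional[Packet]:
        """A packet arrives from the internet; returns what the sender gets back, if anything."""
        if not self.firewall(p, "in"):
            return None
        inner = self.nat.wan_to_lan(p)
        if inner is None or inner.kind != "SYN" or inner.dport not in self.hosts.get(inner.dst, set()):
            return None                                  # unknown host or closed port: silence
        answer = Packet(inner.dst, inner.dport, inner.src, inner.sport, "SYN-ACK")
        out = self.nat.lan_to_wan(answer)               # NAT rewrites the reply back to public ip:port
        return out if self.firewall(out, "out") else None

    def connect_from_lan(self, src: str, sport: int, dst: str, dport: int) -> Optional[Packet]:
        """A LAN host opens a connection (e.g. malware calling home); returns the reply it gets."""
        out = self.nat.lan_to_wan(Packet(src, sport, dst, dport, "SYN"))
        if not self.firewall(out, "out"):
            return None
        reply = Packet(out.dst, out.dport, out.src, out.sport, "SYN-ACK")   # remote side answers
        return self.nat.wan_to_lan(reply) if self.firewall(reply, "in") else None


def build_lan(firewall: Optional[Firewall] = None) -> Lan:
    """Constructed topology: three forwarded services on three hosts, one host with no forward."""
    forwards = {22: ("192.168.1.10", 22), 80: ("192.168.1.20", 80), 8443: ("192.168.1.30", 443)}
    hosts = {"192.168.1.10": {22}, "192.168.1.20": {80},
             "192.168.1.30": {443, 3306}, "192.168.1.40": {5432}}
    return Lan(Nat(PUBLIC_IP, forwards), hosts, firewall)


def scan(lan: Lan, ports: Iterable[int]) -> List[int]:
    """SYN-scan the single public IP and report every port that answers."""
    found = []
    for port in ports:
        reply = lan.deliver_from_wan(Packet(SCANNER_IP, 50000 + port, PUBLIC_IP, port, "SYN"))
        if reply is not None and reply.kind == "SYN-ACK":
            found.append(port)
    return found


def answering_hosts(lan: Lan, open_ports: Iterable[int]) -> Set[str]:
    """Router-side view: which distinct internal machines the scan actually reached."""
    return {lan.nat.forwards[p][0] for p in open_ports}


def block_call_home(p: Packet, direction: str) -> bool:
    """Hypothetical egress-filtering rule: the only thing in this model that stops the call-home."""
    return not (direction == "out" and p.dst == C2_IP)


if __name__ == "__main__":
    lan = build_lan()
    open_ports = scan(lan, range(1, 10000))
    print("open via one public IP:", open_ports, "on hosts", sorted(answering_hosts(lan, open_ports)))
    print("call-home through plain NAT:", lan.connect_from_lan("192.168.1.40", 51515, C2_IP, 443))
    print("call-home with egress filter:",
          build_lan(block_call_home).connect_from_lan("192.168.1.40", 51515, C2_IP, 443))
```

Note that the scanner never learns the private addresses, but it does not need to: one public IP, one sweep, and it has the forwarded services of three different machines. The host with no forward (192.168.1.40) is invisible to the scan, yet its outbound connection to the C2 address goes through NAT without any trouble; only the egress rule returns None for it, and that rule is firewall policy, not NAT.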