On Tuesday, 2001-06-05 at 09:18 AST, "Cessna, Michael" <mcessna@prizes.com> wrote:

> Since NAT hides the Internal IP address yet does not limit connections in any
> way, shouldn't NAT be considered 'Security by Obfuscation'?

The most commonly used form of NAT, namely PAT (aka IP masquerading), certainly does limit connections. It is basically outbound only.

Let me repost a message I sent in February - some of the folks in this thread could use the homework:

While there has been some good discussion in this thread, it has sometimes suffered by differing usage of terms. I distinguish 3 types of NAT (Cisco, for one, supports all of these):

1. Static NAT

Each internal address is mapped in a fixed configuration to its own external address. ... However it is only rarely used - usually just for servers. Any inbound packet destined for external address Xn is mapped to internal address In and forwarded, regardless of the ports and source address. This could be implemented in a completely stateless NAT box.

2. Dynamic NAT

Internal machines are unreachable until they attempt an external "connection". When they do, they are temporarily assigned an external address. As long as they keep sending to the outside, within some timeout specification, they own that address. Inbound packets destined to it will go to the internal machine. While this also could be stateless, I suspect most NAT boxes require that "connections" be initiated by the inside machine before allowing the inbound traffic. This is not very commonly used either.

3. PAT (port address translation)

Internal machines are unreachable until they attempt an external "connection". When they do, they are temporarily assigned a port on an external address (for tcp and udp). Only inbound packets with a source specification matching the destination of the original outbound traffic will be mapped and forwarded to the internal machine. This must be stateful. This method is by far the most commonly used.

It does pretty thoroughly block inbound connections. This is what most of the folks, other than mouss, seem to be talking about in this thread.

(I use the term "connection" in quotes, because while we really only have connections for tcp, the NAT box will typically simulate connections for other protocols such as udp and icmp echo.)

And there are certainly other types of NAT in use which are some combination of those listed above. A typical example is where all inbound traffic to port 25 is statically mapped to a single internal address. This acts like static NAT for that particular port (while all the other traffic may be using PAT).

It would be helpful if those discussing NAT make clear what type of translation they are intending. It usually makes a substantial difference.

Tony Rall

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
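As an added illustration (not code from the post above; all addresses and ports are constructed), a toy model of the two translation types the message contrasts: static NAT forwards any inbound packet for a mapped external address, while PAT forwards an inbound packet only when it matches a binding created by an earlier outbound packet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """Static NAT: fixed external->internal address map, stateless.
    Any inbound packet for a mapped external address is forwarded,
    regardless of its source address or ports."""
    def __init__(self, table):
        self.ext_to_int = dict(table)

    def inbound(self, pkt):
        internal = self.ext_to_int.get(pkt.dst)
        return None if internal is None else Packet(pkt.src, pkt.sport, internal, pkt.dport)


class PatBox:
    """PAT / IP masquerading: an outbound packet creates a port binding;
    an inbound packet is forwarded only when its source matches the
    destination of the outbound packet that created the binding."""
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.inbound_map = {}   # (ext_port, remote_ip, remote_port) -> (int_ip, int_port)
        self.outbound_map = {}  # (int_ip, int_port, remote_ip, remote_port) -> ext_port

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.external_ip, self.outbound_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        target = self.inbound_map.get((pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None   # no matching binding: unsolicited inbound is dropped
        return Packet(pkt.src, pkt.sport, target[0], target[1])


def demo():
    # Constructed sample traffic (documentation-range addresses).
    pat = PatBox("203.0.113.1")
    out = pat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    reply = pat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", out.sport))
    stray = pat.inbound(Packet("198.51.100.9", 80, "203.0.113.1", out.sport))
    static = StaticNat({"203.0.113.10": "10.0.0.25"})
    unsolicited = static.inbound(Packet("192.0.2.4", 4444, "203.0.113.10", 25))
    return out, reply, stray, unsolicited
```

Running demo() shows the reply from the contacted host reaching the inside machine, the packet from a different host being dropped by PAT, and the static mapping passing an unsolicited packet straight through.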