1) What's the difference between PAT and NAT?
PAT is port address translation and similar to Masquerading.
From what I have gathered so far, the terms are identical in meaning (perhaps the implementations differ).
Every connection from inside is translated to a port of (usually?) ONE external (real) IP address.
Yes, always one, PAT = n:1 NAT. You can put together several PATs for n:m NAT, or call it o-wise PAT or whatever. These terms are actually rather useless.
NAT (network address translation) translates IPs to IPs.
Yes, this is the general term. Note that PAT is also a form of NAT, since IP addresses are translated in the process.
If you have i.e. ten real IPs, you could allow ten connections. Every internal IP is translated to one external IP. You may translate networks to other networks, i.e. 192.168.0.0/24 to 1.2.3.0/24 or so, which is not very common since you would need a lot of external addresses.
Well, this is n:n NAT, not simply NAT.
But with this method it's possible to connect to such a machine from outside on a different port, which is impossible with simple PAT (but there are ways like the ip_masq_ftp module).
There is also the ability to perform port forwarding, i.e. map one port on the host with the public IP address to a port on an inside machine. Note that NAT involving port translations quickly makes things very ugly and very complicated. I'd try to avoid it where possible. It's useful if you've got internal networks, but for DMZ networks, for example, I'd try to steer clear of NAT.
2) I'd like some more information about how secure a (private-IP) intranet is behind a router performing NAT/PAT or similar (which obviously has got a real IP address). My personal thoughts are that if the NAT device isn't implementing any port forwarding to any internal machine, the said machine is safe. Correct?
Well, it's as safe as behind a good firewall, yes.
No. It's as safe as it would be behind a dynamic (stateful) packet filter of the same level of intelligence, quality of implementation and rule base. No more, no less.
But there are still a lot of attack methods.
You can say that again.
The simplest form is an email worm. Viruses can still intrude with ftp/http transfers of course.
Generally, all attacks involving connections being made from the internal network are just as possible as they are without NAT/PAT/whateveryouwishtocallit. And some attacks are made possible by sloppy NAT implementations (recent UDP problems in IP Masquerading) or difficulties with protocols (check out FTP). In contrast to setups using packet filters, NAT boxes need to have traffic directed at them. This opens them up to attack, whereas if you have a simple packet filter, it should generally not need to be a valid destination for external hosts. This means you can prevent it from being targeted.
A trojan can connect to some attacker (since it's an outgoing connection).
This depends on the rule base, of course, just like with conventional packet filters.
If you use unsecured protocols (i.e. telnet) it's possible to do session hijacking; this may be dangerous.
It is also possible to hijack specifically masqueraded sessions, throw them out of sync, overflow the NAT tables, otherwise manipulate these, etc.
Other attacks like DNS spoof work,
DNS spoofing isn't a NAT-specific attack, though.
and last but not least the entire network is never more secure than the firewall itself; if the firewall gets hacked (by a buggy FTP or similar) you're lost ;) So do not run any services on the firewall, maybe ssh, but not more.
Good advice. However, as I said above, if you're running NAT, you've got to make that NAT device accessible from the outside directly, i.e. it will have to accept packets destined for itself, not just the network behind it. That opens up a new can of worms, which is often neglected.
So, the intranet would be safe from external attacks (supposing router access is not granted and its configuration is safe from hackers) without needing a firewall or router filters, isn't it?
Well, doing Masquerading is an (implicit) firewall filter rule that says: do not allow connections initiated from outside to inside, only from inside to outside is allowed (inside means the secured network).
Only if implemented that way. A lot of people masquerade inbound as well by mistake. Many don't implement anti-spoofing rules, don't block non-masqueraded routing, don't lock off the outside invalid destination ports on the masquerading machine, etc.
But that's not the maximum security of course.
No, hardly.
If you have one trojaned machine inside your network, your security is lost, since the machine is allowed to do anything (connect to an outside attacker, steal data from inside and send it out and so on).
Correct. The point is: no single technology is the magic bullet and no technology by itself is secure. It's in the implementation of the technology and its application.

Regards
Tobias
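To make the two points of the thread concrete, here is a toy model of a masquerading box, added as an illustration for this discussion; it is not code from the thread or from any real NAT implementation (IP Masquerading or otherwise), and every address, port and table layout in it is a constructed assumption. It shows the n:1 translation from question 1 (every inside connection gets a port on ONE real IP, replies are mapped back through the table, a port forward is the only deliberate way in) and, for question 2, the difference between a box that behaves like a stateful packet filter and the sloppy setup described above: matching replies on the external port alone, skipping anti-spoofing, and routing packets that are not addressed to the box itself.

```python
"""Toy model of a masquerading (PAT, n:1 NAT) box.

Added illustration for the thread above; not code from the thread or from
any real NAT implementation. All IPs and ports are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatBox:
    """strict=True behaves like a stateful packet filter (full-tuple session
    match, anti-spoofing, nothing routed that is not addressed to the box).
    strict=False models the sloppy configurations the thread warns about."""

    def __init__(self, external_ip: str, internal_prefix: str = "192.168.0.",
                 port_forwards: Optional[Dict[int, Tuple[str, int]]] = None,
                 strict: bool = True) -> None:
        self.external_ip = external_ip
        self.internal_prefix = internal_prefix
        self.strict = strict
        # external port -> (inside host, inside port): the only deliberate way in
        self.port_forwards: Dict[int, Tuple[str, int]] = dict(port_forwards or {})
        self.next_port = 40000  # assumed start of the translated-port range
        # outbound 4-tuple -> external port, plus the reverse lookup for replies
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the inside interface: reuse or allocate a mapping, rewrite source."""
        if not self._is_internal(pkt.src_ip):
            self.log.append(f"DROP outbound: non-internal source {pkt.src_ip}")
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.out_table.get(key)
        if ext_port is None:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[key] = ext_port
            self.in_table[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the outside interface: translate a reply, port-forward, or drop."""
        if self.strict and self._is_internal(pkt.src_ip):
            self.log.append(f"DROP inbound: spoofed internal source {pkt.src_ip}")
            return None
        if pkt.dst_ip != self.external_ip:
            if self.strict:
                self.log.append(f"DROP inbound: not addressed to the box ({pkt.dst_ip})")
                return None
            return pkt  # sloppy: non-masqueraded routing straight to an inside address
        fwd = self.port_forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        if self.strict:
            entry = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        else:
            # sloppy: matches on the external port alone, ignoring which peer sent it
            entry = next((v for (p, _, _), v in self.in_table.items() if p == pkt.dst_port), None)
        if entry is None:
            self.log.append(f"DROP inbound: unsolicited packet to port {pkt.dst_port}")
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


def demo() -> dict:
    """Run the cases discussed in the thread and return the outcomes."""
    ext = "203.0.113.1"
    strict = PatBox(ext, port_forwards={8080: ("192.168.0.10", 80)})
    sloppy = PatBox(ext, strict=False)
    session = Packet("192.168.0.5", 51000, "198.51.100.7", 53)
    out = strict.outbound(session)          # both boxes see the same inside connection
    sloppy.outbound(session)
    reply = Packet("198.51.100.7", 53, ext, out.src_port)      # genuine reply
    stranger = Packet("198.51.100.8", 53, ext, out.src_port)   # same port, different peer
    spoofed = Packet("192.168.0.5", 53, ext, out.src_port)     # private source from outside
    direct = Packet("198.51.100.8", 1234, "192.168.0.5", 22)   # not addressed to the box
    back = strict.inbound(reply)
    return {
        "translated_src": (out.src_ip, out.src_port),
        "reply_to": (back.dst_ip, back.dst_port),
        "forward_to": strict.inbound(Packet("198.51.100.8", 4444, ext, 8080)),
        "strict_stranger": strict.inbound(stranger),
        "strict_spoofed": strict.inbound(spoofed),
        "strict_direct": strict.inbound(direct),
        "sloppy_stranger": sloppy.inbound(stranger),
        "sloppy_spoofed": sloppy.inbound(spoofed),
        "sloppy_direct": sloppy.inbound(direct),
        "strict_log": list(strict.log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In strict mode the three unwanted packets (stranger, spoofed, direct) all end up in the drop log, which is exactly the "stateful packet filter of the same quality" behaviour Tobias describes; in sloppy mode each of them reaches an inside host, which is what "masquerading inbound by mistake" looks like in a table rather than in prose.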