* systemx@madmail.com wrote on Mon, Oct 16, 2000 at 10:15 +0200:
On Tue, 10 Oct 2000 20:47:54 +0800, you wrote:
1) What's the difference between PAT and NAT?
PAT is port address translation and similar to Masquerading. Every connection from inside is translated to a port of (usually?) ONE external (real) IP address. NAT (network address translation) translates IPs to IPs. If you have e.g. ten real IPs, you could allow ten connections. Every internal IP is translated to one external IP. You may translate networks to other networks, e.g. 192.168.0.0/24 to 1.2.3.0/24 or so, which is not very common since you would need a lot of external addresses. But with this method it's possible to connect to such a machine from outside on a different port, which is impossible with simple PAT (but there are ways like the ip_masq_ftp module).
2) I'd like some more information about how secure a (private-IP) intranet is behind a router performing NAT/PAT or similar (which obviously has got a real IP address). My personal thoughts are that if the NAT device isn't implementing any port forwarding to any internal machine, the said machine is safe. Correct?
Well, it's safe like behind a good firewall, yes. But there are still a lot of attack methods. The simplest form is an email worm. Viruses can still intrude with ftp/http transfers of course. A trojan can connect to some attacker (since it's an outgoing connection). If you use unsecured protocols (e.g. telnet) it's possible to do session hijacking; this may be dangerous. Other attacks like DNS spoofing work, and last but not least the entire network is never more secure than the firewall itself; if the firewall gets hacked (by a buggy FTP or similar) you're lost ;) So do not run any services on the firewall, maybe ssh, but not more.
So, the intranet would be safe from external attacks (supposing router access is not granted and its configuration is safe from hackers) without needing a fw or router filters, isn't it?
Well, doing Masquerading is an (implicit) firewall filter rule telling: do not allow connections initiated from outside to inside, only from inside to outside is allowed (inside means the secured network). But that's not the maximum security of course. If you have one trojaned machine inside your network, your security is lost, since the machine is allowed to do anything (connection to an outside attacker, steal data from inside and send it out and so on).
oki, Steffen
--
This message was generated automatically and therefore bears neither signature nor seal.
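Steffen's point that masquerading acts as an implicit "no inbound connections" rule, while 1:1 NAT or an explicit port forward lets outside hosts reach an inside machine, can be modelled in a few lines. The toy translator below is an added illustration, not the poster's code or the Linux ip_masq implementation; all addresses are constructed documentation ranges and the Translator/Packet names are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Translator:
    external_ip: str                       # the ONE real IP that PAT (masquerading) uses
    one_to_one: Dict[str, str] = field(default_factory=dict)   # real IP -> private IP (plain NAT)
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # ext port -> (ip, port)
    sessions: Dict[int, tuple] = field(default_factory=dict)   # ext port -> (inside ep, peer ep)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: 1:1 NAT swaps the address, PAT allocates an external port."""
        for real, private in self.one_to_one.items():
            if pkt.src_ip == private:
                return Packet(real, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[ext_port] = ((pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: translated packet, or None when there is no mapping (dropped)."""
        if pkt.dst_ip in self.one_to_one:          # 1:1 NAT: every port reaches the inside host
            return Packet(pkt.src_ip, pkt.src_port, self.one_to_one[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip != self.external_ip:
            return None
        if pkt.dst_port in self.forwards:          # explicit port forward: the admin opened a hole
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        session = self.sessions.get(pkt.dst_port)
        if session and session[1] == (pkt.src_ip, pkt.src_port):  # reply to a session opened inside
            (ip, port), _ = session
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        return None                                # unsolicited inbound: implicit firewall rule

def demo() -> dict:
    t = Translator(external_ip="198.51.100.1", one_to_one={"203.0.113.5": "192.168.0.5"})
    out = t.outbound(Packet("192.168.0.10", 51000, "192.0.2.80", 80))   # inside host browses out
    return {
        "reply": t.inbound(Packet("192.0.2.80", 80, out.src_ip, out.src_port)),
        "unsolicited_pat": t.inbound(Packet("192.0.2.66", 4444, "198.51.100.1", 23)),
        "unsolicited_nat": t.inbound(Packet("192.0.2.66", 4444, "203.0.113.5", 23)),
    }
```

The reply to the inside-initiated session is translated back, the unsolicited packet to the masqueraded address is dropped, and the same packet aimed at the 1:1 NAT address reaches the inside host on port 23.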