
Why a software firewall?

Anonymous
July 8, 2004 9:31:27 AM

Archived from groups: comp.security.firewalls (More info?)

Forgive me if this question has come up before, but with SP2 on the horizon,
I understand there will be some security enhancements -- although there will
probably be no egress protection. Still, I'm sitting behind a Linksys
wireless router with a home network, run Ad-Aware, Spybot, PestControl,
SpywareBlaster, and Norton 2004 AV and I keep them and Windows XP up to
date. My wife and I are the only users of our two computers, and we practice
safe hex. [Okay we prefer Internet Explorer to Firefox so far] The two
computers each has a copy of ZoneAlarm, but I'm beginning to wonder just
what ZA or any other software firewall is adding to the protection of these
two machines.



Thanks for any comments,



Ma No


July 8, 2004 11:16:19 AM

Archived from groups: comp.security.firewalls (More info?)

On Thu, 08 Jul 2004 05:31:27 GMT, Ma No wrote:

>snip
> The two
> computers each has a copy of ZoneAlarm, but I'm beginning to wonder just
> what ZA or any other software firewall is adding to the protection of these
> two machines.
>
> Thanks for any comments,
>
> Ma No

It will provide you protection from 'outbound' connection attempts.

Regards

Bill
Anonymous
July 8, 2004 2:52:33 PM

Archived from groups: comp.security.firewalls (More info?)

"Ma No" <oneday@at.ime> wrote in message
news:p _4Hc.8720$R36.688@newsread2.news.pas.earthlink.net...
> Forgive me if this question has come up before, but with SP2 on the horizon,
> I understand there will be some security enhancements -- although there will
> probably be no egress protection. Still, I'm sitting behind a Linksys
> wireless router with a home network, run Ad-Aware, Spybot, PestControl,
> SpywareBlaster, and Norton 2004 AV and I keep them and Windows XP up to
> date. My wife and I are the only users of our two computers, and we practice
> safe hex. [Okay we prefer Internet Explorer to Firefox so far] The two
> computers each has a copy of ZoneAlarm, but I'm beginning to wonder just
> what ZA or any other software firewall is adding to the protection of these
> two machines.

My home network is up 24/7 and I only run a NAT router. Of course I use a
good AV program and I run Ad-aware or Spybot every few weeks or so. I've had
no problems and the network has been up for 3 years. Safe computing is your
best defense. Nothing against ZA but I haven't seen the need to consider it.
Anonymous
July 8, 2004 3:12:40 PM

Archived from groups: comp.security.firewalls (More info?)

"Ma No" <oneday@at.ime> wrote in
news:p _4Hc.8720$R36.688@newsread2.news.pas.earthlink.net:

> Forgive me if this question has come up before, but with SP2 on the
> horizon, I understand there will be some security enhancements --
> although there will probably be no egress protection. Still, I'm
> sitting behind a Linksys wireless router with a home network, run
> Ad-Aware, Spybot, PestControl, SpywareBlaster, and Norton 2004 AV and
> I keep them and Windows XP up to date. My wife and I are the only
> users of our two computers, and we practice safe hex. [Okay we prefer
> Internet Explorer to Firefox so far] The two computers each has a copy
> of ZoneAlarm, but I'm beginning to wonder just what ZA or any other
> software firewall is adding to the protection of these two machines.
>
>
>
> Thanks for any comments,
>
>
>
> Ma No
>

It's not typical for a home user but a NAT router can be beaten. If the
machines are doing resource sharing, then ZA should be configured to only
allow traffic on the Windows networking ports from the router's assigned
IP(s). And ZA helps to protect the wireless machines from being attacked.
For the wireless router, a best practice is to only allow the router to
issue DHCP IP(s) for the number of machines you have connected to the
router.

I also like to implement IPsec behind the NAT router and the PFW
solution.

http://www.petri.co.il/block_ping_traffic_with_ipsec.ht...
http://www.analogx.com/contents/articles/ipsec.htm

Duane :) 
Anonymous
July 8, 2004 3:15:40 PM

Archived from groups: comp.security.firewalls (More info?)

"Ma No" <oneday@at.ime> wrote in
news:p _4Hc.8720$R36.688@newsread2.news.pas.earthlink.net:

> Forgive me if this question has come up before, but with SP2 on the
> horizon, I understand there will be some security enhancements --
> although there will probably be no egress protection. Still, I'm
> sitting behind a Linksys wireless router with a home network, run
> Ad-Aware, Spybot, PestControl, SpywareBlaster, and Norton 2004 AV and
> I keep them and Windows XP up to date. My wife and I are the only
> users of our two computers, and we practice safe hex. [Okay we prefer
> Internet Explorer to Firefox so far] The two computers each has a copy
> of ZoneAlarm, but I'm beginning to wonder just what ZA or any other
> software firewall is adding to the protection of these two machines.

Of course, the outbound protection.

If your wireless machines are laptops that are sometimes taken out of the
home, it seems an obvious need.

I have great faith in my Linksys router, but routers are not absolute
protection, and a software firewall is a second layer of protection. The
router may also not function properly, such as the recent difficulties
with BEFSR41 that allowed any Internet user to access the router setup.

Even within the home, I suspect that WinXP is likely to have a flaw
(whether or not currently known) that might allow an attacker in near
proximity (such as next door or in a car in front of your house) to
connect directly to your wireless machine.

--
Tom McCune
My PGP Page & FAQ: http://www.McCune.cc/PGP.htm
Anonymous
July 8, 2004 8:38:12 PM

Archived from groups: comp.security.firewalls (More info?)

On Thu, 08 Jul 2004 05:31:27 GMT, Ma No wrote:

>Forgive me if this question has come up before, but with SP2 on the horizon,
>I understand there will be some security enhancements -- although there will
>probably be no egress protection. Still, I'm sitting behind a Linksys
>wireless router with a home network, run Ad-Aware, Spybot, PestControl,
>SpywareBlaster, and Norton 2004 AV and I keep them and Windows XP up to
>date. My wife and I are the only users of our two computers, and we practice
>safe hex. [Okay we prefer Internet Explorer to Firefox so far] The two
>computers each has a copy of ZoneAlarm, but I'm beginning to wonder just
>what ZA or any other software firewall is adding to the protection of these
>two machines.

The main value of ZoneAlarm to you is probably to report when
something is wanting to go out and access the Internet from both your
computers, without your knowledge.
--

Chris
Anonymous
July 9, 2004 3:14:12 AM

Archived from groups: comp.security.firewalls (More info?)

I can't remember the details of each version of ZA but here goes some
thoughts anyway; ZA, or another PFW can provide:
- application sandboxing and/or execution prevention (& monitoring/logging)
- outbound (IP) traffic protection (ie denying it to happen)
- extra logging
- web filtering - quite a few nasty web pages have nasty code which could
infect your machine from your web browsing.

As you're running a wireless network behind the router, someone in proximity
could go direct to your machines, so running a local/personal firewall is
definitely good practice (and having the relevant rules in place). Better
yet, if you can be bothered, set up IPSec or other VPN for your wireless
network (or run one of the more recent 802.11x wireless standards instead of
"b").
HTH

"Ma No" <oneday@at.ime> wrote in message
news:p _4Hc.8720$R36.688@newsread2.news.pas.earthlink.net...
> Forgive me if this question has come up before, but with SP2 on the horizon,
> I understand there will be some security enhancements -- although there will
> probably be no egress protection. Still, I'm sitting behind a Linksys
> wireless router with a home network, run Ad-Aware, Spybot, PestControl,
> SpywareBlaster, and Norton 2004 AV and I keep them and Windows XP up to
> date. My wife and I are the only users of our two computers, and we practice
> safe hex. [Okay we prefer Internet Explorer to Firefox so far] The two
> computers each has a copy of ZoneAlarm, but I'm beginning to wonder just
> what ZA or any other software firewall is adding to the protection of these
> two machines.
>
>
>
> Thanks for any comments,
>
>
>
> Ma No
>
>
>
>
Anonymous
July 9, 2004 9:01:51 AM

Archived from groups: comp.security.firewalls (More info?)

>> It's not typical for a home user but a NAT router can be beaten.

Duane:

How so?

TIA
Anonymous
July 9, 2004 2:24:19 PM

Archived from groups: comp.security.firewalls (More info?)

"CZ" <CZ@no99spam.com> wrote in news:3FpHc.820$hA3.480
@newssvr22.news.prodigy.com:

>>> It's not typical for a home user but a NAT router can be beaten.
>
> Duane:
>
> How so?
>
> TIA
>
>
>

There was a post in this NG about a Watch Guard article on *Busting the
NAT Myth* which I replied to the post. I got that email from WG too, but
I can not post the content of the email due to proprietary reasons.

So if you search for my name in the history, you may be able to locate on
that thread and the reply post I made. A NAT router can be attacked and
beaten by *hackers* and they do go after them. This post was made two to
four weeks ago so the thread should be there.

Duane :) 
July 9, 2004 3:26:05 PM

Archived from groups: comp.security.firewalls (More info?)

On Fri, 09 Jul 2004 05:01:51 GMT, CZ wrote:

>>> It's not typical for a home user but a NAT router can be beaten.
>
> Duane:
>
> How so?
>
> TIA

This is probably the article that Duane is pointing you to:
http://snipurl.com/7mq3

Regards

Bill
Anonymous
July 9, 2004 5:02:32 PM

Archived from groups: comp.security.firewalls (More info?)

"phoenix" <phoenix@fakeaddress.invalid> wrote in message
news:10hq3a0wv3gw6$.dlg@phoenix-systems.uk.com...
> On Fri, 09 Jul 2004 05:01:51 GMT, CZ wrote:
>
> >>> It's not typical for a home user but a NAT router can be beaten.
> >
> > Duane:
> >
> > How so?
> >
> > TIA
>
> This is probably the article that Duane is pointing you to:
> http://snipurl.com/7mq3
>
> Regards
>
> Bill

hmmmmm....

I don't know why this article was written but it makes some assumptions of
NAT devices that, at least in my case, just aren't true. I have my NAT
router setup so that it will not respond to a ping. It will not allow remote
operation. It is not in the DMZ mode. All ports are in stealth mode. I do
not run any other firewalls, and my network is up 24/7 without issue. If you
feel that you need extra protection then go for it but I don't.
Anonymous
July 9, 2004 7:01:11 PM

Archived from groups: comp.security.firewalls (More info?)

On Fri, 09 Jul 2004 11:26:05 +0000, phoenix wrote:

> On Fri, 09 Jul 2004 05:01:51 GMT, CZ wrote:
>
>>>> It's not typical for a home user but a NAT router can be beaten.
>>
>> Duane:
>>
>> How so?
>>
>> TIA
>
> This is probably the article that Duane is pointing you to:
> http://snipurl.com/7mq3
>
> Regards
>
> Bill

FUD created by a firewall manufacturer.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
July 9, 2004 8:37:20 PM

Archived from groups: comp.security.firewalls (More info?)

On Fri, 09 Jul 2004 15:01:11 +0100, Nigel Wade wrote:

> On Fri, 09 Jul 2004 11:26:05 +0000, phoenix wrote:
>
>> On Fri, 09 Jul 2004 05:01:51 GMT, CZ wrote:
>>
>>>>> It's not typical for a home user but a NAT router can be beaten.
>>>
>>> Duane:
>>>
>>> How so?
>>>
>>> TIA
>>
>> This is probably the article that Duane is pointing you to:
>> http://snipurl.com/7mq3
>>
>> Regards
>>
>> Bill
>
> FUD created by a firewall manufacturer.

Maybe. Is NAT impregnable then?

Regards

Bill
July 10, 2004 12:32:42 AM

Archived from groups: comp.security.firewalls (More info?)

On Fri, 9 Jul 2004 13:02:32 -0400, jch wrote:

> "phoenix" <phoenix@fakeaddress.invalid> wrote in message
> news:10hq3a0wv3gw6$.dlg@phoenix-systems.uk.com...
>> On Fri, 09 Jul 2004 05:01:51 GMT, CZ wrote:
>>
>>>>> It's not typical for a home user but a NAT router can be beaten.
>>>
>>> Duane:
>>>
>>> How so?
>>>
>>> TIA
>>
>> This is probably the article that Duane is pointing you to:
>> http://snipurl.com/7mq3
>>
>> Regards
>>
>> Bill
>
> hmmmmm....
>
> I don't know why this article was written but it makes some assumptions of
> NAT devices that, at least in my case, just aren't true. I have my NAT
> router setup so that it will not respond to a ping. It will not allow remote
> operation. It is not in the DMZ mode. All ports are in stealth mode. I do
> not run any other firewalls, and my network is up 24/7 without issue. If you
> feel that you need extra protection then go for it but I don't.

hmmmmm......

You seem to be making assumptions that I agree with the article. I was
merely pointing the questioner to what I *think* was the article that Duane
was referring to, it was to save the poster wading through the news group.

BTW, my network is also behind a NAT router and has been for the last four
years, it is also on 24/7 and not had any problems.

Regards

Bill
Anonymous
July 10, 2004 12:40:45 AM

Archived from groups: comp.security.firewalls (More info?)

Re: article about NAT being insecure:
http://www.webservertalk.com/message264707.html

Duane:

Quotes are from the article:

"Since NAT is designed to do the best it can to allow traffic in, any
security benefits it provides are mere side-effects."

Wrong: One-to-many NAT/PAT is designed to drop unsolicited inbound traffic,
and this provides significant security.

"Exploiting open ports. For port-based NAT, once a NAT device opens a port
by putting it in the NAT table, all traffic destined to that port is
allowed through to the local computer identified in the table."

Incomplete: For TCP, hacker must also use the correct sequence number, or
the inside computer should reject it with a RST ACK response packet.

"Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone
with sufficient technical knowledge, using hacking tools freely available
on the Internet, can put another user's IP address in the "From" (source)
field of packets. Since NAT relies on analyzing addresses, false
addresses compromise NAT devices easily"

Incomplete: Hacker's packet must survive the port table match, and there is
the sequence number issue.
Note that XP's ICF firewall will stop source address spoofing.

"Default remote access. Many NAT devices leave a port open to the public
Internet, to allow remote administration. The port is protected by a
password."

Some may, but many? And, all you have to do is close the port via s/w
setting or a f/w rule, and change the password.

"NAT devices were not designed to be true security devices, so they have a
weak security stance. For example, a hacker can send an "anybody there?"
message, called a ping, to millions of addresses. Firewalls recognize
ping and hide themselves. NAT devices respond, letting the hacker know
he's found a live connection. NAT devices don't do any egress filtering,
either. So clearly, a NAT device is not a full security solution."

Quality end user NAT-routers should have firewall rules to handle this. My
Netgear is full stealth on the WAN port, including not responding to ICMP
packets.

"Don't get us wrong. We like NAT."

Then try to be more objective about all of the functions "normally"
available in a NAT/PAT device.

"Authenticating connections. A NAT device checks only the source IP
address, destination IP address, and related port numbers to decide if
traffic is valid. A real firewall goes further. In addition to IP address
and port information, the firewall also checks, for example, the sequence
number of the packet for duplicates or out-of-bound values (hackers try
to recycle an existing packet header with different data inside). Other
firewall verification steps include user authentication, packet content
inspection (e.g., does this HTTP packet really contain HTTP
information?), and checking the IPs against black-listed sites."

So, now we are discussing circuit level gateway and application level
filtering. True, NAT does not do it and most end users/SOHO will not pay
for it (MS's ISA does it for about $1,500 US for the software only)

"Controlling outbound traffic. Any defense offered by a NAT device deals
only with inbound connections. Firewalls offer egress filtering -- the
ability to close outgoing connections."

My inexpensive Netgear RT314 NAT-router has very strong f/w rules for egress
& ingress filtering on both the LAN port and on the WAN port.

Duane:
IMO, that is a very biased, misleading, and useless article overall.
NAT/PAT by itself provides a usable/practical type of protection (though you
should have more than just NAT).
It is very self-serving to discuss NAT by itself, and to not also discuss
other security features that may be available in the device.

BTW, SysLog via the WAN port of my Netgear RT314 recorded about 1,000 hits
in 6 hrs several days ago.
Most were pings. All were dropped (no response sent). LinkSys products may
have problems doing this (I avoid LinkSys routers).
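
An added example, not part of any poster's message: a toy Python model of the one-to-many NAT/PAT port table discussed in the post above, next to the per-program outbound check that other posters credit to ZoneAlarm. The class names, the `endpoint_dependent` switch and every address and program name are constructed for illustration; real routers differ in how strictly they match the remote sender.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class PatRouter:
    """Toy one-to-many NAT/PAT: inbound packets pass only if they match the table."""
    wan_ip: str
    endpoint_dependent: bool = True   # also require the sender to be the contacted peer
    next_port: int = 40000
    # (proto, wan_port) -> (inside endpoint, remote endpoint the inside host contacted)
    table: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an inside flow. No policy here: NAT alone does no egress filtering."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(proto, wan_port)] = (src, dst)
        return (self.wan_ip, wan_port)

    def inbound(self, proto: str, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Return the inside endpoint to forward to, or None if the packet is dropped."""
        entry = self.table.get((proto, dst_port))
        if entry is None:
            return None               # unsolicited: no mapping exists for this port
        inside, remote = entry
        if self.endpoint_dependent and src != remote:
            return None               # mapped port, but the sender is not the peer
        return inside                 # the inside host's TCP stack still checks sequence numbers


@dataclass
class HostFirewall:
    """Toy personal firewall: per-program outbound allow-list plus a denial log."""
    allowed_programs: Set[str]
    denied: List[Tuple[str, Endpoint]] = field(default_factory=list)

    def permit_outbound(self, program: str, dst: Endpoint) -> bool:
        if program in self.allowed_programs:
            return True
        self.denied.append((program, dst))   # what the user gets alerted about
        return False


def run_scenarios(endpoint_dependent: bool = True) -> dict:
    """Replay four constructed flows and report what each layer decides."""
    router = PatRouter("203.0.113.10", endpoint_dependent=endpoint_dependent)
    pfw = HostFirewall(allowed_programs={"iexplore.exe"})
    pc, web = ("192.168.1.100", 1045), ("198.51.100.20", 80)
    stranger, unknown_dst = ("192.0.2.77", 5000), ("198.51.100.50", 6667)

    out = {"unsolicited_udp_1434": router.inbound("udp", stranger, 1434)}
    _, wan_port = router.outbound("tcp", pc, web)            # browser opens a session
    out["reply_from_server"] = router.inbound("tcp", web, wan_port)
    out["third_party_to_mapped_port"] = router.inbound("tcp", stranger, wan_port)
    # An unrecognised program on the PC tries to connect out.
    out["host_firewall_permits"] = pfw.permit_outbound("unknown.exe", unknown_dst)
    translated = router.outbound("tcp", (pc[0], 1046), unknown_dst)
    out["router_would_translate"] = translated[0] == router.wan_ip
    out["denied_log"] = list(pfw.denied)
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("endpoint_dependent =", mode, run_scenarios(mode))
```

With `endpoint_dependent=False` the model matches on the mapped port only, which is the behaviour the quoted article describes; with `True` it also requires the sender to be the contacted peer. In both modes the router translates the unknown program's outbound connection, and only the host firewall denies and logs it.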
Anonymous
July 10, 2004 12:44:31 AM

Archived from groups: comp.security.firewalls (More info?)

>> Is NAT impregnable then?

phoenix:

IMO, any technology has the possibility of being compromised.

I think you are far more likely to be compromised via active content in web
pages/email than you are via "holes" in NAT.
Anonymous
July 10, 2004 12:50:42 AM

Archived from groups: comp.security.firewalls (More info?)

>> BTW, my network is also behind a NAT router and has been for the last four
>> years, it is also on 24/7 and not had any problems.

Bill:

Same is true for my setup.

What the article does not mention, is the amount of knowledge, experience,
patience, cussing, etc. that occurs when you use a multilayer
firewall/cache/proxy server product like MS's ISA.

BTW, I prefer to run the ISA server behind a standalone NAT-router <G>
July 10, 2004 1:09:34 AM

Archived from groups: comp.security.firewalls (More info?)

On Fri, 09 Jul 2004 20:50:42 GMT, CZ wrote:

>>> BTW, my network is also behind a NAT router and has been for the last four
>>> years, it is also on 24/7 and not had any problems.
>
> Bill:
>
> Same is true for my setup.
>
> What the article does not mention, is the amount of knowledge, experience,
> patience, cussing, etc. that occurs when you use a multilayer
> firewall/cache/proxy server product like MS's ISA.

Yes, as I've recently found out.
>
> BTW, I prefer to run the ISA server behind a standalone NAT-router <G>

Me too. :-)

Regards

Bill
July 10, 2004 1:10:50 AM

Archived from groups: comp.security.firewalls (More info?)

On Fri, 09 Jul 2004 20:44:31 GMT, CZ wrote:

>>> Is NAT impregnable then?
>
> phoenix:
>
> IMO, any technology has the possibility of being compromised.
>
> I think you are far more likely to be compromised via active content in web
> pages/email than you are via "holes" in NAT.

Yes, I would agree with both of those statements. I was really just
dropping some 'bait' to see if we could get a more expansive response.

Regards

Bill
Anonymous
July 10, 2004 1:43:04 AM

Archived from groups: comp.security.firewalls (More info?)

> BTW, I prefer to run the ISA server behind a standalone NAT-router <G>

Me too. :-)

Bill:

Makes you appreciate those simple, but effective NAT-routers!
Anonymous
July 10, 2004 3:40:55 AM

Archived from groups: comp.security.firewalls (More info?)

"CZ" <CZ@no99spam.com> wrote in news:IjEHc.935$Mi7.769
@newssvr22.news.prodigy.com:

>> BTW, I prefer to run the ISA server behind a standalone NAT-router <G>
>
> Me too. :-)
>
> Bill:
>
> Makes you appreciate those simple, but effective NAT-routers!
>
>
>

I have certainly seen a couple probes come through the Linksys router at
port 1434 SQL server like the NAT router was not even there. The port was
not being forwarded either. BlackIce didn't react on the desktop or
laptop for no reason and reported the events with the desktop that is on
24/7 and the laptop that was on 24/7 at the time both having SQL Server
running. I have also seen at least one other person report on a probe
coming past the NAT router.

Duane :) 
Anonymous
July 10, 2004 5:06:49 AM

Archived from groups: comp.security.firewalls (More info?)

>> I have certainly seen a couple probes come through the Linksys router at
>> port 1434 SQL server like the NAT router was not even there.

Duane:

That is why I avoid LinkSys routers!! <G>
Anonymous
July 10, 2004 5:32:04 PM

Archived from groups: comp.security.firewalls (More info?)

The bottom line here is that I don't trust the NAT router and that's why I
have a WG sitting there instead of a NAT router -- any NAT router.

Duane :) 
Anonymous
July 11, 2004 4:42:52 AM

Archived from groups: comp.security.firewalls (More info?)

Duane:

>> I have certainly seen a couple probes come through the Linksys router at
>> port 1434 SQL server like the NAT router was not even there. The port was
>> not being forwarded either. BlackIce didn't react on the desktop or
>> laptop for no reason and reported the events with the desktop that is on
>> 24/7 and the laptop that was on 24/7 at the time both having SQL Server
>> running. I have also seen at least one other person report on a probe
>> coming past the NAT router.

But you had a LinkSys router, and possibly the other user may have had one.
IMO, there are better quality end-user NAT-routers than LinkSys. So, we can
say that the NAT on a LinkSys router passed an outside initiated packet. My
Netgear NAT-router has been on 24x7 for a number of years, and BID has never
recorded a passed packet. Other setups that I have monitored have never
passed a packet that I know of.
I would "blame" LinkSys, and not NAT.

>> The bottom line here is that I don't trust the NAT router and that's why I
>> have a WG sitting there instead of a NAT router -- any NAT router.

Both the Firebox X500 and Firebox X700 have a NAT.
Anonymous
July 11, 2004 5:19:17 AM

Archived from groups: comp.security.firewalls (More info?)

"CZ" <CZ@no99spam.com> wrote in message
news:g20Ic.1262$gz6.1035@newssvr22.news.prodigy.com...
> Duane:
>
> >> I have certainly seen a couple probes come through the Linksys router at
> >> port 1434 SQL server like the NAT router was not even there. The port was
> >> not being forwarded either. BlackIce didn't react on the desktop or
> >> laptop for no reason and reported the events with the desktop that is on
> >> 24/7 and the laptop that was on 24/7 at the time both having SQL Server
> >> running. I have also seen at least one other person report on a probe
> >> coming past the NAT router.
>
> But you had a LinkSys router, and possibly the other user may have had one.

No, the other user had a Netgear. :) 

> IMO, there are better quality end-user NAT-routers than LinkSys. So, we can
> say that the NAT on a LinkSys router passed an outside initiated packet. My
> Netgear NAT-router has been on 24x7 for a number of years, and BID has never
> recorded a passed packet. Other setups that I have monitored have never
> passed a packet that I know of.
> I would "blame" LinkSys, and not NAT.

I still use the Linksys as wireless/wire switch.

>
> >> The bottom line here is that I don't trust the NAT router and that's why I
> >> have a WG sitting there instead of a NAT router -- any NAT router.
>
> Both the Firebox X500 and Firebox X700 have a NAT.

The WG(s) have a true FW too. I'll put it to you this way. I don't trust
any low-end NAT router.

Duane :) 
Anonymous
July 11, 2004 8:54:08 AM

Archived from groups: comp.security.firewalls (More info?)

On Sun, 11 Jul 2004 00:42:52 GMT, "CZ" <CZ@no99spam.com> wrote:

>Duane:
>
>>> I have certainly seen a couple probes come through the Linksys router at
>port 1434 SQL server like the NAT router was not even there. The port was
>not being forwarded either. BlackIce didn't react on the desktop or
>laptop for no reason and reported the events with the desktop that is on
>24/7 and the laptop that was on 24/7 at the time both having SQL Server
>running. I have also seen at least one other person report on a probe
>coming past the NAT router.
>
>But you had a LinkSys router, and possibly the other user may have had one.
>IMO, there are better quality end-user NAT-routers than LinkSys. So, we can
>say that the NAT on a LinkSys router passed an outside initiated packet. My
>Netgear NAT-router has been on 24x7 for a number of years, and BID has never
>recorded a passed packet. Other setups that I have monitored have never
>passed a packet that I know of.
>I would "blame" LinkSys, and not NAT.

I never saw that problem with a Linksys BEFSR41. And I hadn't yet
forwarded the MS-SQL ports during the heyday of SQL attacks.

--
APPEAL, v.t. In law, to put the dice into the box for another throw.

- Ambrose Bierce
Anonymous
July 14, 2004 3:25:34 PM

Archived from groups: comp.security.firewalls (More info?)

On Fri, 09 Jul 2004 16:37:20 +0000, phoenix wrote:

> On Fri, 09 Jul 2004 15:01:11 +0100, Nigel Wade wrote:
>
>> On Fri, 09 Jul 2004 11:26:05 +0000, phoenix wrote:
>>
>>> On Fri, 09 Jul 2004 05:01:51 GMT, CZ wrote:
>>>
>>>>>> It's not typical for a home user but a NAT router can be beaten.
>>>>
>>>> Duane:
>>>>
>>>> How so?
>>>>
>>>> TIA
>>>
>>> This is probably the article that Duane is pointing you to:
>>> http://snipurl.com/7mq3
>>>
>>> Regards
>>>
>>> Bill
>>
>> FUD created by a firewall manufacturer.
>
> Maybe. Is NAT impregnable then?
>

No. I didn't say it was. My comment was on the article, not on NAT.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555