Volker Birk <bumens@dingens.org> writes:
> Leythos <void@nowhere.lan> wrote:
> > the NAT device will protect
> > the user regardless of the settings in the Windows Firewall
>
> The Windows-Firewall will protect the user regardless of the settings
> of the NAT device. So what?
Harder to crash, harder to disable, something separate to have to
disable. Security in depth.
> And the user is managing the NAT router, too. So what?
A vast majority of users are set and forget types, and if there's no
easy way to get at it, it won't ever BE disabled.
> If the computer of the user is compromised already, _every_ "Firewall"
> is useless now. Also a NAT router cannot protect a PC, which is
> compromised already.
To borrow your type of discussing, let me say:
This is nonsense.
A NAT router certainly can protect a compromised PC. Consider the
common case of malware opening a listener as a back door. It's
awfully hard to connect to that listener if there's an added layer of
firewalling that prevents a remote attacker from seeing past the
router to get to the listening back door.
More sophisticated malware, of course, does exist whereby an active
outbound connection is made to join a botnet, or make another remote
control connection. However, to say that a NAT router cannot ever
protect a compromised PC is indeed nonsense.
The value of multi-layer protection or defense in depth is
lost on you.
The whole point of this discussion is that various classes of threats
are mitigated by each tool, and both software and hardware firewalls
are a prudent complementary solution as part of a protection
strategy.
Best Regards,
--
Todd H.
http://www.toddh.net/
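
Added example, not part of the original post: a toy model of the NAT behaviour argued over in this thread, showing that an unsolicited inbound connection to a listener on the LAN host has no mapping to follow, while a flow the host opens outbound creates one. The `NatRouter` class, addresses and ports are constructed for illustration, and the model assumes a port-restricted mapping with no port forwards or UPnP configured.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Toy NAPT device: an inbound packet is forwarded only if it matches a
    mapping created earlier by an outbound packet from the LAN.
    Assumption: port-restricted mapping, no static forwards, no UPnP."""
    public_ip: str
    next_port: int = 40000
    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host initiates a flow; the router allocates a public port."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN endpoint the packet is forwarded to, or None (drop)."""
        return self.table.get((public_port, remote_ip, remote_port))


def demo():
    nat = NatRouter(public_ip="203.0.113.10")   # constructed addresses
    pc = "192.168.1.20"

    # Case 1: something on the PC listens on TCP 5555 (constructed port).
    # A remote host sends a SYN to the router's public address on that port.
    # No outbound packet ever created a mapping, so the router drops it.
    to_listener = nat.inbound("198.51.100.7", 50000, 5555)

    # Case 2: the PC opens a connection outbound; replies on that flow pass.
    pub = nat.outbound(pc, 49152, "198.51.100.7", 443)
    reply = nat.inbound("198.51.100.7", 443, pub)

    # Case 3: a different remote host aiming at the same public port is dropped.
    stranger = nat.inbound("198.51.100.99", 443, pub)
    return to_listener, reply, stranger


if __name__ == "__main__":
    print(demo())
```

Case 2 is why the host firewall still matters as a second layer: the router has no basis for refusing a flow the LAN host itself initiates, so outbound filtering has to happen elsewhere.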