RE: IPv6 NAT?


 



> You know of an O/S that is not vulnerable to malware attacks? Please let me know
> the name, I haven't encountered one professionally since I was using OpenGenera
> in '95 and that was only secure because we had a more or less complete list with
> the names of every person who had ever successfully managed to learn the beast.

Very few software products can be considered perfect. However, NAT and basic stateful firewalls only protect against a specific category of attacks, the arrival of unsolicited connection requests through the network. Most mainline operating systems have built-in protection against such attacks. Windows XP-SP2 and Windows Vista certainly do. They come with a built-in firewall that will, by default, prevent incoming traffic on all ports. I understand that recent Linux distributions and recent versions of OS/X have similar protections.

Attacking ports by sending random packets is very much a 2003 story. Modern malware typically works by exploiting users' naiveté, bugs in document parsers, or a combination of both. An example of user naiveté would be to ask users to download a special media player to look at frolicking bodies. An example of exploiting document parsers would be to lure users to visit a malevolent web site, and have them open a booby-trapped image or movie.

The typical NAT or stateful firewall offers no protection against document parsing bugs. That is a good thing. If firewalls tried to do that, they would have to incorporate a large amount of document parsing code, and would most probably become a target for their own parsing bugs. Of course, no amount of electronics will protect against users intent on downloading a very special media player...

-- Christian Huitema




_______________________________________________

Ietf@xxxxxxxx
http://www.ietf.org/mailman/listinfo/ietf

