[134828] in North American Network Operators' Group


Re: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (Tarig Ahmed)
Wed Jan 12 09:22:42 2011

From: Tarig Ahmed <tariq198487@hotmail.com>
To: Nick Hilliard <nick@foobar.org>
In-Reply-To: <4D2DB3BA.90308@foobar.org>
Date: Wed, 21 Mar 2007 13:25:58 +0300
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

In fact our firewall is stateful.
This is why I thought we do not need to NAT, at least for our servers.


Tarig Yassin Ahmed


On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick@foobar.org> wrote:

> On 21/03/2007 09:41, Tarig Ahmed wrote:
>> Is it true that NAT can provide more security?
>
> No.
>
> Your security person is probably confusing NAT with firewalling, as  
> NAT devices will intrinsically do firewalling of various forms,  
> sometimes stateful, sometimes not.  Stateful firewalling _may_  
> provide more security in some situations for low bandwidth  
> applications, at least before you're hit by a DoS attack;  for high  
> bandwidth applications, stateful firewalling is usually a complete  
> waste of time.
>
> Your security guy will probably say that a private IP address will  
> give better protection because it's not reachable on the internet.   
> But the reality is if you have 1:1 NAT to a server port, then you  
> have reachability and his argument becomes substantially invalid.   
> Most security problems are going to be related to poor coding anyway  
> (XSS, improper data validation, etc), rather than port reachability,  
> which is easy to fix.
>
> Unfortunately, many security people from large organisations do not  
> appreciate these arguments, but instead write their own and other  
> people's opinions down and call them "policy".  Changing policy can  
> be difficult.
>
> Nick
>
>

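As an added illustration of the point Nick makes above (this is example configuration, not something either poster supplied), here is an nftables ruleset for a gateway in front of a web server, first with the server on a public address and then with optional 1:1 NAT. The addresses 203.0.113.10 and 192.168.10.10 and the interface names "wan" and "lan" are assumed example values.

```nftables
# Added example, not from the thread. Assumed values: 203.0.113.10 is the
# public address, 192.168.10.10 the server's inside address, "wan"/"lan" the
# gateway's upstream and inside interfaces.

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept   # return traffic for tracked flows
        ct state invalid drop
        # Without NAT the server answers on 203.0.113.10. With 1:1 NAT it answers
        # on 192.168.10.10 and packets arrive here already translated (dnat runs
        # in prerouting, before forward). Either way, this rule alone decides
        # which ports are reachable from the outside; the address does not.
        iifname "wan" oifname "lan" ip daddr { 203.0.113.10, 192.168.10.10 } tcp dport { 80, 443 } ct state new accept
        iifname "lan" oifname "wan" ct state new accept   # inside hosts may start connections out
    }
}

# Optional 1:1 NAT. It rewrites addresses; it does not change the filter
# decision above. Every port the forward chain accepts for 192.168.10.10 is
# exactly as reachable through 203.0.113.10 as it would be without NAT.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "wan" ip daddr 203.0.113.10 dnat to 192.168.10.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan" ip saddr 192.168.10.10 snat to 203.0.113.10
    }
}
```

To see the thesis in the ruleset, replace the `tcp dport { 80, 443 }` rule with one that accepts all new traffic to 192.168.10.10: the server keeps its private address, yet every listening port on it becomes reachable via 203.0.113.10.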
