[134831] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (ML)
Wed Jan 12 09:52:43 2011
Date: Wed, 12 Jan 2011 09:52:39 -0500
From: ML <ml@kenweb.org>
To: nanog@nanog.org
In-Reply-To: <BLU0-SMTP110859506F1CE43A5E38007BBF10@phx.gbl>
Reply-To: ml@kenweb.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 3/21/2007 6:25 AM, Tarig Ahmed wrote:
> In fact our firewall is stateful.
> This is why I thought we don't need to NAT, at least for our servers.
>
>
> Tarig Yassin Ahmed
>
>
> On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick@foobar.org> wrote:
>
>> On 21/03/2007 09:41, Tarig Ahmed wrote:
>>> Is it true that NAT can provide more security?
>>
>> No.
>>
>> Your security person is probably confusing NAT with firewalling, as
>> NAT devices will intrinsically do firewalling of various forms,
>> sometimes stateful, sometimes not. Stateful firewalling _may_ provide
>> more security in some situations for low bandwidth applications, at
>> least before you're hit by a DoS attack; for high bandwidth
>> applications, stateful firewalling is usually a complete waste of time.
>>
>> Your security guy will probably say that a private IP address will
>> give better protection because it's not reachable on the internet. But
>> the reality is if you have 1:1 NAT to a server port, then you have
>> reachability and his argument becomes substantially invalid. Most
>> security problems are going to be related to poor coding anyway (XSS,
>> improper data validation, etc), rather than port reachability, which
>> is easy to fix.
>>
>> Unfortunately, many security people from large organisations do not
>> appreciate these arguments, but instead write their own and other
>> people's opinions down and call them "policy". Changing policy can be
>> difficult.
>>
>> Nick
>>
>>
>
Tarig is sending email from the past. Spooky.
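A toy model of the point Nick makes above, added here and not code from the thread: with a 1:1 mapping the "private" server is exactly as reachable as a public-addressed one, and the set of ports an outsider can reach is decided by the filtering policy alone. All addresses, ports and flows are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulFirewall:
    """Toy stateful firewall with optional 1:1 (static) NAT in front of it."""
    allow_inbound: frozenset                         # ports policy opens to new inbound connections
    static_nat: dict = field(default_factory=dict)   # public ip -> private ip (all ports, 1:1)
    state: set = field(default_factory=set)          # flows opened from the inside

    def outbound(self, pkt: Packet) -> None:
        """Record a flow an inside host initiated so its return traffic is admitted."""
        self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet):
        """Return the packet as delivered to the inside host, or None if dropped."""
        # 1:1 NAT only renames the target: every port of the public address maps to
        # the same port of the private one, so translation never denies anything.
        inside_ip = self.static_nat.get(pkt.dst_ip, pkt.dst_ip)
        delivered = Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port)
        if (inside_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state:
            return delivered                         # reply to a connection opened from inside
        if pkt.dst_port in self.allow_inbound:
            return delivered                         # unsolicited, but policy permits it
        return None                                  # the policy, not the address, denies it


def reachable_ports(fw: StatefulFirewall, public_ip: str, probe_ports) -> set:
    """Ports on public_ip that an unsolicited outside connection reaches (constructed probe)."""
    return {p for p in probe_ports
            if fw.inbound(Packet("198.51.100.7", 40000 + p, public_ip, p)) is not None}


def exposure_with_and_without_nat(policy, probe_ports=(22, 80, 443, 3306)):
    """Same policy, once with a NATed private server and once with a public-addressed one.
    Addresses are constructed sample values (RFC 5737 / RFC 1918 ranges)."""
    nat_fw = StatefulFirewall(frozenset(policy), {"203.0.113.10": "10.0.0.10"})
    plain_fw = StatefulFirewall(frozenset(policy))
    return (reachable_ports(nat_fw, "203.0.113.10", probe_ports),
            reachable_ports(plain_fw, "203.0.113.10", probe_ports))
```

Whatever policy you feed in, both tuples come back identical: the mapping grants reachability, and only the filter rules take it away.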