[134833] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (=?ISO-8859-1?Q?Lor=E1nd_Jakab?=)
Wed Jan 12 10:01:21 2011
Date: Wed, 12 Jan 2011 16:01:15 +0100
From: =?ISO-8859-1?Q?Lor=E1nd_Jakab?= <ljakab@ac.upc.edu>
To: nanog@nanog.org
In-Reply-To: <4D2DB3BA.90308@foobar.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 01/12/2011 02:59 PM, Nick Hilliard wrote:
> On 21/03/2007 09:41, Tarig Ahmed wrote:
>> Is it true that NAT can provide more security?
>
> No.
>
> [snip]
>
> Your security guy will probably say that a private IP address will
> give better protection because it's not reachable on the internet.
> But the reality is if you have 1:1 NAT to a server port, then you have
> reachability and his argument becomes substantially invalid.
This setup will provide *less* security. Apart from the DoS scenario,
should your public facing server get compromised, you have given easy
access to your private infrastructure.
-Lorand Jakab
