[134835] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Greg Ihnen)
Wed Jan 12 10:38:23 2011
From: Greg Ihnen <os10rules@gmail.com>
In-Reply-To: <BLU0-SMTP110859506F1CE43A5E38007BBF10@phx.gbl>
Date: Wed, 12 Jan 2011 11:06:37 -0430
To: Tarig Ahmed <tariq198487@hotmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
+1 on Nick's comment. If you're doing 1:1 NAT or port forwarding your server is still public facing.
If your firewall is merely stateful and not deep packet inspecting, all it's doing is seeing that the statefulness of the connection meets its requirements. You could have that and still have all kinds of naughtiness going on.
Greg
On Mar 21, 2007, at 6:25 AM, Tarig Ahmed wrote:
> In fact our firewall is stateful.
> This is why I thought we do not need to NAT, at least for our servers.
>
> Tarig Yassin Ahmed
>
> On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick@foobar.org> wrote:
>
>> On 21/03/2007 09:41, Tarig Ahmed wrote:
>>> Is it true that NAT can provide more security?
>>
>> No.
>>
>> Your security person is probably confusing NAT with firewalling, as NAT devices will intrinsically do firewalling of various forms, sometimes stateful, sometimes not. Stateful firewalling _may_ provide more security in some situations for low bandwidth applications, at least before you're hit by a DoS attack; for high bandwidth applications, stateful firewalling is usually a complete waste of time.
>>
>> Your security guy will probably say that a private IP address will give better protection because it's not reachable on the internet. But the reality is if you have 1:1 NAT to a server port, then you have reachability and his argument becomes substantially invalid. Most security problems are going to be related to poor coding anyway (XSS, improper data validation, etc), rather than port reachability, which is easy to fix.
>>
>> Unfortunately, many security people from large organisations do not appreciate these arguments, but instead write their own and other people's opinions down and call them "policy". Changing policy can be difficult.
>>
>> Nick
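As an added example that is not part of the thread (a constructed model, not any vendor's NAT or firewall code), the following Python captures the two points made above: a 1:1 NAT or port forward makes the internal server reachable regardless of its private address, and a stateful-only filter admits every later packet of an established flow on connection state alone, without reading the payload. It also includes an audit helper that lists which internal listeners an arbitrary Internet address can actually reach through a given NAT table and accept-rule set. All addresses, ports and rules are constructed sample data using documentation ranges.

```python
"""Added example (not code from the thread): a toy NAT box with a stateful-only
filter, plus an audit of which internal services the NAT table exposes.
All addresses, ports and rules are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    """Destination NAT. public_port None means 1:1 NAT (every port forwarded)."""
    public_ip: str
    internal_ip: str
    public_port: Optional[int] = None
    internal_port: Optional[int] = None

    def translate(self, dst_ip, dst_port):
        """Post-NAT (internal ip, port) for a public-side destination, or None."""
        if dst_ip != self.public_ip:
            return None
        if self.public_port is None:              # 1:1 NAT: all ports pass through
            return (self.internal_ip, dst_port)
        if dst_port == self.public_port:          # single port forward
            return (self.internal_ip, self.internal_port or dst_port)
        return None


@dataclass(frozen=True)
class AcceptRule:
    """Accept NEW connections from src_net to an internal ip/port (None = any)."""
    src_net: str
    dst_ip: str
    dst_port: Optional[int] = None

    def matches(self, src_ip, dst_ip, dst_port):
        return (ip_address(src_ip) in ip_network(self.src_net)
                and dst_ip == self.dst_ip
                and (self.dst_port is None or self.dst_port == dst_port))


class StatefulFilter:
    """Stateful-only filter: a NEW flow needs a matching accept rule (default
    drop); every later packet of an ESTABLISHED flow is accepted on state alone.
    The payload argument is deliberately never examined."""

    def __init__(self, nat_rules, accept_rules):
        self.nat_rules = nat_rules
        self.accept_rules = accept_rules
        self.conntrack = set()       # (src_ip, src_port, internal_ip, port)

    def handle(self, src_ip, src_port, dst_ip, dst_port, payload=b""):
        """Verdict for a packet arriving on the public side: 'ACCEPT' or 'DROP'."""
        for nat in self.nat_rules:   # pre-routing DNAT
            target = nat.translate(dst_ip, dst_port)
            if target is not None:
                dst_ip, dst_port = target
                break
        else:
            return "DROP"            # no mapping: the private host really is unreachable
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.conntrack:   # ESTABLISHED: state matches, content ignored
            return "ACCEPT"
        if any(r.matches(src_ip, dst_ip, dst_port) for r in self.accept_rules):
            self.conntrack.add(flow) # NEW flow admitted by policy
            return "ACCEPT"
        return "DROP"


def exposed_services(nat_rules, accept_rules, listeners, probe_src="198.51.100.77"):
    """Audit: which internal (ip, port) listeners can an arbitrary Internet address
    reach through the NAT table and accept rules? Anything listed here is public
    facing, private address or not."""
    exposed = set()
    for ip, port in listeners:
        for nat in nat_rules:
            pub = (nat.public_ip, port if nat.public_port is None else nat.public_port)
            if nat.translate(*pub) != (ip, port):
                continue             # this mapping does not land on the listener
            fw = StatefulFilter(nat_rules, accept_rules)
            if fw.handle(probe_src, 40000, *pub) == "ACCEPT":
                exposed.add((ip, port))
    return exposed


# Constructed sample topology (documentation ranges, not real hosts).
NAT_RULES = [
    NatRule("203.0.113.10", "10.0.0.10"),                 # 1:1 NAT to web server
    NatRule("203.0.113.11", "10.0.0.20", 8443, 443),      # port forward to API host
]
ACCEPT_RULES = [
    AcceptRule("0.0.0.0/0", "10.0.0.10", 80),
    AcceptRule("0.0.0.0/0", "10.0.0.10", 443),
    AcceptRule("192.0.2.0/24", "10.0.0.10", 22),          # SSH from management net only
    AcceptRule("0.0.0.0/0", "10.0.0.20", 443),
]
LISTENERS = {("10.0.0.10", 80), ("10.0.0.10", 22), ("10.0.0.10", 3306),
             ("10.0.0.20", 443), ("10.0.0.30", 445)}      # 10.0.0.30 has no NAT mapping


def payload_is_ignored():
    """Once a flow is ESTABLISHED the verdict does not depend on the content."""
    fw = StatefulFilter(NAT_RULES, ACCEPT_RULES)
    first = fw.handle("198.51.100.77", 40001, "203.0.113.10", 80, b"GET / HTTP/1.1")
    later = fw.handle("198.51.100.77", 40001, "203.0.113.10", 80, b"<malformed request>")
    return first == later == "ACCEPT"


if __name__ == "__main__":
    print("Reachable from the Internet:",
          sorted(exposed_services(NAT_RULES, ACCEPT_RULES, LISTENERS)))
    print("Established-flow payload passes unread:", payload_is_ignored())
```

Run against the sample data, the audit reports the web server's port 80 and the API host's port 443 as reachable from the Internet even though both sit on private addresses, while the management-only SSH rule, the unforwarded database port and the host with no NAT mapping are not. The second check shows why a stateful-only filter is no substitute for fixing the application: once the flow is admitted, a well-formed request and a malformed one get the same verdict.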