[134863] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 12 14:15:15 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTi=6u5aWtx6KQpWx02o6qMM-Cnxw+v3MAnPA-Gnp@mail.gmail.com>
Date: Wed, 12 Jan 2011 11:09:31 -0800
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 12, 2011, at 9:04 AM, William Herrin wrote:
> On Wed, Mar 21, 2007 at 5:41 AM, Tarig Ahmed <tariq198487@hotmail.com> wrote:
>> We have a wide range of public IP addresses. I tried to assign a public IP
>> directly to a server behind a firewall (in the DMZ), but I met with resistance.
>> The security guy told me it is not correct to assign a public IP to a server; it
>> should have a private IP for security reasons.
>>
>> Is it true that NAT can provide more security?
>
> Hi Tarig,
>
> Yes NAT can provide more security, but not in the particular scenario
> you described.
>
> In your scenario, the firewall knows how to map incoming connections
> for the public address to your server's private address, so you won't
> see any benefit from NAT versus a merely stateful firewall -- a
> connection request will either get through the filter or it won't. If
> it gets through, the firewall knows where to send it. On the other
> hand, the use of any kind of stateful firewall (most of what we refer
> to as NAT firewalls keep per-connection state) increases your
> vulnerability to denial of services attacks: folks DOSing you can
> target both the server and the firewall's state table. So the use of
> NAT there is potentially counterproductive.
>
> In a client (rather than server) scenario, the picture is different.
> Depending on the specific "NAT" technology in use, the firewall may be
> incapable of selecting a target for unsolicited communications inbound
> from the public Internet. In fact, it may be theoretically impossible
> for it to do so. In those scenarios, the presence of NAT in the
> equation makes a large class of direct attacks on the interior host
> impractical, requiring the attacker to fall back on other methods like
> attempting to breach the firewall itself or indirectly polluting the
> responses to communication initiated by the internal host.
>
No, NAT doesn't provide additional security. The stateful inspection that
NAT cannot operate without provides the security. Take away the
address mangling and the stateful inspection still provides the same
level of security.
Owen
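To make the two positions in this exchange concrete, the following is an added example (not code from either poster, and not any real firewall's implementation) of a toy connection-tracking firewall in Python. It keeps the same state table whether or not address mangling is switched on; the `nat` flag only adds the source rewrite and reverse mapping. The addresses, ports and the `inbound_allow` rule format are constructed for the example. It shows Owen's point (the filtering decision for an unsolicited inbound packet is identical with and without NAT), Herrin's DMZ point (a static map lets a connection through or not exactly like a permit rule) and Herrin's caveat that permitted inbound flows and inside hosts compete for the same state table.

```python
"""Toy stateful firewall with optional NAT: same connection tracking either way."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection request, False for later segments


class StatefulFirewall:
    """Connection tracking in self.states (inside-view 4-tuples). With nat=True the
    source of outbound flows is rewritten to public_ip and a fresh port."""

    def __init__(self, public_ip, nat=False, inbound_allow=None, max_states=1000):
        self.public_ip = public_ip
        self.nat = nat
        # (dst_ip, dport) as seen from outside -> (inside_ip, port) to deliver to.
        # Without NAT both sides are the same address: a plain "permit inbound" rule.
        self.inbound_allow = inbound_allow or {}
        self.max_states = max_states
        self.states = set()   # (src, sport, dst, dport) of flows the inside initiated
        self.nat_fwd = {}     # inside 4-tuple -> allocated public port
        self.nat_rev = {}     # (public_ip, pub_port, dst, dport) -> (inside_ip, port)
        self.next_port = 40000

    def outbound(self, pkt):
        """Packet leaving the inside network. Returns (verdict, packet as sent)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.states:
            if len(self.states) >= self.max_states:
                return "drop: state table full", None
            self.states.add(key)
        if not self.nat:
            return "allow", pkt
        # Address mangling: allocate a public port and remember how to undo it.
        if key not in self.nat_fwd:
            self.nat_fwd[key] = self.next_port
            self.nat_rev[(self.public_ip, self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return "allow", replace(pkt, src=self.public_ip, sport=self.nat_fwd[key])

    def inbound(self, pkt):
        """Packet arriving from the Internet. Returns (verdict, packet as delivered)."""
        # Undo NAT for replies, or apply a static map for a permitted service.
        inside = self.nat_rev.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        target = self.inbound_allow.get((pkt.dst, pkt.dport))
        if inside:
            pkt = replace(pkt, dst=inside[0], dport=inside[1])
        elif target:
            pkt = replace(pkt, dst=target[0], dport=target[1])
        # The check that actually provides the security: is this a reply to a tracked flow?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "allow (established)", pkt
        # Explicitly permitted inbound service (DMZ): admit it and track it.
        if pkt.syn and target:
            if len(self.states) >= self.max_states:
                return "drop: state table full", None
            self.states.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow (permitted service)", pkt
        # Unsolicited and not permitted: nothing to map it to, so it is dropped.
        return "drop: no state", None


def client_scenario(nat):
    """Inside client talks out; an outside host then sends an unsolicited SYN to it."""
    fw = StatefulFirewall("192.0.2.1", nat=nat)
    client = "10.0.0.5" if nat else "192.0.2.5"  # RFC 1918 behind NAT, routable otherwise
    _, sent = fw.outbound(Packet(client, 51000, "203.0.113.10", 443, syn=True))
    reply, _ = fw.inbound(Packet("203.0.113.10", 443, sent.src, sent.sport))
    probe, _ = fw.inbound(Packet("198.51.100.7", 4444, sent.src, 22, syn=True))
    return reply, probe  # identical with and without NAT


def dmz_scenario(nat):
    """Public-facing web server: a static NAT map versus a permit rule on a public address."""
    if nat:
        fw = StatefulFirewall("192.0.2.1", nat=True, inbound_allow={("192.0.2.1", 80): ("10.0.0.80", 80)})
        public = "192.0.2.1"
    else:
        fw = StatefulFirewall("192.0.2.1", nat=False, inbound_allow={("192.0.2.80", 80): ("192.0.2.80", 80)})
        public = "192.0.2.80"
    web, _ = fw.inbound(Packet("198.51.100.7", 4444, public, 80, syn=True))
    ssh, _ = fw.inbound(Packet("198.51.100.7", 4445, public, 22, syn=True))
    return web, ssh  # port 80 gets through either way, port 22 does not either way


def state_exhaustion(max_states=3):
    """Permitted inbound SYNs fill the table the inside hosts depend on."""
    fw = StatefulFirewall("192.0.2.1", nat=True, max_states=max_states,
                          inbound_allow={("192.0.2.1", 80): ("10.0.0.80", 80)})
    for p in range(max_states):
        fw.inbound(Packet("198.51.100.7", 10000 + p, "192.0.2.1", 80, syn=True))
    verdict, _ = fw.outbound(Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True))
    return verdict


if __name__ == "__main__":
    for nat in (True, False):
        print("nat" if nat else "no nat", client_scenario(nat), dmz_scenario(nat))
    print("state table after SYN flood:", state_exhaustion())
```

Running it shows the same verdict pairs with `nat=True` and `nat=False`: the reply to the inside-initiated flow is admitted and the unsolicited probe is dropped because no state matches it, and the DMZ server's port 80 is reachable while port 22 is not. The last line shows the inside client's new connection refused once permitted inbound flows have consumed the state table.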