Is NAT can provide some kind of protection?

ML ml at kenweb.org
Wed Jan 12 14:52:39 UTC 2011


On 3/21/2007 6:25 AM, Tarig Ahmed wrote:
> In fact our firewall is stateful.
> This is why I thought, we no need to Nat at least our servers.
>
>
> Tarig Yassin Ahmed
>
>
> On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick at foobar.org> wrote:
>
>> On 21/03/2007 09:41, Tarig Ahmed wrote:
>>> Is it true that NAT can provide more security?
>>
>> No.
>>
>> Your security person is probably confusing NAT with firewalling, as
>> NAT devices will intrinsically do firewalling of various forms,
>> sometimes stateful, sometimes not. Stateful firewalling _may_ provide
>> more security in some situations for low bandwidth applications, at
>> least before you're hit by a DoS attack; for high bandwidth
>> applications, stateful firewalling is usually a complete waste of time.
>>
>> Your security guy will probably say that a private IP address will
>> give better protection because it's not reachable on the internet. But
>> the reality is if you have 1:1 NAT to a server port, then you have
>> reachability and his argument becomes substantially invalid. Most
>> security problems are going to be related to poor coding anyway (XSS,
>> improper data validation, etc), rather than port reachability, which
>> is easy to fix.
>>
>> Unfortunately, many security people from large organisations do not
>> appreciate these arguments, but instead write their own and other
>> peoples' opinions down and call them "policy". Changing policy can be
>> difficult.
>>
>> Nick
>>
>>
>

Tarig is sending email from the past. Spooky.




More information about the NANOG mailing list