Is NAT can provide some kind of protection?

• Previous message (by thread): Is NAT can provide some kind of protection?
• Next message (by thread): Is NAT can provide some kind of protection?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I hesitate to venture into this thread, but while Owen is correct in the general 
case ("NAT qua NAT provides no more security than a stateful firewall"), there 
is a corner case in which security is improved via NAT.  The case is that of an 
enterprise network which uses 1918 addressing for all internal hosts, and uses 
proxies or other bastions as middleboxes to relay outbound communication.  

The security provided is that in the event of an accidental bridging of "inside" 
and "outside" networks (i.e. engineer plugged a cable between the wrong two 
switches), the hosts will not be able to initiate communication with Internet 
hosts.  Additionally, this same resiliency to accidental bridging does mean that 
the enterprise has a smaller number of possible Internet-facing machines, and 
thus can spend the time and effort to make them more robust.

That benefit is not huge (and not relevant to the typical home user, who is not 
configuring a super-duper scanning proxy server), but it does exist, and it 
certainly fuels some of the pro-NAT feeling I've encountered among customers.
 David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com


      

• Previous message (by thread): Is NAT can provide some kind of protection?
• Next message (by thread): Is NAT can provide some kind of protection?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]