Is NAT can provide some kind of protection?

Nick Hilliard nick at foobar.org
Wed Jan 12 13:59:22 UTC 2011


On 21/03/2007 09:41, Tarig Ahmed wrote:
> Is it true that NAT can provide more security?

No.

Your security person is probably confusing NAT with firewalling, as NAT 
devices will intrinsically do firewalling of various forms, sometimes 
stateful, sometimes not.  Stateful firewalling _may_ provide more security 
in some situations for low bandwidth applications, at least before you're 
hit by a DoS attack;  for high bandwidth applications, stateful firewalling 
is usually a complete waste of time.

Your security guy will probably say that a private IP address will give 
better protection because it's not reachable on the internet.  But the 
reality is if you have 1:1 NAT to a server port, then you have reachability 
and his argument becomes substantially invalid.  Most security problems are 
going to be related to poor coding anyway (XSS, improper data validation, 
etc), rather than port reachability, which is easy to fix.

Unfortunately, many security people from large organisations do not 
appreciate these arguments, but instead write their own and other people's 
opinions down and call them "policy".  Changing policy can be difficult.

Nick
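To make the reachability point concrete, here is an added toy model (not from the original post) of a NAT gateway with a 1:1 port mapping and a stateful filter; the addresses, the mapping and the Packet/NatFirewall names are all constructed for illustration. A packet aimed at the public address and a mapped port reaches the "private" host just as if it were directly addressed, while an unmapped port is only reachable as a reply to an inside-initiated flow.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple; protocol and payload are omitted (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Toy NAT gateway: many-to-one source NAT for outbound traffic,
    a static 1:1 port mapping for inbound traffic, and connection tracking
    so that replies to inside-initiated flows are admitted."""

    def __init__(self, public_ip: str, static_map: dict):
        self.public_ip = public_ip
        # public port -> (private ip, private port), i.e. the "1:1 NAT to a server port"
        self.static_map = static_map
        # (outside ip, outside port, public port) -> inside ip, filled by outbound()
        self.state: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host talks out: rewrite source to the public IP, record state."""
        self.state[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Outside host talks in: returns the translated packet, or None if dropped."""
        if pkt.dst != self.public_ip:
            return None
        # Static mapping: the private address is reachable from the internet
        # regardless of its RFC 1918 number; only the filter policy decides.
        if pkt.dport in self.static_map:
            ip, port = self.static_map[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        # Stateful filtering: admit only replies to flows the inside started
        inside_ip = self.state.get((pkt.src, pkt.sport, pkt.dport))
        if inside_ip is not None:
            return Packet(pkt.src, pkt.sport, inside_ip, pkt.dport)
        return None  # no mapping and no state: dropped


if __name__ == "__main__":
    fw = NatFirewall("203.0.113.10", {443: ("10.0.0.5", 443)})
    print(fw.inbound(Packet("198.51.100.7", 40000, "203.0.113.10", 443)))  # forwarded
    print(fw.inbound(Packet("198.51.100.7", 40000, "203.0.113.10", 22)))   # None
```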
