Is NAT can provide some kind of protection?

Greg Ihnen os10rules at gmail.com
Wed Jan 12 09:36:37 CST 2011


+1 on Nick's comment. If you're doing 1:1 NAT or port forwarding your server is still public facing.

If your firewall is merely stateful and not deep packet inspecting all it's doing is seeing is that the statefulness of the connection meets it's requirements. You could have that and still have all kinds of naughtiness going on.

Greg

On Mar 21, 2007, at 6:25 AM, Tarig Ahmed wrote:

> In fact our firewall is stateful.
> This is why I thought, we no need to Nat at least our servers.
> 
> 
> Tarig Yassin Ahmed
> 
> 
> On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick at foobar.org> wrote:
> 
>> On 21/03/2007 09:41, Tarig Ahmed wrote:
>>> Is it true that NAT can provide more security?
>> 
>> No.
>> 
>> Your security person is probably confusing NAT with firewalling, as NAT devices will intrinsically do firewalling of various forms, sometimes stateful, sometimes not.  Stateful firewalling _may_ provide more security in some situations for low bandwidth applications, at least before you're hit by a DoS attack;  for high bandwidth applications, stateful firewalling is usually a complete waste of time.
>> 
>> Your security guy will probably say that a private IP address will give better protection because it's not reachable on the internet.  But the reality is if you have 1:1 NAT to a server port, then you have reachability and his argument becomes substantially invalid.  Most security problems are going to be related to poor coding anyway (XSS, improper data validation, etc), rather than port reachability, which is easy to fix.
>> 
>> Unfortunately, many security people from large organisations do not appreciate these arguments, but instead write their own and other peoples' opinions down and call them "policy".  Changing policy can be difficult.
>> 
>> Nick
>> 
>> 
> 





More information about the NANOG mailing list