nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Owen DeLong <owen () delong com>
Date: Wed, 12 Jan 2011 11:09:31 -0800
On Jan 12, 2011, at 9:04 AM, William Herrin wrote:
> On Wed, Mar 21, 2007 at 5:41 AM, Tarig Ahmed <tariq198487 () hotmail com> wrote:
>> We have a wide range of Public IP addresses, I tried to assign public ip directly to a server behind firewall (in DMZ), but I have been resisted. Security guy told me it is not correct to assign public ip to a server, it should have private ip for security reasons. Is it true that NAT can provide more security?
>
> Hi Tarig,
>
> Yes, NAT can provide more security, but not in the particular scenario you described.
>
> In your scenario, the firewall knows how to map incoming connections for the public address to your server's private address, so you won't see any benefit from NAT versus a merely stateful firewall -- a connection request will either get through the filter or it won't. If it gets through, the firewall knows where to send it.
>
> On the other hand, the use of any kind of stateful firewall (most of what we refer to as NAT firewalls keep per-connection state) increases your vulnerability to denial of service attacks: folks DOSing you can target both the server and the firewall's state table. So the use of NAT there is potentially counterproductive.
>
> In a client (rather than server) scenario, the picture is different. Depending on the specific "NAT" technology in use, the firewall may be incapable of selecting a target for unsolicited communications inbound from the public Internet. In fact, it may be theoretically impossible for it to do so. In those scenarios, the presence of NAT in the equation makes a large class of direct attacks on the interior host impractical, requiring the attacker to fall back on other methods like attempting to breach the firewall itself or indirectly polluting the responses to communication initiated by the internal host.
No, NAT doesn't provide additional security. The stateful inspection that NAT cannot operate without provides the security. Take away the address mangling and the stateful inspection still provides the same level of security.

Owen
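The following toy model is an added example, not part of the thread or written by any of its participants. It runs the same three inbound packets through a connection-tracking gateway with and without address rewriting, so the verdicts discussed in the reply above can be compared side by side; the class and function names are hypothetical, and all addresses are constructed from documentation and private ranges.

```python
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Gateway:
    """Hypothetical edge device: stateful filter with optional NAPT."""
    public_ip: str
    nat: bool                                     # False = inside hosts are routed, public
    allow_in: dict = field(default_factory=dict)  # (outside dst, dport) -> inside host
    state: dict = field(default_factory=dict)     # tracked flow -> inside (ip, port)
    next_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        # Address rewriting is the only step that differs between the two modes.
        if self.nat:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
        else:
            ext = (p.src, p.sport)
        self.state[(p.dst, p.dport, *ext)] = (p.src, p.sport)
        return Packet(ext[0], ext[1], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if tuple(p) in self.state:                # reply to a tracked flow
            ip, port = self.state[tuple(p)]
            return Packet(p.src, p.sport, ip, port)
        if (p.dst, p.dport) in self.allow_in:     # explicitly published service
            return Packet(p.src, p.sport, self.allow_in[(p.dst, p.dport)], p.dport)
        return None                               # unsolicited: no state, no rule

def verdicts(nat: bool) -> dict:
    # Constructed sample hosts: RFC 1918 inside addresses when NAT is on,
    # documentation-range public addresses when it is off.
    client, server = (("192.168.0.10", "192.168.0.20") if nat
                      else ("203.0.113.10", "203.0.113.20"))
    gw = Gateway("203.0.113.1", nat)
    published = gw.public_ip if nat else server
    gw.allow_in[(published, 443)] = server        # the DMZ server from the question
    out = gw.outbound(Packet(client, 51000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("198.51.100.7", 80, out.src, out.sport))
    probe = gw.inbound(Packet("198.51.100.99", 4444, out.src, out.sport))
    web = gw.inbound(Packet("198.51.100.99", 4444, published, 443))
    return {"reply_to_client": reply is not None and reply.dst == client,
            "unsolicited_to_client": probe is not None,
            "published_service": web is not None and web.dst == server}
```

The model uses endpoint-dependent filtering in both modes; it does not cover the denial-of-service pressure on the state table raised in the quoted message.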