Security Basics mailing list archives
Re: NAT and Web Server Security
From: Jason Kohles <jkohles () redhat com>
Date: 19 Nov 2002 16:20:56 -0500
On Mon, 2002-11-18 at 17:27, spato99 () hotmail com wrote:
> We're about to put a public web server on a DMZ sitting behind a Tier 1 firewall and only allow http, ssl to it. We intend to assign a public IP address to this server and no NAT'ing is done on the firewall for this address (NATing done for internal network on Tier 2 firewall). It has been suggested that without NATing, it is possible for a hacker to compromise this server and pretend to be our company...
That's correct, however it should have also been pointed out that this is true _with_ NAT as well.
> 1) While NAT addresses some security issues, doesn't this specific risk exist regardless of whether NAT is employed or not?
NAT solves IP address allocation issues; it is not a security feature. There may be some minor security advantages in using NAT, but in general it doesn't protect you from much of anything.
> 2) If NAT does help in this case, I'd appreciate comments as to how
> 3) Is there any good reading material on NAT security - specifically, what it can and can't protect against. The stuff I've read doesn't seem to talk about NAT in this context.
Again, this is because it doesn't protect you. The common belief is that because the internal machines don't have public IP addresses they are not accessible from the outside, but this is wrong. All it takes to bypass NAT is for the attacker to add a static route for your internal netblock that points at your router as a gateway. It is the responsibility of this router (which should include a firewall) to protect the internal network from attack; NAT alone won't do it.

--
Jason Kohles jkohles () redhat com
Senior Engineer
Red Hat Professional Consulting
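As an added illustration (not part of the thread), here is an iptables ruleset for the Tier 2 router in iptables-save syntax, first with NAT only and then with a FORWARD chain that actually enforces the boundary the reply describes. The interface names (eth0 outside, eth1 inside) and the 10.0.0.0/8 internal netblock are assumptions.

```iptables
# --- Weak: NAT only, FORWARD left at ACCEPT (the "NAT protects us" belief) ---
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
# A packet arriving on eth0 addressed directly to 10.20.30.40 (an attacker
# with a static route for 10.0.0.0/8 via this router) matches no NAT state,
# so MASQUERADE never touches it: the router simply forwards it out eth1.

# --- Corrected: NAT for address allocation, the filter does the protecting ---
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Nothing entering from the outside may claim an internal source address.
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
# Replies to connections the inside opened. This must precede the
# destination check below: reply packets are de-masqueraded in nat
# PREROUTING, so FORWARD already sees them with a 10.x destination.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# What is left with a 10.x destination from eth0 is exactly the routed-in
# traffic the thread describes; log it so the attempt is visible, then drop.
-A FORWARD -i eth0 -d 10.0.0.0/8 -j LOG --log-prefix "routed-to-internal: "
-A FORWARD -i eth0 -d 10.0.0.0/8 -j DROP
# Inside -> out, which MASQUERADE then rewrites on the way out of eth0.
-A FORWARD -i eth1 -s 10.0.0.0/8 -o eth0 -j ACCEPT
# The router itself only answers what it started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

Load with `iptables-restore < file`; with the corrected ruleset the attacker's static route still delivers the packet to the router, but the FORWARD chain logs and discards it rather than relying on the absence of a public address.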