Security Basics mailing list archives

Re: NAT and Web Server Security


From: Jason Kohles <jkohles () redhat com>
Date: 19 Nov 2002 16:20:56 -0500

On Mon, 2002-11-18 at 17:27, spato99 () hotmail com wrote:


> We're about to put a public web server on a DMZ sitting behind a Tier 1
> firewall and only allow http, ssl to it.  We intend to assign a public IP
> address to this server and no NAT'ing is done on the firewall for this
> address (NATing done for internal network on Tier 2 firewall).
>
> It has been suggested that without NATing, it is possible for a hacker to
> compromise this server and pretend to be our company...

That's correct, however it should have also been pointed out that this
is true _with_ NAT as well.

> 1) While NAT addresses some security issues, doesn't this specific risk
> exist regardless of whether NAT is employed or not?

NAT solves IP address allocation issues; it is not a security feature.
There may be some minor security advantages in using NAT, but in general
it doesn't protect you from much of anything.

> 2) If NAT does help in this case, I'd appreciate comments as to how
>
> 3) Is there any good reading material on NAT security - specifically,
> what it can and can't protect against. The stuff I've read doesn't seem
> to talk about NAT in this context.

Again, this is because it doesn't protect you.  The common belief is that
because the internal machines don't have public IP addresses they are
not accessible from the outside, but this is wrong.  All it takes to
bypass NAT is for the attacker to add a static route for your internal
netblock that points at your router as a gateway.  It is the
responsibility of this router (which should include a firewall) to
protect the internal network from attack; NAT alone won't do it.

-- 
Jason Kohles                                 jkohles () redhat com
Senior Engineer                 Red Hat Professional Consulting
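To make the point of the reply concrete, here is an added example (not from the thread or from either poster) of an nftables ruleset for a Linux router doing NAT: the NAT-only version forwards anything that arrives already addressed to the internal netblock, while the version with a filter table actually protects the inside. Interface names eth0/eth1 and the 10.0.0.0/24 internal block are assumed values.

```nftables
# Added example, not from the original thread.
# Assumptions: eth0 = external interface, eth1 = internal interface,
# 10.0.0.0/24 = internal netblock (all constructed values).

# --- Weak: NAT only. Nothing here stops a packet that arrives on eth0
# already addressed to 10.0.0.0/24 (as it would if a remote host added a
# static route for that netblock via this router) from being forwarded.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade
    }
}

# --- Corrected: keep the NAT table, but add a filter table whose forward
# chain decides what may cross the router at all.  Default is drop.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Ingress filtering: traffic arriving from outside must never
        # carry an internal (RFC 1918) source address.
        iifname "eth0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop

        # Replies to connections the inside opened.  Conntrack has already
        # reversed the NAT in prerouting, so their daddr is an internal
        # address; accept them before the daddr check below.
        ct state established,related accept

        # Anything else arriving from outside aimed straight at a private
        # block is exactly the "static route through your router" case.
        iifname "eth0" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop

        # New connections are only allowed from inside to outside.
        iifname "eth1" oifname "eth0" ct state new accept

        # Everything else hits the drop policy; log it so attempts are visible.
        counter log prefix "fwd-drop: " drop
    }
}
```

Load with `nft -f <file>` and confirm the counters on the two `iifname "eth0"` drop rules with `nft list ruleset`; a non-zero hit on the daddr rule is the attempt described in the reply showing up in your logs.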

