Re: Is NAT can provide some kind of protection?

[Tarig Ahmed <tariq198487 () hotmail com>]

In fact our firewall is stateful.
This is why I thought, we no need to Nat at least our servers.


Tarig Yassin Ahmed


On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick () foobar org> wrote:

> On 21/03/2007 09:41, Tarig Ahmed wrote:
> > Is it true that NAT can provide more security?
>
> No.
>
> Your security person is probably confusing NAT with firewalling, as  
> NAT devices will intrinsically do firewalling of various forms,  
> sometimes stateful, sometimes not.  Stateful firewalling _may_  
> provide more security in some situations for low bandwidth  
> applications, at least before you're hit by a DoS attack;  for high  
> bandwidth applications, stateful firewalling is usually a complete  
> waste of time.
>
> Your security guy will probably say that a private IP address will  
> give better protection because it's not reachable on the internet.   
> But the reality is if you have 1:1 NAT to a server port, then you  
> have reachability and his argument becomes substantially invalid.   
> Most security problems are going to be related to poor coding anyway  
> (XSS, improper data validation, etc), rather than port reachability,  
> which is easy to fix.
>
> Unfortunately, many security people from large organisations do not  
> appreciate these arguments, but instead write their own and other  
> peoples' opinions down and call them "policy".  Changing policy can  
> be difficult.
>
> Nick