Re: Is NAT can provide some kind of protection?

[ML <ml () kenweb org>]

On 3/21/2007 6:25 AM, Tarig Ahmed wrote:
> In fact our firewall is stateful.
> This is why I thought, we no need to Nat at least our servers.
>
>
> Tarig Yassin Ahmed
>
>
> On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick () foobar org> wrote:
>
> > On 21/03/2007 09:41, Tarig Ahmed wrote:
> > > Is it true that NAT can provide more security?
> >
> > No.
> >
> > Your security person is probably confusing NAT with firewalling, as
> > NAT devices will intrinsically do firewalling of various forms,
> > sometimes stateful, sometimes not. Stateful firewalling _may_ provide
> > more security in some situations for low bandwidth applications, at
> > least before you're hit by a DoS attack; for high bandwidth
> > applications, stateful firewalling is usually a complete waste of time.
> >
> > Your security guy will probably say that a private IP address will
> > give better protection because it's not reachable on the internet. But
> > the reality is if you have 1:1 NAT to a server port, then you have
> > reachability and his argument becomes substantially invalid. Most
> > security problems are going to be related to poor coding anyway (XSS,
> > improper data validation, etc), rather than port reachability, which
> > is easy to fix.
> >
> > Unfortunately, many security people from large organisations do not
> > appreciate these arguments, but instead write their own and other
> > peoples' opinions down and call them "policy". Changing policy can be
> > difficult.
> >
> > Nick

Tarig is sending email from the past. Spooky.