Re: Is NAT can provide some kind of protection?

[Greg Ihnen <os10rules () gmail com>]

+1 on Nick's comment. If you're doing 1:1 NAT or port forwarding your server is still public facing.

If your firewall is merely stateful and not deep packet inspecting all it's doing is seeing is that the statefulness of 
the connection meets it's requirements. You could have that and still have all kinds of naughtiness going on.

Greg

On Mar 21, 2007, at 6:25 AM, Tarig Ahmed wrote:

> In fact our firewall is stateful.
> This is why I thought, we no need to Nat at least our servers.
>
>
> Tarig Yassin Ahmed
>
>
> On Jan 12, 2011, at 4:59 PM, Nick Hilliard <nick () foobar org> wrote:
>
> > On 21/03/2007 09:41, Tarig Ahmed wrote:
> > > Is it true that NAT can provide more security?
> >
> > No.
> >
> > Your security person is probably confusing NAT with firewalling, as NAT devices will intrinsically do firewalling of 
> > various forms, sometimes stateful, sometimes not.  Stateful firewalling _may_ provide more security in some 
> > situations for low bandwidth applications, at least before you're hit by a DoS attack;  for high bandwidth 
> > applications, stateful firewalling is usually a complete waste of time.
> >
> > Your security guy will probably say that a private IP address will give better protection because it's not reachable 
> > on the internet.  But the reality is if you have 1:1 NAT to a server port, then you have reachability and his 
> > argument becomes substantially invalid.  Most security problems are going to be related to poor coding anyway (XSS, 
> > improper data validation, etc), rather than port reachability, which is easy to fix.
> >
> > Unfortunately, many security people from large organisations do not appreciate these arguments, but instead write 
> > their own and other peoples' opinions down and call them "policy".  Changing policy can be difficult.
> >
> > Nick