Mikael Olsson wrote:
> 
> Aaron Wetherhold wrote:
> >
> > I've read this list for a while now, and something I'm still unsure about is
> > how secure is Network Address Translation as a security measure?
> >
> 
> If your translator is dynamic and well written, you can be reasonably
> certain that people can't open connections from the outside to ports
> on the inside that you don't want them to connect to.

Again, any firewall does this. 

NAT usually provides a service wherein incoming packets are blocked by
default unless they're responses to an internally initiated outgoing
connection. But you don't need NAT for that...just a state inspection
or proxy type firewall.

As far as blocking access to certain internal hosts:
access-list 100 deny ip any host ProtectedHostIP

NAT only hides addresses (useful only if you allow incoming
access), preserves address space, and possibly obfuscates
the address of internal systems to the outside by changing
it on each connection.

I fail to see any great security feature provided by NAT
over and above a state aware firewall and proper rules.
It adds to defense in depth but I'm not sure how much or
whether the complications are worth it.

Gary Flynn
Security Engineer
James Madison University
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
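The argument in the message above (a stateful filter already blocks unsolicited inbound traffic; NAT changes addresses, not the accept/deny decision; a static deny rule handles a host you want unreachable) can be shown with a small connection-tracking simulation. The following is an added example written for this archive page, not code from the original post or from any vendor product. It assumes documentation addresses (10.0.0.0/24 inside, 192.0.2.1 as the translated address, 203.0.113.10 and 198.51.100.7 outside), a hypothetical `StatefulFilter` class, and that the static deny rule is evaluated against the inside (untranslated) destination address, as it would be on the inside interface; the verdict strings are made up for this example.

```python
"""Toy stateful packet filter with optional source NAT.

Added example for the firewalls-list thread on NAT as a security measure.
Inbound packets are accepted only when they match the reverse of a
connection an inside host already opened; NAT only rewrites the source
address and port on the way out and restores them on the way back.
The addresses, class names and verdict strings below are assumptions
made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# 5-tuple we expect to see on a reply: (proto, src, sport, dst, dport)
Key = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Connection tracking plus a static 'deny ip any host X' list."""

    def __init__(self, deny_hosts: Iterable[str] = (), nat_ip: Optional[str] = None):
        self.deny_hosts = set(deny_hosts)   # mirrors: access-list 100 deny ip any host X
        self.nat_ip = nat_ip                # None = route inside addresses unchanged
        self.state: Dict[Key, Packet] = {}  # expected reply tuple -> original inside packet
        self._next_port = 40000             # NAT port pool (assumed starting value)

    def _alloc_port(self) -> int:
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host opens a connection; return the packet as seen outside."""
        if self.nat_ip:
            wire = Packet(self.nat_ip, self._alloc_port(), pkt.dst, pkt.dport, pkt.proto)
        else:
            wire = pkt
        # The reply we will accept is the exact mirror of what went out.
        self.state[(wire.proto, wire.dst, wire.dport, wire.src, wire.sport)] = pkt
        return wire

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """A packet arrives from outside: untranslate, static deny, then state."""
        orig = self.state.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        # With NAT, restore the inside address/port; without NAT it is already there.
        delivered = pkt if orig is None else Packet(pkt.src, pkt.sport, orig.src, orig.sport, pkt.proto)
        if delivered.dst in self.deny_hosts:
            return "DENY-ACL", None          # static rule wins regardless of state
        if orig is None:
            return "DROP-NO-STATE", None     # nobody inside asked for this
        return "ACCEPT", delivered


def run_scenario(nat_ip: Optional[str]) -> List[str]:
    """Same four packets, with or without NAT; returns the verdict list."""
    fw = StatefulFilter(deny_hosts=["10.0.0.9"], nat_ip=nat_ip)
    verdicts = []
    # 1. Inside host browses to an outside web server; the reply is tracked.
    wire = fw.outbound(Packet("10.0.0.5", 51000, "203.0.113.10", 80))
    verdicts.append(fw.inbound(Packet(wire.dst, wire.dport, wire.src, wire.sport))[0])
    # 2. Outsider probes SSH on the inside host (or on the NAT address); no state.
    target = nat_ip or "10.0.0.5"
    verdicts.append(fw.inbound(Packet("198.51.100.7", 4444, target, 22))[0])
    # 3. Forged "reply" from the right server to the wrong port; no state either.
    verdicts.append(fw.inbound(Packet("203.0.113.10", 80, wire.src, wire.sport + 1))[0])
    # 4. The protected host opens a connection; the static deny still blocks its reply.
    wire2 = fw.outbound(Packet("10.0.0.9", 52000, "203.0.113.10", 80))
    verdicts.append(fw.inbound(Packet(wire2.dst, wire2.dport, wire2.src, wire2.sport))[0])
    return verdicts


if __name__ == "__main__":
    for label, nat in (("no NAT", None), ("NAT", "192.0.2.1")):
        print(f"{label:6}: {run_scenario(nat)}")
```

Running it gives the same verdict list whether `nat_ip` is set or not: the reply to the inside-initiated connection is accepted, the unsolicited probe and the forged reply are dropped for lack of state, and the protected host is denied by the static rule. What NAT adds in this model is only that the outsider's probe in step 2 has to be aimed at the translated address rather than at the inside host's own address; the decision that drops it comes from the state table, which is the point Gary Flynn makes above.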
