On Mon, Apr 24, 2000 at 01:25:49PM -0400, Oscar Rau wrote:
> Many network engineers I have met repeatedly said that NAT is a temporary
> solution to handle lack of IP addresses. It is not a security solution.
> Besides, the services allowed into the network don't care what address the host
> has. If the service is vulnerable, then how can NAT help?
> 
> Is Network Address Translation (NAT) a security solution?

Yes, it is, when the following conditions hold:
1. no routing is allowed to the internal network (NAT address pool)
2. NAT is allowed only from one direction: internal to outside.
   (no external connections may pass)
Very often one uses RFC 1918 (private IP addresses) for internal use; therefore
rule 1 applies.

The point is that it now acts as a diode router: only the inside may
initiate successful connections. This surely doesn't protect
against attacks which are made with these connections.

Conclusion: it provides a minimum of security at a minimum of configuration effort.

with kind regards,
Jochen Kaiser
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
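
The "diode" behaviour described in the reply above, as an added example that is not part of the original message: a toy outbound-only port-translating NAT table in Python. The class name, the addresses (RFC 1918 inside, documentation ranges outside) and the strict address-and-port matching of return traffic are assumptions made for illustration.

```python
# Added illustration: a toy outbound-only NAPT table (all names are hypothetical).
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class DiodeNat:
    """Outbound-only port-translating NAT: only inside hosts can create state."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (inside ip, inside port, remote ip, remote port) -> public port
        self.in_map = {}   # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate (or reuse) a mapping and rewrite the source."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only what matches existing state, else drop."""
        if pkt.dst != self.public_ip:
            return None  # condition 1: no routing to the internal address pool
        inside = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None  # condition 2: no inside host initiated this flow
        # The payload of a matching reply is not inspected: it passes as-is.
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])

def demo():
    # Constructed sample traffic, not taken from the original message.
    nat = DiodeNat("198.51.100.1")
    out = nat.outbound(Packet("10.0.0.5", 51000, "203.0.113.80", 80))
    return {
        "translated": out,
        "reply": nat.inbound(Packet("203.0.113.80", 80, out.src, out.sport)),
        "unsolicited": nat.inbound(Packet("203.0.113.66", 4444, out.src, 22)),
        "other_host_same_port": nat.inbound(Packet("203.0.113.66", 80, out.src, out.sport)),
        "direct_to_rfc1918": nat.inbound(Packet("203.0.113.66", 4444, "10.0.0.5", 22)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The `reply` case is the caveat from the message: traffic on a connection the inside host opened is forwarded without inspection, so the table filters who may start a connection, not what arrives over it.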
