At 14:54 06/06/01 -0400, Michael T. Babcock wrote:
> > The definitive answer is that the concept of NAT has nothing to do with
> > security. Check the IETF working groups and see where is NAT.
>
> Modern NAT, like the real-time masquerading support in Linux has a
> lot to do with security.
My point is that the NAT concept is a transport concept. The security only
results from NAT implementations because/when they need to manage sessions,
and what a coincidence, stateful filtering is based on sessions.
Take the following example:
- you have a network 10.* inside.
- you have a DMZ host 1.2.3.4
- they are all connected to the internet through your FW.
- you allow outbound from inside, and any dir to DMZ
So you configure NAT to map the 10.* class to a global address (1.2.3.10 for
example).
Now, when a packet comes from the internet, your NAT will check whether it
corresponds to a NAT session (the dest addr must be 1.2.3.10 among other
things). What does NAT do if the dest addr is 1.2.3.4? The correct behaviour
is to do nothing. Naturally, it should do so with any address except those
corresponding to a NAT session. This means NAT should not reject packets just
because they are not part of a mapping. As a result, NAT does not filter flow.
Besides, there is no modern NAT (NAT is NAT). What you are referring to is a
"suite" that does both NAT and filtering. So it is a solution that implements
many things, not just NAT. If you remove the filtering code and only keep the
NAT code, you're gonna have problems.
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
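The distinction mouss draws above (translation on its own versus a "suite" that also filters) can be made concrete with a small simulation. This is an added example, not code from the post, from the firewalls list, or from any real NAT implementation: the `PureNat` and `NatAndFilter` classes, the session-table layout and the remote addresses 198.51.100.7 and 203.0.113.9 are all constructed here; the inside network 10.*, the DMZ host 1.2.3.4 and the global address 1.2.3.10 are the ones used in the post.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PureNat:
    """Translation only, as mouss describes it: a session table built from
    outbound traffic is used to rewrite matching packets. A packet that
    matches no session is returned untouched; NAT by itself never rejects."""

    def __init__(self, inside_prefix: str, global_addr: str, first_port: int = 40000):
        self.inside_prefix = inside_prefix  # e.g. "10." for the 10.* inside network
        self.global_addr = global_addr      # e.g. "1.2.3.10"
        self.next_port = first_port         # next mapped source port to hand out
        # (remote addr, remote port, mapped port) -> (inside addr, inside port)
        self.sessions: dict = {}

    def lookup(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Return the inside endpoint for an inbound packet, or None if the
        packet belongs to no NAT session (dest must be the global addr)."""
        if pkt.dst != self.global_addr:
            return None
        return self.sessions.get((pkt.src, pkt.sport, pkt.dport))

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite inside -> internet packets; leave anything else (DMZ) alone."""
        if not pkt.src.startswith(self.inside_prefix):
            return pkt
        # Reuse the mapping if this flow already has one.
        for key, inner in self.sessions.items():
            if inner == (pkt.src, pkt.sport) and key[:2] == (pkt.dst, pkt.dport):
                return replace(pkt, src=self.global_addr, sport=key[2])
        mapped = self.next_port
        self.next_port += 1
        self.sessions[(pkt.dst, pkt.dport, mapped)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.global_addr, sport=mapped)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a session reply; a non-session packet is forwarded as-is."""
        inner = self.lookup(pkt)
        if inner is None:
            return pkt  # no mapping: NAT does nothing, it does not filter
        return replace(pkt, dst=inner[0], dport=inner[1])

class NatAndFilter(PureNat):
    """The "suite": the same NAT plus a stateful filter. Session replies pass,
    explicit policy passes (here: any source may reach the DMZ host), and
    every other inbound packet is dropped by the filter, not by the NAT."""

    def __init__(self, inside_prefix: str, global_addr: str, inbound_allowed_to):
        super().__init__(inside_prefix, global_addr)
        self.inbound_allowed_to = set(inbound_allowed_to)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if self.lookup(pkt) is not None:
            return super().inbound(pkt)      # part of a session: translate
        if pkt.dst in self.inbound_allowed_to:
            return pkt                       # policy: any dir to DMZ
        return None                          # dropped

if __name__ == "__main__":
    nat = PureNat("10.", "1.2.3.10")
    suite = NatAndFilter("10.", "1.2.3.10", ["1.2.3.4"])
    stray = Packet("203.0.113.9", 6666, "1.2.3.10", 40001)  # constructed, unsolicited
    print("pure NAT forwards stray packet:", nat.inbound(stray) is not None)
    print("NAT+filter forwards stray packet:", suite.inbound(stray) is not None)
```

Running it shows the point of the post: the pure NAT forwards both the packet for the DMZ host and an unsolicited packet aimed at 1.2.3.10 that matches no session, while the suite only lets the second one through if a filter rule says so; remove the filter and the behaviour collapses back to `PureNat`.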