On 21/03/2007 09:41, Tarig Ahmed wrote:
Is it true that NAT can provide more security?
No.
Your security person is probably confusing NAT with firewalling, as NAT
devices will intrinsically do firewalling of various forms, sometimes
stateful, sometimes not. Stateful firewalling _may_ provide more security
in some situations for low bandwidth applications, at least before you're
hit by a DoS attack; for high bandwidth applications, stateful firewalling
is usually a complete waste of time.
Your security guy will probably say that a private IP address will give
better protection because it's not reachable on the internet. But the
reality is if you have 1:1 NAT to a server port, then you have reachability
and his argument becomes substantially invalid. Most security problems are
going to be related to poor coding anyway (XSS, improper data validation,
etc), rather than port reachability, which is easy to fix.
Unfortunately, many security people from large organisations do not
appreciate these arguments, but instead write their own and other peoples'
opinions down and call them "policy". Changing policy can be difficult.
Nick
