In fact our firewall is stateful.
This is why I thought, we no need to Nat at least our servers.
Tarig Yassin Ahmed
On Jan 12, 2011, at 4:59 PM, Nick Hilliard <n...@foobar.org> wrote:
On 21/03/2007 09:41, Tarig Ahmed wrote:
Is it true that NAT can provide more security?
No.
Your security person is probably confusing NAT with firewalling, as
NAT devices will intrinsically do firewalling of various forms,
sometimes stateful, sometimes not. Stateful firewalling _may_
provide more security in some situations for low bandwidth
applications, at least before you're hit by a DoS attack; for high
bandwidth applications, stateful firewalling is usually a complete
waste of time.
Your security guy will probably say that a private IP address will
give better protection because it's not reachable on the internet.
But the reality is if you have 1:1 NAT to a server port, then you
have reachability and his argument becomes substantially invalid.
Most security problems are going to be related to poor coding anyway
(XSS, improper data validation, etc), rather than port reachability,
which is easy to fix.
Unfortunately, many security people from large organisations do not
appreciate these arguments, but instead write their own and other
peoples' opinions down and call them "policy". Changing policy can
be difficult.
Nick
