The NSA put together a "60 minute guide to securing your network", which has an excellent breakdown of what ports you will want to block inbound and outbound. It also breaks them up into "should never be open", "may be open if needed", etc. type of categories.

The question I have is - What is going behind this router? Do you have / will you have a firewall as well? If not, please consider the security implications of this - you would want to pay special attention to *every* machine to harden it and ensure that you also perform rudimentary patch management. For thoroughness - the short answer to the original question is "both". :)

Thanks!
TJ

-----Original Message-----
From: Kent Hundley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2002 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: NAT vs ACL [7:34728]

It's not a question of either/or, NAT and ACL's will work perfectly fine together. Strictly speaking, NAT is not a security feature, although it does have some security related properties depending on how it's implemented. For example, many NAT implementations will not allow inbound initiated connections to NATed IP addresses. (don't know if Cisco NAT has this property or not) Also, if you use PAT (also called NAT overload and Masquerading), inbound connections to the PAT address to non-mapped ports will be dropped, offering some level of protection to internal hosts.

However, NAT is not a replacement for ACL's and some applications don't play well with NAT. If you have a registered address space, you don't _need_ NAT but you certainly need ACL's to protect yourself. If you properly use ACL's, it's likely that NAT isn't going to buy you much, if any, additional security. If you don't have registered address space, you will need to use NAT, and you definitely should use ACL's as well.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 8:43 PM
To: [EMAIL PROTECTED]
Subject: NAT vs ACL [7:34728]

If my Cisco router needs to connect to the internet, what should I enable/use by default? NAT or Access List?
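The "both" answer from the thread, shown as an added example configuration (not posted by any participant): PAT/overload NAT on a Cisco IOS router together with an inbound ACL on the outside interface, so that the ACL, not NAT, is what explicitly decides what the Internet may send in. Interface names and addresses (192.0.2.0/24 documentation space, 10.0.0.0/24 inside) are assumptions for illustration.

```cisco
! Added example, not from the thread. Addresses are illustrative.
!
interface FastEthernet0/0
 description Outside (Internet)
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Which inside sources get translated; anything else is untouched by NAT.
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
!
! PAT (NAT overload): all inside hosts share the outside interface address.
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Inbound policy on the outside interface. "established" only matches TCP
! segments with ACK or RST set, so it is a weak stateless check; it is what
! a plain ACL can express (stateful inspection or a firewall goes further,
! which is why the thread asks what sits behind the router).
ip access-list extended OUTSIDE-IN
 remark Drop packets arriving from outside with inside or loopback sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark Return traffic for sessions opened from inside
 permit tcp any host 192.0.2.1 established
 permit udp any eq 53 host 192.0.2.1 gt 1023
 remark ICMP needed for path MTU discovery and troubleshooting
 permit icmp any host 192.0.2.1 echo-reply
 permit icmp any host 192.0.2.1 unreachable
 permit icmp any host 192.0.2.1 time-exceeded
 remark Everything else, including unsolicited inbound connections, is denied and logged
 deny   ip any any log
```

The final logged deny is also the detection hook: hits on it in the router log show inbound attempts that PAT alone would have silently discarded.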
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34755&t=34728

