> Delivered-To: [EMAIL PROTECTED]
> Date: Tue, 25 Apr 2000 16:56:57 +0900
> From: horio shoichi <[EMAIL PROTECTED]>
> To: Oscar Rau <[EMAIL PROTECTED]>
> CC: Firewalls <[EMAIL PROTECTED]>
> Subject: Re: NAT a security solution??

> In practice where NAT is used in translating internal ip/port into external
> one (dynamic NAT), there is no way for NAT to translate arbitrary connection
> requests into internal addresses, hence such requests cannot penetrate inside,
> NAT is said safe. However, note that internal hosts that have dynamically
> mapped ip/port are addressable from outside while the map is effective.

Just a comment on this.  It really depends on what type of box
is doing your NAT.  In SunScreen EFS, a firewall, the NAT is associated with
a state table entry.  So, even if it is actively translating
something like: 10.100.100.10  to  216.216.190.12, and this
is a dynamic translation rule, then new traffic cannot connect
in using the public NAT address (only responses that match
the state table entry).

I'm sure others handle NAT differently, though, so it is good
to investigate how your vendor handles it.

I agree with you that NAT is NOT a security solution.  It is
useful for topology hiding and for providing access to the internet
for many hosts when you only have a few registered IP addresses.

If you want to do content filtering, look into proxies.
If you need to prevent people from coming into your network, 
you should look into firewalls or routers that implement what
you need.

hth

Valerie
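
Added example, not part of the original message and not SunScreen EFS code: a small Python model of the two behaviours discussed in this thread, a dynamic NAT that forwards anything arriving at a live mapping versus one that forwards only packets matching the state table entry. The class and function names, the ports and the 192.0.2.80 / 198.51.100.7 peer addresses are constructed for illustration; TCP flag and timeout tracking are left out.

```python
from dataclasses import dataclass, field

@dataclass
class DynamicNat:
    public_ip: str
    stateful: bool            # True: inbound must match the full state entry
    next_port: int = 40000    # constructed starting point for public ports
    # public_port -> (internal_ip, internal_port, peer_ip, peer_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host opens a flow: allocate a public port and record state."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for port, entry in self.table.items():
            if entry == flow:
                return port           # reuse the mapping for an existing flow
        port = self.next_port
        self.next_port += 1
        self.table[port] = flow
        return port

    def inbound(self, remote_ip, remote_port, dst_ip, dst_port):
        """Return the internal (ip, port) the packet is forwarded to, or None."""
        if dst_ip != self.public_ip:
            return None               # not addressed to the NAT's public address
        entry = self.table.get(dst_port)
        if entry is None:
            return None               # no mapping: nothing to translate to
        int_ip, int_port, peer_ip, peer_port = entry
        if self.stateful and (remote_ip, remote_port) != (peer_ip, peer_port):
            return None               # mapping is live, but this is not a reply
        return (int_ip, int_port)

def demo():
    """Run the same traffic through both models and collect the verdicts."""
    results = {}
    for name, stateful in (("mapping_only", False), ("state_matched", True)):
        nat = DynamicNat("216.216.190.12", stateful)
        port = nat.outbound("10.100.100.10", 1025, "192.0.2.80", 80)
        pub = nat.public_ip
        results[name] = {
            "reply": nat.inbound("192.0.2.80", 80, pub, port),
            "third_party": nat.inbound("198.51.100.7", 4444, pub, port),
            "unmapped_port": nat.inbound("198.51.100.7", 4444, pub, port + 1),
        }
    return results

if __name__ == "__main__":
    for model, verdicts in demo().items():
        print(model, verdicts)
```

The "third_party" row is the case the two posts disagree on: it is forwarded by the mapping-only model and dropped by the state-matched one, which is the behaviour to confirm with your vendor.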
