At 14:38 20/02/01 +0100, [EMAIL PROTECTED] wrote:
>Hi there,
>
>
>I would like to set up outbound connections as follows:
>
>
>Client---------Firewall----------proxy--------Firewall------Router-------Internet
>
>The router is performing NAT for all packets coming from inside networks to a
>range of 16 official IP addresses.
>
>Is this more secure than just static NAT (one-to-one)?

NAT isn't a security measure by itself. It just happens that it helps hide addresses, but this is not a serious measure. It is only one piece that is used to build a secure environment.

With that in mind, you can say that dynamic NAT hides more than static NAT. But this depends on the attacks. If an attacker wants to connect to any internal machine, then dynamic NAT doesn't change the situation: the guy needs a mapping, nothing more.

More precisely, if the guy sees, say, http traffic (just an example, though unrealistic) coming from your network, and he knows how to attack http clients, then static or dynamic doesn't matter. The problem is whether the FW will allow the attacker's packets. On the other hand, if the guy sees http traffic and wants to attack some other service on the host, then dynamic mappings make it more complicated.

So, if you're confident in your filtering engine and that it won't let illegitimate traffic go through, then you can choose static or dynamic.

Note that:
- static NAT requires the possession of more public IP addresses than dynamic does
- but dynamic NAT plays with ports, and is thus more complex (more overhead), and there are some tricks. For example, if all addresses are mapped to the external addr of the FW (assuming you have only one), then it is not easy to guarantee that a port used by the NAT isn't used by the local IP stack. Suppose a session is mapped to use (1.2.3.4, TCP port=2345). Then port 2345 should not be used by an app running on the FW itself. That's why you generally need to assign correct port ranges for dynamic NAT.

There is a trap with static NAT too. You have to make sure that your static NAT mapping still requires sessions to be initiated from the inside network. From a few experimentations, I suspect that ipnat doesn't require this. I'll have to check this more seriously (unless some kind guy already knows whether this is true or false, and the design decision behind it...).
cheers,
mouss
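As an added illustration of the two cautions in the reply above (the dynamic NAT port range colliding with the firewall's own IP stack, and a static one-to-one mapping that forwards inbound packets the inside never asked for), here is a toy NAT engine. It is example code written for this page, not code from the original post and not a model of ipnat or any other real product; the addresses, ports and packets are constructed, and `NatBox`, `Packet` and `demo` are names invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """A TCP 4-tuple; enough to show address and port translation."""
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Toy NAT engine (constructed for this example, not a real product).

    public_ip    the firewall's single external address
    local_ports  ports the firewall's own IP stack uses (sshd, its own clients, ...)
    port_range   inclusive port range reserved for dynamic (port-overloaded) NAT
    """

    def __init__(self, public_ip: str, local_ports: Set[int],
                 port_range: Tuple[int, int]) -> None:
        self.public_ip = public_ip
        self.local_ports = set(local_ports)
        self.lo, self.hi = port_range
        self._next = self.lo
        self.dyn: Dict[int, Tuple[str, int]] = {}          # ext port -> (int ip, int port)
        self.static_pub2int: Dict[str, str] = {}           # one-to-one mappings
        self.static_int2pub: Dict[str, str] = {}
        # sessions opened from inside by statically mapped hosts:
        # (internal ip, internal port, peer ip, peer port)
        self.static_sessions: Set[Tuple[str, int, str, int]] = set()

    def add_static(self, public_ip: str, internal_ip: str) -> None:
        self.static_pub2int[public_ip] = internal_ip
        self.static_int2pub[internal_ip] = public_ip

    def _alloc_port(self) -> int:
        """Pick an external port that neither the local stack nor an existing
        mapping uses. Without the local_ports check, a reply for a NATed
        session could end up at a daemon running on the firewall itself."""
        for _ in range(self.hi - self.lo + 1):
            port = self._next
            self._next = self.lo if port == self.hi else port + 1
            if port not in self.local_ports and port not in self.dyn:
                return port
        raise RuntimeError("dynamic NAT port range exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the inside network."""
        pub = self.static_int2pub.get(pkt.src)
        if pub is not None:
            # static NAT: only the address changes; remember the session
            self.static_sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return Packet(pub, pkt.sport, pkt.dst, pkt.dport)
        # dynamic NAT: hide behind the firewall's address on a fresh port
        ext = self._alloc_port()
        self.dyn[ext] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, ext, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet, stateful_static: bool = True) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means dropped.
        Whether the peer itself is allowed through is left to the filtering
        engine, as in the reply above; this only models the mappings.
        stateful_static=False models a static mapping that forwards every
        inbound packet to the internal host, solicited or not."""
        if pkt.dst == self.public_ip:
            entry = self.dyn.get(pkt.dport)
            if entry is None:
                return None                         # no mapping, nothing to reach
            int_ip, int_port = entry
            return Packet(pkt.src, pkt.sport, int_ip, int_port)
        int_ip = self.static_pub2int.get(pkt.dst)
        if int_ip is None:
            return None
        if stateful_static and (int_ip, pkt.dport, pkt.src, pkt.sport) not in self.static_sessions:
            return None                             # the inside never opened this
        return Packet(pkt.src, pkt.sport, int_ip, pkt.dport)


def demo() -> dict:
    """Walk through the reply's scenarios with constructed traffic."""
    # the FW itself has something listening on 2345, inside the NAT range
    box = NatBox(public_ip="1.2.3.4", local_ports={22, 2345}, port_range=(2345, 2400))
    box.add_static("1.2.3.5", "10.0.0.5")
    r = {}
    # dynamic NAT: internal client opens HTTP; port 2345 is skipped, 2346 used
    out = box.outbound(Packet("10.0.0.7", 40000, "198.51.100.9", 80))
    r["dyn_ext_port"] = out.sport
    r["dyn_reply"] = box.inbound(Packet("198.51.100.9", 80, "1.2.3.4", out.sport))
    # attacker saw the HTTP session and probes another service on 1.2.3.4
    r["dyn_probe_139"] = box.inbound(Packet("203.0.113.66", 5555, "1.2.3.4", 139))
    # static NAT: same probe against the one-to-one mapped host
    box.outbound(Packet("10.0.0.5", 40001, "198.51.100.9", 80))
    r["static_reply"] = box.inbound(Packet("198.51.100.9", 80, "1.2.3.5", 40001))
    probe = Packet("203.0.113.66", 5555, "1.2.3.5", 139)
    r["static_probe_stateful"] = box.inbound(probe, stateful_static=True)
    r["static_probe_stateless"] = box.inbound(probe, stateful_static=False)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the dynamic session landing on external port 2346 rather than the firewall's own 2345, the probe of port 139 on 1.2.3.4 being dropped for lack of a mapping, and the same probe against the statically mapped host being dropped only when the mapping insists on an inside-initiated session; with `stateful_static=False` it is delivered straight to port 139 of 10.0.0.5, which is the trap the reply warns about.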