> NAT, as a concept, offers fine security.
> 
NAT is a connectivity concept. The added security is a side-effect. IMHO,
NAT definitely does not add *fine* security. IMHO, it doesn't help you any
more than a stateful packet filter.

> If you can't route to the internal
> network, you can't reach the internal network.
> 
I want to make sure my filter drops traffic that isn't meant to get into my
network, regardless of whether that traffic reaches it or not. NAT improves
over basic packet filters in that it inherently introduces state. However,
that's what stateful filters do as well. And both need special code to
handle non-NAT-friendly protocols, such as FTP, etc. That's the first place
that's compromisable. Additionally, most of the time NAT is performed on the
firewall itself, which means that the firewall must accept packets destined
to itself. I have a general creepy feeling about that... And there have been
examples of NAT implementations being buggy and subject to manipulation from
the outside. Bottom line: NAT is a weak element of security.

> On the other hand, using NAT
> alone is a little like putting all your eggs in one basket -- you need to
> WATCH THAT BASKET.  If the NAT router (or whatever you're using) is
> compromised, then your internal network is at risk.
> 
This applies to any firewall and can be addressed preventatively with
architectural measures alone. Detection and response play an important part
in security; you should watch each and every basket you've got.

Cheers,
Tobias
-- 
Tobias Reckhard
secunet 
Security Networks AG       Tel   : +49(6196)95888-42
Mergenthalerallee 77       Fax   : +49(6196)95888-88
D-65760 Eschborn           E-Mail: [EMAIL PROTECTED]
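The point made in the reply above, that connection state rather than address translation is what keeps unsolicited inbound traffic out, and that protocols such as active FTP still need a helper, can be shown with a small model. This is an added example, not code from the thread or from any product; the class, method names, addresses and ports are all constructed for the illustration.

```python
# Added example, not code from the original thread: a toy model of a
# stateful packet filter that performs no address translation at all.
# It shows that state, not NAT, keeps unsolicited inbound packets out,
# and that a protocol such as active FTP still needs a helper that
# registers an "expected" inbound connection. Everything here is
# hypothetical; addresses and ports are constructed.

INTERNAL_PREFIX = "10.0.0."  # constructed internal network

# A packet is modelled as a 4-tuple: (src_ip, src_port, dst_ip, dst_port)

class StatefulFilter:
    def __init__(self):
        self.established = set()  # outbound 4-tuples we have forwarded
        self.expected = set()     # inbound 4-tuples a helper has approved

    def process(self, pkt, direction):
        """Return 'ACCEPT' or 'DROP' for a packet crossing the filter."""
        src, sport, dst, dport = pkt
        if direction == "out":
            if not src.startswith(INTERNAL_PREFIX):
                return "DROP"  # spoofed source address, never forward it
            self.established.add(pkt)
            return "ACCEPT"
        # Inbound: only replies to flows we opened, or helper-approved ones.
        if (dst, dport, src, sport) in self.established:
            return "ACCEPT"
        if pkt in self.expected:
            self.expected.discard(pkt)  # one-shot expectation
            return "ACCEPT"
        return "DROP"

    def ftp_helper_expect(self, server, client, client_port):
        """The 'special code' for active FTP: the server connects back from
        port 20 to the port the client announced on the control channel."""
        self.expected.add((server, 20, client, client_port))


def demo():
    """Walk a few constructed packets through the filter; return verdicts."""
    fw = StatefulFilter()
    verdicts = {}
    verdicts["unsolicited_in"] = fw.process(("203.0.113.9", 5555, "10.0.0.5", 22), "in")
    verdicts["outbound"] = fw.process(("10.0.0.5", 40000, "198.51.100.7", 80), "out")
    verdicts["reply_in"] = fw.process(("198.51.100.7", 80, "10.0.0.5", 40000), "in")
    ftp_data = ("198.51.100.8", 20, "10.0.0.5", 41000)
    verdicts["ftp_data_no_helper"] = fw.process(ftp_data, "in")
    fw.ftp_helper_expect("198.51.100.8", "10.0.0.5", 41000)
    verdicts["ftp_data_with_helper"] = fw.process(ftp_data, "in")
    return verdicts
```

The FTP helper is the extra code path the reply calls out: it is the one place where an inbound connection is admitted without a matching outbound flow, so it deserves the closest review and monitoring.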
