"Steve Riley (MCS)" wrote:
> 
> Some "security experts" claim that NAT could be used as a firewall (or
> let's say, some means of hiding the internal network).

No security expert I know would assert such a thing.  If they did, I'd
give their title an instant expertectomy.

> I have a question
> about that. The assumption is that no packets could be sent directly
> from the Internet to clients behind NAT. However, imagine this scenario
> and tell me whether it's feasible.

As someone stated in an earlier response, you're describing a TCP
session splice.  NAT doesn't have any relevance to a session splice.

All the implementations of many-to-one NAT (sometimes called
"hide NAT") that I know of will prevent connections from being *initiated* from the
side that has the "one" hiding IP address, going to an IP address of the
"many".  In that sense, you gain some security over having routable
addresses on the many, but that's not what you should be relying upon to
protect the "many".  Use explicit filtering rules or proxies, whichever
is applicable.

Michael
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
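The hide-NAT behaviour Michael describes, as an added simulation that is not part of the thread: an outbound connection creates a mapping, replies matching that mapping are translated back, and anything else from the Internet is dropped because no entry exists. The HideNAT class, addresses and ports are all constructed for this example.

```python
"""Toy many-to-one ("hide") NAT, modelling only TCP/UDP 4-tuples (no sockets)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

HIDE_IP = "203.0.113.1"  # constructed: the "one" address the "many" hide behind


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class HideNAT:
    public_ip: str = HIDE_IP
    next_port: int = 40000
    # public_port -> (internal_ip, internal_port, remote_ip, remote_port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: reuse or allocate a public port and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: translate only if state created from inside matches."""
        entry = self.table.get(pkt.dst_port)
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            return None  # no mapping: the packet cannot be delivered to the "many"
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Unsolicited inbound is dropped; a reply to an inside-initiated flow passes;
    a packet from a different peer to the same public port is dropped too."""
    nat = HideNAT()
    unsolicited = nat.inbound(Packet("198.51.100.9", 4444, HIDE_IP, 40000))
    out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.9", 80))
    reply = nat.inbound(Packet("198.51.100.9", 80, HIDE_IP, out.src_port))
    stray = nat.inbound(Packet("198.51.100.7", 80, HIDE_IP, out.src_port))
    return unsolicited, reply, stray
```

Note that the mapping is a side effect of connection state, not a policy: it says nothing about which inside hosts may talk to which outside services, which is the job of the explicit filtering rules or proxies the reply recommends.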