RE: Penetrating a NAT

[Cessna, Michael]

Title: RE: Penetrating a NAT

Since NAT hides the Internal IP address yet does not limit connections in any way, shouldn't NAT be considered 'Security by Obfuscation'?

We all know that NAT alone is not the answer. I am pretty new to the security field and even I know that. However NAT is a great tool that we all use. The fact that it hides the internal IP addresses of our networks has the side effect of making an attacker go through another step, and since the best security policy is a layered approach, why can't we treat NAT a one of those layers? Sure it doesn't take much to get past it but if it causes more work to get through that gives us more time to detect the attack.

We shouldn't think of NAT as a firewall in and of itself but more as a layer of a firewall.

-> IOW, you may

-> be able to drive nails with your forehead, a dead cat, or last month's

-> half-eaten baguette, but why not use the hammer lying next to you?

->

-> Michael

-Sometimes all you have is that cat.

That must be one beat up cat! But if that's all you can get out of the bean counters in accounting then at least it's something. And even a dead cat will scare off the timid or inexperienced mice.

Michael Cessna
Systems Administrator
RealTime Media
308 Lancaster Ave.
Wynnewood, PA 19096
p.610-896-9400 x308
f.610-896-9416
[EMAIL PROTECTED]
www.realtimemedia.com
www.prizes.com

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 04, 2001 8:57 PM
To: [EMAIL PROTECTED]
Subject: RE: Penetrating a NAT

[me failing to type]
>This is me saying that NAT is very secure - it's me
> saying that
> it's more secure than many people claim.

Uh...this is NOT me saying that NAT is very secure. I'm not _that_ crazy. ;)

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304