David,

NAT is not an IP Address conservation technique, stateful inspection is a 
firewall technology.  Comparing the two is like comparing apples and 
oranges.  Most stateful inspection firewalls implement NAT as well.  But 
the key difference is NAT does not provide any mechanism for filtering IP 
traffic, and stateful inspection filters IP traffic based on a dynamic 
state table that is updated intelligently based on information collected 
in all seven layers of the IP traffic.

I see a lot of people using NAT as a security device.  This is not true. 
It provides some security through obscurity by hiding internal addressing 
schemes, but that is it.  Any packet that makes it to the NAT device can 
go anywhere in the internal network.  This can be accomplished with source 
routing, etc.  A good ingress policy can block a lot of this type of 
traffic, but this does not make NAT a filtering system.

I hope this helps.

Eric Schroeder
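To make the distinction Eric draws concrete, here is a small Python model added to this thread (it is not code from either poster). It puts a port-overloading NAT table beside a connection-tracking filter and runs constructed sample traffic through both: the NAT rewrites addresses but has no notion of "should this be forwarded", so an unsolicited packet that names an inside host directly is simply passed on as addressed, while the stateful filter drops it because no inside-initiated flow matches. The addresses are from documentation ranges, the TCP state machine is deliberately simplified (SYN, SYN/ACK, ACK only), and the filter is assumed to sit on the inside of the NAT so it sees untranslated addresses.

```python
"""Toy NAT table vs. toy stateful filter (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"   # TCP flag letters: "S"=SYN, "SA"=SYN/ACK, "A"=ACK


class PlainNat:
    """Many-to-one NAT: rewrites addresses, never makes an allow/deny decision."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port) -> public port
        self.in_map = {}    # public port -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Allocate (or reuse) a public port and rewrite the source."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet) -> Packet:
        """Translate when a mapping exists; otherwise forward as addressed.

        There is no policy here: a packet that already carries an inside
        destination (the source-routing case in the thread) is routed on
        unchanged, because translation is all a NAT does."""
        if pkt.dst == self.public_ip and pkt.dport in self.in_map:
            ip, port = self.in_map[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port, pkt.flags)
        return pkt


class StatefulFilter:
    """Connection tracking: inbound traffic is accepted only if it matches a
    flow the inside initiated, and only in the state the handshake allows."""

    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.table.get(key)
        if state is None:
            if pkt.flags == "S":              # new flow must start with a SYN
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if state == "SYN_RECV" and pkt.flags == "A":
            self.table[key] = "ESTABLISHED"   # third step of the handshake
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return "DROP"                     # unsolicited: nothing inside asked for it
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.table[key] = "SYN_RECV"
            return "ACCEPT"
        if state == "ESTABLISHED" and "S" not in pkt.flags:
            return "ACCEPT"
        return "DROP"                         # flag combination wrong for this state


def demo() -> dict:
    """Run constructed traffic through both devices and return the verdicts."""
    nat = PlainNat("203.0.113.1")
    fw = StatefulFilter()
    # Inside host opens a connection to an outside web server.
    syn = Packet("10.0.0.5", 51000, "198.51.100.9", 80, "S")
    translated = nat.outbound(syn)
    fw.outbound(syn)
    # The server's SYN/ACK comes back to the public address and is untranslated.
    synack = Packet("198.51.100.9", 80, translated.src, translated.sport, "SA")
    reply = nat.inbound(synack)
    reply_verdict = fw.inbound(reply)
    fw.outbound(Packet("10.0.0.5", 51000, "198.51.100.9", 80, "A"))
    # An unrelated outside host addresses an inside machine directly.
    stray = Packet("198.51.100.77", 4444, "10.0.0.9", 8080, "S")
    return {
        "translated_src": (translated.src, translated.sport),
        "reply_delivered_to": (reply.dst, reply.dport),
        "reply_verdict": reply_verdict,
        "stray_after_nat": nat.inbound(stray) == stray,   # True: NAT forwards it untouched
        "stray_verdict": fw.inbound(stray),                # DROP: no inside-initiated flow
    }


if __name__ == "__main__":
    print(demo())
```

The `stray` case is the point of the thread: the NAT returns the packet unchanged (it would be delivered wherever routing sends it), while the filter drops it for lack of state. The filter also rejects a second SYN/ACK on an already established flow, which is the kind of decision only a state table can make.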

David Ellis <[EMAIL PROTECTED]>
05/02/2002 05:01 PM

        To:     "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
        cc:
        Subject:        Nat versus stateful inspection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi List, I was wondering if someone could clarify something for me. I
know that NAT was developed with conservation of address space in
mind and not with security. What are the implications and security
aspects of just using NAT as a firewall instead of going with a
stateful inspection firewall? Are there vulnerabilities in NAT and if
so, what are they? What are the differences of NAT versus stateful
inspection etc.? Any thorough explanations would be greatly
appreciated, or links to articles, etc.

Sincerely,
David Ellis 
Systems Engineer 
MCSE, CCSE, CCA, CCNA


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPNHFK6raIKo8Q3RHEQJ1rACfYosydrUlWVg2/pa4hJCjdQtzeUwAnjOd
01Q45VbLYRUGdjqNllgUZ11Q
=yut+
-----END PGP SIGNATURE-----