On Mon, 2002-11-18 at 17:27, [EMAIL PROTECTED] wrote:
>
> We're about to put a public web server on a DMZ sitting behind a Tier 1
> firewall and only allow http, ssl to it. We intend to assign a public IP
> address to this server and no NATing is done on the firewall for this
> address (NATing done for internal network on Tier 2 firewall).
>
> It has been suggested that without NATing, it is possible for a hacker to
> compromise this server and pretend to be our company...
>
That's correct; however, it should have also been pointed out that this is true _with_ NAT as well.

> 1) While NAT addresses some security issues, doesn't this specific risk
> exist regardless of whether NAT is employed or not?
>
NAT solves IP address allocation issues; it is not a security feature. There may be some minor security advantages in using NAT, but in general it doesn't protect you from much of anything.

> 2) If NAT does help in this case, I'd appreciate comments as to how
>
> 3) Is there any good reading material on NAT security - specifically,
> what it can and can't protect against. The stuff I've read doesn't seem
> to talk about NAT in this context.
>
Again, this is because it doesn't protect you. The common belief is that because the internal machines don't have public IP addresses they are not accessible from the outside, but this is wrong. All it takes to bypass NAT is for the attacker to add a static route for your internal netblock that points at your router as a gateway. It is the responsibility of this router (which should include a firewall) to protect the internal network from attack; NAT alone won't do it.

-- 
Jason Kohles                [EMAIL PROTECTED]
Senior Engineer             Red Hat Professional Consulting
