Great Circle Associates Firewalls
(November 1996)

Subject: Re: Cisco's PIX firewall
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 26 Nov 96 8:53:19 EDT
To: Firewalls <Firewalls @ GreatCircle . COM>

NAT gives security for two kinds of hosts:

First, there are your "public" servers (www, smtp, etc..) 
that are "behind" the NAT box (hopefully on the side, 
not behind, DMZ style..)  NAT is not really needed in this
case, nor does it add much security by itself.  The two 
most well-known NAT products, Firewall-1 and PIX, also
add security equivalent to access-lists on a router, with
the extra benefit of better logging if you choose, and they
are generally better at making sure someone isn't
doing a SYN attack, or pushing packets through with the
ACK bits set or some such.

The other machines that NAT protects are your inside 
users, and it's easier to see why NAT is helpful in this case.
Typically, the administrator of the NAT box will have many inside
addresses map to fewer outside addresses.  Since there is no
one-to-one mapping of outside addresses to inside addresses,
how would the box decide who on the inside gets the request if
someone on the outside tried to open a port on one of the public
addresses?  

    Ryan

---------- Previous Message ----------
To: Firewalls
cc: lazar
From: pollock @ houston.omnes.net (Don Pollock - Omnes - Engineering) @ smtp
Date: 11/26/96 10:23:34 AM
Subject: Re: Cisco's PIX firewall

>From: Irwin Lazar <lazar @ netevolve . com>
[...]
>As far as the security aspects of PIX, it basically hides your entire
>network from the outside world.  Unless your PIX is corrupted, hosts
>outside of your network can never directly connect to hosts within your
>network since private addresses are not routed on the Internet.  

Huh?  The incoming packets have their destination address changed, and then 
they are passed right on to your network host.  The whole purpose of address 
translation is to allow packets to travel back and forth between your host and 
the Internet.   

True, Evil hosts can't initiate connections into your network, but NAT is 
certainly not the only way to prevent that.

Oops.  Now that I re-read what I've just written, it sounds like a flame.  Let 
me try again:  

Will somebody please explain to me how address translation provides security?  
Seems to me that if Evil Host sends an Evil Packet to Public Address, then the 
NAT box will dutifully translate Public Address into Secret Address and then 
pass the Evil Packet on. E.g.  If one puts an smtp mail server behind an 
address translation box, the server must have a *fixed* public address so that 
the Internet can send mail to it.  

Evil Host will not be able to initiate connections into Hidden Host, but Evil 
Server will still be able to send Evil Data when requested.

Any other security functions of PIX are provided by traditional access lists, 
with all their usual advantages and disadvantages, aren't they?

Thanks for any additional insight,

Don

pollock @ houston . omnes . net     Network Systems Engineer  +1 713 513 3017
Omnes - A Schlumberger/Cable & Wireless Company   http://www.omnes.net/ 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The true mark of intelligence is to learn from the experiences of others.
-------------------------------------------------------------------------
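The behaviour the two messages argue about, as an added example that is not code from the thread or from any product named in it: a toy many-to-one NAT with a per-connection translation table plus a static mapping for a public server. It shows Ryan's point (an unsolicited inbound packet to the shared public address matches no entry and is dropped) next to Don's point (a statically mapped SMTP server receives whatever the outside sends it, so NAT adds nothing for that host). All addresses, ports and packets are constructed for illustration, and the choice to reject a packet whose source is not the recorded peer of a dynamic entry is an assumption of this simulator, not a statement about how PIX or Firewall-1 behave.

```python
"""Toy stateful NAT (port address translation) simulator.

Added example, not code from the thread. Many inside hosts share one public
address, so an inbound packet that matches no translation entry cannot be
delivered and is dropped; a static mapping for a public server (the SMTP
case) deliberately lets inbound traffic through. Every address, port and
packet here is constructed (RFC 5737 documentation prefixes outside).
"""
from dataclasses import dataclass, replace as dc_replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # "S" for SYN, "A" for ACK, etc.; informational only


# (inside_ip, inside_port, remote_ip, remote_port)
FlowKey = Tuple[str, int, str, int]


class Nat:
    """Many-to-one NAT with a per-connection table and optional static maps."""

    def __init__(self, public_ip: str, port_pool: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_pool
        self.by_public_port: Dict[int, FlowKey] = {}  # dynamic entries by public port
        self.by_flow: Dict[FlowKey, int] = {}         # reverse lookup for outbound
        self.static: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, port)
        self.log: List[str] = []

    def add_static(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Publish an inside server on a fixed public port (e.g. 25 for SMTP)."""
        self.static[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: allocate (or reuse) a public port, rewrite the source."""
        flow: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
            self.log.append(f"NEW {flow} -> {self.public_ip}:{port}")
        return dc_replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: return the translated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            self.log.append(f"DROP not our address: {pkt}")
            return None
        if pkt.dst_port in self.static:
            # Static mapping: delivered no matter who sent it. NAT does nothing
            # for a server that must be reachable; the server itself must cope.
            ip, port = self.static[pkt.dst_port]
            self.log.append(f"STATIC {pkt.dst_ip}:{pkt.dst_port} -> {ip}:{port}")
            return dc_replace(pkt, dst_ip=ip, dst_port=port)
        flow = self.by_public_port.get(pkt.dst_port)
        if flow is None:
            # Many inside hosts, one public address: nobody to hand this to, so an
            # unsolicited SYN (or a bare ACK with no state) is dropped.
            self.log.append(f"DROP no translation for port {pkt.dst_port} ({pkt.flags})")
            return None
        inside_ip, inside_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            # Assumption of this toy: entries are bound to the remote endpoint
            # (symmetric-style NAT), so a third party guessing the public port is
            # rejected. Real products vary (full-cone vs. symmetric).
            self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} is not the peer of port {pkt.dst_port}")
            return None
        return dc_replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def run_demo() -> Dict[str, Optional[Packet]]:
    """Constructed scenario: one browsing client, one SMTP server, one evil host."""
    nat = Nat("203.0.113.1")
    nat.add_static(25, "10.0.0.25", 25)  # public mail server behind the NAT box
    client = Packet("10.0.0.10", 40000, "198.51.100.7", 80, "S")
    out = nat.outbound(client)           # becomes 203.0.113.1:1024 -> web server
    reply = Packet("198.51.100.7", 80, out.src_ip, out.src_port, "SA")
    evil = "192.0.2.66"
    return {
        "outbound": out,
        "reply": nat.inbound(reply),                                               # delivered
        "guess_port": nat.inbound(Packet(evil, 4444, "203.0.113.1", out.src_port, "S")),  # dropped
        "no_state": nat.inbound(Packet(evil, 4444, "203.0.113.1", 3389, "A")),     # dropped
        "smtp": nat.inbound(Packet(evil, 4444, "203.0.113.1", 25, "S")),           # delivered
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} {'DROP' if result is None else result}")
```

Running it prints the five outcomes: the client's outbound packet leaves as 203.0.113.1:1024, the web server's reply is translated back to 10.0.0.10:40000, the two unsolicited packets are dropped, and the packet to port 25 reaches 10.0.0.25 untouched by anything NAT does. The last case is the one Don raises: for a published server the protection has to come from the server and from access-list style filtering, not from address translation.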
