I think perhaps you misunderstood my two cases..
In case number two, where you say that inside hosts
(like an SMTP server) have no protection...true. That's
case number one. NAT does offer some security for
hosts doing the many-to-few address translation thing.
The NAT box I'm most familiar with (firewall-1) will
do some extra things when doing one-to-one NAT,
such as not allowing a duplicate reply in, etc..
Not sure why this would help security in any way,
but what the heck.. NAT does do a little more than
just plain access-lists on a router..
As far as the case you mention, there isn't any really good
way to firewall services that you WANT outside people
to get at. You could have a proxy in the middle, but then
you might as well have a well-written server process
to begin with. It's about the same exercise. The
modularity might be useful with that arrangement though..
might allow inside people to access everything, and outside
people less access...but I would recommend against have
machines truly "inside" offering public services.
---------- Previous Message ----------
To: firewalls, Ryan.Russell
From: Russ.Cooper @ RC.on.ca (Russ) @ smtp
Date: 11/27/96 06:23:38 AM
Subject: RE: Cisco's PIX firewall
>NAT gives security for two kinds of hosts:
1. Public hosts...<snip>..."NAT is not really needed in this case, nor
does it add much security by itself."...<snip>
2. Internal hosts...<snip>...stuff about no one-to-one mapping...but
there is a one-to-one mapping to anything that is inside a NAT and is
going to accept inbound connections...like an internal SMTP server for
example. Then there's the fact that once an internal host makes a
connection through a NAT, it can then be tampered with as if there was
If someone asked me what security NAT provides, I'd say none at all.
Firewall-1 and PIX offer security, and, they offer NAT. NAT is not a
security product, it may obscure things, but it protects nothing by
R.C. Consulting, Inc. - NT/Internet Security Consulting
ca <-- *note the new address*