Great Circle Associates Firewalls
(January 1997)
 


Subject: Re: NT NAT
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Sat, 4 Jan 1997 15:34:27 +1100 (EDT)
To: lists @ reflections . mindspring . com (Todd Graham Lewis)
Cc: Russ . Cooper @ RC . on . ca, firewalls @ GreatCircle . COM
In-reply-to: <Pine . LNX . 3 . 95 . 970103143550 . 15986D-100000 @ reflections . mindspring . com> from "Todd Graham Lewis" at Jan 3, 97 02:37:09 pm

In some mail from Todd Graham Lewis, sie said:
> On Thu, 2 Jan 1997, Russ wrote:
> 
> > Their network diagram describing how the system would be placed has it
> > behind a router and in front of the internal LAN. So now someone would
> > seem to think that it is highly desirable to dedicate an NT Workstation
> > to the task of NAT-only. Me thinks you could probably get a new router
> > that supports NAT for less money.
> 
> I sincerely agree.  A much better choice would have been a 386 running a
> non-bloated OS w/ IP Masquerade.  There was a description of just such a
> setup in this month's SysAdmin magazine for anyone interested.

IP Masquerading (and Linux is the only place it is called such) is NAT,
so your "better choice" really isn't better at all.

Whilst you could buy a PIX or some other router which does the same, they
are only more secure in the sense that it isn't running a "normal" OS -
it is still running IOS (or whatever it must) and that can still be "broken
into" so the gain is minimal.

NAT doesn't buy you "security", except for security by obscurity and a
little more.  If the NAT product works as they all should, it should _NOT_
be possible to target an internal machine without it having initiated an
external communication first.  The obscurity: the attacker doesn't have
`direct' access to the internal hosts; the bit extra is if a host inside
never requires the NAT, it never has an external IP#.

Relying on NAT alone is dangerous, as so long as the mapping exists, the host
can be attacked.

Darren

p.s. in case you missed it, IP Masquerading is NOT more secure than NAT.
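To make the argument concrete, here is a small constructed model of a NAT mapping table, added here and not taken from the thread or from any real NAT implementation: an internal host is unreachable until it sends something out, anyone who reaches the mapped external port is forwarded to it while the mapping lives (the "obscurity"), and it vanishes again when the mapping times out. The `restrict_peer` option goes one step beyond the post and checks the inbound source against the peer that created the mapping, which is the filtering NAT on its own does not give you. All addresses, ports and the 60-second timeout are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Toy source-NAT with one dynamic mapping table (constructed model)."""

    def __init__(self, external_ip, timeout, restrict_peer=False):
        self.external_ip = external_ip
        self.timeout = timeout          # seconds of idle time before a mapping dies
        self.restrict_peer = restrict_peer
        # external port -> (internal ip, internal port, peer ip, peer port, last use)
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt, now):
        """An internal host talking out is the only thing that creates a mapping."""
        for ext_port, e in self.table.items():
            if e[:2] == (pkt.src, pkt.sport):
                self.table[ext_port] = e[:4] + (now,)   # refresh idle timer
                return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport, now)
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """Return the translated packet, or None if the NAT drops it."""
        self.table = {p: e for p, e in self.table.items() if now - e[4] < self.timeout}
        e = self.table.get(pkt.dport)
        if e is None:                       # no mapping: internal host is invisible
            return None
        if self.restrict_peer and (pkt.src, pkt.sport) != e[2:4]:
            return None                     # mapping exists, but not for this peer
        return Packet(pkt.src, pkt.sport, e[0], e[1])


def demo(restrict_peer):
    """Walk one mapping through its life; constructed addresses throughout."""
    nat = Nat("192.0.2.1", timeout=60, restrict_peer=restrict_peer)
    nat.outbound(Packet("10.0.0.5", 1234, "203.0.113.9", 80), now=0)
    legit = nat.inbound(Packet("203.0.113.9", 80, "192.0.2.1", 40000), now=5)
    other = nat.inbound(Packet("198.51.100.7", 5555, "192.0.2.1", 40000), now=10)
    unmapped = nat.inbound(Packet("198.51.100.7", 5555, "192.0.2.1", 40001), now=10)
    expired = nat.inbound(Packet("203.0.113.9", 80, "192.0.2.1", 40000), now=100)
    return legit, other, unmapped, expired
```

With `restrict_peer=False` the second probe is forwarded to the internal host exactly as the post warns; with `restrict_peer=True` only the peer the host actually contacted gets through.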


References:
  • RE: NT NAT
    From: Todd Graham Lewis <lists @ reflections . mindspring . com>