North American Network Operators Group
Re: Security gain from NAT
Jim Shankland wrote:
Owen DeLong <[email protected]> writes:
Not so. NATing source addresses from multiple source hosts towards the Internet anonymises the source machines so they cannot be 'looked at' individually.
Additionally, NATing services on separate machines behind a single NATed address anonymises the services behind a single address.
Also, it is good to control the Internet-addressable devices on your network by putting them behind a NAT device. That way you have fewer devices to concern yourself about that are directly addressable when they most likely need not be. You can argue that you can do the same with a firewall and a default deny policy, but it's a hell of a lot easier to sneak packets past a firewall when you have a directly addressable target behind it than when it's all anonymous because it's NATed and the real boxes are on RFC1918.
So really, those who do not think there is a security gain from NATing don't see the big picture.
-- Leigh Porter