On Wed, Mar 21, 2007 at 5:41 AM, Tarig Ahmed <tariq198487@hotmail.com> wrote:
We have wide range of Public IP addresses, I tried to assign public ip directly to a server behined firewall( in DMZ), but I have been resisted. Security guy told me is not correct to assign public ip to a server, it should have private ip for security reasons.
Is it true that NAT can provide more security?
Hi Tarig, Yes NAT can provide more security, but not in the particular scenario you described. In your scenario, the firewall knows how to map incoming connections for the public address to your server's private address, so you won't see any benefit from NAT versus a merely stateful firewall -- a connection request will either get through the filter or it won't. If it gets through, the firewall knows where to send it. On the other hand, the use of any kind of stateful firewall (most of what we refer to as NAT firewalls keep per-connection state) increases your vulnerability to denial of services attacks: folks DOSing you can target both the server and the firewall's state table. So the use of NAT there is potentially counterproductive. In a client (rather than server) scenario, the picture is different. Depending on the specific "NAT" technology in use, the firewall may be incapable of selecting a target for unsolicited communications inbound from the public Internet. In fact, it may be theoretically impossible for it to do so. In those scenarios, the presence of NAT in the equation makes a large class of direct attacks on the interior host impractical, requiring the attacker to fall back on other methods like attempting to breach the firewall itself or indirectly polluting the responses to communication initiated by the internal host. In both cases there's a larger question: security value. The value of a security measure is the damage it prevents (risk times impact) minus the damage it causes (system usability, capability). NAT generally causes more damage than packet filters and other lighter-duty security measures. Look for an appropriate improvement in system security to counterbalance that damage. If you don't find it then don't use NAT. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.comĀ bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004