
Is it true that NAT can provide more security?
Thanks,
Tarig Yassin Ahmed
You are going to get different answers from different people. In and of itself it doesn't provide security, but it does place one more layer of difficulty in getting at your internal machines. On the other hand, NAT makes many things a lot more difficult than they need to be in many cases and outright breaks some protocols (SCTP, for example).

On one hand, yes, it can make direct addressing of your servers more difficult, but it doesn't guarantee anything. RFC1918 routes should not be routed over the Internet, but sometimes people "leak" them and sometimes people accept such leaked routes. So there is the possibility that someone could "see" a route to your RFC1918 space. But on the other hand, even if you did "leak" the route, the odds of someone being able to reliably connect to your network are pretty low, because if they are accepting such leaked routes from you, they might be accepting them from others, too. And your upstream's peers are probably filtering RFC1918 space and most likely route traffic destined to RFC1918 space they aren't using to a black hole.

But your security person needs to shift their thinking, because the purpose of NAT and private addressing is to conserve IP addresses, not to provide security. With IPv6, the concept of NAT goes away. Your servers will need public IP addresses if they are going to transact information across the Internet. So the "security" concerns of public IP space are moot when it comes to IPv6.
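The reply above leans on the fact that a leaked RFC1918 route is usually dropped by the filters on an upstream's peers. The following Python is an added example (not code from the thread or its posters) of that kind of inbound prefix filter: it rejects any received prefix that overlaps RFC1918 space or a few other blocks that must never appear in the global table, and it generalises slightly beyond the reply by also covering IPv6 unique-local and link-local space. The prefix list and the sample announcements are constructed for the example.

```python
"""Drop RFC1918 and other non-routable prefixes from a list of received routes.

Added example with constructed input; not from the original thread.
"""
import ipaddress

# Blocks that should never be accepted from a peer. RFC1918 private space is
# the case discussed in the thread; the rest are other well-known non-routable
# ranges, including their IPv6 counterparts.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC1918
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("169.254.0.0/16"),   # IPv4 link-local
    ipaddress.ip_network("100.64.0.0/10"),    # shared address space (RFC6598)
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique local (RFC4193)
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
]


def is_non_routable(prefix: str) -> bool:
    """True if the prefix overlaps any block that must not be routed globally.

    overlaps() is used rather than subnet_of() so that both a leaked
    10.1.0.0/16 (inside 10/8) and a sloppy 10.0.0.0/7 (which would swallow
    10/8) are caught.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == block.version and net.overlaps(block)
               for block in NON_ROUTABLE)


def filter_routes(announced):
    """Split received prefixes into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for prefix in announced:
        (rejected if is_non_routable(prefix) else accepted).append(prefix)
    return accepted, rejected


# Constructed sample announcement from a peer: a mix of documentation
# prefixes (which pass this filter) and leaked private space (which does not).
SAMPLE_ANNOUNCEMENT = [
    "203.0.113.0/24",
    "10.1.0.0/16",
    "192.0.2.0/24",
    "172.20.5.0/24",
    "2001:db8::/32",
    "fd00::/8",
]

if __name__ == "__main__":
    ok, dropped = filter_routes(SAMPLE_ANNOUNCEMENT)
    print("accepted:", ok)
    print("rejected:", dropped)
```

In practice this logic lives in the router's prefix-list or route-map configuration rather than in a script, but the behaviour is the same: a leaked 10.1.0.0/16 never makes it into the table of a peer that filters properly, which is why a leak is a nuisance rather than a reliable path to someone's internal hosts.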