On 14-05-01 14:34, Owen DeLong wrote:
> Believe me, I cringe every time I hear "our auditors require NAT as a security mechanism"
Pardon my ignorance here. But in a carrier-grade NAT implementation that serves, say, 5000 users, what happens when someone from the outside tries to connect to port 80 of the shared routable IP? You still need to have explicit port forwarding to specific LAN-side hosts (like the web server), right?

Trying to be devil's advocate here (and discussing only incoming calls): in a NAT setup for a company, wouldn't the concept be that you explicitly have to open a few ports to specific hosts? (For instance, 80 points to the web server's LAN IP address.) All the rest of the gazillion ports are blocked by default, since the router doesn't know to which LAN host they should go.

On the other hand, for a LAN with routable IPs, by default all ports are routed to all computers, and security then depends on ACLs or other mechanisms to implement a firewall.

Auditors probably prefer an architecture where everything is blocked by default and you open specific ports, compared to one where everything is open by default and you then add ACLs to implement security. (Not judging whether one is better, just trying to figure out why auditors might prefer NAT.)

Also, home routers have "NAT" which is really a combo of NAT with a basic firewall, so if you don't have "NAT", they may equate this to not having a firewall.
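As an added illustration, not part of the original message, here is an nftables ruleset for a router in front of a LAN with routable addresses, with the forward chain set to policy drop so that only the one explicitly listed port on the one listed host is reachable from outside, followed by the NAT form of the same policy. Interface names and the 203.0.113.0/24, 10.0.0.0/24 and .10 addresses are assumed placeholder values.

```nftables
# Added example: routable LAN behind a stateful default-deny forward chain.
# Interface names and addresses are assumed placeholders (RFC 5737 / RFC 1918 space):
# lan0 = 203.0.113.0/24 (routable hosts), wan0 = uplink, web server = 203.0.113.10.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN opened are allowed back in; everything
        # else is dropped unless a rule below names it, which is the same
        # "closed unless explicitly opened" behaviour a NAT port-forward table gives.
        ct state established,related accept
        ct state invalid drop

        # Outbound: LAN hosts may open new connections towards the Internet.
        iifname "lan0" oifname "wan0" ct state new accept

        # Inbound: the single published service, equivalent to a port forward
        # of 80 -> web server. Every other port on every other host stays closed.
        iifname "wan0" oifname "lan0" ip daddr 203.0.113.10 tcp dport 80 ct state new accept

        # Count and log what the default policy drops so the denials are visible.
        counter log prefix "fwd-drop " drop
    }
}

# The NAT form of the same policy, for a LAN on 10.0.0.0/24 behind one public
# address. The dnat rule is the "port forward"; the forward chain above (with
# 10.0.0.10 in place of 203.0.113.10) still has to accept the translated packet,
# so in both designs the default-deny comes from the filter policy, not from
# the address translation itself.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" tcp dport 80 dnat to 10.0.0.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Loading the ruleset with `nft -f` and then listing it with `nft list ruleset` shows the drop policy and counters, which is the evidence an auditor asking for "blocked by default" is usually after.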