From: "Steven M. Bellovin" <smb(_at_)research(_dot_)att(_dot_)com>
In message <001501bfaf43$127e4d00$3490130a(_at_)cisco(_dot_)com>, "Eliot Lear"
It is a complete fallacy that NAT provides any sort of security. It does
no such thing. Security is provide by a firewall, and (more importantly)
by strong security policies that are policed and enforced.
Eliot is absolutely right. A NAT box *might* be part of a firewall, but by
itself it isn't one. It's no more secure, and often less so, than an
You both right ... from strong point of view. But if intruder
can't hook target host simply because he does not know - how he can open
TCP to it then it is also part of security.
The myth that NATs per se provide strong security is one of the greatest
barriers to their elimination.
It is not a myth. It is level of thinking. If you setup only firewall
and you are not very good network engineer you can't understand where could
be the next threat. Your TCP stack/firewall/etc may have a bug, some new
protocol may have a misdesign. But anybody clear understand that if your
internal hosts do not have a public address then all attacks may be
only static - wait until internal host open TCP to somewhere. And this
kind of attack may be at least investigated and compromised external host
may be found.
I am not NAT defender but I recognize how IS dept thinks.
I prefer a mixed solution like uniq host system ID + some controllable
- Leonid Yegoshin, LY22