[Dshield] NAT: Secure?

Micheal Patterson micheal at cancercare.net
Thu Aug 28 22:07:10 GMT 2003

----- Original Message ----- 
From: "Alan Frayer" <afrayer at frayernet.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, August 28, 2003 9:06 AM
Subject: Re: [Dshield] NAT: Secure?

> On Thu, 2003-08-28 at 00:31, Micheal Patterson wrote:
> > I've always looked at NAT as a rudimentary stateful firewall personally
> > that's how it functions by design. You can circumvent this by placing
> > is called a static NAT map / translation that will redirect inbound
> > to say, port 25, to an internal machine on port 25.  Most of the
> > routers have the ability to set up one static host entry to divert all
> > traffic to the outside IP to one system internally. This option doesn't
> > if you have your services on multiple internal systems however.  In my
> > opinion, NAT itself, is a good start, a NAT + firewall combination is
> > better since NAT will take any outbound traffic and create a dynamic
> > for it.
> Would you put the firewall on the outside of the NAT, or on the inside?
> ________________________________________________________________________
> Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
> Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
> If you would like to discuss an opportunity with me, please e-mail.

That would depend on the scenario. If you have more than one real IP that
you can use, put it outside. If you don't have the IPs to spare, put it
directly behind the NAT before the LAN switch / Hub.


Micheal Patterson
TSG Network Administration
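
The behaviour discussed in this thread, as an added example that is not part of the original messages: a small model of a NAT translation table showing which inbound packets are forwarded. The class and function names are hypothetical, the addresses are constructed from documentation ranges, and the model assumes a NAT that matches replies on remote address and port (real devices vary).

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    # public port -> (inside ip, inside port); configured by the administrator
    static_maps: dict = field(default_factory=dict)
    # public port -> (inside ip, inside port, remote ip, remote port); created by outbound traffic
    dynamic: dict = field(default_factory=dict)
    next_port: int = 40000  # constructed starting point for allocated public ports

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside host opens a connection: record state, return the public port used."""
        for port, entry in self.dynamic.items():
            if entry == (src_ip, src_port, dst_ip, dst_port):
                return port
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (src_ip, src_port, dst_ip, dst_port)
        return port

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the inside (ip, port) a packet is forwarded to, or None if it is dropped."""
        entry = self.dynamic.get(public_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                      # reply to a connection started inside
        if public_port in self.static_maps:
            return self.static_maps[public_port]  # static map: forwarded for ANY remote host
        return None                               # no state, no map: nowhere to send it

def demo():
    nat = Nat(static_maps={25: ("10.0.0.5", 25)})  # static map for inbound SMTP
    p = nat.outbound("10.0.0.20", 51000, "198.51.100.7", 80)
    return {
        "reply": nat.inbound("198.51.100.7", 80, p),
        "other_remote": nat.inbound("192.0.2.99", 80, p),
        "unsolicited": nat.inbound("192.0.2.99", 4444, 445),
        "static_smtp": nat.inbound("192.0.2.99", 33000, 25),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} -> {result}")
```

The static map is the one path that forwards traffic from any remote host, so that is the traffic a separate filtering firewall still has to police.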
