[Dshield] NAT: Secure?

Micheal Patterson micheal at cancercare.net
Thu Aug 28 22:07:10 GMT 2003


----- Original Message ----- 
From: "Alan Frayer" <afrayer at frayernet.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, August 28, 2003 9:06 AM
Subject: Re: [Dshield] NAT: Secure?


> On Thu, 2003-08-28 at 00:31, Micheal Patterson wrote:
>
> > I've always looked at NAT as a rudimentary stateful firewall personally as
> > that's how it functions by design. You can circumvent this by placing what
> > is called a static NAT map / translation that will redirect inbound traffic
> > to say, port 25, to an internal machine on port 25.  Most of the cable/dsl
> > routers have the ability to set up one static host entry to divert all
> > traffic to the outside IP to one system internally. This option doesn't work
> > if you have your services on multiple internal systems however.  In my
> > opinion, NAT itself, is a good start, a NAT + firewall combination is always
> > better since NAT will take any outbound traffic and create a dynamic link
> > for it.
>
> Would you put the firewall on the outside of the NAT, or on the inside?
>
> ________________________________________________________________________
> Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
> Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
> If you would like to discuss an opportunity with me, please e-mail.

That would depend on the scenario. If you have more than one real IP that
you can use, put it outside. If you don't have the IPs to spare, put it
directly behind the NAT before the LAN switch / Hub.

--

Micheal Patterson
TSG Network Administration
405-917-0600
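
The behaviour discussed in this thread, as an added example that is not part of the original messages: a toy port-translating NAT showing the dynamic mapping created by outbound traffic, the drop of unsolicited inbound traffic, and a static map for port 25. The class and function names and all addresses are constructed, and the model assumes the strictest filtering (a reply must come from the same remote endpoint), which real devices do not all enforce.

```python
# Toy model of a port-translating NAT (added example; all addresses are constructed).
from typing import Optional, Tuple

Endpoint = Tuple[str, int]


class Nat:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.static = {}    # public port -> internal endpoint (static map)
        self.dynamic = {}   # public port -> (internal endpoint, remote endpoint)
        self._next_port = 40000

    def add_static(self, public_port: int, internal: Endpoint) -> None:
        """Static translation: inbound traffic to public_port always goes inside."""
        self.static[public_port] = internal

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Any outbound packet creates (or reuses) a dynamic mapping; nothing is filtered."""
        for port, (inside, peer) in self.dynamic.items():
            if inside == internal and peer == remote:
                return (self.public_ip, port)
        port = self._next_port
        self._next_port += 1
        self.dynamic[port] = (internal, remote)
        return (self.public_ip, port)

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Return the internal endpoint a packet is delivered to, or None if dropped."""
        if public_port in self.static:
            return self.static[public_port]          # reachable by any remote host
        entry = self.dynamic.get(public_port)
        if entry and entry[1] == remote:             # reply on an existing flow
            return entry[0]
        return None                                  # unsolicited: no state, dropped


def demo() -> dict:
    nat = Nat("203.0.113.10")
    nat.add_static(25, ("192.168.1.5", 25))
    web = ("198.51.100.7", 80)
    _, port = nat.outbound(("192.168.1.20", 51000), web)
    return {
        "reply": nat.inbound(web, port),
        "unsolicited": nat.inbound(("192.0.2.99", 4444), port),
        "closed_port": nat.inbound(("192.0.2.99", 4444), 445),
        "static_smtp": nat.inbound(("192.0.2.99", 4444), 25),
    }
```

The `outbound` method accepts every flow from any internal host, which is the gap a separate firewall with egress rules is meant to close.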



