Re: NAT and Web Server Security

["Cheryl Goh" <cherylgoh () elock com my>]

When NAT is configured at the firewall to allow the public to access a web
server, it is a Static NAT which basically tells the firewall to forward all
traffic destined to the global address of a web server to the internal
address that is unknown to the public. All traffic is passed through and
therefore it will not prevent a hacker from penetrating the server. It will
however hide the ip addresses of all other internal servers, preventing
hackers from accessing those servers directly from the internet.


----- Original Message -----
From: <spato99 () hotmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, November 19, 2002 6:27 AM
Subject: NAT and Web Server Security


> We're about to put a public web server on DMZ sitting behind a Teir 1
> firewall and only allow http, ssl to it.  We intend to assign a public IP
> address to this server and no NAT'ing is done on the firewall for this
> address (NATing done for internal network on Teir 2 firewall).
>
> It has been suggested that without NATing, it is possible for a hacker to
> compromise this server and pretend to be our company...
>
> 1) While NAT address some security issues, doesn't this specific risk
> exist regardless of whether NAT is employed or not?
>
> 2) If NAT does help in this case, I'd appreciate comments as to how
>
> 3) Is there any good reading material on NAT security - specifically,
> what it can and can't protect against. The stuff I've read doesn't seem
> to talk about NAT in this context.
>
>
> Thanks