mailing list archives
Re: NAT and Web Server Security
From: Jason Kohles <jkohles () redhat com>
Date: 19 Nov 2002 16:20:56 -0500
On Mon, 2002-11-18 at 17:27, spato99 () hotmail com wrote:
We're about to put a public web server on DMZ sitting behind a Teir 1
firewall and only allow http, ssl to it. We intend to assign a public IP
address to this server and no NAT'ing is done on the firewall for this
address (NATing done for internal network on Teir 2 firewall).
It has been suggested that without NATing, it is possible for a hacker to
compromise this server and pretend to be our company...
That's correct, however it should have also been pointed out that this
is true _with_ NAT as well.
1) While NAT address some security issues, doesn't this specific risk
exist regardless of whether NAT is employed or not?
NAT solves ip address allocation issues, it is not a security feature,
there may be some minor security advantages in using NAT, but in general
it doesn't protect you from much of anything.
2) If NAT does help in this case, I'd appreciate comments as to how
3) Is there any good reading material on NAT security - specifically,
what it can and can't protect against. The stuff I've read doesn't seem
to talk about NAT in this context.
Again, this is because it doesn't protect you, the common belief is that
because the internal machines don't have public IP addresses they are
not accessible from the outside, but this is wrong. All it takes to
bypass NAT is for the attacker to add a static route for your internal
netblock that points at your router as a gateway. It is the
responsibility of this router (which should include a firewall) to
protect the internal network from attack, NAT alone won't do it.
Jason Kohles jkohles () redhat com
Senior Engineer Red Hat Professional Consulting