RE: NAT external/Public IP



It doesn't tell you that you must use NAT. It tells you to properly
secure your internal address space SUCH AS PAT or NAT.

"1.5
Implement IP masquerading to prevent internal addresses from being
translated and revealed on the internet.
Use technologies that implement RFC 1918 address space, such as port
address translation (PAT) or network address translation (NAT)."

NAT doesn't make much of a difference in how secure a public IP is.
As long as the host is properly secured it should be no different than
hosting a DMZ.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jason Alexander
Sent: Thursday, October 25, 2007 10:28 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: NAT external/Public IP

If it's not a security risk then why is it a PCI requirement?

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: 25 October 2007 15:49
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: NAT external/Public IP

On 2007-10-25 crazy frog crazy frog wrote:
> On 24 Oct 2007 15:46:21 -0000, smarts_buy@xxxxxxxxx wrote:
>> Would like to know is there any security concern to bring in
>> external/public IP without NAT to inside of the enterprise network.
>> Is it any way more secure if we use NAT?
> [...]
> 2) If you allow lots of machines to directly access the internet with
> external IP they may pose a security risk.

How would that pose a risk that would not exist with NAT'ed machines?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

