CheckPoint has 2 ways to NAT an object:
- Hide NAT
- Static NAT (source and destination)

Hide NAT (many to one) is used for NATing networks either behind a
specified IP or the IP of the gateway - this type of NAT can only be
used for outbound connections.

Static NAT (one to one) is used for objects that require connections to
be initiated inbound, i.e. for web servers on a DMZ.

Hide NATing a whole subnet is a very common practice; however, this type
of NAT will not solve your problem, only Static NAT will.

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ian
Harris
Sent: Tuesday, 26 April 2005 10:02 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] IS hiding behind NAT always necessary
At our org. most of our users' IPs are not hiding behind a NAT, but will
use the proxy servers address. Nowadays though, there seem to be more
add-on services that require ports that open separate TCP connections
back to the originating host.
This then requires the originating host to be NAT'ted for the service to
work.
My question is whether NAT'ing a whole subnet is a done thing
nowadays... and does it increase the security risk.
Does anyone have any thoughts on this?
cheers
Ian
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================