Mailing list for discussion of Firewall-1 wrote:
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ian Harris
> Sent: Tuesday, 26 April 2005 10:02 AM
>
> > At our org. most of our users' IPs are not hiding behind a NAT,
> > but will use the proxy server's address. Nowadays though, there seem
> > to be more add-on services that require ports that open separate TCP
> > connections back to the originating host.
> >
> > This then requires the originating host to be NAT'ed for the
> > service to work.
> > My question is whether NAT'ing a whole subnet is a done thing
> > nowadays... and does it increase the security risk.
> >
> > Does anyone have any thoughts on this?
> >
> > cheers
> >
> > Ian
>
> CheckPoint has 2 ways to NAT an object
>
> Hide NAT
> Static NAT (source and destination)
>
> Hide NAT (many to one) is used for NATing networks either behind a
> specified IP or the IP of the gateway - this type of NAT can only be
> used for outbound connections
>
> Static NAT (one to one) is used for objects that require
> connections to be initiated inbound ie for web servers on a DMZ
>
> Hide NATing a whole subnet is a very common practice; however, this type
> of NAT will not solve your problem. Only Static NAT will.
First, is hiding behind NAT necessary?
When using public addresses for the whole network, it is not necessary
per se. When you are using RFC1918 addresses, yes, you need some form of
hiding the internal addresses, be it a proxy or a NAT rule.
And yes, hide NAT is done a lot nowadays. Some even use it as an extra
layer of security, which can be a good thing.
NAT does not inspect the higher layers of the protocol as a proxy can
do, so in this respect it may offer less security.
Keep in mind though that NAT was invented as a way to overcome the
limitations of the IPv4 address-space and as such has some drawbacks,
one of which is hiding (complex) services behind NAT, which can be a
pain.
Just my 0,02 euro
GRTNX,
RobJE
--
Home is near Enter. ((c) RonA)
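The difference between the two Check Point NAT types described in the quoted reply, and the reason hide NAT alone cannot carry Ian's "separate TCP connection back to the originating host", can be seen in a small stateful model. The following is an added example written for this page, not code from the thread or from Check Point; it models only the translation table, not the FW-1 rulebase, and every address and port in it is made up.

```python
"""Toy model of Hide NAT (many-to-one) and Static NAT (one-to-one).

Added example, not code from the original thread or from Check Point.
All addresses and ports are made up.  It shows why an unsolicited
inbound TCP connection is dropped behind Hide NAT (the gateway has no
translation state for it) but is delivered behind Static NAT.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HideNAT:
    """Many-to-one: every internal host is hidden behind hide_ip.

    Translation state is created only by outbound packets, so the only
    inbound packets that can be mapped back are replies to connections
    the inside initiated."""

    def __init__(self, hide_ip: str):
        self.hide_ip = hide_ip
        self._ports = count(10000)          # next free hide port
        self._out = {}   # (src, sport, dst, dport) -> hide port
        self._in = {}    # hide port -> (src, sport, dst, dport)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._out:
            hp = next(self._ports)
            self._out[key] = hp
            self._in[hp] = key
        return Packet(self.hide_ip, self._out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the de-translated packet, or None if it must be dropped."""
        if pkt.dst != self.hide_ip:
            return None
        state = self._in.get(pkt.dport)
        # A stateful gateway also checks that the sender is the remote
        # endpoint the state was created for, not just the hide port.
        if state is None or (state[2], state[3]) != (pkt.src, pkt.sport):
            return None
        src, sport, _, _ = state
        return Packet(pkt.src, pkt.sport, src, sport)


class StaticNAT:
    """One-to-one: each internal host has its own public address, so
    packets can be translated in either direction without prior state."""

    def __init__(self, mapping: dict):
        self._priv_to_pub = dict(mapping)
        self._pub_to_priv = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(self._priv_to_pub[pkt.src], pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self._pub_to_priv.get(pkt.dst)
        if priv is None:
            return None
        return Packet(pkt.src, pkt.sport, priv, pkt.dport)


def simulate(nat, internal_ip: str, server: str = "203.0.113.80"):
    """Run three packets through the NAT and report which get through.

    Returns (outbound_ok, reply_ok, unsolicited_ok)."""
    # 1. Internal client opens a connection to an external server.
    out = nat.outbound(Packet(internal_ip, 40000, server, 80))
    # 2. The server replies to whatever source address it saw.
    reply = nat.inbound(Packet(server, 80, out.src, out.sport))
    # 3. The server opens a *new* connection back to the client on port
    #    6000, like the add-on services in the original question.
    back = nat.inbound(Packet(server, 5555, out.src, 6000))
    return (
        out.src != internal_ip,                          # address was hidden
        reply is not None and reply.dst == internal_ip,  # reply reached client
        back is not None and back.dst == internal_ip,    # new inbound reached client
    )


if __name__ == "__main__":
    print("Hide NAT  :", simulate(HideNAT("198.51.100.1"), "10.1.2.3"))
    print("Static NAT:", simulate(StaticNAT({"10.1.2.3": "198.51.100.23"}), "10.1.2.3"))
```

Hide NAT yields (True, True, False): the address is hidden and replies come back, but the unsolicited connection has no table entry and is dropped, which is the implicit inbound block people mean when they call hide NAT an "extra layer". Static NAT yields (True, True, True): the host is reachable from outside, so what actually protects it is the security policy, not the translation. The model deliberately leaves the rulebase out; on a real gateway a static NAT entry still needs a matching rule before inbound traffic is accepted.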
--
The content of this message is confidential and only intended for the
addressee(s). Others than the addressee(s) are not allowed to use this message,
to make it public or to distribute or multiply this message in any way. Meteo
Consult B.V. cannot be held responsible for incomplete reception or delay of
this transferred message.