Re: To NAT or not to NAT

>From my point of view, first of all you must carefully
study the security requirements of your network and from there create an architecture.

NAT is not good nor it's bad. It depends on your needs and how you use it.

It's true that NAT can be a pita in some situations (like creating VPNs), that's why you should carefully study your current and possible future needs.

You must also think of your security requirements. Are all your machines equally important? Are some of them more critical than others? Are some machines more exposed and running more dangerous services than others? Are some hosts supposed to not need internet access at all?

If so, use all your resources to create different "security zones", separated by firewalls/routers as necessary. Don't allow any traffic between them if it's not required. For that purpose you can subnet your external network or use NAT and introduce new subnets, whatever suits you best.

NAT can provide some extra security against misconfigurations, and may hide that you are running a bigger network (maybe making it less attractive to attackers)... However, it's true, as some others pointed out, that it does not provide anything that a good firewall configuration wouldn't.

Aaron
Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com Received on Fri Jan 10 08:42:16 2003