From a security standpoint, if someone is using a Sonicwall firewall doing one-to-one NAT public to private, is that any more secure than someone using public IPs inside their network with the proper access-lists?
One-to-one NAT public to private is safer than using a public address with good ACLs. With NAT you will hide your original IP. This will protect your server from any type of attack. If you use a public IP, you will definitely have a few ports or services open, which can be exploited.
I'm afraid I have to slightly disagree. Comparing the two apples to apples, a public address routed internally versus NAT translated to a private address is virtually the same thing from a security standpoint. It's the ACLs and other rules (fixup, etc.) that secure it. NAT translation while still leaving all ports open is just as unsafe as a routed public address left wide open.
So reading the responses above, I think I would be correct in saying that a one-to-one NAT is no more secure than a public inside IP assuming that the same ports were locked down in both instances. Is this correct?
I would add that although both approaches are about the same in terms of security, NAT does provide the ability to "hide" your internal IP layout. The less a would-be attacker knows about your internal network, the better off you are. So I'd say the NAT approach is slightly more secure. Of course, as the other poster stated, the most important thing, more than anything else, is to have good ACLs, rules, filtering, etc., whichever approach you choose.
I know you didn't ask, but I would also point out an additional benefit of NAT that is not security related: if you ever switch ISPs, it is much easier to change only the firewall's one-to-one NAT mappings than to change the legal IPs of all your hosts AND the firewall.
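To make the thread's conclusion concrete (the ACL, not the address translation, decides what an outside host can reach), here is an added Python model. It is not code from the thread, from Sonicwall or from Cisco; the addresses are constructed from RFC 5737 / RFC 1918 documentation ranges, the rule format is a simplified Cisco-style first-match ACL, and the order in which translation and filtering happen is an explicit assumption stated in the code.

```python
"""Added model of the thread's argument: exposure is decided by the ACL, not by whether
the public address is routed inside or translated one-to-one to a private address.
Addresses are constructed from RFC 5737 / RFC 1918 documentation ranges; the
evaluation order is an assumption of this model, not any vendor's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: one public address either routed straight to the server
# or translated one-to-one (static NAT) to a private server address.
PUBLIC_WEB = ip_address("203.0.113.10")
PRIVATE_WEB = ip_address("10.0.0.10")
NAT_TABLE = {PUBLIC_WEB: PRIVATE_WEB}   # one-to-one NAT mapping (constructed)


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    dst: str              # destination prefix the rule matches
    port: Optional[int]   # None matches any destination port


def acl_permits(acl, dst, port):
    """First-match evaluation, ending in the implicit deny that Cisco-style ACLs carry."""
    for rule in acl:
        if dst in ip_network(rule.dst) and rule.port in (None, port):
            return rule.action == "permit"
    return False


def exposed_ports(acl, public_dst, nat=None, candidates=range(1, 1025)):
    """Return the set of candidate ports an outside host can reach on public_dst.

    Assumption of the model: with a NAT table the packet is translated first and the
    ACL is matched on the private (real) address; without NAT the public address is
    routed and the ACL is matched on it directly. On a platform that filters on the
    public address before translation, the rule simply names the public address and
    the computed exposure is unchanged.
    """
    real_dst = nat.get(public_dst, public_dst) if nat else public_dst
    return {p for p in candidates if acl_permits(acl, real_dst, p)}


# Scenario A: public address routed inside, ACL written against the public address.
ROUTED_ACL = [Rule("permit", "203.0.113.10/32", 443),
              Rule("permit", "203.0.113.10/32", 80)]
# Scenario B: one-to-one NAT, ACL written against the translated private address.
NAT_ACL = [Rule("permit", "10.0.0.10/32", 443),
           Rule("permit", "10.0.0.10/32", 80)]
# Scenario C: "NAT but leave everything open": a permit-any rule and nothing else.
WIDE_OPEN_ACL = [Rule("permit", "0.0.0.0/0", None)]


def compare():
    """Exposure of each scenario as a port set, so the cases can be compared directly."""
    return {
        "routed_with_acl": exposed_ports(ROUTED_ACL, PUBLIC_WEB),
        "nat_with_acl": exposed_ports(NAT_ACL, PUBLIC_WEB, NAT_TABLE),
        "nat_wide_open": exposed_ports(WIDE_OPEN_ACL, PUBLIC_WEB, NAT_TABLE),
        "routed_wide_open": exposed_ports(WIDE_OPEN_ACL, PUBLIC_WEB),
    }


if __name__ == "__main__":
    for name, ports in compare().items():
        print(f"{name:18s} {len(ports):4d} reachable ports, e.g. {sorted(ports)[:5]}")
```

Running it shows the routed-with-ACL and NAT-with-ACL cases reaching exactly the same two ports, while the NAT-with-permit-any case exposes every candidate port, identical to a routed public host with no filtering. The only difference between the two locked-down scenarios is which address the rule names, which is the "hide the internal layout" benefit the thread mentions, not a reduction in reachable services.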