Static NAT vs. Public

sross35
Level 1

From a security standpoint, if someone is using a SonicWall firewall doing one-to-one NAT public to private, is that any more secure than someone using public IPs inside their network with the proper access lists?

7 Replies

vinodmorsa
Level 1

One-to-one NAT public to private is safer than using a public address with good ACLs. With NAT you will hide your original IP. This will protect your server from any type of attack. If you use a public IP, you will definitely have a few ports or services open, which can be exploited.

I'm afraid I have to slightly disagree. Comparing the two apples to apples, public routed internally versus NAT translated to private is virtually the same thing from a security standpoint. It's the ACLs and other rules (fixup, etc.) that secure it. NAT translation while still leaving all ports open is just as unsafe as a routed public host left wide open.

I would agree with you; I missed out in mentioning that the right approach would be to have the ACLs with NAT.

So reading the responses above, I think I would be correct in saying that a one-to-one NAT is no more secure than a public inside IP assuming that the same ports were locked down in both instances. Is this correct?

Correctomundo.

Thanks!

jamey
Level 4

I would add that although both approaches are about the same in terms of security, NAT does provide the ability to "hide" your internal IP layout. The less a would-be attacker knows about your internal network, the better off you are. So I'd say the NAT approach is slightly more secure. Of course, as the other poster stated, the most important thing, whichever approach you choose, is to have good ACLs, rules, filtering, etc.

I know you didn't ask but I would also point out an additional benefit of NAT that is not security related is that if you ever switch ISPs, it is much easier to have to change only the firewall NAT one to one mappings than to have to change the legal IPs of all your hosts AND the firewall.

My $.02
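To make the two points above concrete (the equivalence of static NAT and a routed public host once the same ACL is applied, and the ISP-change argument), here is an added configuration sketch that is not from anyone in this thread and not SonicWall syntax: it uses Cisco IOS commands, with 203.0.113.0/24 standing in for the ISP-assigned public block and 10.10.10.0/24 for the private LAN (both chosen for illustration). The interface names and ACL name are assumptions.

```text
! Option A: one-to-one static NAT, public 203.0.113.10 maps to private 10.10.10.10
interface GigabitEthernet0/0
 description OUTSIDE (ISP-facing)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description INSIDE (private LAN)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.10.10.10 203.0.113.10
!
! The inbound ACL on the outside interface is what actually limits exposure.
! On IOS it is evaluated before the outside-to-inside translation, so it
! matches the public (translated) address, not the private one.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
!
! The "NAT with everything open" case the thread warns about would be the
! same mapping with "permit ip any host 203.0.113.10" in place of the two
! lines above: every listening service on the server becomes reachable.
!
! Option B: the server itself carries 203.0.113.10 (public subnet routed
! inside, no "ip nat" lines at all). OUTSIDE-IN is applied unchanged and
! exposes exactly the same single port, so from the Internet the two
! designs present the same attack surface; only the ACL decides.
!
! ISP change: in option A only the outside interface address and the
! "ip nat inside source static" line(s) move to the new block; the server
! keeps 10.10.10.10. In option B the server and every other host on the
! public subnet must be readdressed as well.
```

Note that the ACL-before-NAT ordering shown in the comments is IOS behaviour; other platforms (Cisco ASA from 8.3 onward, for example) write access rules against the real, pre-translation address, so the ACL lines differ there even though the security argument is the same.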