How safe/good is NAT global static IP to an internal LAN IP? How does this hide/protect from hackers and port probers finding the true IP address of the network? Any documents on NAT security for networks would be appreciated.
Security is a business of diligence, and the first thing to understand is that the best security practices are to keep all systems and networking devices patched, and only allow the traffic that is absolutely necessary into your DMZ. Also, learn to read a lot of logs, and learn to understand the difference between reconnaissance, compromise attempts, and false positives.
With regard to costs to your business, think of it this way: what if your network was compromised... how much would it cost your business? I get an average of 6000 hits a day of offending traffic; that's slight compared to financial institutions.
Anyway, there are many products that are free that will help your business in staying secure. With regard to NAT, NAT is just one component to secure your network; NAT works to hide your DMZ (or sometimes internal network... bad idea) private IP addressing from the outside. The normal security model is to have an Internet/perimeter router that connects to a firewall's outside interface, and the firewall's inside interface then connects to a security switch that you would VLAN to separate your DMZs. This is the simple model, and it gets much more complex and costly. It would be my recommendation to have this model as a minimum.
With regards to securing routers and servers a good start is to go here: