Friday, May 10, 2019

NATing vs Security Policy

I was reading a thread on here the other day, and someone had mentioned, in regard to the external vulnerability of a firewall, that you should not rely on NATing to replace security policy.

This confused me a bit because, for example, if I NAT port 443 of a specific web server to be exposed to the public internet (destination NAT), then NAT has essentially created a specific small hole through my firewall. Doing this also "blocks" all other ports of said web server from being exposed by default.

On our specific firewalls, I can configure this NAT rule to only NAT based on a specific source IP or region. If the source doesn't match, traffic won't get forwarded to the web server.

What more can a Security Policy add to this?

I know next-gen firewalls can perform vulnerability and malware scanning on these security rules, but I'm asking from just a networking vulnerability standpoint.

Thanks all!
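As an added illustration (not part of the original post), the ruleset below shows the two decisions the question runs together, using Linux nftables as a stand-in for "our specific firewalls": a destination NAT rule that only rewrites the destination address, and a separate forward/input policy that decides whether the packet is allowed at all. All addresses, interface names (`wan`, `dmz`, `lan`) and the permitted client range are assumptions chosen from the RFC 5737 documentation ranges.

```nftables
# Added example, not from the original post. Assumed addressing:
#   public VIP            203.0.113.10   (on interface "wan")
#   web server in the DMZ 192.0.2.20     (behind interface "dmz")
#   permitted client net  198.51.100.0/24
#   internal LAN          10.0.0.0/8     (behind interface "lan")
define PUBLIC_VIP  = 203.0.113.10
define WEB_SERVER  = 192.0.2.20
define ALLOWED_SRC = 198.51.100.0/24
define LAN_NET     = 10.0.0.0/8

table inet fw {
    # 1. NAT: rewrites the destination before routing. A NAT chain's policy
    #    is "accept" by definition; a packet that matches no NAT rule is simply
    #    left untranslated and continues on. Nothing here permits or denies.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan" ip daddr $PUBLIC_VIP tcp dport 443 dnat ip to $WEB_SERVER
    }

    # 2. Security policy for transit traffic. This chain sees the packet
    #    after DNAT, so it matches on the real server address. Default drop
    #    means the web server is reachable on 443 only, and only from
    #    ALLOWED_SRC, no matter how the NAT rule above is written or changed.
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The published service: internet -> web server, port 443, allowed sources only.
        iifname "wan" oifname "dmz" ip saddr $ALLOWED_SRC ip daddr $WEB_SERVER \
            tcp dport 443 ct state new accept

        # Flows DNAT never touches, which therefore need explicit policy:
        #  - admin access from the LAN to the server
        iifname "lan" oifname "dmz" ip saddr $LAN_NET ip daddr $WEB_SERVER \
            tcp dport 22 ct state new accept
        #  - outbound from the server (package updates, for example)
        iifname "dmz" oifname "wan" ip saddr $WEB_SERVER \
            tcp dport { 80, 443 } ct state new accept
        #  - no DMZ -> LAN rule at all: the web server cannot initiate into the LAN

        # Everything else is logged and dropped; the log is what detection reads.
        counter log prefix "fw-forward-drop: " drop
    }

    # 3. Policy for traffic addressed to the firewall itself. DNAT cannot
    #    protect the firewall's own listening services; only this chain does.
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Management only from the LAN, never from the WAN side.
        iifname "lan" ip saddr $LAN_NET tcp dport 22 ct state new accept
        counter log prefix "fw-input-drop: " drop
    }
}
```

Read against the question: the DNAT rule is the "small hole", but it is only a translation. The forward chain is what guarantees that the hole is the only path to the server, that it is limited to the intended sources, that the server cannot reach back into the LAN if it is compromised, and that anything else is logged. The input chain covers the firewall's own services, which NAT never governs. Keeping a source match on the NAT rule as well, as the post describes, is fine as belt and braces, but the filter policy is the part that still holds when a NAT rule is added, widened, or mistyped.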


