I was reading a thread on here the other day and someone had mentioned, in regards to external vulnerability of a firewall, that you should not rely on NATing to replace security policy.
This confused me a bit because, for example, if I NAT port 443 of a specific web server to be exposed to the public internet (Destination NAT), then NAT has essentially created a specific small hole through my firewall. The fact of doing this also "blocks" all other ports from being exposed by default (to said web server).
On our specific firewalls, I can configure this NAT rule to only NAT based on a specific source IP or region. If the source doesn't match, traffic won't get forwarded to the web server.
What more can a Security Policy add to this?
I know nextgen firewalls can perform vulnerability and malware scanning on these security rules but I'm asking from just a networking vulnerability standpoint.
Thanks all!
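The setup described in the post, written out as an added nftables example (this is not from the original post or from any vendor's configuration; the interface names, the public and internal addresses, and the permitted source range are placeholders). It keeps the NAT rule, which only rewrites the packet's destination, separate from the filter policy that decides whether the translated packet is forwarded at all. The default-deny forward chain, the stateful `ct state` matching, the `ct status dnat` tie-in to the translation, the egress restriction on the server and the logging of everything else all live in the policy, not in the NAT rule.

```nft
# Added example (not part of the original post); addresses and interfaces are placeholders.
# Destination NAT only rewrites where the packet goes. The separate filter
# policy below decides whether the translated packet is forwarded.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish the web server: public 203.0.113.10:443 -> internal 10.0.0.20:443
        iifname "wan0" ip daddr 203.0.113.10 tcp dport 443 dnat to 10.0.0.20:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide internal addresses behind the WAN address for outbound traffic
        oifname "wan0" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;   # default deny

        # Replies to sessions the policy already admitted
        ct state established,related accept

        # Security policy for the published server: only the expected source
        # range (placeholder), only the translated port, new TCP sessions only,
        # and only packets that actually went through the DNAT rule above
        iifname "wan0" ip saddr 198.51.100.0/24 ct status dnat \
            ip daddr 10.0.0.20 tcp dport 443 ct state new accept

        # Egress policy for the server itself: it may reach the internet for
        # HTTPS only; anything else it tries to start is not forwarded
        iifname "dmz0" oifname "wan0" ip saddr 10.0.0.20 tcp dport 443 ct state new accept

        # Everything else that reached the forward hook is logged and dropped,
        # including any packet addressed directly to the internal range
        log prefix "fwd-drop: " drop
    }
}
```

Load it with `nft -f <file>` on a Linux firewall. The point of the `ct status dnat` match is that the accept rule applies only to connections the NAT rule translated, so a packet that arrives already addressed to 10.0.0.20 (from a misconfigured route, a second interface, or an adjacent network) falls through to the logging drop rule instead of being forwarded.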