by dfawcus
534 days ago
That is why many of us keep repeating that NAT is not a security mechanism. Punching through NAT, and most associated state tracking filters, is very easy. I've implemented such in a production corp environment, as a product to be sold. There is no magic here, it is all well understood technology by the practitioners. If you actually want to have packet filtering (a firewall) then deploy a firewall instance distinct from any NAT, and with appropriate rules. However that only really helps for traffic volume reduction, the actual security gain from a f/w per se is now minimal, as most attacks are over the top: HTTP/HTTPS, POP/IMAP etc.
You can say that in general, network firewalls are not a security mechanism. They are at most a means to prevent brute-force attacks from outside of the network.