With PAT private IP addresses are hidden from the outside world. This basically
makes the job of hacking into a system more difficult, because the original
host's IP address and source port is unknown.
Depending on firewall capabilities (or lack of capabilities) ports may need to
be opened inbound for certain applications to work (e.g.. ident & pptp). A
horizontal scan of such a network could produce a wealth of knowledge, if that
network does not support port address translation.
The PCI body cannot dictate to you which firewall to use, neither can they
forbid you from opening specific justified ports into your network. What they
can do is insist that you use network address translation, only an additional
hurdle, perhaps just enough to deter a random attacker.
Regards
-Grant
________________________________
From: listbounce@securityfocus.com on behalf of Ansgar -59cobalt- Wiechers
Sent: Mon 2007/10/29 05:58 PM
To: security-basics@securityfocus.com
Subject: Re: NAT external/Public IP
On 2007-10-29 Grant Donald wrote:
There's a real security benefit in using PAT for internet access from
staff PC's. Any alternative is most definitely less secure.
I keep seeing this claim being made. Yet I fail to see anyone giving
evidence to support it.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
DISCLAIMER: This email and any files transmitted with it are confidential to
DataCash Group plc and its group companies. It is intended only for the person
to whom it is addressed. If you have received this email in error, please
forward it to info@datacash.com with the subject line "Received in Error". If
you are not the intended recipient you must not use, disclose, copy, print,
distribute or rely on this email or any of its transmitted files.
