Here you go, cloudy admins: Google emits NATty odds 'n' sods

Google has released another handful of networking features for its cloud, including Cloud NAT, which lets devs build cloud-based services that do not have public IP addresses. “With the beta release of Cloud NAT, our new Google-managed Network Address Translation service, you can provision your application instances without …

  1. K

    Still amazes me how oblivious/stupid some companies are

    They believe NAT provides security and allow unfettered outbound routing. It's a standard practice in a lot of "Tech" companies that should know better! A lot of breaches occur because an intruder manages to open a reverse shell, rummage around, then exfiltrate the juicy data.

    Security Recipe 101 - Don't route 0.0.0.0/0, mix in some whitelists for IP and ports, apply a dash of whitelisting to both inbound and outbound traffic, it makes that breach/exfiltration 100x more difficult. Slap in a pinch of IPS with a drop of Deep Packet Inspection, then it gets 1000x more potent!

    It's not rocket science... but it gets ignored, especially by companies that promote "Cloud" first - I can name at least 2 FTSE 100 companies that do this!

    1. Lee D Silver badge

      Re: Still amazes me how oblivious/stupid some companies are

      Once they're inside, how they get the data out is really a secondary concern. NAT isn't going to help them or hinder them.

      But a default-allow on outbound packets is the silly thing. Possibly acceptable for a home machine, certainly not for any major service.

      1. K

        Re: Still amazes me how oblivious/stupid some companies are

        I wasn't clear on my point - NAT gateways are a thing of yesteryear when it comes to security; by providing them, it encourages companies to be lazy as it "speeds up delivery"! Whereas if they were forced to use proper Firewalls, then they have no excuse for adopting best practice security hygiene.

        Also, I'd beg to differ on it makes no difference. If they get entry via malware, then make a lateral movement to a server, they suddenly find their ability to operate is impaired. It's about building enough obstacles and complexity to make it not worth the effort...

  2. Chris Hills

    Still using IPv4?

    You don't need NAT, you need a FIREWALL.

  3. o p

    only now?

    But how was it possible to use anything on GCP before these NAT gw? Was it like EC2 legacy?? No VPC, public IP addresses everywhere?? Looks like they are in 2005...
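
The egress allowlisting described in the first comment of this thread, as an added example that is not part of any commenter's post: a small audit of outbound rules that flags a 0.0.0.0/0 allow, any-port allows and a missing catch-all deny, then evaluates a destination against the rule set. The rule schema, rule names, first-match ordering and the implicit-allow default are assumptions made for illustration, and both rule sets are constructed.

```python
import ipaddress

# Constructed rule sets in a hypothetical schema; rules are evaluated first-match.
# ports=None means "any port".
DEFAULT_ALLOW = [
    {"name": "any-out", "action": "allow", "dest": "0.0.0.0/0", "ports": None},
]
ALLOWLISTED = [
    {"name": "dns", "action": "allow", "dest": "10.0.0.2/32", "ports": {53}},
    {"name": "updates", "action": "allow", "dest": "203.0.113.0/24", "ports": {443}},
    {"name": "deny-rest", "action": "deny", "dest": "0.0.0.0/0", "ports": None},
]


def matches(rule, ip, port):
    """True if the destination ip/port falls inside the rule."""
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(rule["dest"])
    return in_net and (rule["ports"] is None or port in rule["ports"])


def egress_allowed(rules, ip, port, implicit="allow"):
    """First matching rule decides; `implicit` applies when nothing matches."""
    for rule in rules:
        if matches(rule, ip, port):
            return rule["action"] == "allow"
    return implicit == "allow"


def audit(rules, implicit="allow"):
    """List the weaknesses in an egress rule set, in rule order."""
    findings = []
    for rule in rules:
        any_dest = ipaddress.ip_network(rule["dest"]).prefixlen == 0
        if rule["action"] == "deny":
            if any_dest and rule["ports"] is None:
                return findings  # catch-all deny: later rules are unreachable
            continue
        if any_dest:
            findings.append(f"{rule['name']}: allows egress to 0.0.0.0/0")
        if rule["ports"] is None:
            findings.append(f"{rule['name']}: allows every port")
    if implicit == "allow":
        findings.append("no catch-all deny: unmatched traffic leaves unfiltered")
    return findings


if __name__ == "__main__":
    for label, rules in (("default-allow", DEFAULT_ALLOW), ("allowlisted", ALLOWLISTED)):
        print(label, audit(rules), egress_allowed(rules, "198.51.100.7", 4444))
```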
