[134868] in North American Network Operators' Group


Re: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 12 14:42:45 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <4D2DE6B0.2010308@brightok.net>
Date: Wed, 12 Jan 2011 11:35:42 -0800
To: Jack Bates <jbates@brightok.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 12, 2011, at 9:36 AM, Jack Bates wrote:

> On 1/12/2011 11:21 AM, George Bonser wrote:
>> PAT makes little sense to me for v6, but I suspect you are correct.  In
>> addition, we are putting the "fire suit" on each host in addition to the
>> firewall. Kernel firewall rules on each host for the *nix boxen.
>>
>
> As my corp IT guy put it to me, PAT forces a routing disconnect between internal and external. There is no way to reach the hosts without the firewall performing its NAT function. Given that the internal is exclusively PAT, the DMZ is public with stateful/proxy, this provides protection for the internal network while limiting the dmz exposure.
>
The corp IT guy is delusional. The solution to the routing disconnect is map+encap or tunnels. Many exploits now take advantage of these technologies to use a system compromised through point-click-pwn3d to provide a route into the rest of the network. If you allow outbound access to TCP/80, TCP/443, or TCP/22, then, it is trivial to create an inbound path to your network, NAT or no.

> The argument everyone makes is that a stateful firewall defaults to deny. However, a single mistake prior to the deny allows traffic in. The only equivalent in a PAT scenario is to screw up port forwarding which would cause a single host to expose a single port unknowingly per mistake (which said port/host combo may not be vulnerable). In a stateful firewall, a screw up could expose all ports on a host or multiple hosts in a single mistake.
>
The argument everyone is making is that a stateful firewall without mangling the headers is just as secure (and just as insecure) as one with PAT.

Both can and are trivially compromised.

As to the PAT scenario only exposing a single port on a single host, not entirely accurate, either. I have seen errant mappings which exposed much more in a single mapping command on some systems.

Then there are the NAT Traversal mechanisms which are necessary to make things function but can also be exploited.

The list of problems created by PAT goes on and on.

> Then there are the firewall software bugs. In PAT, such bugs don't suddenly expose all your hosts behind the firewall for direct communication from the outside world. In v6 stateful firewall, such a bug could allow circumvention of the entire firewall ruleset and the hosts would be directly addressable from the outside.
>
I've seen PAT bugs that exposed multiple hosts. This is a false sense of security.

> PAT offers the smallest of security safeguards. However, many corp IT personnel feel more secure having that small safeguard in place along with the many other safeguards they deploy. In a corporate environment where they often love to break everything and anything, I don't blame them.
>
Paraphrased: A bank vault with a screen door is more secure than a bank vault without a screen door.

Pay no attention to the fact that the bank vault was, in this case, built with a skylight.

Owen
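An added illustration of the point argued above (this is not code from the thread or from any of its participants): a toy connection tracker that runs the same three-packet scenario through a default-deny stateful filter with no header rewriting and through a PAT gateway. Both accept the outbound flow and its reply and both drop the unsolicited inbound packet; the only way either lets unsolicited traffic in is an explicit allow rule or a port forward, which is the "single mistake" case. All addresses are constructed documentation-range values.

```python
# Added example, not from the thread. Toy flow tracking only: no real packet
# parsing, no TCP state machine, and no timeouts. Addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arriving from the outside, False = leaving


class StatefulV6Filter:
    """No address rewriting: inbound is accepted only as a reply to a tracked
    outbound flow, or if an explicit (host, port) allow rule matches."""
    def __init__(self, allow=()):
        self.flows, self.allow = set(), set(allow)

    def verdict(self, p):
        if not p.inbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "accept"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:  # reply direction
            return "accept"
        return "accept" if (p.dst, p.dport) in self.allow else "drop"


class PatGateway:
    """Outbound source is rewritten to one public address and port; inbound is
    translated only if a dynamic mapping or a static port forward exists."""
    def __init__(self, public, forwards=()):
        self.public, self.maps, self.fwd, self.port = public, {}, set(forwards), 40000

    def verdict(self, p):
        if not p.inbound:
            self.maps[(self.port, p.dst, p.dport)] = (p.src, p.sport)
            self.port += 1
            return "accept"
        if p.dst != self.public:  # inside addresses are not routable from outside
            return "drop"
        if (p.dport, p.src, p.sport) in self.maps:
            return "accept"
        return "accept" if p.dport in self.fwd else "drop"


def run(fw, packets):
    return [fw.verdict(p) for p in packets]


def demo():
    v6 = [Pkt("2001:db8::10", 51000, "2001:db8:ffff::1", 443, False),  # outbound
          Pkt("2001:db8:ffff::1", 443, "2001:db8::10", 51000, True),   # its reply
          Pkt("2001:db8:bad::1", 12345, "2001:db8::10", 22, True)]     # unsolicited
    v4 = [Pkt("192.0.2.10", 51000, "198.51.100.1", 443, False),        # outbound
          Pkt("198.51.100.1", 443, "203.0.113.1", 40000, True),        # its reply
          Pkt("198.51.100.99", 12345, "203.0.113.1", 22, True)]        # unsolicited
    return run(StatefulV6Filter(), v6), run(PatGateway("203.0.113.1"), v4)
```

Calling `demo()` returns `(["accept", "accept", "drop"], ["accept", "accept", "drop"])`; adding `allow=[("2001:db8::10", 22)]` or `forwards=[22]` flips the last verdict for the respective device, the same single-rule exposure on both sides.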
