[134889] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 12 15:59:27 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4D2E0B77.9060504@ispalliance.net>
Date: Wed, 12 Jan 2011 12:50:28 -0800
To: Scott Helms <khelms@ispalliance.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 12, 2011, at 12:13 PM, Scott Helms wrote:
> Few home users have a stateful firewall configured and AFAIK none of
> the consumer models come with a good default set of rules, much less a
> drop all unknown. For end users NAT is and will likely continue to
> be the most significant and effective front line security they have.
> Home router
That's simply not true. Every end user running NAT is running a stateful
firewall with a default inbound deny.

It then takes the extra step of mangling the packet header. This header
mangling step is unnecessary in IPv6 and is not part of the
security mechanism.

Unfortunately, because these two features have been bundled for so long
in IPv4, many people, apparently yourself included, don't
see that what most people call a "NAT" box is actually a
stateful-inspection+NAT box doing both steps.
> manufacturers have very limited budgets for training or support for
> home end users so the approach is likely to remain the least expensive
> thing that produces the fewest inbound support calls. If the question
> is whether NAT was designed to be a security level then I agree with your
> stance and I'd also agree that correctly configured firewalls do a
> better job at security. Where I disagree is your position that there is
> no extra security inherent in the default NAT behavior. Until someone
> makes an effort to create either a DMZ entry or starts doing port
> forwarding, all (AFAIK) of the common routers will drop packets that they
> don't know where to forward.
>
And there's no reason they can't function exactly that way in IPv6
without mangling the packet header.
> Is this a tenuous and accidental security level based on current
> defaults in cheap gear? Of course, but given how normal users behave,
> until routers can automagically configure firewall settings in a safe
> (i.e. not UPNP) manner I don't see things changing.
>
Actually, even if it's deliberate, the point here is that it's a
three-step process:
1. State table update/match
2. Mangle packet header
3. Forward packet
In IPv6, we can discard step 2 without changing the security provided by
step 1 and improve the functionality of step 3.
Owen
> On 1/12/2011 2:57 PM, Owen DeLong wrote:
>> On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong <owen@delong.com> wrote:
>>>
>>>> No, NAT doesn't provide additional security. The stateful inspection that
>>>> NAT cannot operate without provides the security. Take away the
>>>> address mangling and the stateful inspection still provides the same
>>>> level of security.
>>>>
>>> There is at least one situation where NAT *does* provide a small amount of
>>> necessary security.
>>>
>>> Try this at home, with/without NAT:
>>>
>>> 1. Buy a new PC with Windows installed
>>> 2. Install all security patches needed since the OS was installed
>>>
>>> Without NAT, your unpatched PC will get infected in less than 1 minute.
>>>
>> Wrong.
>>
>> Repeat the experiment with a stateful firewall with default inbound
>> deny and no NAT.
>>
>> Yep... Same results as NAT.
>>
>> NAT != security. Stateful inspection = some security.
>>
>> Next!!
>>
>> Owen
>>
>
> --
> Scott Helms
> Vice President of Technology
> ISP Alliance, Inc. DBA ZCorum
> (678) 507-5000
> --------------------------------
> Looking for hand-selected news, views and
> tips for independent broadband providers?
>
> Follow us on Twitter! http://twitter.com/ZCorum
> --------------------------------
>
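The three-step breakdown Owen gives above (state-table match, header mangling, forward) can be made concrete with a small simulation. The Python below is an added example written for this archive page; it is not code from the thread, from any router vendor, or from a real connection-tracking implementation. The gateway class is a toy model (direction is carried in the packet rather than inferred from the interface, there are no timeouts, and only one flow key shape is handled), and all addresses and ports are constructed samples from the documentation ranges. It replays the same four packets through a state-table gateway with the translation step enabled (IPv4 NAT) and disabled (the IPv6 case) and shows that the allow/drop verdicts are identical; the only difference is what source address the remote host sees.

```python
"""Stateful inspection with and without NAT: a constructed simulation.

Models the three steps from the thread: (1) state-table update/match,
(2) mangle packet header, (3) forward.  Step 2 is only performed when
translate=True; the allow/drop decision never depends on it.
"""
import dataclasses
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # constructed sample addresses throughout
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN (toy simplification)


class StatefulGateway:
    """Default-inbound-deny gateway keyed on a per-flow state table."""

    def __init__(self, public_addr: str, translate: bool) -> None:
        self.public_addr = public_addr      # ignored when translate=False
        self.translate = translate
        # key: (remote_addr, remote_port, outside-visible_addr, outside-visible_port)
        # value: the inside host and port that owns the flow
        self.state: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_port = 40000              # next public port handed out by the NAT step
        self.log: List[str] = []

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as forwarded (step 3), or None if dropped."""
        if pkt.direction == "out":
            if self.translate:
                # step 2 (NAT only): rewrite source to the public address and a fresh port
                ext_port = self.next_port
                self.next_port += 1
                fwd = dataclasses.replace(pkt, src=self.public_addr, sport=ext_port)
            else:
                fwd = pkt                   # IPv6 case: header left untouched
            # step 1: record the flow as the outside will see it
            self.state[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = (pkt.src, pkt.sport)
            self.log.append(f"allow out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return fwd
        # inbound: step 1 is a state-table match; no match means default deny
        owner = self.state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if owner is None:
            self.log.append(f"drop in  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (no state)")
            return None
        if self.translate:
            # step 2 (NAT only): un-mangle the destination back to the inside host
            fwd = dataclasses.replace(pkt, dst=owner[0], dport=owner[1])
        else:
            fwd = pkt
        self.log.append(f"allow in  {pkt.src}:{pkt.sport} -> {fwd.dst}:{fwd.dport} (matched state)")
        return fwd


def run_scenario(translate: bool) -> dict:
    """Replay identical traffic and return the verdicts plus what the remote saw."""
    if translate:   # IPv4 with NAT: separate inside and public addresses
        inside, public, remote, stranger = "192.0.2.10", "198.51.100.1", "203.0.113.5", "203.0.113.99"
    else:           # IPv6, no NAT: the inside host's global address is reachable directly
        inside = public = "2001:db8:1::10"
        remote, stranger = "2001:db8:2::5", "2001:db8:2::99"
    gw = StatefulGateway(public, translate)
    verdicts: List[str] = []

    # 1. inside host opens a connection outward -> state created, allowed
    out = gw.process(Packet(inside, 51000, remote, 443, "out"))
    verdicts.append("allow" if out else "drop")

    # 2. remote replies to whatever source it saw -> matches state, allowed
    reply = Packet(out.dst, out.dport, out.src, out.sport, "in")
    verdicts.append("allow" if gw.process(reply) else "drop")

    # 3. unsolicited inbound to a service port from elsewhere -> no state, dropped
    verdicts.append("allow" if gw.process(Packet(stranger, 4444, public, 22, "in")) else "drop")

    # 4. same remote host as step 1, but a flow the inside host never started -> dropped
    verdicts.append("allow" if gw.process(Packet(remote, 443, public, 22, "in")) else "drop")

    return {"verdicts": verdicts, "source_seen_by_remote": (out.src, out.sport), "log": gw.log}


if __name__ == "__main__":
    for mode in (True, False):
        result = run_scenario(mode)
        print("with NAT" if mode else "no NAT", result["verdicts"], result["source_seen_by_remote"])
```

Both runs yield `allow, allow, drop, drop`: the two unsolicited inbound packets are dropped by the state-table lookup alone. Only `source_seen_by_remote` differs, which is exactly the header-mangling step the thread argues IPv6 can discard.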