[134893] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Jeff Kell)
Wed Jan 12 16:10:00 2011
Date: Wed, 12 Jan 2011 15:58:56 -0500
From: Jeff Kell <jeff-kell@utc.edu>
To: Owen DeLong <owen@delong.com>
In-Reply-To: <EAB12B94-A3AB-474F-9BA9-48B3DF0DF1AD@delong.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 1/12/2011 2:57 PM, Owen DeLong wrote:
>> Try this at home, with/without NAT:
>>
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>>
>> Without NAT, your unpatched PC will get infected in less than 1 minute.
> Wrong.
> Repeat the experiment with stateful firewall with default inbound deny and no NAT.
> Yep... Same results as NAT.
Now let that laptop (or another one on the home subnet) show up with
Bridging or Internet Connection Sharing enabled with wired/wireless
connections and see what you get. Still maybe OK if it's the "host"
firewall, and it's turned on, and it's not domain-joined with the local
subnet allowed, etc., but that was post-SP2 and assumes some malware [or
the user] hasn't turned it off.
NAT+RFC1918 = no accidental leakage/bridging (yes, they could spoof
RFC1918 destinations, assuming they get routed all the way to the
endpoint... but that's a bigger "if" than a public address)
"Perfect stateful firewall with perfect default inbound deny and no
other variables thrown in the mix" and yes, but it's breakable in
contrast to the NAT+RFC1918 case.
There is something to be said for "unreachable" (i.e., "not in your
forwarding table") -- else the VPN / VRF / MPLS / etc folks wouldn't
have a leg to stand on :-)
With that said, this isn't a one-size-fits-all, everybody's perfect
solution. We've covered the gamut from home CPE to server farms here,
with the original question being about a DMZ case. They are however
legitimate security layers applied to certain cloves of this particular
bulb of garlic (a more appropriate model than the homogeneous "onion") :-)
Jeff
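A toy model of the two layers being weighed above, added here as an example and not part of the thread: an upstream forwarding table that may or may not carry RFC1918 space, and a stateful default-inbound-deny filter that a bridge, ICS or malware can switch off. All addresses, routes, flows and packets are constructed (RFC 5737 documentation ranges).

```python
"""Constructed model of 'unreachable' (RFC1918 not in the upstream forwarding
table) versus a stateful default-inbound-deny firewall. Not real packet code."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def upstream_routes_it(dst, upstream_routes):
    """Layer 1: does the upstream forwarding table carry a route to dst at all?
    If the provider never forwards RFC1918 toward you, the packet dies here,
    before any firewall on the edge or the host is consulted."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in upstream_routes)

def stateful_allows(pkt, flows, enabled):
    """Layer 2: stateful filter, default inbound deny. Only packets belonging to
    a flow the inside host opened are admitted. enabled=False models the
    bridging / ICS / 'malware turned it off' case from the thread."""
    if not enabled:
        return True
    return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in flows

def inbound_reaches_host(pkt, upstream_routes, flows, fw_enabled):
    """An inbound packet must survive both layers to reach the host."""
    if not upstream_routes_it(pkt["dst"], upstream_routes):
        return False
    return stateful_allows(pkt, flows, fw_enabled)

def unsolicited_syn(host):
    # constructed unsolicited inbound packet to a listening port on the host
    return {"src": "198.51.100.7", "sport": 40000, "dst": host, "dport": 445}

# Assumed provider behaviour: forwards only the customer's public block.
ISP = [ipaddress.ip_network("203.0.113.0/24")]
MISROUTING_ISP = ISP + RFC1918           # the "bigger if": RFC1918 routed all the way
PUBLIC_HOST, NATTED_HOST = "203.0.113.10", "192.168.1.10"
# a flow the public host itself opened (local ip, local port, remote ip, remote port)
OPEN_FLOWS = {(PUBLIC_HOST, 51000, "198.51.100.7", 443)}
REPLY = {"src": "198.51.100.7", "sport": 443, "dst": PUBLIC_HOST, "dport": 51000}

def scenarios():
    """Which combinations let an unsolicited packet reach the host."""
    return {
        "public, fw on": inbound_reaches_host(unsolicited_syn(PUBLIC_HOST), ISP, set(), True),
        "public, fw off": inbound_reaches_host(unsolicited_syn(PUBLIC_HOST), ISP, set(), False),
        "rfc1918, fw off": inbound_reaches_host(unsolicited_syn(NATTED_HOST), ISP, set(), False),
        "rfc1918, fw off, misrouted": inbound_reaches_host(unsolicited_syn(NATTED_HOST), MISROUTING_ISP, set(), False),
        "public, reply to own flow": inbound_reaches_host(REPLY, ISP, OPEN_FLOWS, True),
    }
```

The "rfc1918, fw off" row is the accidental-bridging case Jeff describes: the host filter is gone, yet nothing arrives because no upstream route exists; only the "misrouted" row breaks that layer.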