[134992] in North American Network Operators' Group


Re: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Jan 13 16:36:12 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <201101131621.22592.lowen@pari.edu>
Date: Thu, 13 Jan 2011 13:32:17 -0800
To: Lamar Owen <lowen@pari.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 13, 2011, at 1:21 PM, Lamar Owen wrote:

> On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
>> That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny.
>
> This is demonstrably not correct.  Even in the case of dynamic overloaded NAT, at least on Cisco, there is no firewalling going on (if firewalling is defined as blocking something).  It looks like there is, but that's an illusion, a sleight-of-hand, not reality. In the NAT order of operations in IOS at least you'll find NAT occurs before the routing decision does.  Thus, if you change the address in the packet header, you change which routing table entry will be used to route that packet.  It's the rewriting of the address that then causes the routing to send the packet in a different direction; in practice most of the time there is either no route or a null route to the inside global address or address block, but it doesn't have to be that way.
>
The rewriting is done by matching the packet against a state table.
No match, no rewrite, no forward.

If you have a state table and packets have to match the state table to get forwarded, that is, by definition, a stateful firewall.

> You could easily set up a NAT where the inside local addresses are on, say, GigabitEthernet0/0 and the inside global address(es) are on Null0.... or GigabitEthernet0/1 (where the honeynet or tarpit resides, perhaps?), or whatnot. Packets that don't match the NAT can just be routed elsewhere, not just to a null route, easily enough.   The default destination for most cases happens to be a null route; this is certainly a good imitation of a deny.

The difference between drop, deny, and forward to null0 is a subtlety that doesn't have much to do with the outcome of what happens to the packet. In all cases, the packet is discarded.

The bottom line is that a default forward to null0 is a default deny. Yes, it can be overridden like most defaults. Yes, the mechanism for overriding a default deny in an ACL and overriding a default forward to null0 in a state table may be in different parts of the configuration or require different commands, but, it doesn't change the fact that you have a stateful firewall of one form or another.

Owen
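A small model of the behaviour both posters are describing, added here as an example (it is not code from the post, from Cisco IOS, or from either author): a dynamic overloaded NAT keeps a translation table keyed on the full flow; an inbound packet is rewritten only when it matches an entry, and a packet that matches nothing keeps its untranslated destination (the inside global address) and is handed to whatever route that address has, Null0 by default or some other interface if the operator points it there. The addresses, ports and the no_match_route interface name are constructed assumptions.

```python
"""Toy dynamic overloaded NAT (PAT) with a translation table.

Added example for this thread, not vendor code. All addresses, ports and
the no-match route name are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OverloadNat:
    """Overloaded NAT on one inside global address with extended entries."""

    def __init__(self, inside_global, no_match_route="Null0", first_port=1024):
        self.inside_global = inside_global
        # Where a packet addressed to the inside global address is routed
        # when no translation matches. Null0 is the usual default; the
        # operator could point it at a honeynet interface instead.
        self.no_match_route = no_match_route
        self.next_port = first_port
        # Translation table: (proto, global_port, outside_ip, outside_port)
        #   -> (inside_ip, inside_port)
        self.table = {}
        # Reverse map so an existing flow reuses its global port.
        self.by_inside = {}

    def outbound(self, pkt):
        """Inside -> outside: create or reuse an entry, rewrite the source."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_inside.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_inside[flow] = port
            self.table[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.inside_global, src_port=port)

    def inbound(self, pkt):
        """Outside -> inside: rewrite only on a state-table match.

        Returns (route, packet). A matching packet is rewritten and routed
        inside; a non-matching one is left untouched and routed wherever
        the inside global address points (no match, no rewrite).
        """
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        inside = self.table.get(key)
        if inside is None:
            return (self.no_match_route, pkt)
        inside_ip, inside_port = inside
        return ("inside", replace(pkt, dst_ip=inside_ip, dst_port=inside_port))


def demo():
    """Constructed traffic: one outbound flow, its reply, and an unsolicited probe."""
    nat = OverloadNat("203.0.113.1")
    out = nat.outbound(Packet("tcp", "10.0.0.5", 40000, "198.51.100.9", 80))
    reply = nat.inbound(Packet("tcp", "198.51.100.9", 80, "203.0.113.1", out.src_port))
    probe = nat.inbound(Packet("tcp", "192.0.2.77", 4444, "203.0.113.1", out.src_port))
    return out, reply, probe


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The probe in demo() targets the very port the NAT just allocated, yet it is not rewritten because the entry is keyed on the outside host and port as well; that per-flow match is what makes the device stateful, whichever interface the non-matching packet is then routed to.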


