[170200] in North American Network Operators' Group
RE: misunderstanding scale
daemon@ATHENA.MIT.EDU (Naslund, Steve)
Mon Mar 24 22:48:23 2014
From: "Naslund, Steve" <SNaslund@medline.com>
To: Owen DeLong <owen@delong.com>, "mark.tinka@seacom.mu" <mark.tinka@seacom.mu>
Date: Tue, 25 Mar 2014 02:47:31 +0000
In-Reply-To: <74E5BAED-BB1C-438B-80AC-26549616C792@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Exactly right. In fact that is generous, because the v6 host having a stateful firewall has a real protocol-aware firewall (and often bundled IDS/IPS capability), not just a NAT to protect him.

The NAT provides almost no security once a single host behind the NAT is compromised and makes an outbound connection. Bang, instant VPN connection to the internal network. A perimeter defense relying on NAT is a house of cards that only needs one nick for the whole thing to come down. Lots and lots of enterprises count on a hard perimeter and almost nothing behind it, so once I am in behind your NAT, you are unlikely to notice it until something real bad happens. That is the state of most enterprise network security today.
C'mon guys, how many botnets and DDoS attacks do we need to see coming from home computers that are almost all behind NATs to realize that NAT is not a security feature? For you service providers out there, how many of your residential customers behind your NAT do you think are compromised in some way?
If you can find a large enterprise that has not one piece of malware running on a single workstation, I will be surprised. With so many BYODs and laptops going in and out of your NAT perimeter, there is no way you can assert that nothing behind your NAT is compromised. At least with v6 we can have a better idea of where a rogue connection is coming from.
Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed, because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a compromised GUA host, I can block only him. Better for both of us, no?
How about a single host spamming behind your NAT blocking your entire corporate public network from email services? Anyone ever see that one? IPv6 GUAs allow us to use fly swatters instead of sledgehammers to deal with that.
Maybe GUAs will convince (scare) more enterprise users to actually treat the internal network as an environment that needs to be secured as well. We can only hope.
Steven Naslund
>> Bzzzt... But thanks for playing.

>> An IPv6 host with a GUA behind a stateful firewall with default deny is every bit as secure as an IPv4 host with an RFC-1918 address behind a NAT44 gateway.

>> Owen
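Two of the points argued in this exchange, modelled as an added example that is not part of the original thread or either poster's own work: first, how much a remote operator has to block to stop one misbehaving host when the only thing visible on the wire is an IPv4 NAT pool address versus an IPv6 GUA (the "sledgehammer versus fly swatter" point); second, a minimal default-deny stateful filter in front of GUA hosts, where inbound traffic is accepted only as the reply half of a flow an inside host opened, which is also why a compromised host's outbound connection gets a return path through a stateful firewall and a NAT alike. The enterprise prefixes are constructed from the documentation ranges, and the `Flow` record, `StatefulFilter` class and `block_scope` function are assumptions made for the example, not anything from the thread.

```python
"""Added example: block scope for abuse handling, and a default-deny stateful
filter for IPv6 hosts with GUAs.  All addresses below are constructed sample
values from the documentation ranges (RFC 5737 / RFC 3849)."""
import ipaddress
from dataclasses import dataclass

# Constructed: a hypothetical enterprise's public IPv4 NAT pool (every inside
# host appears on the Internet as one of these eight addresses) and the IPv6
# prefix from which each inside host gets its own GUA.
ENTERPRISE_NAT_POOL = ipaddress.ip_network("203.0.113.0/29")
ENTERPRISE_V6_PREFIX = ipaddress.ip_network("2001:db8:1::/48")


def block_scope(offending_src: str):
    """Return the smallest prefix a remote operator can deny to stop traffic
    from `offending_src`, knowing only the source address seen on the wire."""
    addr = ipaddress.ip_address(offending_src)
    if addr.version == 4 and addr in ENTERPRISE_NAT_POOL:
        # Every inside host shares the pool, so the offender cannot be singled
        # out: the whole pool, and with it the whole enterprise, gets denied.
        return ENTERPRISE_NAT_POOL
    # A GUA (or any non-shared address) identifies one host: a host route
    # (/128 for IPv6, /32 for IPv4) is enough.
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


@dataclass(frozen=True)
class Flow:
    """One direction of a transport-layer flow."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


class StatefulFilter:
    """Default-deny stateful filter protecting hosts inside `inside_prefix`.

    Outbound flows from inside hosts are recorded; inbound packets are accepted
    only if they are the reply half of a recorded flow (ESTABLISHED) or hit an
    explicitly opened (address, port, proto) service.  Everything else is dropped.
    """

    def __init__(self, inside_prefix):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.conntrack = set()      # flows initiated from inside
        self.inbound_allow = set()  # (dst, dport, proto) explicitly opened

    def open_service(self, dst: str, dport: int, proto: str) -> None:
        """Explicit allow rule, the one way unsolicited inbound traffic gets in."""
        self.inbound_allow.add((str(ipaddress.ip_address(dst)), dport, proto))

    def outbound(self, flow: Flow) -> bool:
        """Inside -> outside.  Allowed for inside hosts; creates conntrack state."""
        if ipaddress.ip_address(flow.src) not in self.inside:
            return False  # anti-spoofing: only our own prefix may leave
        self.conntrack.add(flow)
        return True

    def inbound(self, flow: Flow) -> bool:
        """Outside -> inside.  ESTABLISHED replies and opened services only."""
        reply_of = Flow(flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        if reply_of in self.conntrack:
            return True  # reply to a flow an inside host opened
        if (flow.dst, flow.dport, flow.proto) in self.inbound_allow:
            return True  # explicitly published service
        return False     # default deny


def demo():
    """Walk through both scenarios; returns the decisions for inspection."""
    fw = StatefulFilter(ENTERPRISE_V6_PREFIX)
    inside_host, remote = "2001:db8:1::10", "2001:db8:ffff::1"
    # Inside host opens an HTTPS connection; the server's reply is ESTABLISHED.
    out = fw.outbound(Flow(inside_host, 50000, remote, 443, "tcp"))
    reply = fw.inbound(Flow(remote, 443, inside_host, 50000, "tcp"))
    # The same remote probing a different port on the same GUA is dropped.
    probe = fw.inbound(Flow(remote, 40000, inside_host, 22, "tcp"))
    return {
        "nat_block": str(block_scope("203.0.113.5")),
        "gua_block": str(block_scope("2001:db8:1::10")),
        "outbound_allowed": out,
        "reply_allowed": reply,
        "unsolicited_allowed": probe,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `outbound` method records state regardless of why the inside host opened the flow, which is the behaviour the post describes: a firewall (or NAT) cannot tell a user's browser session from a compromised host calling out, so the return path exists either way; the per-host GUA only changes how precisely the remote side can respond once it notices.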