[41679] in North American Network Operators' Group
RE: Where NAT disenfranchises the end-user ...
daemon@ATHENA.MIT.EDU (woody weaver)
Tue Sep 11 21:52:07 2001
Reply-To: <woody.weaver@callisma.com>
From: "woody weaver" <woody@callisma.com>
To: "'Scott Gifford'" <sgifford@tir.com>
Cc: "'NANOG (E-mail)'" <nanog@merit.edu>
Date: Tue, 11 Sep 2001 14:47:59 -0700
Message-ID: <C0882219C0B96D4ABB1106EF7DCA797556FE0A@serv001.all.callisma.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <C0882219C0B96D4ABB1106EF7DCA7975526D11@serv001.all.callisma.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Monday, September 10, 2001 10:30 AM, Scott Gifford wrote:
>I ask not to drag this discussion on, but because I use NAT for
>address conservation and security on a couple networks that I operate,
>and am curious if I'd be much better off with something different...
What is meant by NAT and firewall?
If NAT is limited to simply the act of remapping sockets, then it provides
little or no security. A source route that takes the packet to the NAT box
and then routes to the target host bypasses NAT security.
What I think is generally meant by (outgoing) NAT is
1) A state table is kept that maps outgoing IP flows to masqueraded values
2) Responses to entries in the table are re-mapped to original values and
routed inward
3) Responses not in the table are dropped.
It is step 3 that provides that stateful filter that provides security. 1
and 2, which comprise NAT, provide no security [except possibly information
concealment, which is generally trivial to penetrate].
The problem is that because a NAT box isn't a security device, per se, it
does not have the same level of verification (hence trust) as a formal
security device. Using a LinkSys NAT device for a home firewall is probably
appropriate -- the confidence in the trusted computing base should match the
value of the assets being protected. Using that same device for an
enterprise is probably not appropriate. If it were "a couple networks that
I operate", I'd go ahead and purchase a firewall product, perhaps a
Netscreen or something inexpensive. They *are* reviewed as formal security
devices, and I would have a much higher level of confidence that the system
meets its specifications, as rfc2828 puts it.
YMMV. IANAL, although I play a security professional on TV.
--
Director, Professional Services    pager: 8779583393@skytel.net
Callisma                           voice: 510 450 9132
6400 Hollis St                     cell:  510 593 5849
Emeryville, CA 94608               email: woody.weaver@callisma.com
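The three steps the post lists for outgoing NAT, as an added example that is not part of the original message: a small Python model of a masquerading state table. Step 1 records each outgoing flow and its masqueraded source, step 2 rewrites replies that match a table entry back to the inside host, and step 3 drops anything that does not match. The masquerade address (203.0.113.1), the inside hosts and the sample packets are all constructed values; the class and method names are this example's own.

```python
"""Toy model of outgoing NAT as a state table plus a stateful filter.

Added example, not code from the post. Flows are identified by the usual
5-tuple; addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MASQ_IP = "203.0.113.1"  # constructed public address (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    """Keeps the outbound flow table and applies steps 1, 2 and 3 of the post."""

    def __init__(self, masq_ip: str = MASQ_IP, first_port: int = 40000):
        self.masq_ip = masq_ip
        self.next_port = first_port
        # Step 1: outgoing 5-tuple -> (masqueraded ip, masqueraded port)
        self.out_table: Dict[Tuple, Tuple[str, int]] = {}
        # Reverse index for step 2: (proto, masq port, remote ip, remote port)
        # -> (inside ip, inside port). The remote endpoint is part of the key,
        # so a reply is only accepted from the host the flow was opened to.
        self.in_table: Dict[Tuple, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Step 1: create or reuse a table entry and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            masq_port = self.next_port
            self.next_port += 1
            self.out_table[key] = (self.masq_ip, masq_port)
            self.in_table[(pkt.proto, masq_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip,
                pkt.src_port,
            )
        masq_ip, masq_port = self.out_table[key]
        return Packet(pkt.proto, masq_ip, masq_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 2: map a known reply back inward; step 3: drop everything else.

        Returns the rewritten packet, or None when the packet is dropped.
        """
        if pkt.dst_ip != self.masq_ip:
            return None  # not addressed to us at all
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.in_table.get(key)
        if entry is None:
            return None  # step 3: no matching flow, drop
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """Walk one flow through the table and show an unsolicited packet being dropped."""
    nat = StatefulNat()
    # Inside host opens a connection to a constructed web server.
    out = nat.outbound(Packet("tcp", "192.168.1.10", 51234, "198.51.100.7", 80))
    # The server's reply matches the table and is mapped back to the inside host.
    delivered = nat.inbound(Packet("tcp", "198.51.100.7", 80, MASQ_IP, out.src_port))
    # A packet to the same masqueraded port from a different remote host has no
    # table entry, so step 3 drops it.
    dropped = nat.inbound(Packet("tcp", "198.51.100.9", 12345, MASQ_IP, out.src_port))
    return out, delivered, dropped


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "delivered", "dropped"), demo()):
        print(f"{label}: {pkt}")
```

The security property the post attributes to step 3 is visible in `inbound`: a packet that reaches the masquerade address is only forwarded when a matching entry exists, and the reverse key includes the remote endpoint, so a different host sending to an in-use masqueraded port is still dropped. A device that matched on the masqueraded port alone would forward that packet, which is the kind of difference a formal review of a firewall product is meant to surface.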