[97201] in North American Network Operators' Group
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Jun 4 15:01:42 2007
In-Reply-To: <E1HvHM7-0007vr-6F@mail.shankland.org>
Cc: NANOG list <nanog@nanog.org>
From: Owen DeLong <owen@delong.com>
Date: Mon, 4 Jun 2007 11:47:15 -0700
To: Jim Shankland <nanog@shankland.org>
Errors-To: owner-nanog@merit.edu
On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> Owen DeLong <owen@delong.com> writes:
>> There's no security gain from not having real IPs on machines.
>> Any belief that there is results from a lack of understanding.
>
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
>
Maybe because it _IS_ true.
> *No* security gain? No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN? Or to access a single, corporate Web site?
>
Correct. There's nothing you get from NAT in that respect that you do
not get from good stateful inspection firewalls. NONE whatsoever.
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box? When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
That doesn't prove that NAT had anything to do with the security.
NAT implies stateful inspection. I could conduct the exact same
experiment with a Linux box behind a stateful inspection firewall
with legitimate addresses and achieve the exact same result.
NAT did nothing for you. Stateful inspection is where you got your
security. I'm so tired of people who fail to understand that NAT has
nothing to do with security, because they forget that stateful inspection
is required in order to make NAT work. However, NAT is not required
for stateful inspection to work.
Owen
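The following is an added illustration of the point made in the reply above; it is not code from the post or from either participant. It models a minimal connection-tracking firewall and runs it in two deployments: as a NAT gateway rewriting an RFC1918 source address, and as a plain stateful firewall in front of a host with a globally routable (here IPv6) address. The state table and the inbound-admission check are identical; only the translation step differs, so an unsolicited inbound connection attempt is dropped in both cases. All addresses, ports and the probe are constructed sample values from documentation ranges.

```python
"""Minimal connection-tracking firewall model (added example, not from the list post).

Two deployments share one state table: a NAT gateway that rewrites the inside
host's RFC1918 address, and a plain stateful firewall in front of a host with a
globally routable address. Every address and port below is a constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening segment


class StatefulFirewall:
    """Records outbound flows; admits inbound packets only for a known flow."""

    def __init__(self, inside_prefix, translate_to=None):
        self.inside_prefix = inside_prefix
        self.translate_to = translate_to  # public address in NAT mode, None otherwise
        self.flows = set()                # (inside_ip, inside_port, remote_ip, remote_port)
        self.next_public_port = 40000
        self.nat_table = {}               # public_port -> (inside_ip, inside_port)

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def outbound(self, pkt):
        """An inside host opens a flow: record state, translate only in NAT mode."""
        if not self._is_inside(pkt.src):
            raise ValueError("outbound packet must originate inside")
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if self.translate_to is None:
            return pkt  # forwarded unchanged; the state entry is what matters
        public_port = self.next_public_port
        self.next_public_port += 1
        self.nat_table[public_port] = (pkt.src, pkt.sport)
        return Packet(self.translate_to, public_port, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        """Return the packet as delivered to the inside host, or None if dropped."""
        if self.translate_to is not None:
            mapping = self.nat_table.get(pkt.dport)
            if mapping is None:
                return None  # no translation entry: nothing to deliver to
            inside_ip, inside_port = mapping
        else:
            inside_ip, inside_port = pkt.dst, pkt.dport
        # The same check decides admission in both modes.
        if (inside_ip, inside_port, pkt.src, pkt.sport) not in self.flows:
            return None  # unsolicited: no matching outbound flow
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.syn)


def run_scenarios():
    """Exercise both deployments and report what each admits or drops."""
    # NAT gateway: inside host 10.0.0.5 behind public address 203.0.113.1.
    nat = StatefulFirewall("10.", translate_to="203.0.113.1")
    out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.10", 80, syn=True))
    reply = nat.inbound(Packet("198.51.100.10", 80, out.src, out.sport))
    probe = nat.inbound(Packet("192.0.2.77", 4444, "203.0.113.1", 22, syn=True))

    # Stateful firewall, no NAT: the inside host keeps its routable address.
    plain = StatefulFirewall("2001:db8::")
    out2 = plain.outbound(Packet("2001:db8::5", 51000, "2001:db8:ffff::10", 80, syn=True))
    reply2 = plain.inbound(Packet("2001:db8:ffff::10", 80, out2.src, out2.sport))
    probe2 = plain.inbound(Packet("2001:db8:bad::77", 4444, "2001:db8::5", 22, syn=True))

    return {
        "nat_translated_src": (out.src, out.sport),
        "nat_reply_delivered": reply is not None and reply.dst == "10.0.0.5",
        "nat_probe_dropped": probe is None,
        "plain_src_unchanged": (out2.src, out2.sport),
        "plain_reply_delivered": reply2 is not None and reply2.dst == "2001:db8::5",
        "plain_probe_dropped": probe2 is None,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The outcome is the same in both modes: the reply to a flow the inside host opened is delivered, and the unsolicited connection attempt to port 22 is dropped. In the NAT case the drop happens because there is no translation entry; in the non-NAT case it happens because there is no flow entry. Either way the decision comes from connection state, not from whether the inside address is routable.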