[97263] in North American Network Operators' Group


Re: Security gain from NAT

daemon@ATHENA.MIT.EDU (Jeff McAdams)
Tue Jun 5 08:14:31 2007

Date: Tue, 05 Jun 2007 08:13:24 -0400
From: Jeff McAdams <jeffm@iglou.com>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <MDEHLPKNGKAHNMBLJOLKMEGHEFAC.davids@webmaster.com>
Errors-To: owner-nanog@merit.edu

David Schwartz wrote:
>> Just because it's behind NAT, does not mean it's unreachable from the
>> internet:

> Okay, so exactly how many times do you think we have to say in this thread
> that by "NAT/PAT", we mean NAT/PAT as typically implemented in the very
> cheapest routers in their default configuration?

And my $50 Linksys has a "DMZ host" configuration item, as well as
configurable port range forwarding entries.

1: "Gee, I want to run this p2p app, and it doesn't work."
2: "Go to http://192.168.1.1 and enter 192.168.1.100 into the DMZ Host"
1: "Great, it works now!"

>> I can do the same without NAT/PAT.  Period.  The benefits are from
>> "disallow new inbound by default", *not* address muxing.

> That you can do something without NAT/PAT tells you nothing about what
> NAT/PAT does. Why state an uncontested unrelated point nobody disagrees with
> when there is an actual live disagreement about what security NAT/PAT does
> or doesn't provide? (Hint: NAT/PAT, as discussed here, includes "disallow
> new inbound by default").

Because it was stated that NAT/PAT provides security, and it doesn't.
The DMZ host above is still NAT'ed (and the configurable port forwarding
ranges are still PAT'ed), but the security "provided by NAT" just went
out the window.

>> Which means that -- tada! -- NAT/PAT isn't giving you anything that the
>> stateful inspection firewall isn't.

> That's wonderful, but that's not even remotely responsive to what I'm
> saying. I'm responding to Owen's claim that NAT/PAT doesn't provide any
> security, not that it doesn't provide you any security that a stateful
> inspection firewall doesn't or can't.

But it is correct.  Just mangling the addresses in the headers doesn't
actually stop anything from getting through, it just means it gets
through mangled.  The security comes from SI and dropping packets that
don't have an active session established from inside, or related.

>> In order to make (dynamic) NAT work you need to implement SI - that's what
>> protects you. What does NAT get you above and beyond the SI you have
>> already implemented?

> What does a car get you above and beyond the engine, transmission, starter,
> and so on? It gets you all those things in one convenient package that you
> just buy, start, and drive. NAT provides all the advantages its component
> parts provide. Really.

And in IPv6-land, it will be trivial to build consumer level IPv6
firewalls that have a default of dropping everything inbound, which is
what the SI of a dynamic NAT gives you.  Exactly the same level of
security and a whole lot less breakage.
-- 
Jeff McAdams
"They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety."
                                       -- Benjamin Franklin
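As an added illustration of the distinction argued in this post (it is not part of the original message, nor code from any product mentioned in it), the toy gateway model below treats address translation, stateful inspection and the "DMZ host" setting as three independent knobs, so a reader can see which one actually decides whether an unsolicited inbound packet reaches an inside host: the session table that SI keeps, not the address rewriting. All addresses, ports and the session-table logic are constructed for the example; the IPv6 case is the same policy with translation switched off.

```python
"""Toy consumer gateway: NAT/PAT, stateful inspection (SI) and a "DMZ host"
as separate knobs.  Constructed example; every address and port is made up."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, public_ip: str, nat: bool, stateful: bool,
                 dmz_host: Optional[str] = None) -> None:
        self.public_ip = public_ip
        self.nat = nat              # rewrite inside addresses on the way out?
        self.stateful = stateful    # drop inbound packets with no matching session?
        self.dmz_host = dmz_host    # inside host that receives everything unsolicited
        # Session table: key is the reply 4-tuple as seen on the outside,
        # value is the inside (address, port) the reply must be delivered to.
        self.sessions: dict[tuple[str, int, str, int], tuple[str, int]] = {}
        self.next_ext_port = 40000  # PAT port pool (constructed)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: record the session and, if NAT is on,
        rewrite the source to the gateway's public address and a PAT port."""
        if self.nat:
            wire = replace(pkt, src=self.public_ip, sport=self.next_ext_port)
            self.next_ext_port += 1
        else:
            wire = pkt
        # The reply arrives with src/dst swapped relative to what went out.
        self.sessions[(wire.dst, wire.dport, wire.src, wire.sport)] = (pkt.src, pkt.sport)
        return wire

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: the packet as delivered to an inside host,
        or None if the gateway drops it."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            # Reply to a session opened from inside: allowed, and un-NATed.
            inside_ip, inside_port = self.sessions[key]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        if self.dmz_host is not None:
            # "DMZ host": every unsolicited packet is handed to one inside box,
            # translation still happening, the SI drop policy bypassed.
            return replace(pkt, dst=self.dmz_host)
        if self.stateful:
            return None         # unsolicited new inbound: dropped by SI
        return pkt              # no policy at all: delivered as addressed


# Constructed addresses (documentation ranges); INSIDE mirrors the post's example.
INSIDE = "192.168.1.100"
PUBLIC = "203.0.113.7"
REMOTE = "198.51.100.9"
INSIDE6 = "2001:db8::100"


def reply_is_delivered(gw: Gateway, inside: str = INSIDE) -> bool:
    """Open a session from inside and check that the reply comes back to it."""
    out = gw.outbound(Packet(inside, 51000, REMOTE, 443))
    back = gw.inbound(Packet(REMOTE, 443, out.src, out.sport))
    return back is not None and back.dst == inside and back.dport == 51000


def unsolicited_target(gw: Gateway, dst: str) -> Optional[str]:
    """Which inside address an unsolicited inbound packet reaches (None = dropped)."""
    delivered = gw.inbound(Packet(REMOTE, 6000, dst, 22))
    return None if delivered is None else delivered.dst


if __name__ == "__main__":
    nat_si = Gateway(PUBLIC, nat=True, stateful=True)
    print("NAT+SI, unsolicited:", unsolicited_target(nat_si, PUBLIC))      # None
    print("NAT+SI, reply:", reply_is_delivered(nat_si))                   # True
    dmz = Gateway(PUBLIC, nat=True, stateful=True, dmz_host=INSIDE)
    print("NAT+SI+DMZ, unsolicited:", unsolicited_target(dmz, PUBLIC))    # INSIDE
    v6_si = Gateway("2001:db8::1", nat=False, stateful=True)
    print("v6 SI only, unsolicited:", unsolicited_target(v6_si, INSIDE6)) # None
    print("v6 SI only, reply:", reply_is_delivered(v6_si, INSIDE6))       # True
```

The model makes the post's two points visible side by side: with NAT and SI the unsolicited packet is dropped and the reply to an inside-initiated session is delivered, the DMZ host setting leaves translation in place yet delivers the unsolicited packet to the inside host, and the no-NAT (IPv6-style) gateway with the same "disallow new inbound by default" table behaves exactly like the NAT one. Whether such a session table also expires entries or tracks "related" flows (FTP data channels and the like) is a real-world detail the toy deliberately leaves out.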

