Security Basics mailing list archives
RE: NAT external/Public IP
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Mon, 5 Nov 2007 09:50:54 -0800
> However, we're getting off the subject. I'm still waiting for someone to explain how public addresses are any less secure than private addresses. To repeat myself: using public addresses for hosts in your LAN does *not* mean that those hosts automatically are publicly accessible.
You ask two separate and quite distinct questions. First, using private address ranges in your LAN, and providing PAT services at the perimeter for egressing traffic does provide a security benefit (I may be naïve of others). I also argue that the obscurity function is a useful part of a holistic and multi-layered approach to security.

-- Assuming the use of a firewall or other stateful filter to perform the translation, PAT is a one-way function. While a firewall will allow _return_ traffic across a PAT'ed connection, new connections inbound to the private network host are not allowed. For that either a static NAT plus a firewall rule is required, or a rule plus the use of publicly routable internet host addressing on private network hosts. (Or a really bad error in your firewall config. :-> ) PAT is one layer of a multi-layered scheme to protect private hosts from outside attack.

-- Obfuscation of internal network structure and numbering schemes. A private network using publicly routable internet host addressing can be mapped from outside by a vigilant attacker by simply logging the source IP addresses of packets leaving the network. Other details can be gleaned from header fields like TTL or source port number, allowing rudimentary OS fingerprinting. Information about IP address ranges can be valuable for enumerating what hosts exist and of what type, and in what ranges. PAT eliminates the disclosure of these details.

But even though address translation obscures information that an attacker might leverage, obscurity is not security. Security is not the purpose of address translation, and it should not be relied upon as such. But that's not an argument against its use. The privacy function of PAT does not improve the security of a host, but it does reduce the surface area open to attack, and that's valuable in the overall scheme of things.
Secondly, you say "using public addresses for hosts in your LAN does *not* mean that those hosts automatically are publicly accessible." You are quite correct, but I'm not certain that's a position anyone argued. The original statement (made by Grant Donald) you responded to was this:
> Depending on firewall capabilities (or lack of capabilities) ports may need to be opened inbound for certain applications to work (e.g. ident & pptp). A horizontal scan of such a network could produce a wealth of knowledge, if that network does not support port address translation.
The poster may be confusing static one-to-one NAT with egress-oriented PAT. An attacker can identify NAT'ed mail servers with a TCP port 25 connect sweep across your public address face. That's useful knowledge, but available elsewhere (DNS MX records, for example), and an inherent part of offering public services like an internet mail server for your domain. It's also not mitigated by use of PAT, as PAT does not allow anonymous inbound connections - a function required for the service offered. Then again, he may mean something completely different :->

Best regards,
- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
(530) 889-4222
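The one-way behaviour of egress-oriented PAT that the post describes, beside a static NAT entry for a published mail server, modelled as an added example (not code from the original thread or from any real gateway). The `PatGateway` class, its state table and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class PatGateway:
    """Constructed model of a stateful PAT perimeter plus optional static NAT entries."""
    public_ip: str
    next_port: int = 40000
    # public source port -> (private ip, private port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    # public port -> (private ip, private port): static NAT plus a firewall rule
    static: dict = field(default_factory=dict)

    def egress(self, pkt: Packet) -> Packet:
        """Outbound: record the connection state and rewrite the source to the public address."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pub_port = next((p for p, f in self.table.items() if f == flow), None)
        if pub_port is None:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        # The outside only ever sees public_ip:pub_port, never the internal numbering.
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def ingress(self, pkt: Packet):
        """Inbound: translate return traffic or static-NAT traffic; drop everything else."""
        if pkt.dst != self.public_ip:
            return None
        flow = self.table.get(pkt.dport)
        if flow and flow[2:] == (pkt.src, pkt.sport):      # return traffic on a PAT'ed connection
            return Packet(pkt.src, pkt.sport, flow[0], flow[1])
        if pkt.dport in self.static:                        # published service (static NAT + rule)
            priv_ip, priv_port = self.static[pkt.dport]
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
        return None                                         # no state and no rule: dropped

def demo():
    gw = PatGateway("198.51.100.1")
    gw.static[25] = ("10.0.0.25", 25)   # the mail server case: static NAT plus a firewall rule
    out = gw.egress(Packet("10.0.0.7", 51000, "203.0.113.9", 80))
    back = gw.ingress(Packet("203.0.113.9", 80, gw.public_ip, out.sport))      # return traffic: allowed
    stray = gw.ingress(Packet("203.0.113.9", 4444, gw.public_ip, out.sport))   # wrong remote endpoint: dropped
    cold = gw.ingress(Packet("203.0.113.9", 4444, gw.public_ip, 3389))         # no state: dropped
    mail = gw.ingress(Packet("203.0.113.9", 4444, gw.public_ip, 25))           # static NAT: allowed
    return out, back, stray, cold, mail
```

Running `demo()` shows why a port 25 sweep still finds the statically mapped mail server while unsolicited inbound packets to PAT'ed hosts never reach the private network.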