nanog mailing list archives
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: Matthew Palmer <mpalmer () hezmatt org>
Date: Tue, 5 Jun 2007 10:02:14 +1000
On Mon, Jun 04, 2007 at 04:27:14PM -0700, David Schwartz wrote:
> > I posit that a screen door does not provide any security. A lock and deadbolt provide some security. NAT/PAT is a screen door. Not having public addresses is a screen door. A stateful inspection firewall is a lock and deadbolt.
>
> This is a fine piece of rhetoric, but it's manifestly false and seriously misleading. I have a cluster of Windows machines at my store with no networking security at all. They're behind NAT/PAT and nothing else.
Can you give us technical details about how you're doing NAT/PAT without any form of stateful packet inspection? I'm sure we'd all be most interested. If it turns out that you are, in fact, using stateful inspection, then you've got that lock and deadbolt installed, but haven't noticed it behind the screen door.
> I can give you the root password to a Linux machine running telnetd and sshd. If it's behind NAT/PAT, you will not get into it. Period. I can give you the administrator password to a Windows machine with file sharing wide open. If it's behind NAT/PAT, you will not get into it. Period. The only ways into these machines would be if the NAT/PAT device were misconfigured, another machine on the secure network were compromised, or another gateway into the secure network was set up. Guess what? All of these things would defeat a stateful inspection firewall as well.
Which means that -- tada! -- NAT/PAT isn't giving you anything that the stateful inspection firewall isn't.
> Are there things most stateful inspection firewalls can do that NAT/PAT does not do? Definitely. Are those things valuable and in some cases vital? Definitely. So why lie and distort what NAT/PAT actually does do? A large class of security vulnerabilities require the attacker to reach out to the machine first, and NAT/PAT stops those attacks completely.
As does stateful inspection. Duck season!

- Matt

-- 
when SuSE are doing better than you at publishing the tools they use, it's a hint that maybe you suck. -- Andrew Suffield, debian-devel
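To make Matt's question concrete, here is an added illustration that is not part of the thread: an nftables ruleset for a Linux gateway (interface names and the 10.0.0.0/24 inside network are assumed). The masquerade rule cannot function without the connection-tracking table, and the rule that actually refuses unsolicited inbound connections is the stateful filter, which behaves identically with the NAT rule deleted.

```nft
# Added example, not from the mailing list thread.
# Assumed layout: eth0 = WAN side, eth1 = LAN side, inside network 10.0.0.0/24.
table inet gateway {
    # NAT/PAT. The kernel must record every outbound flow in conntrack so it can
    # reverse the translation on the replies; there is no "stateless" NAT/PAT here.
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade
    }

    # This chain is the lock and deadbolt. With ip_forward enabled and only the
    # masquerade rule above, a packet arriving on eth0 addressed to an inside host
    # (e.g. from a neighbour on the ISP segment with a route to 10.0.0.0/24) would
    # still be forwarded; it is the state check below that drops it.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" ct state new accept
    }
}
```

Delete the postrouting chain and give the inside hosts public addresses: the forward chain still admits only replies to flows the inside hosts opened, which is exactly the "attacker must reach out first" protection the thread attributes to NAT/PAT.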