nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Mark Andrews <marka () isc org>
Date: Thu, 13 Jan 2011 14:02:22 +1100
In message <AANLkTikiXF_mbuo-osKPjSW98vn5_d5WZNUi_PL37sNG () mail gmail com>, William Herrin writes:
> On Wed, Jan 12, 2011 at 12:16 PM, <Valdis.Kletnieks () vt edu> wrote:
>> On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
>>> In a client (rather than server) scenario, the picture is different.
>>> Depending on the specific "NAT" technology in use, the firewall may be
>>> incapable of selecting a target for unsolicited communications inbound
>>> from the public Internet. In fact, it may be theoretically impossible
>>> for it to do so. In those scenarios, the presence of NAT in the
>>> equation makes a large class of direct attacks on the interior host
>>> impractical, requiring the attacker to fall back on other methods like
>>> attempting to breach the firewall itself or indirectly polluting the
>>> responses to communication initiated by the internal host.
>>
>> Note that the presence of a firewall with a 'default deny' rule for inbound
>> packets provides the same level of impracticality.
>
> Hi Valdis,
>
> There's actually a large difference between something that's
> impossible for a technology to do (even in theory), something that the
> technology has been programmed not to do and something that a
> technology is by default configured not to do.

Well, ask the firewall vendor not to give you the knob to open it
up completely. Note the CPE NAT boxes I've seen all have the ability
to send anything that isn't being NAT'd to an internal box, so it
isn't like NAT boxes don't already have the flaw you are complaining
about. Usually it's labeled as DMZ host or something similar. They
also have the ability to send traffic for individual ports to
particular boxes on the inside without it being initiated from the
inside.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
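The inbound handling argued over in this message, as an added example that is not part of the thread: a toy Python model of a CPE NAPT box with the "DMZ host" and per-port forwarding knobs described above. The class, its field names, the endpoint-dependent session match and all addresses (documentation ranges) are assumptions made for illustration, not any vendor's behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class CpeNat:
    """Toy model of a CPE NAPT box's inbound decision (constructed for illustration)."""
    sessions: dict = field(default_factory=dict)       # (proto, public_port) -> (inside_ip, inside_port, remote)
    port_forwards: dict = field(default_factory=dict)  # (proto, public_port) -> (inside_ip, inside_port)
    dmz_host: Optional[str] = None                     # catch-all inside target, if configured
    next_port: int = 40000

    def outbound(self, proto, inside_ip, inside_port, remote):
        """An inside host opens a flow: allocate a public port and remember the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, public_port)] = (inside_ip, inside_port, remote)
        return public_port

    def inbound(self, proto, public_port, remote):
        """Decide what happens to a packet arriving on the public side."""
        key = (proto, public_port)
        sess = self.sessions.get(key)
        if sess and sess[2] == remote:          # reply to a flow started from inside
            return ("session", sess[:2])
        if key in self.port_forwards:           # static mapping: no inside initiation needed
            return ("port-forward", self.port_forwards[key])
        if self.dmz_host:                       # everything not otherwise NAT'd goes here
            return ("dmz-host", (self.dmz_host, public_port))
        return ("drop", None)                   # no state, no rule: no target to select

def unsolicited_exposure(nat):
    """List the configuration entries that let unsolicited inbound traffic reach an inside host."""
    findings = [f"port-forward {p}/{port} -> {ip}:{iport}"
                for (p, port), (ip, iport) in sorted(nat.port_forwards.items())]
    if nat.dmz_host:
        findings.append(f"dmz-host -> {nat.dmz_host} (all other ports)")
    return findings

if __name__ == "__main__":
    nat = CpeNat()
    server, scanner = ("198.51.100.7", 443), ("198.51.100.99", 5555)   # constructed addresses
    p = nat.outbound("tcp", "192.168.1.10", 51000, server)
    print(nat.inbound("tcp", p, server))        # reply to an inside-initiated flow
    print(nat.inbound("tcp", 22, scanner))      # unsolicited, nothing configured
    nat.port_forwards[("tcp", 8080)] = ("192.168.1.30", 80)
    nat.dmz_host = "192.168.1.20"
    print(nat.inbound("tcp", 8080, scanner))    # unsolicited, static forward
    print(nat.inbound("tcp", 22, scanner))      # unsolicited, DMZ host catch-all
    print(unsolicited_exposure(nat))
```

Running `unsolicited_exposure` against a box's real forwarding and DMZ settings is the audit this message implies: an empty list means unsolicited inbound packets have no inside target to be delivered to.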