nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: William Herrin <bill () herrin us>
Date: Thu, 13 Jan 2011 20:48:40 -0500
On Wed, Jan 12, 2011 at 10:02 PM, Mark Andrews <marka () isc org> wrote:
> In message <AANLkTikiXF_mbuo-osKPjSW98vn5_d5WZNUi_PL37sNG () mail gmail com>, William Herrin writes:
>> There's actually a large difference between something that's impossible for a technology to do (even in theory), something that the technology has been programmed not to do and something that a technology is by default configured not to do.
>
> Well ask the firewall vendor not to give you the knob to open it up completely.

Hi Mark,

Why would I do that? I still have toes left; I *want* to be able to shoot myself in the foot.

Still, you do follow the practical difference between can't, programmed not to and configured not to, right? Can't is 0% chance of a breach on that vector. The others are varying small percentages with "configured" the highest of the bunch.

> Note the CPE NAT boxes I've seen all have the ability to send anything that isn't being NAT'd to an internal box so it isn't like NAT boxes don't already have the flaw you are complaining about. Usually it's labeled as DMZ host or something similar.

Fair enough. Implementations that can't target -something- for unsolicited inbound packets have gotten rare.

The core point remains: a hacker trying to push packets at an arbitrary host behind a NAT firewall has to not only find flaws in the filtering rules, he also has to convince the firewall to send the packet to the "right" host. This is more difficult. The fact that the firewall doesn't automatically send the packet to the right host once the filtering flaw is discovered adds an extra layer of security. Practically speaking, the hacker will have better luck trying to corrupt data actually solicited by interior hosts that the difficulty getting the box to send unsolicited packets to the host the hacker wants to attack puts an end to the whole attack vector.

On Thu, Jan 13, 2011 at 4:21 PM, Lamar Owen <lowen () pari edu> wrote:
> On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
>> That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny.
>
> This is demonstrably not correct.

Hi Lamar,

I have to side with Owen on this one. When a packet arrives at the external interface of a NAT device, it's looked up in the NAT state table. If no matching state is found, the packet is discarded. However it came about, that describes a firewall and it is stateful.

Even if you route the packets somewhere instead of discarding them, you've removed them from the data streams associated with the individual interior hosts that present on the same exterior address. Hence, a firewall.

There's no such thing as a pure router any more. As blurry as the line has gotten it can be attractive to think of selectively acting on packets with the same IP address pairs as a routing function, but it's really not... and where the function is to divert undesired packets from the hosts that don't want them (or the inverse -- divert desired packets to the hosts that do want them), that's a firewall.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
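The state-table behaviour argued over in this message, as an added example that is not part of the thread: outbound packets create NAT state, inbound packets are forwarded only when they match existing state, and an optional "DMZ host" setting models the knob Mark mentions that sends unmatched traffic to one designated interior host. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "198.51.100.1"  # constructed exterior address of the NAT box


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatBox:
    """Minimal port-overloading NAT with the default-inbound-deny behaviour."""
    dmz_host: Optional[str] = None           # the "send the rest to this box" knob
    next_port: int = 40000                   # next exterior port to hand out
    # exterior port -> (interior ip, interior port, remote ip, remote port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Interior -> exterior: reuse or create state, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for ext_port, state in self.table.items():
            if state == key:
                return Packet(EXTERNAL_IP, ext_port, pkt.dst_ip, pkt.dst_port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = key
        return Packet(EXTERNAL_IP, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Exterior -> interior: forward on a state match, else DMZ host, else drop."""
        if pkt.dst_ip != EXTERNAL_IP:
            return None                      # not addressed to us at all
        state = self.table.get(pkt.dst_port)
        # Match requires the remote endpoint to be the one the interior host talked to;
        # hitting the right exterior port from a different source is not enough.
        if state and (state[2], state[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, state[0], state[1])
        if self.dmz_host is not None:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None                          # no state, no DMZ: discarded


def solicited_reply_reaches_host(nat: NatBox) -> Optional[Packet]:
    """Interior host opens a connection; the server's reply must come back to it."""
    out = nat.outbound(Packet("192.168.1.10", 5555, "203.0.113.7", 80))
    return nat.inbound(Packet("203.0.113.7", 80, EXTERNAL_IP, out.src_port))
```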