nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Leen Besselink <leen () consolejunkie net>
Date: Sat, 15 Jan 2011 13:24:01 +0100
On 01/15/2011 02:01 AM, George Bonser wrote:
From: William Herrin
Sent: Friday, January 14, 2011 4:11 PM
To: nanog () nanog org
Subject: Re: Is NAT can provide some kind of protection?

On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong <owen () delong com> wrote:

Ah, but, the point here is that NAT actually serves as an enabling technology for part of the attack he is describing.

I watch the movies too and I hang in suspense as the protagonist waits for the bad guy to make a network connection and then activates the phlebotinum that backhacks his tubes. And I know there are some real-life examples where giving a hacker a large file to download has kept him connected to a modem long enough to get a phone trace. But I haven't read of a _nonfiction_ example where the dynamic opening in a stateful firewall (NAT or otherwise) has directly provided the needed opening for an _active_ attack by a third party. Can you cite one?

The extent to which NAT is a security hazard in my experience is that it simply makes it harder to find a compromised machine. Someone might inform us that they are seeing suspicious traffic that matches a virus profile from an IP address but the NAT makes it difficult to determine the actual source of the traffic. In that case NAT isn't, in and of itself, the enabling mechanism, but it does offer the compromised host some additional time to do its malicious work while it is being tracked down and eliminated. It also adds more work for providers when someone wants to know who was responsible for certain traffic at certain times. This is particularly true of NAT devices that get their "outside" IP by DHCP. Now they have to search their records and sort out who had that IP at that time and then associate that with a specific customer. Then at the customer location, there might be several more devices (or a neighbor connected over an unsecured wireless) and at that point there is no telling where the traffic came from.

So NAT itself isn't a security threat, but it sure gives a real security threat a lot of woodwork in which to hide.

G
I'm a full supporter of getting rid of NAT when deploying IPv6, but have to say the alternative is not all that great either. Because what do people want, they want privacy, so they use the IPv6 privacy extensions. Which are enabled by default on Windows when IPv6 is used on XP, Vista and 7. And now you have no idea who had that IPv6-address at some point in time. The solution to that problem is? I guess the only solution is to have the IPv6 equivalent of arpwatch to log the MAC-addresses/IPv6-address combinations? Or is there another solution I'm missing?
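The MAC/IPv6 logging suggested in the message above, as an added example (not part of the original post and not code from arpwatch or any other tool): it builds a binding history from neighbor-table snapshots and answers "who had this address at time T". The timestamp-prefixed `ip -6 neigh show` snapshot format, the sample data and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: `ip -6 neigh show` output, each line prefixed with the
# epoch time at which a (hypothetical) collector took the snapshot.
SAMPLE = """\
1295090000 2001:db8:0:1:211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
1295090000 2001:db8:0:1:5c7a:91d3:3e02:a1b4 dev eth0 lladdr 00:11:22:33:44:55 STALE
1295093600 2001:db8:0:1:5c7a:91d3:3e02:a1b4 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
1295097200 2001:db8:0:1:9d01:77c2:4be0:c19 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
1295097200 2001:db8:0:1:5c7a:91d3:3e02:a1b4 dev eth0 lladdr 66:77:88:99:aa:bb DELAY
1295097200 2001:db8:0:1::dead dev eth0  FAILED
"""

def eui64_mac(addr):
    """MAC embedded in a modified EUI-64 interface ID, or None (e.g. privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def build_log(text):
    """Map IPv6 address -> [(timestamp, mac)], recording only binding changes."""
    rows = [line.split() for line in text.splitlines()]
    rows = [t for t in rows if "lladdr" in t]  # FAILED/INCOMPLETE entries have no MAC
    log = {}
    for t in sorted(rows, key=lambda t: int(t[0])):
        addr = str(ipaddress.IPv6Address(t[1]))
        mac = t[t.index("lladdr") + 1].lower()
        hist = log.setdefault(addr, [])
        if not hist or hist[-1][1] != mac:
            hist.append((int(t[0]), mac))
    return log

def who_had(log, addr, when):
    """Last MAC seen bound to addr at or before `when`; None if not yet seen."""
    mac = None
    for ts, m in log.get(str(ipaddress.IPv6Address(addr)), []):
        if ts > when:
            break
        mac = m
    return mac

def addresses_of(log, mac):
    """Every address ever bound to one MAC (shows privacy-address rotation)."""
    return sorted(a for a, h in log.items() if any(m == mac for _, m in h))

if __name__ == "__main__":
    print(addresses_of(build_log(SAMPLE), "00:11:22:33:44:55"))
```

The lookup returns the last binding seen at or before the requested time, so its accuracy depends on how often the neighbor table is sampled relative to how quickly privacy addresses rotate.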