quietly....

Jimmy Hess mysidia at gmail.com
Thu Feb 3 05:37:14 UTC 2011


On Wed, Feb 2, 2011 at 11:18 PM, Jay Ashworth <jra at baylink.com> wrote:
> Justify, yourself in turn, "small number".  My personal estimate of the
> number of NATted edge networks is well north of 75%, on a network count

You don't get to count all NAT'ed IPv4 edge networks the same.
You only get to count the NAT'ed edge networks that decide they don't
want to have normal connectivity for their IPs, even with IP address
space available to them, and even after reading up on IPv6.

> Complexity of the configuration vastly increases the size of the
> attack surface: in a NATted edge network, *no packets can come in
> unless I explicitly configure for them*; there are any number of

Not necessarily true.  This is a case of 'wish it were secure' but
can't prove it.  It is possible that a client on a NAT'ed network can
conspire with an intruder to defeat the NAT device, and in various
cases NAT can be completely defeated by an outsider, without a
direct conspiracy.

Any device on the subnet can spoof a SYN packet from any other
device on the subnet.  The NAT device will now have a connection
entry, and the intruder can use this to circumvent the NAT.  A good
stateful firewall can prevent this and a few other similar shenanigans.

But if the NAT device does not have a true stateful firewall function
integrated, it is not nearly as secure as it might at first appear.


> In a firewall, you are *fighting* the default "route this packet"
> design; in a NATgate, you have to consciously throw the packets
> over the moat.

It sounds like you have a lousy firewall. Decent stateful firewalls
deny all incoming traffic by default that does not go with an
outbound connection, until policies have been established.

It's possible you can make an erroneous access rule, but you can
also make an erroneous port forward on a NAT device.

--
-JH
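
The spoofed-SYN point in the post above, as an added worked example that is not part of the original NANOG message. It is a toy model of two translators: a stateless NAPT table that installs a mapping for any outbound packet, and a connection tracker that follows the TCP handshake, drops out-of-state packets, and tears the entry down when the real inside host answers an unsolicited SYN-ACK with a RST. The addresses, ports, the `Pkt` class, `BasicNAT`, `StatefulNAT` and the packet sequence are all constructed for illustration; sequence-number checking, idle timeouts and the case where the rogue host also forges the third handshake packet are deliberately left out.

```python
"""Toy model of a stateless NAT table versus a TCP-aware connection tracker.
Added example; all hosts, ports and packets below are constructed."""
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.1"    # translator's public address (constructed)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                 # TCP flags as text: "S", "SA", "A", "PA", "R"
    payload: str = ""


class BasicNAT:
    """Stateless NAPT: any outbound packet installs a mapping; any inbound
    packet whose destination port and source match a mapping is forwarded."""

    def __init__(self):
        self.table = {}        # ext_port -> (in_ip, in_port, remote_ip, remote_port)
        self.reverse = {}      # that 4-tuple -> ext_port
        self.next_port = 40000

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.reverse:        # new flow: allocate a public port
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Pkt(EXTERNAL_IP, self.reverse[key], p.dst, p.dport, p.flags, p.payload)

    def inbound(self, p):
        e = self.table.get(p.dport)
        if e is None or (e[2], e[3]) != (p.src, p.sport):
            return None                    # no mapping: dropped
        return Pkt(p.src, p.sport, e[0], e[1], p.flags, p.payload)


class StatefulNAT(BasicNAT):
    """Same table, plus per-entry TCP state.  Only a SYN opens an entry,
    inbound packets must fit the state, and a RST from either side removes it."""

    def __init__(self):
        super().__init__()
        self.state = {}        # ext_port -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def _drop(self, ext):
        self.reverse.pop(self.table.pop(ext), None)
        self.state.pop(ext, None)

    def outbound(self, p):
        ext = self.reverse.get((p.src, p.sport, p.dst, p.dport))
        if ext is None:
            if p.flags != "S":
                return None                # a new flow must start with a SYN
            out = super().outbound(p)
            self.state[out.sport] = "SYN_SENT"
            return out
        if "R" in p.flags:                 # inside host refuses the connection
            out = super().outbound(p)
            self._drop(ext)
            return out
        if self.state[ext] == "SYN_RECV" and p.flags == "A":
            self.state[ext] = "ESTABLISHED"
        return super().outbound(p) if self.state[ext] == "ESTABLISHED" else None

    def inbound(self, p):
        st = self.state.get(p.dport)
        if st is None:
            return None
        if "R" in p.flags:
            inn = super().inbound(p)
            if inn is not None:
                self._drop(p.dport)
            return inn
        if st == "SYN_SENT" and p.flags == "SA":
            self.state[p.dport] = "SYN_RECV"
            return super().inbound(p)
        return super().inbound(p) if st == "ESTABLISHED" else None


def spoofed_syn_scenario(nat):
    """A rogue inside host forges a SYN with a neighbour's address; does the
    outside peer's later data reach that neighbour through the translator?"""
    victim, peer = "192.168.1.10", "198.51.100.7"
    ext = nat.outbound(Pkt(victim, 50000, peer, 4444, "S")).sport   # forged by 192.168.1.66
    synack = nat.inbound(Pkt(peer, 4444, EXTERNAL_IP, ext, "SA"))   # peer completes step 2
    nat.outbound(Pkt(victim, 50000, peer, 4444, "R"))               # victim never asked: RST
    data = nat.inbound(Pkt(peer, 4444, EXTERNAL_IP, ext, "PA", "x"))  # peer pushes anyway
    return {"synack_reached_victim": synack is not None and synack.dst == victim,
            "data_reached_victim": data is not None and data.dst == victim}


def normal_connection(nat):
    """Sanity check: a genuine outbound connection still works through both."""
    client, server = "192.168.1.10", "198.51.100.7"
    ext = nat.outbound(Pkt(client, 50001, server, 443, "S")).sport
    nat.inbound(Pkt(server, 443, EXTERNAL_IP, ext, "SA"))
    nat.outbound(Pkt(client, 50001, server, 443, "A"))
    reply = nat.inbound(Pkt(server, 443, EXTERNAL_IP, ext, "PA", "hello"))
    return reply is not None and reply.dst == client


if __name__ == "__main__":
    print("basic:   ", spoofed_syn_scenario(BasicNAT()))
    print("stateful:", spoofed_syn_scenario(StatefulNAT()))
```

With the stateless table the forged SYN leaves a mapping in place even after the victim's RST, so the peer's data is translated and delivered to the victim's port; the tracker forwards the SYN-ACK (it cannot yet tell the SYN was forged) but removes the entry on the RST and drops the data as out of state. This is only one of the checks a real connection tracker applies.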



