Is NAT can provide some kind of protection?

Jack Bates jbates at brightok.net
Wed Jan 12 17:36:48 UTC 2011


On 1/12/2011 11:21 AM, George Bonser wrote:
> PAT makes little sense to me for v6, but I suspect you are correct.  In
> addition, we are putting the "fire suit" on each host in addition to the
> firewall. Kernel firewall rules on each host for the *nix boxen.
>

As my corp IT guy put it to me, PAT forces a routing disconnect between 
internal and external. There is no way to reach the hosts without the 
firewall performing its NAT function. Given that the internal is 
exclusively PAT, the DMZ is public with stateful/proxy, this provides 
protection for the internal network while limiting the DMZ exposure.

The argument everyone makes is that a stateful firewall defaults to 
deny. However, a single mistake prior to the deny allows traffic in. The 
only equivalent in a PAT scenario is to screw up port forwarding, which 
would cause a single host to expose a single port unknowingly per 
mistake (which said port/host combo may not be vulnerable). In a 
stateful firewall, a screw-up could expose all ports on a host or 
multiple hosts in a single mistake.

Then there are the firewall software bugs. In PAT, such bugs don't 
suddenly expose all your hosts behind the firewall for direct 
communication from the outside world. In v6 stateful firewall, such a 
bug could allow circumvention of the entire firewall ruleset and the 
hosts would be directly addressable from the outside.

PAT offers the smallest of security safeguards. However, many corp IT 
personnel feel more secure having that small safeguard in place along 
with the many other safeguards they deploy. In a corporate environment 
where they often love to break everything and anything, I don't blame them.

Then we go to the educational sector, where the admins often prefer as 
much openness as possible. In their case, they will prefer to do away 
with PAT.


Jack
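A toy model of the two failure modes compared in the post above (an over-broad allow rule slipped in ahead of a stateful firewall's default deny, versus one wrong PAT port-forward entry), added here as an illustration and not part of the original thread. The hosts, ports and rules are constructed.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed sample network: three internal hosts and four service ports.
INTERNAL_HOSTS = ["2001:db8::10", "2001:db8::11", "2001:db8::12"]
PORTS = [22, 80, 443, 3389]

@dataclass
class Rule:
    dst: Optional[str]   # None matches any internal host
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"

def stateful_reachable(rules):
    """First-match evaluation of an ordered inbound ruleset. Every
    host is globally addressable, so exposure is whatever the rules
    let through; an unmatched packet hits the implicit default deny."""
    reachable = set()
    for host, port in product(INTERNAL_HOSTS, PORTS):
        for r in rules:
            if r.dst in (None, host) and r.port in (None, port):
                if r.action == "allow":
                    reachable.add((host, port))
                break  # first matching rule decides
    return reachable

def pat_reachable(forwards):
    """Under PAT nothing inside is routable from outside; only explicit
    external_port -> (host, port) forwards are reachable."""
    return set(forwards.values())

# Intended policy: only the web host's HTTPS port is published.
INTENDED = [Rule("2001:db8::10", 443, "allow"), Rule(None, None, "deny")]
# Mistake: an over-broad allow placed before the catch-all deny.
MISTAKEN = [Rule(None, None, "allow")] + INTENDED
# Intended forwards, then the same class of mistake in the PAT world:
# one wrong forwarding entry exposes exactly one host:port pair.
PAT_INTENDED = {443: ("2001:db8::10", 443)}
PAT_MISTAKEN = {**PAT_INTENDED, 2222: ("2001:db8::11", 22)}

def exposure_counts():
    """Number of externally reachable (host, port) pairs per scenario."""
    return {
        "stateful_intended": len(stateful_reachable(INTENDED)),
        "stateful_mistake": len(stateful_reachable(MISTAKEN)),
        "pat_intended": len(pat_reachable(PAT_INTENDED)),
        "pat_mistake": len(pat_reachable(PAT_MISTAKEN)),
    }
```

The same misordering mistake takes the stateful ruleset from one reachable pair to all twelve, while the PAT mistake adds exactly one.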
