Is NAT can provide some kind of protection?

Owen DeLong owen at delong.com
Wed Jan 12 19:35:42 UTC 2011


On Jan 12, 2011, at 9:36 AM, Jack Bates wrote:

> On 1/12/2011 11:21 AM, George Bonser wrote:
>> PAT makes little sense to me for v6, but I suspect you are correct.  In
>> addition, we are putting the "fire suit" on each host in addition to the
>> firewall. Kernel firewall rules on each host for the *nix boxen.
>> 
> 
> As my corp IT guy put it to me, PAT forces a routing disconnect between internal and external. There is no way to reach the hosts without the firewall performing it's NAT function. Given that the internal is exclusively PAT, the DMZ is public with stateful/proxy, this provides protection for the internal network while limiting the dmz exposure.
> 
The corp IT guy is delusional. The solution to the routing disconnect is map+encap or tunnels. Many exploits now take advantage of these technologies to use a system compromised through point-click-pwn3d to provide a route into the rest of the network. If you allow outbound access to TCP/80,
TCP/443, or TCP/22, then, it is trivial to create an inbound path to your network, NAT or no.

> The argument everyone makes is that a stateful firewall defaults to deny. However, a single mistake prior to the deny allows traffic in. The only equivalent in a PAT scenario is to screw up port forwarding which would cause a single host to expose a single port unknowingly per mistake (which said port/host combo may not be vulnerable). In a stateful firewall, a screw up could expose all ports on a host or multiple hosts in a single mistake.
> 
The argument everyone is making is that a stateful firewall without mangling the headers is just as secure (and just as insecure) as one with PAT.

Both can and are trivially compromised.

As to the PAT scenario only exposing a single port on a single host, not entirely accurate, either. I have seen errant mappings which
exposed much more in a single mapping command on some systems.

Then there are the NAT Traversal mechanisms which are necessary to make things function but can also be exploited.

The list of problems created by PAT goes on and on.

> Then there are the firewall software bugs. In PAT, such bugs don't suddenly expose all your hosts behind the firewall for direct communication from the outside world. In v6 stateful firewall, such a bug could allow circumvention of the entire firewall ruleset and the hosts would be directly addressable from the outside.
> 
I've seen PAT bugs that exposed multiple hosts. This is false sense of security.

> PAT offers the smallest of security safeguards. However, many corp IT personnel feel more secure having that small safeguard in place along with the many other safeguards they deploy. In a corporate environment where they often love to break everything and anything, I don't blame them.
> 
Paraphrased: A bank vault with a screen door is more secure than a bank vault without a screen door.

Pay no attention to the fact that the bank vault was, in this case, built with a skylight.

Owen





More information about the NANOG mailing list