Arguing against using public IP space

David Walker davidianwalker at gmail.com
Sun Nov 13 21:03:02 UTC 2011


Hey.

On 14/11/2011, Jimmy Hess <mysidia at gmail.com> wrote:
> In other words, your use of RFC1918 address space alone does not
> create security.

I had this crazy idea that somewhere in the rfcs was a "should" that
manufacturers block private address space (i.e. hard coded) but it's
not (in fact the opposite).
Obviously there's shoulds for nocs and isps.
Regardless, you're exactly correct.

> Your RFC1918 network actually _does_ need
> isolation separate and apart from the address space, for you to have
> reliable security, you still need a firewall, proxy, or NAT device
> of some form,

Pardon me but that's not axiomatic.
This is where the flames come, right?

Between me and you there's X machines that route packets (and have
layer four services - yes I'm a TCP/IP model guy).
There's no separate firewall machines, no security postured proxies, no NATting.
These routers pass packets happily and don't influence my security or
the security of the other routers at all.
Obviously there are plenty of other critical machines that don't have
proxies or NATting (DNS).

Pertinently, they are publicly addressable yet don't have security
issues resulting from not having intermediate firewalls or proxies or
NAT.
The only issues they do have are what all endpoint machines face -
poor application (protocol) design (lack of encryption and so on),
poor administration, bugs.

Of those three, the methodology most readily associated to security is
firewalling (packet filtering).

A packet addressed to an endpoint that doesn't serve anything or have
a client listening will be ignored (whatever) as a matter of course.
Firewall or no firewall.
If I have a client application open on a port and get incoming from an
unsolicited IP then again it will be ignored as a matter of course.
Incoming to bogus ports are of course dropped (whatever). Firewall or
no firewall.
If I do have a port mapped to a service (serving not clienting) then
I'm open for business.

That's fundamental to TCP/IP and secure.
All other security considerations are appropriately handled at layer four.
The only reason we firewall (packet filter) is to provide access
control (for whatever reason).
Access control is a good enough reason to have something called a
firewall but everything else is a failure in design.
Again though, access control is a failure at protocol design (hence
DNS and BGP issues). Firewalling here is a kludge.

The only issue that depends on firewalling is ... DoS to preserve
bandwidth and that's not an end in and of itself.
I posit to you that in the current state of affairs, firewalling a
host or network is incredibly useful but entirely superfluous to
defending a machine.

I think you'd be hard pressed to find any convincing reason to suggest
that proxies  are any more useful (given good layer four design) from
a security perspective.

NAT?
No.
Fundamentally, it's not required or every machine that was publicly
addressable would have a NAT machine shoved in front of it and another
one shoved in front of that ...
Prima facie examples are every publicly addressable machine on the internet.
If there was a reason other than address space management then our
critical infrastructure would be NATted. The history of NAT tells me
I'm right.

> ... you still need ...
> ... the private network isolated from the public one ...

No.

I apologize in advance if this is too pedestrian (you might know this
but not agree with it) but I want to make a point:
http://en.wikipedia.org/wiki/End-to-end_connectivity
I've got homework to do (read some of that stuff and re-evaluate my
position) but NAT has caused nothing but trouble for security
practitioners and allowed developers to get away with whatever they can
...
NAT saved us ... or at least all the moms and dads who don't have good
product or good administration.

> ... you still need ...
> ... the private network isolated from the public one ...

If this were true then IPv6 was fail.
Apart from any push to bring NAT along for the ride, we have a newer
IP with the deliberate choice made to make every machine publicly
addressable ... and to turn every NAT box into a router only ... and
let them route packets (like every other intermediate router) freeing
up hosts ... to do host security.
To me that was a breath of very fresh air.

The only reason to be concerned about this is vendors who make bad
choices and for that there's always other vendors. :]

> --
> -JH

Best wishes.
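Added illustration, not from David's post or anyone in the thread, of the host behaviour argued above: a port with no listener is refused by the kernel with no firewall involved, and a service that does need access control can enforce it itself at layer four, here with an allowlist of source networks. It runs entirely on loopback; the CIDRs and the `ok` banner are constructed values for the demo.

```python
import ipaddress
import socket
import threading

def make_policy(allowed_cidrs):
    # Access control done by the service itself (layer four), not a separate box.
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return lambda peer_ip: any(ipaddress.ip_address(peer_ip) in n for n in nets)

def serve_once(listener, permitted):
    # Accept one connection; a denied peer is closed with nothing sent.
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        if permitted(peer_ip):
            conn.sendall(b"ok\n")

def probe(port, timeout=2.0):
    # What a peer observes when it connects to this host on `port`.
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            data = s.recv(16)
    except ConnectionRefusedError:
        return "refused"   # no listener: the kernel answers, no firewall involved
    except socket.timeout:
        return "filtered"  # silently dropped: what a packet filter would do
    return "accepted" if data == b"ok\n" else "closed"

def demo(allowed_cidrs):
    # One-shot loopback service with the given allowlist, probed from loopback.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once,
                              args=(listener, make_policy(allowed_cidrs)))
    server.start()
    try:
        return probe(port)
    finally:
        server.join(5)
        listener.close()

def closed_port_result():
    # Probe a port nothing listens on: bind to learn a free port, then release it.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    return probe(port)
```

`demo(["127.0.0.0/8"])` is served, `demo(["10.0.0.0/8"])` is closed by the service's own policy, and `closed_port_result()` is refused by the kernel; only a packet filter produces the "filtered" outcome.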

More information about the NANOG mailing list