Ok; let's have the "Does DNAT contribute to Security" argument one more time...

Jimmy Hess mysidia at gmail.com
Tue Nov 15 02:58:36 UTC 2011


On Mon, Nov 14, 2011 at 2:55 PM, Jay Ashworth <jra at baylink.com> wrote:

> The basic assertion made by proponents of this theory, when analyzed,
> amounts to "the probability that a firewall between a publicly routable
> internal network and the internet will fail in such a fashion as to pass
> packets addressed to internal machines is of the same close order as the
> probability that a DNAT router will fail in such a fashion as to allow
> people outside it to address packets to *arbitrary* internal machine IP
> addresses (assuming they have any way to determine what those are)."
[snip]

There is really no sound argument made that the probability is inherently any different. When we are referring to security devices failing to do what they are supposed to do, by definition the correct level of protection has been lost, and you have a serious problem if this happens, regardless of whether your firewall is a NAT device or not.

What will be most important is you have solid layers of defense behind the firewall, such as host security, IDS units, monitoring, and scanning regimes to detect the failure of the firewall function.

The security appliance has failed, and all bets may be off. It should be noted that "detecting" a failed simple firewall with a straight port scan is a much simpler, more easily automatable process than detecting a failed 1:many NAT firewall.

The ease of detecting the problem lowers the chance that you have a problem.

The potential security failure modes of a 1:many NAT firewall are much more complicated than "simply pass packets it's not supposed to pass"; the quirks of the flaw mean that with a NAT firewall, it is likely the failure of the firewall function will go undetected by the security admin, resulting in a situation where you have an insidious problem... that is, a problem that is not obvious, but definitely exploitable to a determined attacker.

Failure modes such as "an intruder compromised the firewall" and injected a trojanned firmware result in equal risks regardless of whether NAT is implemented or not.


--
-JH
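The post names a "scanning regime" as one of the layers that catches a firewall which has stopped enforcing policy, and notes that an external port scan is an easy way to do this for a plain packet filter but tells you much less about a 1:many NAT gateway. The following is an added example, not code from the thread or from any NANOG participant: a small Python audit that parses nmap's grepable (-oG) output for a set of public addresses and reports every deviation from the documented exposure policy, including addresses the scan never covered. The scan text, the addresses (RFC 5737 documentation space) and the policy table are all constructed for the example.

```python
"""Audit an external port scan against a firewall exposure policy.

Added example for the NANOG thread above (not the author's code).  Given
nmap -oG output for the public addresses a firewall or NAT gateway fronts,
compare what was actually reachable with what the policy says should be
reachable.  For a 1:many NAT gateway the only address the scan can probe is
the gateway's own public address, so this check confirms the documented
forwards and nothing more; it cannot show that internal hosts are
unreachable, which is exactly the detection gap the post describes.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int       # 0 when the finding is about the host rather than a port
    proto: str
    reason: str


# Constructed nmap -oG style output (not a real scan) for a public range.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""

# Constructed policy: which (proto, port) pairs each public address may expose.
# 203.0.113.12 is a published address that must expose nothing at all.
POLICY = {
    "203.0.113.10": {("tcp", 22), ("tcp", 443)},
    "203.0.113.11": {("tcp", 25)},
    "203.0.113.12": set(),
}

# One grepable port entry looks like "22/open/tcp//ssh///"; we only need
# port, state and protocol.
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(proto, port), ...}} of open ports from nmap -oG text.

    Hosts that answered but listed no open ports map to an empty set, so the
    caller can tell "scanned, nothing open" from "never scanned".
    """
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        open_ports = result.setdefault(host, set())
        if "Ports:" not in line:
            continue
        # The Ports field runs from "Ports:" to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in _PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.add((proto, int(port)))
    return result


def audit(policy, scan):
    """Compare observed exposure with policy and return a list of Findings.

    Unexpectedly reachable ports are the firewall-failure signal the post
    talks about; "not covered by scan" flags addresses the regime never
    exercised, so silence there is not evidence of safety.
    """
    findings = []
    for host, allowed in policy.items():
        observed = scan.get(host)
        if observed is None:
            findings.append(Finding(host, 0, "-", "not covered by scan"))
            continue
        for proto, port in sorted(observed - allowed):
            findings.append(Finding(host, port, proto, "reachable but not in policy"))
        for proto, port in sorted(allowed - observed):
            findings.append(Finding(host, port, proto, "in policy but unreachable"))
    for host in sorted(scan.keys() - policy.keys()):
        findings.append(Finding(host, 0, "-", "responding host not in policy"))
    return findings


if __name__ == "__main__":
    for f in audit(POLICY, parse_grepable(SAMPLE_SCAN)):
        print(f"{f.host:15} {f.proto}/{f.port:<5} {f.reason}")
```

Run against the constructed sample, the audit reports tcp/3389 on 203.0.113.10 as reachable but not in policy (the kind of unexpected pass-through a failed filter produces) and 203.0.113.12 as not covered by the scan. The second finding is the important caveat for NAT: an address the scan could not exercise gets a finding of its own rather than an implied clean bill.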