Where NAT disenfranchises the end-user ...

woody weaver woody at callisma.com
Tue Sep 11 21:47:59 UTC 2001


On Monday, September 10, 2001 10:30 AM, Scott Gifford wrote:

>I ask not to drag this discussion on, but because I use NAT for
>address conservation and security on a couple networks that I operate,
>and am curious if I'd be much better off with something different...

What is meant by NAT and firewall?

If NAT is limited to simply the act of remapping sockets, then it provides
little or no security.  A source route that takes the packet to the NAT box
and then routes to the target host bypasses NAT security.

What I think is generally meant by (outgoing) NAT is

1) A state table is kept that maps outgoing IP flows to masqueraded values
2) Responses to entries in the table are re-mapped to original values and
routed inward
3) Responses not in the table are dropped.

It is step 3 that provides that stateful filter that provides security.  1
and 2, which comprise NAT, provide no security [except possibly information
concealment, which is generally trivial to penetrate].

The problem is that because a NAT box isn't a security device, per se, it
does not have the same level of verification (hence trust) as a formal
security device.  Using a LinkSys NAT device for a home firewall is probably
appropriate -- the confidence in the trusted computing base should match the
value of the assets being protected.  Using that same device for an
enterprise is probably not appropriate.  If it were "a couple networks that
I operate", I'd go ahead and purchase a firewall product, perhaps a
Netscreen or something inexpensive.  They *are* reviewed as formal security
devices, and I would have a much higher level of confidence that the system
meets its specifications, as rfc2828 puts it.

YMMV.  IANAL, although I play a security professional on TV.

--
Director, Professional Services  pager: 8779583393 at skytel.net
Callisma                         voice: 510 450 9132
6400 Hollis St                   cell:  510 593 5849
Emeryville, CA 94608             email: woody.weaver at callisma.com
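The three-step description of outgoing NAT in the message above (record outgoing flows, rewrite matching responses inward, drop everything else) is easy to model. The following is an added toy simulation, not code from the post or from any NAT product: it implements a masquerading box that can be run with or without step 3, so that the difference between plain address rewriting and a stateful filter is visible on concrete packets. The addresses (203.0.113.1 as the public address, 10.0.0.0/24 inside, 198.51.100.x as remote hosts) and the `NatBox` / `Packet` names are constructed for the example.

```python
"""
Toy model of outgoing (masquerading) NAT as described in the post:
  1) keep a state table mapping outgoing flows to masqueraded values;
  2) rewrite responses that match a table entry back to the original
     values and forward them inward;
  3) drop inbound packets that match no table entry.
The NatBox can be built with or without step 3 so the two behaviours
can be compared.  All addresses and names here are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.1"              # masquerade address (constructed)
INSIDE_NET = ip_network("10.0.0.0/24")  # hosts behind the box (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatBox:
    def __init__(self, stateful_filter: bool):
        # stateful_filter=False models steps 1 and 2 only ("NAT" proper);
        # stateful_filter=True adds step 3.
        self.stateful_filter = stateful_filter
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.by_inside = {}
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.by_public = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Step 1: record the flow and rewrite the source to the public address."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.by_inside.get(flow)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self.by_inside[flow] = public_port
            self.by_public[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip,
                pkt.src_port,
            )
        return replace(pkt, src_ip=PUBLIC_IP, src_port=public_port)

    def inbound(self, pkt: Packet):
        """Steps 2 and 3 for a packet arriving on the outside interface.

        Returns the packet as it is forwarded inward, or None if dropped."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip == PUBLIC_IP and key in self.by_public:
            inside_ip, inside_port = self.by_public[key]
            # Step 2: response to a known flow, rewrite back to original values
            return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
        if self.stateful_filter:
            return None  # Step 3: no table entry, drop
        # NAT-only box: nothing to translate, so it just routes by destination.
        # A packet already carrying an inside destination (the post's
        # source-routed case) is forwarded inward untouched.
        if ip_address(pkt.dst_ip) in INSIDE_NET:
            return pkt
        return None  # addressed to the public IP with no mapping: nowhere to go


def demo(stateful_filter: bool):
    """Run one outgoing flow plus its reply and one unsolicited inbound packet."""
    box = NatBox(stateful_filter)
    out = box.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, out.src_ip, out.src_port)
    unsolicited = Packet("198.51.100.9", 4444, "10.0.0.5", 80)  # no table entry
    return box.inbound(reply), box.inbound(unsolicited)


if __name__ == "__main__":
    for mode in (False, True):
        reply, stray = demo(mode)
        print(f"stateful_filter={mode}: reply -> {reply}, unsolicited -> {stray}")
```

With `stateful_filter=False` the reply is rewritten correctly, but the unsolicited packet addressed to an inside host is forwarded as well; with `stateful_filter=True` only the reply gets through. That is the whole of the post's argument in two runs: steps 1 and 2 translate, step 3 protects.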



