mh (RE: OMB: IPv6 by June 2008)
Fred Baker
fred at cisco.com
Fri Jul 8 17:34:02 UTC 2005
On Jul 8, 2005, at 9:49 AM, Jay R. Ashworth wrote:
> A machine behind a NAT box simply is not visible to the outside world,
> except for the protocols you tunnel to it, if any. This *has* to
> vastly reduce its attack exposure.
It is true that the exposure is reduced, just as it is with a stateful
firewall. The technical term for this is "security by obscurity". Being
obscure, however, is not the same as being invisible or being
protected. It just means that you're a little harder to hit. When a NAT
sets up an association between an "inside" and "outside" address+port
pair, that constitutes a bridge between the inside device and the
outside world. There are ample attacks that are perpetrated through
that association.

A NAT, in that context, is a stateful firewall that changes the
addresses, which means that the end station cannot use IPsec to ensure
that it is still talking with the same system on the outside. It is
able to use TLS, SSH, etc. as transport layer solutions, but those are
subject to attacks on TCP such as RST attacks, data insertion,
acknowledgment hacking, and so on, and SSH also has a windowing problem
(on top of TCP's window, SSH has its own window, and in large
delay*bandwidth product situations SSH's window is a performance
limit). In other words, a NAT is a man-in-the-middle attack, or is a
device that forces the end user to expose himself to man-in-the-middle
attacks. A true stateful firewall that allows IPsec end to end doesn't
expose the user to those attacks.
More information about the NANOG mailing list
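The point Fred makes about address rewriting is easy to see with a small simulation. The block below is an added example, not code from the thread or from any NANOG participant: it builds a minimal IPv4 packet, computes an AH-style integrity check (HMAC over the immutable header fields including the addresses, mutable fields zeroed, as RFC 4302 prescribes) and a transport-layer MAC over the payload only (standing in for what TLS or SSH protects), then passes the packet through a NAT that rewrites the source address. The AH check fails after translation; the transport MAC still verifies, which is exactly why it cannot tell the receiver whether the packet came from the same system. The key, the addresses and the payload are constructed for the example, and the code is a hand-rolled model rather than a real IPsec implementation.

```python
import hashlib
import hmac
import socket
import struct

# Constructed, hypothetical pre-shared key for the example; not from the thread.
AH_KEY = b"inside-host-and-remote-peer-shared-key"
TRANSPORT_KEY = b"session-key-negotiated-above-tcp"


def ip_checksum(hdr):
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header,
    computed with the checksum field itself treated as zero."""
    words = struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, proto=17, ttl=64):
    """Pack a 20-byte IPv4 header (no options) plus payload, with a
    valid header checksum. Identification is a fixed constructed value."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                      ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def checksum_valid(packet):
    """True if the stored header checksum matches the recomputed one."""
    return struct.unpack("!H", packet[10:12])[0] == ip_checksum(packet[:20])


def ah_icv(packet, key=AH_KEY):
    """AH-style ICV: HMAC over the payload plus the IPv4 header with the
    mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed,
    so the source and destination addresses are covered."""
    hdr = packet[:20]
    immutable = (hdr[:1]            # version / IHL
                 + b"\x00"          # TOS (mutable)
                 + hdr[2:4]         # total length
                 + hdr[4:6]         # identification
                 + b"\x00\x00"      # flags / fragment offset (mutable)
                 + b"\x00"          # TTL (mutable)
                 + hdr[9:10]        # protocol
                 + b"\x00\x00"      # header checksum (mutable)
                 + hdr[12:20])      # source and destination addresses
    return hmac.new(key, immutable + packet[20:], hashlib.sha256).digest()[:12]


def transport_mac(packet, key=TRANSPORT_KEY):
    """Transport-layer integrity (TLS/SSH style): covers the payload only,
    so it knows nothing about the IP addresses the packet carried."""
    return hmac.new(key, packet[20:], hashlib.sha256).digest()[:12]


def verify(packet, tag, mac_fn):
    return hmac.compare_digest(mac_fn(packet), tag)


def nat_rewrite_source(packet, new_src):
    """What a NAT does on the way out: swap the source address and fix
    the header checksum. Everything else is forwarded unchanged."""
    hdr = packet[:12] + socket.inet_aton(new_src) + packet[16:20]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def demo():
    """Run the inside->NAT->outside scenario and report what each
    integrity check can and cannot detect. Addresses are constructed."""
    inside = build_ipv4("10.0.0.5", "203.0.113.10", b"constructed payload")
    ah_tag = ah_icv(inside)
    tls_tag = transport_mac(inside)

    outside = nat_rewrite_source(inside, "198.51.100.1")
    tampered = outside[:20] + b"injected payload  "  # same length, new bytes

    return {
        "ah_ok_before": verify(inside, ah_tag, ah_icv),
        "ah_ok_after_nat": verify(outside, ah_tag, ah_icv),
        "transport_ok_after_nat": verify(outside, tls_tag, transport_mac),
        "transport_ok_tampered": verify(tampered, tls_tag, transport_mac),
        "checksum_ok_after_nat": checksum_valid(outside),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The NAT produces a perfectly well-formed packet (the header checksum is valid), so nothing on the path objects; only a check that binds the addresses, as AH does, notices that the packet the peer receives is not the packet the inside host sent. The transport-layer MAC catches payload tampering but is indifferent to who the packet appears to come from, which is the "bridge" through the NAT association that the message describes.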