Security gain from NAT (was: Re: Cool IPv6 Stuff)
Edward B. DREGER
eddy+public+spam at noc.everquick.net
Tue Jun 5 00:25:28 UTC 2007
DS> Date: Mon, 4 Jun 2007 16:27:14 -0700
DS> From: David Schwartz
[ snipped throughout ]
DS> I can give you the root password to a Linux machine running telnetd
DS> and sshd. If it's behind NAT/PAT, you will not get into it. Period.
DS> I can give you the administrator password to a Windows machine with
DS> file sharing wide open. If it's behind NAT/PAT, you will not get
DS> into it. Period.
I can do the same without NAT/PAT. Period. The benefits are from
"disallow new inbound by default", *not* address muxing.
N + S = true
!N + S = true
N + !S = invalid state (can't happen)
!N + !S = false
Note carefully how one can simplify the truth table to
S = true
!S = invalid / false
A "true" outcome depends on the presence of "S". It is independent of
DS> The only ways into these machines would be if the NAT/PAT device
DS> were misconfigured, another machine on the secure network were
DS> compromised, or another gateway into the secure network was set up.
DS> Guess what? All of these things would defeat a stateful inspection
DS> firewall as well.
Red herring and straw man. The argument is: "Does NAT/PAT address-
hiding provide special benefit due to the fact that IP addresses are
being muxed?" See above truth table.
DS> A large class of security vulnerabilities require the attacker to
DS> reach out to the machine first, and NAT/PAT stops those attacks
No. Stateful filtering stops those attacks completely. NAT/PAT works
merely by its automatic inclusion of stateful filtering, and _ipso
facto_ does nothing. See above truth table.
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses:
davidc at brics.com -*- jfconmaapaq at intc.net -*- sam at everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
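As an added illustration of the truth table above (constructed for this page, not code from the original post), a toy Python model of a gateway in which address translation (N) and connection tracking (S) can be toggled independently, then probed with an unsolicited inbound connection to the telnet port; the addresses are RFC 5737 documentation ranges chosen here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Toy gateway: state=True tracks outbound flows (default-deny new inbound),
    nat=True also rewrites inside addresses to public_ip. Constructed model."""

    def __init__(self, public_ip, nat=False, state=True):
        if nat and not state:
            # NAT cannot route return traffic without a mapping table, which is state.
            raise ValueError("N + !S is an invalid state")
        self.public_ip, self.nat, self.state = public_ip, nat, state
        self.table = {}  # (outer port, remote ip, remote port) -> (inside ip, inside port)
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside host opens a flow; record it and, for NAT, rewrite the source."""
        outer_port = pkt.sport
        if self.nat:
            outer_port, self.next_port = self.next_port, self.next_port + 1
        if self.state:
            self.table[(outer_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip if self.nat else pkt.src, outer_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if dropped."""
        if not self.state:
            return pkt  # plain router: forwards everything
        entry = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # no matching flow: default deny, with or without NAT
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def unsolicited_inbound_reaches_host(nat, state):
    """One row of the truth table: does a cold inbound telnet connection get through?"""
    gw = Gateway("203.0.113.1", nat=nat, state=state)
    gw.outbound(Packet("192.0.2.10", 51000, "198.51.100.5", 80))  # legit outbound first
    probe = Packet("198.51.100.99", 55555, "203.0.113.1" if nat else "192.0.2.10", 23)
    return gw.inbound(probe) is not None


def truth_table():
    rows = {}
    for nat in (True, False):
        for state in (True, False):
            try:
                rows[(nat, state)] = "open" if unsolicited_inbound_reaches_host(nat, state) else "blocked"
            except ValueError:
                rows[(nat, state)] = "invalid"
    return rows
```

The result reduces to the author's simplified table: every row with S is "blocked", the row without S is "open", and N without S cannot be constructed at all.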