Security gain from NAT
Steven M. Bellovin
smb at cs.columbia.edu
Tue Jun 5 17:31:53 UTC 2007
On Mon, 04 Jun 2007 22:06:25 -0400
Daniel Senie <dts at senie.com> wrote:
> At 09:07 PM 6/4/2007, Jason Lewis wrote:
> >I figured SMB would chime in...but his research says it's not so
The traffic load on this list is rather high; I've had to flush most
of this and other threads....
> Give or take NAT boxes / firewalls that specifically have features to
> mess with the IP ID. The SonicWALL products have, for example, a
> checkbox that says: "Randomize IP ID".
That's relatively new, and possibly in response to my paper; as of when
I wrote it, I couldn't find any vendors that DTRT.
> Some vendors apparently have taken measures to ensure methods such as
> monitoring IP ID are less effective. The paper notes this, and the
> issues with doing this.
> So the "not so anonymous" statement above is really "not so
> anonymous, give or take the implementation of the firewall/NAT".
I suspect there are other information leaks, such as the RFC 1323
timestamps, TCP sequence numbers (for some platforms), port number
allocation, etc. Many of these are (or can be) randomized on some
platforms, but I don't know of any systematic analysis. I also wonder
if some popular web sites' cookies embed the IP address -- possibly
encrypted to them, so they can track where you are. I'm 100% that some
sites do that for authenticated connections.
(On the larger issue, I feel that typical NATs provide no security
benefit over typical stateful packet filters. Given other issues --
traceability of attacks, impediments to end-to-end secure connections,
the need for special-purpose things like STUN servers, etc. -- I could
make a good case that they're a net disadvantage. But I'm on the verge
of flushing this thread, so I may not see the responses....)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG