Security gain from NAT (was: Re: Cool IPv6 Stuff)
admin at digibase.ca
Wed Jun 6 03:52:11 UTC 2007
On Monday 04 June 2007 18:06, Owen DeLong wrote:
> On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
> >> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> >>> Owen DeLong <owen at delong.com> writes:
> >>>> There's no security gain from not having real IPs on machines.
> >>>> Any belief that there is results from a lack of understanding.
> >>> This is one of those assertions that gets repeated so often people
> >>> are liable to start believing it's true :-).
> >> Maybe because it _IS_ true.
> >>> *No* security gain? No protection against port scans from
> >>> Bucharest?
> >>> No protection for a machine that is used in practice only on the
> >>> local, office LAN? Or to access a single, corporate Web site?
> >> Correct. There's nothing you get from NAT in that respect that
> >> you do
> >> not get from good stateful inspection firewalls. NONE whatsoever.
> > Sorry, Owen, but your argument is ridiculous. The original
> > statement was
> > "[t]here's no security gain from not having real IPs on machines". If
> > someone said, "there's no security gain from locking your doors",
> > would you
> > refute it by arguing that there's no security gain from locking
> > your doors
> > that you don't get from posting armed guards round the clock?
> Except that's not the argument. The argument would map better to:
> There's no security gain from having a screen door in front of your
> door with a lock and dead-bolt on it that you don't get from a door
> with a lock and dead-bolt on it.
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security. NAT/PAT is a screen door.
> Not having public addresses is a screen door. A stateful inspection
> firewall is a lock and deadbolt.
To add to that:
Need I remind those of us who see NAT as some sort of firewall?:
NAT is Network Address Translation, and is designed to be for only providing a
source of private IP addressing.. it wasn't designed to be a "protection" -
it's just a side effect that it does offers any protection at all.
People may get lucky because their NAT may check from which interface traffic
comes in on (which is a form of inspection, thus indicates a presense of a
firewall). But without any sort of packet inspection, someone could trick
your NAT into thinking a connection was open when it was not, thus opening a
connection to a system on your NAT (that is probably unfirewalled in itself).
Or another example: a third party finds out a system on your NAT has a
connection open to a host on the internet, so the third party wedges their
own foriged packets into the connection, and a NAT without inspection will
just foreward it to the internal host without batting an eye.
More information about the NANOG