mysidia at gmail.com
Wed Feb 2 23:37:14 CST 2011
On Wed, Feb 2, 2011 at 11:18 PM, Jay Ashworth <jra at baylink.com> wrote:
> Justify, yourself in turn, "small number". My personal estimate of the
> number of NATted edge networks is well north of 75%, on a network count
You don't get to count all NAT'ed IPv4 edge networks the same.
Only the number of NAT'ed edge networks that decide they don't
want to have normal connectivity for their IPs, even with IP address
space available to, and even after reading up on IPv6.
> Complexity of the configuration vastly increases the size of the
> attack surface: in a NATted edge network, *no packets can come in
> unless I explicitly configure for them*; there are any number of
Not necessarily true. This is a case of 'wish it were secure', but
can't prove it. It is possible that a client on a NAT'ed network can
conspire with an intruder to defeat the NAT device, and in various
cases NAT can be completely defeated by an outsider, without a
Any device on the subnet can spoof a SYN packet from any other
device on the subnet. The NAT device will now have a connection
entry, and the intruder can use this to circumvent the NAT. A good
stateful firewall can prevent this and a few other similar shenanigans.
But if the NAT device does not have a true stateful firewall function
integrated, it is not nearly as secure as it might at first appear.
> In a firewall, you are *fighting* the default "route this packet"
> design; in a NATgate, you have to consciously throw the packets
> over the moat.
It sounds like you have a lousy firewall. Decent stateful firewalls
deny all incoming traffic by default that does not go with an
outbound connection, until policies have been established.
It's possible you can make an erroneous access rule, but you can
also make an erroneous port forward on a NAT device.
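A small model, added here as an illustration and not part of the original post, of the distinction the reply draws between a bare NAT translation table and a stateful firewall. `PlainNat` admits any inbound segment that matches an existing translation entry, so the entry itself becomes the only gate; `StatefulFirewall` keeps the same table but also tracks the TCP handshake per flow and drops inbound segments that do not fit the flow's current state, which is the "deny everything that does not go with an outbound connection" behaviour described above. Addresses, ports and class names are constructed for the example.

```python
"""Toy comparison of a mapping-only NAT with a stateful firewall.

Constructed example: the devices, addresses and flows are invented to show
why a translation entry on its own is not a security boundary, and what
per-flow TCP state tracking adds.  Not modelled on any real product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})


EXT_IP = "203.0.113.1"  # public address of the NAT device (constructed)
FIRST_PORT = 40000      # first external port handed out by the translator


class PlainNat:
    """Mapping-only NAT: an outbound packet creates a translation entry, and
    afterwards any inbound segment addressed to that entry is delivered."""

    def __init__(self):
        self.out = {}    # (in_ip, in_port, rem_ip, rem_port) -> ext_port
        self.back = {}   # (ext_port, rem_ip, rem_port) -> (in_ip, in_port)
        self.next_port = FIRST_PORT

    def _new_flow(self, key):
        """Hook for subclasses that want per-flow state."""

    def outbound(self, pkt):
        """Translate an inside->outside packet, creating an entry if needed."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self._new_flow(key)
        return Packet(EXT_IP, self.out[key], pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if it is dropped.
        The only check here is whether a translation entry exists."""
        if pkt.dst != EXT_IP:
            return None
        inside = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.flags)


class StatefulFirewall(PlainNat):
    """Same translation table, plus a per-flow TCP handshake state machine:
    SYN_SENT -> SYN_ACK_RECVD -> ESTABLISHED.  Inbound segments that do not
    match the state the flow is in are dropped, entry or no entry."""

    def __init__(self):
        super().__init__()
        self.state = {}   # inside-side key -> state name

    def _new_flow(self, key):
        self.state[key] = "SYN_SENT"

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.state.get(key)
        if state is None and "SYN" not in pkt.flags:
            return None   # a new flow must begin with a SYN
        translated = super().outbound(pkt)
        if state == "SYN_ACK_RECVD" and "ACK" in pkt.flags:
            self.state[key] = "ESTABLISHED"   # third step of the handshake
        return translated

    def inbound(self, pkt):
        delivered = super().inbound(pkt)
        if delivered is None:
            return None   # no entry: dropped exactly as the plain NAT would
        key = (delivered.dst, delivered.dport, delivered.src, delivered.sport)
        state = self.state[key]
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.state[key] = "SYN_ACK_RECVD"
            return delivered
        if state == "ESTABLISHED" and "ACK" in pkt.flags and "SYN" not in pkt.flags:
            return delivered
        return None   # segment does not fit the flow's state: dropped


def scenario(device):
    """Drive one device through the case under discussion: an outbound SYN
    creates an entry, then an inbound data segment arrives for that entry
    before any handshake has completed.  Returns what got delivered."""
    inside, remote = "10.0.0.5", "198.51.100.9"        # constructed hosts
    syn = Packet(inside, 3333, remote, 80, frozenset({"SYN"}))
    ext = device.outbound(syn)
    data = Packet(remote, 80, EXT_IP, ext.sport, frozenset({"PSH", "ACK"}))
    early_data = device.inbound(data)                   # entry exists, no handshake
    stray = Packet(remote, 80, EXT_IP, 50000, frozenset({"SYN"}))
    unsolicited = device.inbound(stray)                 # no entry at all
    synack = Packet(remote, 80, EXT_IP, ext.sport, frozenset({"SYN", "ACK"}))
    device.inbound(synack)                              # proper handshake...
    device.outbound(Packet(inside, 3333, remote, 80, frozenset({"ACK"})))
    legit = device.inbound(data)                        # ...then the same data
    return {
        "early_data_delivered": early_data is not None,
        "unsolicited_delivered": unsolicited is not None,
        "handshake_data_delivered": legit is not None,
    }


if __name__ == "__main__":
    for dev in (PlainNat(), StatefulFirewall()):
        print(type(dev).__name__, scenario(dev))
```

Both devices drop the unsolicited SYN, which is the behaviour that makes NAT look like a firewall. The difference shows up on the first inbound data segment: the plain translator delivers it because an entry exists, while the stateful device drops it because the flow is still in SYN_SENT and only a SYN/ACK is acceptable there. Once the handshake completes, both deliver the data, so the state tracking costs legitimate traffic nothing.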