Is NAT can provide some kind of protection?

Jack Bates jbates at brightok.net
Wed Jan 12 14:18:56 CST 2011


On 1/12/2011 1:35 PM, Owen DeLong wrote:
> The corp IT guy is delusional. The solution to the routing disconnect
> is map+encap or tunnels. Many exploits now take advantage of these
> technologies to use a system compromised through point-click-pwn3d to
> provide a route into the rest of the network. If you allow outbound
> access to TCP/80, TCP/443, or TCP/22, then, it is trivial to create
> an inbound path to your network, NAT or no.
>

This presumes the inside network is already compromised. In such a case, 
a stateful/non-proxy firewall would also be subject to such a thing. 
This is not what PAT prevents that a stateful firewall doesn't.

> The argument everyone is making is that a stateful firewall without
> mangling the headers is just as secure (and just as insecure) as one
> with PAT.
>

Except that the routing isolation means that it is not just as secure. 
It has one extra vulnerability over NAT.

> Both can and are trivially compromised.
>

Agreed that there are still ways around them. Anyone relying on a single 
mechanism for security will often find their security to be inefficient.

> As to the PAT scenario only exposing a single port on a single host,
> not entirely accurate, either. I have seen errant mappings which
> exposed much more in a single mapping command on some systems.
>

On a standard port redirect, I'd be interested to hear the specifics. 
However, as my IT guy points out, he doesn't do port or 1-1 redirects 
through NAT.

> Then there are the NAT Traversal mechanisms which are necessary to
> make things function but can also be exploited.
>

Things don't function through his firewall. He likes breakage.

> The list of problems created by PAT goes on and on.
>

PAT creates a lot of issues. However, for some environments, what it 
breaks are perfectly acceptable. Utilizing PAT in home routers and 
facilities that have a more open use of technology, would be crippling 
the protocol needlessly.

> I've seen PAT bugs that exposed multiple hosts. This is false sense
> of security.
>

Specifics.

> Paraphrased: A bank vault with a screen door is more secure than a
> bank vault without a screen door.
>
> Pay no attention to the fact that the bank vault was, in this case,
> built with a skylight.

If you installed a skylight, that's your own fault. Nowhere have I said, 
PAT is the ultimate in security and forget everything else. I've said 
the opposite. PAT has it's uses and does provide certain safeguards. It 
is one small piece in a huge arsenal of security mechanisms implemented 
in a network. The entire edge firewall system is only a small piece in 
network security. If you strictly depend on the edge firewall for 
security, you may someday learn the error of doing so. Many companies have.


Jack




More information about the NANOG mailing list