Is NAT can provide some kind of protection?
Jack Bates
jbates at brightok.net
Wed Jan 12 20:18:56 UTC 2011
On 1/12/2011 1:35 PM, Owen DeLong wrote:
> The corp IT guy is delusional. The solution to the routing disconnect
> is map+encap or tunnels. Many exploits now take advantage of these
> technologies to use a system compromised through point-click-pwn3d to
> provide a route into the rest of the network. If you allow outbound
> access to TCP/80, TCP/443, or TCP/22, then, it is trivial to create
> an inbound path to your network, NAT or no.
>
This presumes the inside network is already compromised. In such a case,
a stateful/non-proxy firewall would also be subject to such a thing.
This is not what PAT prevents that a stateful firewall doesn't.
> The argument everyone is making is that a stateful firewall without
> mangling the headers is just as secure (and just as insecure) as one
> with PAT.
>
Except that the routing isolation means that it is not just as secure.
It has one extra vulnerability over NAT.
> Both can and are trivially compromised.
>
Agreed that there are still ways around them. Anyone relying on a single
mechanism for security will often find their security to be inefficient.
> As to the PAT scenario only exposing a single port on a single host,
> not entirely accurate, either. I have seen errant mappings which
> exposed much more in a single mapping command on some systems.
>
On a standard port redirect, I'd be interested to hear the specifics.
However, as my IT guy points out, he doesn't do port or 1-1 redirects
through NAT.
> Then there are the NAT Traversal mechanisms which are necessary to
> make things function but can also be exploited.
>
Things don't function through his firewall. He likes breakage.
> The list of problems created by PAT goes on and on.
>
PAT creates a lot of issues. However, for some environments, what it
breaks is perfectly acceptable. Utilizing PAT in home routers and
facilities that have a more open use of technology would be crippling
the protocol needlessly.
> I've seen PAT bugs that exposed multiple hosts. This is a false sense
> of security.
>
Specifics.
> Paraphrased: A bank vault with a screen door is more secure than a
> bank vault without a screen door.
>
> Pay no attention to the fact that the bank vault was, in this case,
> built with a skylight.
If you installed a skylight, that's your own fault. Nowhere have I said
PAT is the ultimate in security and forget everything else. I've said
the opposite. PAT has its uses and does provide certain safeguards. It
is one small piece in a huge arsenal of security mechanisms implemented
in a network. The entire edge firewall system is only a small piece in
network security. If you strictly depend on the edge firewall for
security, you may someday learn the error of doing so. Many companies have.
Jack