Arguing against using public IP space

Mark Andrews marka at isc.org
Wed Nov 16 01:20:29 UTC 2011


In message <29838609.2919.1321392184239.JavaMail.root at benjamin.baylink.com>, Jay Ashworth writes:
> > >> If your firewall is not working, it should not be passing packets.
> > >
> > > And of course, things always fail just the way we want them to.
> > 
> > Your stateful firewall is no more likely to fail open than your
> > header-mutilating device.
> 
> Please show your work.

Prove to me that all NAT won't pass packets not addressed directly
to it.  Show your work.

You are making assumptions about how the NAT is designed.  Many
NATs only take packets addressed to particular address ranges and
process them though the state tables.  All the rest of the packets
are treated as normal traffic which may or may not be forwarded
depending upon the way the base platform is configured which is
usually as a router.  Many NATs will honour LSR.

Unless you know the internals of a NAT you cannot say whether it
fails open or closed.

Given that most NATs only use a small set of addresses on the inside
it is actually feasible to probe through a NAT using LSR.  Most
attacks don't do this as there are lots of lower hanging fruit but
if it is a targeted attack then yes you can expect to see LSR based
attacks which depending upon how the NAT is built may pass through
it without even being noticed.

Now can we put to bed that NAT provides any real security.  If you
want security add and configure a firewall.  That firewall can be
in the same box as the NAT.  It can use the same state tables as
the NAT but it is the firewall, not the NAT functionality, that
provides the protection.

Mark

> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                  Baylink                       jra at baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
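A filter check for the LSR case discussed above, added here as an example and not part of the thread: it parses the IPv4 header options and flags packets that carry a loose or strict source route option (types 131 and 137), which is what a firewall in front of a NAT should reject rather than forward. The sample headers and addresses are constructed for the test and are not taken from the post.

```python
import struct

# IPv4 option type codes (RFC 791): LSRR = loose source route, SSRR = strict source route.
IPOPT_EOOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137


def source_route_option(packet: bytes):
    """Return ("LSRR" | "SSRR", [hop addresses]) if the IPv4 header carries a
    source-route option, None if it does not; raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options, i = packet[20:ihl], 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == IPOPT_EOOL:
            break
        if opt_type == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option missing length byte")
        opt_len = options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            raise ValueError("bad option length")
        if opt_type in (IPOPT_LSRR, IPOPT_SSRR):
            # Route data follows type, length and pointer bytes; each hop is 4 bytes.
            route = options[i + 3:i + opt_len]
            hops = [".".join(str(b) for b in route[j:j + 4]) for j in range(0, len(route) // 4 * 4, 4)]
            return ("LSRR" if opt_type == IPOPT_LSRR else "SSRR", hops)
        i += opt_len
    return None


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test header: minimal IPv4 header (checksum left zero), options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    pack_ip = lambda a: bytes(int(x) for x in a.split("."))
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, pack_ip(src), pack_ip(dst)) + options


def lsrr_option(hops) -> bytes:
    """Constructed LSRR option: type 131, total length, pointer = 4, then the listed hops."""
    route = b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


# Constructed samples (documentation addresses): one plain header, one with a source route.
PLAIN = build_ipv4_header("198.51.100.7", "203.0.113.1")
ROUTED = build_ipv4_header("198.51.100.7", "203.0.113.1", lsrr_option(["192.0.2.10"]))
```

A packet for which `source_route_option` returns a value should be dropped by the firewall regardless of whether the NAT's platform would otherwise route it.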