Lee at asgard.org
Mon Mar 24 18:23:03 UTC 2014
On 3/24/14 1:37 PM, "William Herrin" <bill at herrin.us> wrote:
>On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco at ns.sol.net> wrote:
>>> I say this with the utmost respect, but you must understand the
>>> principle of defense in depth in order to make competent security
>>> decisions for your organization. Smart people disagree on the details
>>> but the principle is not only iron clad, it applies to all forms of
>>> security, not just IP network security.
>> The problem here is that what's actually going on is that you're now
>> enshrining as a "security" device a hacky, ill-conceived workaround
>> for a lack of flexibility/space/etc in IPv4. NAT was not designed
>> to act as a security feature.
>That would be one of those "details" on which smart people disagree.
>In this case, I think you're wrong. Modern NAT superseded the
>transparent proxies and bastion hosts of the '90s because it does the
>same security job a little more smoothly. And proxies WERE designed to
>act as a security feature.
What kinds of devices are we talking about here? Are we talking about the
default NAT on a home network router, or an enterprise-level NAT operating
on a firewall?
The NAT on home gateways may be a full-cone NAT. This allows easier setup
of online gaming, for instance, or other applications where an inbound SYN
is required. This provides no security, since as soon as a connection is
established, all traffic is allowed. Even restricted cone NATs provide
little protection, just a bit of guessing that even a human could manage.
If we're talking about an enterprise firewall, then I don't
understand--we're talking about a firewall. If it implements a symmetric
NAT in addition to a stateful firewall, then it's implementing the same
function twice. But, hey, it's your network, if
security-through-obscurity is one of your defense in depth layers, that's
fine. You may use NPT66 with ULA; that function is defined.
More information about the NANOG