Security Basics mailing list archives
Re: NAT external/Public IP
From: krymson () gmail com
Date: 9 Nov 2007 17:49:35 -0000
This thread has spawned a lot of smaller topics that are getting mashed together, bastardized, and confused. And reading sec-basics was supposed to be a mini-break for me! :)

1) I dislike discussions on the value of obscurity, because the typical two parties in the discussion are often both correct.

2) Correct: obscurity does not affect the security of a device itself. An unpatched Windows OS won't become more secure, in and of itself, because you hid it in a closet with no network. The OS is still insecure.

3) Correct: the risk to a device is affected in a positive way by obscuring it. The risk to that Windows system is pretty low because it doesn't even have a network cable attached to it!

4) This can also be illustrated with our age-old example of putting SSH on an alternate port. This won't make the SSH daemon or user passwords any more secure, but you will see a dramatic reduction in the number of logged brute force attempts when it is on an odd port. This is of value to many security professionals, and should be labeled a "reduction of risk." Sadly, many people still just call this an "increase in security," which gets quickly mistaken.

5) Back to the topic at hand: NAT. Does NAT increase security? That is clearly not its purpose, but it can help reduce risk, the same as good ACLs or firewall rules. To discuss further, we need clear examples of what we're envisioning our network to be. Are we assuming Internet traffic goes right to a host, all 65,535 ports? I'd rather have NAT stopping that (which pretty much forces us to use some firewall/acl rules), so I don't have to worry about all those ports. Does this increase the security of the box? Not directly. Does it mitigate risk? Yes. Does this add value? Yes. And so on.

Basically, I think most of the thread participants are correct, we're just dealing with mismatched definitions of terms, and mismatched illustrations where not everything is equal.
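The point in item 5, that a NAT gateway only passes unsolicited inbound traffic to ports an administrator has explicitly mapped, can be shown with a small model. The following is an added example, not code from the original post or from any thread participant: a toy stateful NAT with static port forwards, plus a full 1-65535 port sweep from an outside address. The IP addresses, ports and packets are constructed sample data, and the class and function names are the example's own.

```python
"""
Toy model of a stateful NAT / port-forwarding gateway.

Added example, not part of the original mailing-list post. It models the
claim in the thread: behind NAT, unsolicited Internet traffic cannot reach
an inside host on arbitrary ports. Only explicitly forwarded ports and
return traffic for connections the inside host opened are translated;
everything else has no inside destination and is dropped. All addresses,
ports and packets below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        # Static port forwards configured by the admin:
        #   public_port -> (inside_ip, inside_port)
        self.forwards = dict(forwards or {})
        # Dynamic translations created by outbound traffic (endpoint-dependent):
        #   (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside host sends to the Internet: allocate a mapping, return the translated packet."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet sends to the public IP: return the translated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        # Return traffic for a connection the inside host opened (same remote endpoint).
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            inside_ip, inside_port = self.table[key]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        # Unsolicited traffic only gets in through an explicit forward.
        if pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        return None


def reachable_ports(gw, scanner_ip, scanner_port=55555):
    """Sweep all 65535 TCP ports from the outside; return those that reach an inside host."""
    return [
        p for p in range(1, 65536)
        if gw.inbound(Packet(scanner_ip, scanner_port, gw.public_ip, p)) is not None
    ]


def demo():
    # One public IP, one admin-chosen forward: TCP/443 to an inside web server.
    gw = NatGateway("203.0.113.10", forwards={443: ("192.168.1.20", 443)})
    # An inside client opens a connection out; the server's reply is let back in.
    out = gw.outbound(Packet("192.168.1.30", 51000, "198.51.100.5", 80))
    reply = gw.inbound(Packet("198.51.100.5", 80, gw.public_ip, out.src_port))
    # A scanner hitting that same mapped public port from another address gets nothing.
    spoof = gw.inbound(Packet("198.51.100.99", 80, gw.public_ip, out.src_port))
    # A full port sweep from the outside sees only the forwarded port.
    exposed = reachable_ports(gw, "198.51.100.99")
    return reply, spoof, exposed


if __name__ == "__main__":
    reply, spoof, exposed = demo()
    print("return traffic delivered to:", reply)
    print("scanner on mapped port:", spoof)
    print("ports reachable from outside:", exposed)
```

The sweep returning a single port is the "reduction of risk" the post describes: the 65,535 ports on the inside host are not harder to exploit, there is simply no path to most of them. Two caveats a practitioner would add: the model uses endpoint-dependent mappings, whereas a full-cone NAT would deliver the scanner's packet on the mapped port to the inside client, so the spoof check here is stricter than some real devices; and the mapping table is the only thing doing the filtering, which is why the post says NAT "pretty much forces" explicit rules, and why it is no substitute for a real firewall policy.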
Current thread:
- Re: NAT external/Public IP Ansgar -59cobalt- Wiechers (Nov 04)
- Re: NAT external/Public IP PCSC Information Services (Nov 05)
- RE: NAT external/Public IP Craig Wright (Nov 05)
- Re: NAT external/Public IP PCSC Information Services (Nov 05)
- Re: NAT external/Public IP Michael Painter (Nov 07)
- RE: NAT external/Public IP Craig Wright (Nov 05)
- RE: NAT external/Public IP Dan Lynch (Nov 05)
- Re: NAT external/Public IP Ansgar -59cobalt- Wiechers (Nov 06)
- <Possible follow-ups>
- Re: NAT external/Public IP krymson (Nov 09)
- RE: NAT external/Public IP Nick Vaernhoej (Nov 09)
- RE: NAT external/Public IP Craig Wright (Nov 09)
- Message not available
- RE: NAT external/Public IP Craig Wright (Nov 15)
- RE: NAT external/Public IP Nick Vaernhoej (Nov 09)
- Re: NAT external/Public IP PCSC Information Services (Nov 05)