Firewall Wizards mailing list archives
Re: A question regarding SOCKs/Proxy vs NAT/PAT
From: "Crist Clark" <crist.clark () globalstar com>
Date: Wed, 14 Mar 2001 18:01:17 -0800
Ben Nagy wrote:
> -----Original Message-----
> From: Crist Clark [mailto:crist.clark () globalstar com]
> Sent: Wednesday, 14 March 2001 8:23
> To: Michael Gliva
> Cc: firewall-wizards () nfr com
> Subject: Re: [fw-wiz] A question regarding SOCKs/Proxy vs NAT/PAT
>
> Michael Gliva wrote:
> [snip]
> > [...] And, I really don't know what the general industry trend is
> > regarding the question of SOCKs/Proxy vs. NAT/PAT. Can anyone help
> > to enlighten me?
>
> OK, one more time, everyone repeat after me, "NAT is not a security
> measure." "NAT is not a security measure." ...

Why not? In theory, dynamic NAT, or "hide NAT" or "overload NAT" or whatever the newest name is, provides as much protection as a dumb stateful packet filter. Jeez, people run ipchains or dumb Cisco ACLs and consider them a "security measure" and they're not even _stateful_!
The context for my statement was for someone proposing to do NAT on a firewall. If you were to do NAT without any firewall to speak of, then yes, you are reducing the ability of the external attacker to arbitrarily connect to internal machines. What I am saying is that if you have a firewall, doing NAT adds no extra security. So, my mantra above could be made more specific by explicitly adding the context, "NAT on a firewall is not a security feature." That is, putting NAT on top of a firewall that is already using dynamic rules is no additional security (besides the small information leakage that using registered IPs might provide a very well informed attacker). It is a feature to increase your internal IP pool.
> I would (and do) argue that dynamic NAT is functionally equivalent to a
> stateful packet filter. While it's true that many devices that implement
> NAT aren't written by security companies and therefore may be badly
> implemented, I think this should be separated from the theoretical side
> of the debate.
However, I like to point this out: Most of the kiddies and moderately skilled crackers do not seek out specific machines, but rather _services_. If you are redirecting anything from the outside to the inside through NAT, that _service_ is naked on the net. NAT provides no security for this. A proxy definitely can, and even a stateless packet filter can add some.

-- 
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387  FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
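The two points argued in the thread, that dynamic ("hide"/overload) NAT makes the same pass-or-drop decision as a stateful packet filter, and that a service redirected inward through NAT is reachable exactly as it would be behind a filter with an explicit allow rule, can be checked with a toy model. The code below is an added example and is not part of the mailing-list thread; the gateway address 203.0.113.1, the inside hosts 10.0.0.5 and 10.0.0.7, the port-forward of TCP/80, the port allocation starting at 40000 and every packet are constructed for illustration. Both devices are given the same traffic and their verdicts are compared side by side.

```python
"""Toy model: dynamic NAT vs. a stateful packet filter (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.1"  # assumed: the NAT gateway's registered address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HideNAT:
    """Overload NAT: outbound flows create mappings; inbound is translated only if a
    mapping (or a static port-forward) exists, otherwise the packet is dropped."""

    def __init__(self, first_port: int = 40000) -> None:
        self.next_port = first_port
        self.out_map: Dict[Tuple, int] = {}                   # inside 5-tuple -> public port
        self.in_map: Dict[Tuple, Tuple[str, int]] = {}        # (proto, pub_port, peer) -> inside
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}  # static redirects

    def add_port_forward(self, proto: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.in_map.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.forwards.get((pkt.proto, pkt.dst_port))  # the "naked" service
        if inside is None:
            return None  # no state, no redirect: dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


class StatefulFilter:
    """No translation: inbound passes only for flows the inside opened, plus explicit allows."""

    def __init__(self) -> None:
        self.flows: Set[Tuple] = set()
        self.allow_in: Set[Tuple[str, str, int]] = set()

    def allow_inbound_service(self, proto: str, inside_ip: str, inside_port: int) -> None:
        self.allow_in.add((proto, inside_ip, inside_port))

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return pkt
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) in self.allow_in:
            return pkt
        return None


def verdict(result: Optional[Packet]) -> str:
    return "drop" if result is None else f"pass->{result.dst_ip}:{result.dst_port}"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Feed identical traffic to both devices; each entry is (NAT verdict, filter verdict)."""
    nat, fw = HideNAT(), StatefulFilter()
    nat.add_port_forward("tcp", 80, "10.0.0.5", 80)        # redirect public :80 inward
    fw.allow_inbound_service("tcp", "10.0.0.5", 80)        # the equivalent filter rule

    # 1. inside client opens a flow to an outside server (constructed addresses)
    client = Packet("10.0.0.7", 51234, "198.51.100.9", 443)
    nat_out = nat.outbound(client)
    fw.outbound(client)

    # 2. the server's reply comes back: matches state on both devices
    reply_nat = Packet("198.51.100.9", 443, nat_out.src_ip, nat_out.src_port)
    reply_fw = Packet("198.51.100.9", 443, "10.0.0.7", 51234)

    # 3. an unsolicited probe of an inside port with no state and no redirect
    scan_nat = Packet("192.0.2.66", 4444, PUBLIC_IP, 22)
    scan_fw = Packet("192.0.2.66", 4444, "10.0.0.7", 22)

    # 4. an unsolicited connection to the redirected/allowed service
    web_nat = Packet("192.0.2.66", 4444, PUBLIC_IP, 80)
    web_fw = Packet("192.0.2.66", 4444, "10.0.0.5", 80)

    return {
        "translated_src": (f"{nat_out.src_ip}:{nat_out.src_port}", f"{client.src_ip}:{client.src_port}"),
        "reply": (verdict(nat.inbound(reply_nat)), verdict(fw.inbound(reply_fw))),
        "scan_ssh": (verdict(nat.inbound(scan_nat)), verdict(fw.inbound(scan_fw))),
        "forwarded_web": (verdict(nat.inbound(web_nat)), verdict(fw.inbound(web_fw))),
    }


if __name__ == "__main__":
    for name, (nat_v, fw_v) in run_scenario().items():
        print(f"{name:15s} NAT: {nat_v:22s} filter: {fw_v}")
```

Apart from the rewritten source address, the NAT and the filter agree on every packet: the reply is let in, the unsolicited probe of port 22 is dropped by both, and the connection to the forwarded port 80 reaches 10.0.0.5 on both. The model deliberately keys NAT state on the full 5-tuple; a real implementation that matches inbound packets on the public port alone accepts more unsolicited traffic than the filter does, which is the "badly implemented" case the thread sets aside.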
Current thread:
- A question regarding SOCKs/Proxy vs NAT/PAT Michael Gliva (Mar 13)
- Re: A question regarding SOCKs/Proxy vs NAT/PAT Crist Clark (Mar 14)
- Re: A question regarding SOCKs/Proxy vs NAT/PAT hermit1 (Mar 15)
- <Possible follow-ups>
- RE: A question regarding SOCKs/Proxy vs NAT/PAT Ben Nagy (Mar 15)
- Re: A question regarding SOCKs/Proxy vs NAT/PAT Crist Clark (Mar 15)
- Re: A question regarding SOCKs/Proxy vs NAT/PAT Crist Clark (Mar 14)