Firewall Wizards mailing list archives

Re: A question regarding SOCKs/Proxy vs NAT/PAT


From: "Crist Clark" <crist.clark () globalstar com>
Date: Wed, 14 Mar 2001 18:01:17 -0800

Ben Nagy wrote:

-----Original Message-----
From: Crist Clark [mailto:crist.clark () globalstar com]
Sent: Wednesday, 14 March 2001 8:23
To: Michael Gliva
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] A question regarding SOCKs/Proxy vs NAT/PAT


Michael Gliva wrote:

[snip]
[...]
And, I really don't know what the general industry trend is regarding the
question of SOCKs/Proxy vs. NAT/PAT. Can anyone help to enlighten me?

OK, one more time, everyone repeat after me,

  "NAT is not a security measure."
  "NAT is not a security measure."
  ...

Why not? In theory, dynamic NAT, or "hide NAT" or "overload NAT" or whatever
the newest name is, provides as much protection as a dumb stateful packet
filter. Jeez, people run ipchains or dumb Cisco ACLs and consider them a
"security measure" and they're not even _stateful_!

The context for my statement was for someone proposing to do NAT on a
firewall. If you were to do NAT without any firewall to speak of, then yes,
you are reducing the ability of the external attacker to arbitrarily
connect to internal machines. What I am saying is that if you have a
firewall, doing NAT adds no extra security. So, my mantra above could be
made more specific by explicitly adding the context,

  "NAT on a firewall is not a security feature."

That is, putting NAT on top of a firewall that is already using dynamic
rules is no additional security (besides the small information leakage
that using registered IPs might provide a very well informed attacker).
It is a feature to increase your internal IP pool.

I would (and do) argue that dynamic NAT is functionally equivalent to a
stateful packet filter. While it's true that many devices that implement NAT
aren't written by security companies and therefore may be badly implemented,
I think this should be separated from the theoretical side of the debate.

However, I like to point this out: Most of the kiddies and moderately
skilled crackers do not seek out specific machines, but rather _services_.
If you are redirecting anything from the outside to the inside through NAT,
that _service_ is naked on the net. NAT provides no security for this. A
proxy definitely can and even a stateless packet filter can add some.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
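As an added illustration (not from any of the posts above), here is a toy model of the two devices Ben and Crist compare: a dumb stateful packet filter and a port-restricted dynamic NAT (PAT), each with an optional static exposure (an allow rule on the filter, a port forward on the NAT). Both devices make the same accept/drop decisions on the same traffic, and a forwarded port is reachable from any source on either, which is the "naked on the net" case; all addresses, ports and class names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Dumb stateful packet filter: outbound packets create state; inbound
    packets are admitted only as replies to that state or by a static rule."""
    def __init__(self, allow_in=()):
        self.state, self.allow_in = set(), set(allow_in)  # allow_in: (inside ip, port)

    def outbound(self, p):
        self.state.add((p.dst, p.dport, p.src, p.sport))  # key a reply must match

    def inbound(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.state or (p.dst, p.dport) in self.allow_in:
            return "accept"
        return "drop"


class DynamicNat:
    """Hide/overload NAT (PAT): every outbound flow gets a public port; inbound
    packets are translated only if they hit that port from the same peer
    (port-restricted behaviour; a full-cone NAT would admit any source, which is
    exactly the implementation difference the thread warns about). Static
    forwards map a public port to an inside host for any source at all."""
    def __init__(self, public_ip, forwards=None):
        self.public_ip, self.next_port = public_ip, 40000
        self.table, self.forwards = {}, dict(forwards or {})  # port -> (in ip, in port, peer ip, peer port)

    def outbound(self, p):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport, p.dst, p.dport)
        return port  # the public port the peer will reply to

    def inbound(self, p):
        if p.dst != self.public_ip:
            return "drop"
        if p.dport in self.forwards:
            return "accept"  # forwarded service: NAT adds nothing here
        entry = self.table.get(p.dport)
        return "accept" if entry and entry[2:] == (p.src, p.sport) else "drop"


def compare(forward_port=None):
    """Drive both devices through the same cases; return {case: (filter, nat)}.
    Constructed addresses: inside 10.0.0.0/8, public 203.0.113.1, peers in
    198.51.100.0/24 and 192.0.2.0/24 (documentation ranges)."""
    allow = [("10.0.0.5", 80)] if forward_port else []
    fw = StatefulFilter(allow_in=allow)
    nat = DynamicNat("203.0.113.1", {forward_port: ("10.0.0.5", 80)} if forward_port else None)
    out = Pkt("10.0.0.7", 51000, "198.51.100.9", 443)  # inside host opens an HTTPS flow
    fw.outbound(out)
    pub = nat.outbound(out)
    cases = {  # (packet as seen by the filter, same event as seen by the NAT)
        "reply": (Pkt("198.51.100.9", 443, "10.0.0.7", 51000), Pkt("198.51.100.9", 443, "203.0.113.1", pub)),
        "stranger_same_port": (Pkt("192.0.2.66", 12345, "10.0.0.7", 51000), Pkt("192.0.2.66", 12345, "203.0.113.1", pub)),
        "stranger_port_80": (Pkt("192.0.2.66", 12345, "10.0.0.5", 80), Pkt("192.0.2.66", 12345, "203.0.113.1", 80)),
    }
    return {name: (fw.inbound(a), nat.inbound(b)) for name, (a, b) in cases.items()}
```

`compare()` shows both devices dropping everything unsolicited, while `compare(80)` shows both admitting any stranger to the exposed port, so the decision is made by the rule that exposes the service, not by whether addresses are translated.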

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards