Firewall Wizards mailing list archives
Re: Stats on how common NAT is?
From: "CTA" <cta () hcsin net>
Date: Sun, 15 Dec 2002 10:32:13 -0500
On 14 Dec 2002, at 23:43, R. DuFresne wrote: From: "R. DuFresne" <dufresne () sysinfo com> To: Michael Still <mikal () stillhq com> Copies to: fw-wiz <firewall-wizards () honor icsalabs com> Subject: Re: [fw-wiz] Stats on how common NAT is? Organization: sysinfo.com Date sent: Sat, 14 Dec 2002 23:43:01 -0500 (EST)
Duke Hospital just NAT'ed all it's internal address space, as they step up compliance with HIPAA. I've worked with a number of companies over the years that have used NAT as Bill Royd's mentions in his reply also. and as always, he gives sound advice and reasoning. Thanks, Ron DuFresne
I would add that a large number of these hospitals have elected to do NAT from their router/ Internet Gateway. Worst yet they depend on their router as THE FW. This is a bad choice for any network topology, which connects to the Internet, IMHO. Such topologies are vulnerable to Disclosure, Integrity and DDOS threats and place the majority of the raise the risk cost on the NAT/Router. This is a poor response to meet HIPAA compliance requirements. Sorry CISCO. A better way would be to distribute the risks associated with vulnerabilities, threats and attacks across several redundant application specific devices. Router, Bastion Host / NAT Box, FW, IDS. In fact a properly designed hybrid Bastion/NAT Box can be stacked in parallel with auto-sensing hot fail-over to a mash of router/gateways to the Internet. I would also add a honeypot or two to give the kids a place to play. The problem I see is that most network engineers are not applying good Systems Security Engineering processes to balance vulnerabilities, threats and attacks with risks, requirements and economics. Here s my 10 step SSE process: Identifythe functional requirements Specifythe systems components considering performance and economics (Time, Costs, Resources) Identifythe vulnerabilities, threats and possible attacks associated with each system component. Assessthe Risks associated with the vulnerabilities Re- prioritize the Vulnerabilities, considering requirements and economics Identifythe Safeguards to abate the threats or their effects on the vulnerabilities Iterateback to step 4 until one has the best balance Risks, Vulnerabilities, Requirements and Economics Implementthe Safeguards Installthe Safeguard Iterate back to step 2 and adjust until we are within specification. Else, (last resort, BUT DO IT) go back and redefine the functional requirements and/or system specifications.
On Sun, 15 Dec 2002, Michael Still wrote:Hello. I work as a software developer, and there has been some discussion at work as to how common NAT is in corporate environments (this affects whether we use DCOM or not). Does anyone have any pointers on how common NAT in corporate environments is? Why are these people using NAT, is it solely the expense of real IPs, or is it also for the added security? Thanks, Mikal-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
bernie|bhH cta () hcsin net ++++++++++++++++++++++++++++++++++++++++++ I don't ware no stiken hat... Bald, Hatless and Hacking since 1975 _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Stats on how common NAT is? Michael Still (Dec 14)
- RE: Stats on how common NAT is? Bill Royds (Dec 14)
- Re: Stats on how common NAT is? R. DuFresne (Dec 15)
- Re: Stats on how common NAT is? CTA (Dec 15)
- Re: Stats on how common NAT is? Paul D. Robertson (Dec 15)
- Re: Stats on how common NAT is? Mikael Olsson (Dec 15)
- Re: Stats on how common NAT is? Daniel Linder (Dec 16)
- Re: Stats on how common NAT is? Michael Still (Dec 17)
- <Possible follow-ups>
- Re: Stats on how common NAT is? CTA (Dec 15)