Re: Stats on how common NAT is?

["CTA" <cta () hcsin net>]

On 14 Dec 2002, at 23:43, R. DuFresne wrote:

From:                   "R. DuFresne" <dufresne () sysinfo com>
To:                     Michael Still <mikal () stillhq com>
Copies to:              fw-wiz <firewall-wizards () honor icsalabs com>
Subject:                Re: [fw-wiz] Stats on how common NAT is?
Organization:           sysinfo.com
Date sent:              Sat, 14 Dec 2002 23:43:01 -0500 (EST)

> Duke Hospital just NAT'ed all it's internal address space, as
> they step up compliance with HIPAA.  I've worked with a number of
> companies over the years that have used NAT as Bill Royd's
> mentions in his reply also.  and as always, he gives sound advice
> and reasoning.
>
> Thanks,
>
> Ron DuFresne
I would add that a large number of these hospitals have elected 
to do NAT from their router/ Internet Gateway. Worst yet they 
depend on their router as THE FW. This is a bad choice for 
any network topology, which connects to the Internet, IMHO. 
Such topologies are vulnerable to Disclosure, Integrity and 
DDOS threats and place the majority of the raise the risk cost 
on the NAT/Router. This is a poor response to meet HIPAA 
compliance requirements. Sorry CISCO.

A better way would be to distribute the risks associated with 
vulnerabilities, threats and attacks across several redundant 
application specific devices. Router, Bastion Host / NAT Box, 
FW, IDS. In fact a properly designed hybrid Bastion/NAT Box 
can be stacked in parallel with auto-sensing hot fail-over to a 
mash of router/gateways to the Internet. I would also add a 
honeypot or two to give the kids a place to play.

The problem I see is that most network engineers are not 
applying good Systems Security Engineering processes to 
balance vulnerabilities, threats and attacks with risks, 
requirements and economics.

Here s my 10 step SSE process:

Identifythe functional requirements
    
Specifythe systems components considering performance 
    and economics (Time, Costs, Resources)
    
Identifythe vulnerabilities, threats and possible attacks 
    associated with each system component.
    
Assessthe Risks associated with the vulnerabilities
    
Re- prioritize the Vulnerabilities, considering requirements 
    and economics
    
Identifythe Safeguards to abate the threats or their effects 
    on the vulnerabilities

Iterateback to step 4 until one has the best balance Risks, 
    Vulnerabilities, Requirements and Economics

Implementthe Safeguards

Installthe Safeguard

Iterate back to step 2 and adjust until we are within specification. 

Else, (last resort, BUT DO IT) go back and redefine the functional requirements and/or system specifications.

> On Sun, 15 Dec 2002, Michael Still wrote:
>
> > Hello.
> >
> > I work as a software developer, and there has been some
> > discussion at work as to how common NAT is in corporate
> > environments (this affects whether we use DCOM or not).
> >
> > Does anyone have any pointers on how common NAT in corporate
> > environments is? Why are these people using NAT, is it solely
> > the expense of real IPs, or is it also for the added security?
> >
> > Thanks,
> > Mikal
>
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity. 
> It eliminates dreams, goals, and ideals and lets us get straight
> to the business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


bernie|bhH
cta () hcsin net
++++++++++++++++++++++++++++++++++++++++++
I don't ware no stiken hat...
    Bald, Hatless and Hacking since 1975
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards