Firewall Wizards mailing list archives
Re: Stats on how common NAT is?
From: "CTA" <cta () hcsin net>
Date: Sun, 15 Dec 2002 10:38:08 -0500
On 14 Dec 2002, at 23:43, R. DuFresne wrote:
From: "R. DuFresne" <dufresne () sysinfo com>
To: Michael Still <mikal () stillhq com>
Copies to: fw-wiz <firewall-wizards () honor icsalabs com>
Subject: Re: [fw-wiz] Stats on how common NAT is?
Organization: sysinfo.com
Date sent: Sat, 14 Dec 2002 23:43:01 -0500 (EST)
Duke Hospital just NAT'ed all its internal address space, as
they step up compliance with HIPAA. I've worked with a number
of companies over the years that have used NAT as Bill Royds
mentions in his reply also. And as always, he gives sound
advice and reasoning.
Thanks,
Ron DuFresne
I would add that a large number of these hospitals have elected to do NAT from their router/Internet Gateway. Worse yet, they depend on their router as THE FW. This is a bad choice for any network topology which connects to the Internet, IMHO. Such topologies are vulnerable to Disclosure, Integrity and DDOS threats and place the majority of the raise the risk cost on the NAT/Router. This is a poor response to meet HIPAA compliance requirements. Sorry CISCO.

A better way would be to distribute the risks associated with vulnerabilities, threats and attacks across several redundant application-specific devices: Router, Bastion Host / NAT Box, FW, IDS. In fact a properly designed hybrid Bastion/NAT Box can be stacked in parallel with auto-sensing hot fail-over to a mash of router/gateways to the Internet. I would also add a honeypot or two to give the kids a place to play.

The problem I see is that most network engineers are not applying good Systems Security Engineering processes to balance vulnerabilities, threats and attacks with risks, requirements and economics.

Here's my 10 step SSE process:
1. Identify the functional requirements
2. Specify the systems components considering performance and economics (Time, Costs, Resources)
3. Identify the vulnerabilities, threats and possible attacks associated with each system component.
4. Assess the Risks associated with the vulnerabilities
5. Re-prioritize the Vulnerabilities, considering requirements and economics
6. Identify the Safeguards to abate the threats or their effects on the vulnerabilities
7. Iterate back to step 4 until one has the best balance of Risks, Vulnerabilities, Requirements and Economics
8. Implement the Safeguards
9. Install the Safeguards
10. Iterate back to step 2 and adjust until we are within specification. Else (last resort, BUT DO IT), go back and redefine the functional requirements and/or system specifications.

On Sun, 15 Dec 2002, Michael Still wrote:
Hello.
I work as a software developer, and there has been some
discussion at work as to how common NAT is in corporate
environments (this affects whether we use DCOM or not).
Does anyone have any pointers on how common NAT in corporate
environments is? Why are these people using NAT, is it solely
the expense of real IPs, or is it also for the added
security?
Thanks,
Mikal
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.
It eliminates dreams, goals, and ideals and lets us get
straight to the business of hate, debauchery, and
self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
bernie|bhH
cta () hcsin net
++++++++++++++++++++++++++++++++++++++++++
I don't ware no stiken hat...
Bald, Hatless and Hacking since 1975