Re: Stats on how common NAT is?

["CTA" <cta () hcsin net>]

On 14 Dec 2002, at 23:43, R. DuFresne wrote:


From:                   "R. DuFresne" <<dufresne () sysinfo com>

To:                     Michael Still <<mikal () stillhq com>

Copies to:              fw-wiz <<firewall-wizards () honor icsalabs com>

Subject:                Re: [fw-wiz] Stats on how common NAT is?

Organization:           sysinfo.com Date sent:          Sat, 14 Dec 2002

23:43:01 -0500 (EST)


<color><param>7F00,0000,0000</param>> 

> Duke Hospital just NAT'ed all it's internal address space, as

> they step up compliance with HIPAA.  I've worked with a number

> of companies over the years that have used NAT as Bill Royd's

> mentions in his reply also.  and as always, he gives sound

> advice and reasoning.

>

> Thanks,

>

> Ron DuFresne

>

</color>I would add that a large number of these hospitals have elected

to do NAT from their router/ Internet Gateway. Worst yet they

depend on their router as THE FW. This is a bad choice for any

network topology, which connects to the Internet, IMHO. Such

topologies are vulnerable to Disclosure, Integrity and DDOS

threats and place the majority of the raise the risk cost on the

NAT/Router. This is a poor response to meet HIPAA compliance

requirements. Sorry CISCO.


A better way would be to distribute the risks associated with

vulnerabilities, threats and attacks across several redundant

application specific devices. Router, Bastion Host / NAT Box, 
FW,

IDS. In fact a properly designed hybrid Bastion/NAT Box can 
be

stacked in parallel with auto-sensing hot fail-over to a mash of

router/gateways to the Internet. I would also add a honeypot or

two to give the kids a place to play.


The problem I see is that most network engineers are not 

applying good Systems Security Engineering processes to 

balance vulnerabilities, threats and attacks with risks, 

requirements and economics.


Here s my 10 step SSE process:


1. Identifythe functional requirements



2. Specifythe systems components considering performance 

    and economics (Time, Costs, Resources)



3. Identifythe vulnerabilities, threats and possible attacks 

    associated with each system component.



4. Assessthe Risks associated with the vulnerabilities



5. Re- prioritize the Vulnerabilities, considering requirements 

    and economics



6. Identifythe Safeguards to abate the threats or their effects 

    on the vulnerabilities


7. Iterateback to step 4 until one has the best balance Risks, 

    Vulnerabilities, Requirements and Economics


8. Implementthe Safeguards


9. Install the Safeguards


10. Iterate back to step 2 and adjust until we are within

specification. 
 
Else, (last resort, BUT DO IT) go back and

redefine the functional requirements and/or system

specifications.


<color><param>7F00,0000,0000</param>> 

> On Sun, 15 Dec 2002, Michael Still wrote:

>

> >

> > Hello.

> >

> > I work as a software developer, and there has been some

> > discussion at work as to how common NAT is in corporate

> > environments (this affects whether we use DCOM or not).

> >

> > Does anyone have any pointers on how common NAT in corporate

> > environments is? Why are these people using NAT, is it solely

> > the expense of real IPs, or is it also for the added

> > security?

> >

> > Thanks,

> > Mikal

> >

> >

>

> -- 

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>         admin & senior security consultant:  sysinfo.com

>                         http://sysinfo.com

>

> "Cutting the space budget really restores my faith in humanity.

> It eliminates dreams, goals, and ideals and lets us get

> straight to the business of hate, debauchery, and

> self-annihilation."

>                 -- Johnny Hart

>

> testing, only testing, and damn good at it too!

>

> _______________________________________________

> firewall-wizards mailing list

> firewall-wizards () honor icsalabs com

> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

>




<nofill>
bernie|bhH
cta () hcsin net
++++++++++++++++++++++++++++++++++++++++++
I don't ware no stiken hat...
    Bald, Hatless and Hacking since 1975
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards