nanog mailing list archives
RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: Donald Stahl <don () calis blacksun org>
Date: Mon, 4 Jun 2007 20:11:32 -0400 (EDT)
>> I'll give you the root password to half a dozen directly connected Linux boxes and you still won't be able to get in.
>
> I can give you the root password to a Linux machine running telnetd and sshd. If it's behind NAT/PAT, you will not get into it. Period.
>
>> The beauty of IPv6 is that Windows can, by default, bind to the Link Local address for file sharing and you still won't be able to get into it but your local network will still work.
>
> I can give you the administrator password to a Windows machine with file sharing wide open. If it's behind NAT/PAT, you will not get into it. Period.
>
>> No one is saying they won't. What people are arguing is that NAT doesn't get you anything more than a stateful inspection firewall while at the same time breaking a whole lot of other things and introducing unnecessary complexity.
>
> The only ways into these machines would be if the NAT/PAT device were misconfigured, another machine on the secure network were compromised, or another gateway into the secure network was set up. Guess what? All of these things would defeat a stateful inspection firewall as well.
>
>> The point is simply that SI does this without the complexity and inanity that is NAT. If you want to deal with it- go right ahead. But the original argument (since we seem to have forgotten) is simply that NAT doesn't get you anything that SI doesn't already provide- while at the same time making everything a lot more complex.
>
> Definitely. So why lie and distort what NAT/PAT actually does do? A large class of security vulnerabilities require the attacker to reach out to the machine first, and NAT/PAT stops those attacks completely.
>
>> For the nth time- so does SI- and it does it without the header mangling, complexity and troubleshooting headaches that come with NAT.
>
> Is a car alarm useless because some professional thieves can disable it? Is a lock useless because some thieves can pick it? Many exploits only go after low-hanging fruit, and NAT/PAT stops them.
No one is denying that NAT works- but it works well because of SI, not because of NAT (in fact static NAT does nothing to stop an attack in any way shape or form).
The question we are asking you is what does NAT get us over and above SI? Because if the answer is nothing- then not having to deal with NAT's shortcomings is reason enough to ditch it in favor of straightforward SI.
-Don
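The disagreement above comes down to one mechanism: a NAT/PAT gateway drops unsolicited inbound packets because it has no mapping for them, and that mapping table is connection state of exactly the kind a stateful inspection (SI) firewall keeps without rewriting any headers, while static 1:1 NAT keeps no such state at all. The following Python model is an added example written for this page; it is not code from the thread or from any of its participants. The three gateway classes (StatefulFirewall, PAT, StaticNAT), run_scenario and every address in it are constructed for illustration, and it models forwarding decisions only, not real packet processing.

```python
"""Added model of NAT/PAT versus stateful inspection (not from the thread).

Three gateway models forward the same three packets: an outbound
connection from a LAN host, the reply to it, and an unsolicited inbound
connection attempt. Every address below is a constructed example value.
"""
from dataclasses import dataclass, replace
from typing import Optional

INSIDE_HOST = "192.168.1.10"      # constructed LAN host (RFC 1918)
GATEWAY_PUBLIC = "203.0.113.1"    # constructed public side of the gateway
REMOTE_SERVER = "198.51.100.20"   # constructed server the LAN host talks to
REMOTE_SCANNER = "198.51.100.99"  # constructed source of an unsolicited connection


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Stateful inspection only: no translation, e.g. an IPv6 edge router.

    An outbound connection creates a flow entry; an inbound packet is
    forwarded only if it belongs to a flow the inside initiated.
    """

    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, p: Packet) -> Packet:
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded unchanged; the inside address is globally reachable

    def inbound(self, p: Packet) -> Optional[Packet]:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return p  # reply to a flow we already know
        return None  # unsolicited: dropped


class PAT:
    """Port address translation (masquerading) as found on home routers.

    The mapping table is keyed by the inside flow, so it is connection
    state: an inbound packet can only be translated if an inside host
    created the mapping first. That, not the rewriting, is what blocks
    the probe.
    """

    def __init__(self) -> None:
        self.mappings: dict = {}  # (in_src, in_sport, dst, dport) -> public port
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return replace(p, src=GATEWAY_PUBLIC, sport=self.mappings[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        for (in_src, in_sport, dst, dport), pub_port in self.mappings.items():
            if (p.dst == GATEWAY_PUBLIC and p.dport == pub_port
                    and (p.src, p.sport) == (dst, dport)):
                return replace(p, dst=in_src, dport=in_sport)
        return None  # no mapping: nowhere to send it, dropped


class StaticNAT:
    """One-to-one static NAT with no state filter in front of it.

    Translation is purely address based, so anything sent to the public
    address reaches the inside host, solicited or not.
    """

    def __init__(self, public: str, private: str) -> None:
        self.public, self.private = public, private

    def outbound(self, p: Packet) -> Packet:
        return replace(p, src=self.public)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst == self.public:
            return replace(p, dst=self.private)
        return None


def run_scenario(gw) -> dict:
    """Push the three packets through a gateway and report what reached the LAN."""
    out = gw.outbound(Packet(INSIDE_HOST, 51000, REMOTE_SERVER, 80))
    # The server replies to whatever source address and port it saw on the wire.
    reply = gw.inbound(Packet(REMOTE_SERVER, 80, out.src, out.sport))
    # An unrelated host tries port 22 on that same outside address.
    probe = gw.inbound(Packet(REMOTE_SCANNER, 4444, out.src, 22))
    return {
        "reply_delivered": reply is not None and reply.dst == INSIDE_HOST,
        "unsolicited_delivered": probe is not None and probe.dst == INSIDE_HOST,
    }


if __name__ == "__main__":
    for name, gw in [("stateful inspection", StatefulFirewall()),
                     ("NAT/PAT", PAT()),
                     ("static 1:1 NAT", StaticNAT("203.0.113.10", INSIDE_HOST))]:
        print(f"{name:20} {run_scenario(gw)}")
```

Running it shows SI and PAT reaching identical decisions (reply delivered, probe dropped) from the same piece of information, a table of inside-initiated flows, while the static mapping delivers the probe as readily as the reply. A defender who wants the protection without the header rewriting keeps the flow table and drops the translation, which is the SI configuration the thread is arguing for.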