nanog mailing list archives

Re: Is NAT can provide some kind of protection?


From: Jack Bates <jbates () brightok net>
Date: Wed, 12 Jan 2011 14:18:56 -0600

On 1/12/2011 1:35 PM, Owen DeLong wrote:
> The corp IT guy is delusional. The solution to the routing disconnect
> is map+encap or tunnels. Many exploits now take advantage of these
> technologies to use a system compromised through point-click-pwn3d to
> provide a route into the rest of the network. If you allow outbound
> access to TCP/80, TCP/443, or TCP/22, then, it is trivial to create
> an inbound path to your network, NAT or no.

This presumes the inside network is already compromised. In such a case, a stateful/non-proxy firewall would also be subject to such a thing. This is not what PAT prevents that a stateful firewall doesn't.

> The argument everyone is making is that a stateful firewall without
> mangling the headers is just as secure (and just as insecure) as one
> with PAT.

Except that the routing isolation means that it is not just as secure. It has one extra vulnerability over NAT.

> Both can and are trivially compromised.

Agreed that there are still ways around them. Anyone relying on a single mechanism for security will often find their security to be inefficient.

> As to the PAT scenario only exposing a single port on a single host,
> not entirely accurate, either. I have seen errant mappings which
> exposed much more in a single mapping command on some systems.

On a standard port redirect, I'd be interested to hear the specifics. However, as my IT guy points out, he doesn't do port or 1-1 redirects through NAT.

> Then there are the NAT Traversal mechanisms which are necessary to
> make things function but can also be exploited.

Things don't function through his firewall. He likes breakage.

> The list of problems created by PAT goes on and on.

PAT creates a lot of issues. However, for some environments, what it breaks are perfectly acceptable. Utilizing PAT in home routers and facilities that have a more open use of technology would be crippling the protocol needlessly.

> I've seen PAT bugs that exposed multiple hosts. This is false sense
> of security.

Specifics.

> Paraphrased: A bank vault with a screen door is more secure than a
> bank vault without a screen door.
>
> Pay no attention to the fact that the bank vault was, in this case,
> built with a skylight.

If you installed a skylight, that's your own fault. Nowhere have I said PAT is the ultimate in security and forget everything else. I've said the opposite. PAT has its uses and does provide certain safeguards. It is one small piece in a huge arsenal of security mechanisms implemented in a network. The entire edge firewall system is only a small piece in network security. If you strictly depend on the edge firewall for security, you may someday learn the error of doing so. Many companies have.


Jack
