nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Jack Bates <jbates () brightok net>
Date: Wed, 12 Jan 2011 14:18:56 -0600
On 1/12/2011 1:35 PM, Owen DeLong wrote:
> The corp IT guy is delusional. The solution to the routing disconnect is map+encap or tunnels. Many exploits now take advantage of these technologies to use a system compromised through point-click-pwn3d to provide a route into the rest of the network. If you allow outbound access to TCP/80, TCP/443, or TCP/22, then, it is trivial to create an inbound path to your network, NAT or no.

This presumes the inside network is already compromised. In such a case, a stateful/non-proxy firewall would also be subject to such a thing. This is not what PAT prevents that a stateful firewall doesn't.

> The argument everyone is making is that a stateful firewall without mangling the headers is just as secure (and just as insecure) as one with PAT.

Except that the routing isolation means that it is not just as secure. It has one extra vulnerability over NAT.

> Both can and are trivially compromised.

Agreed that there are still ways around them. Anyone relying on a single mechanism for security will often find their security to be inefficient.

> As to the PAT scenario only exposing a single port on a single host, not entirely accurate, either. I have seen errant mappings which exposed much more in a single mapping command on some systems.

On a standard port redirect, I'd be interested to hear the specifics. However, as my IT guy points out, he doesn't do port or 1-1 redirects through NAT.

> Then there are the NAT Traversal mechanisms which are necessary to make things function but can also be exploited.

Things don't function through his firewall. He likes breakage.

> The list of problems created by PAT goes on and on.

PAT creates a lot of issues. However, for some environments, what it breaks are perfectly acceptable. Utilizing PAT in home routers and facilities that have a more open use of technology would be crippling the protocol needlessly.

> I've seen PAT bugs that exposed multiple hosts. This is a false sense of security.

Specifics.

> Paraphrased: A bank vault with a screen door is more secure than a bank vault without a screen door. Pay no attention to the fact that the bank vault was, in this case, built with a skylight.

If you installed a skylight, that's your own fault. Nowhere have I said PAT is the ultimate in security and forget everything else. I've said the opposite. PAT has its uses and does provide certain safeguards. It is one small piece in a huge arsenal of security mechanisms implemented in a network. The entire edge firewall system is only a small piece in network security. If you strictly depend on the edge firewall for security, you may someday learn the error of doing so. Many companies have.
Jack
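The two devices the thread argues about, as a toy model added here (not code from the list or from either participant): a stateful edge with and without PAT, exercised on constructed packets. It shows what both posters concede, that unsolicited inbound traffic is dropped either way and a reply to an inside-initiated TCP/443 flow is admitted either way, and what PAT alone changes, that inside addresses never appear on the outside. All addresses, ports and names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Edge:
    """Toy stateful edge. pat=False forwards inside addresses unchanged;
    pat=True rewrites outbound sources to the public address (PAT)."""
    def __init__(self, public_ip: str, inside_prefix: str, pat: bool,
                 allowed_out=(80, 443, 22)):
        self.public_ip, self.inside_prefix, self.pat = public_ip, inside_prefix, pat
        self.allowed_out = allowed_out
        self.state: dict = {}  # expected reply flow -> original inside flow
        self.next_port = 40000

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Egress policy plus state creation; returns the packet as seen outside."""
        if not p.src_ip.startswith(self.inside_prefix) or p.dst_port not in self.allowed_out:
            return None
        if self.pat:
            out = Packet(self.public_ip, self.next_port, p.dst_ip, p.dst_port)
            self.next_port += 1
        else:
            out = p
        self.state[(p.dst_ip, p.dst_port, out.src_ip, out.src_port)] = (
            p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return out

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Both modes drop unsolicited packets and admit replies to inside-opened flows."""
        inside = self.state.get((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        if inside is None:
            return None
        return Packet(p.src_ip, p.src_port, inside[0], inside[1])

def compare(pat: bool) -> dict:
    """Constructed scenario: an unsolicited inbound packet, then a reply to an
    inside-initiated TCP/443 flow (the path an already-compromised host can reuse)."""
    edge = Edge("198.51.100.1", "10.0.0.", pat)
    unsolicited = edge.inbound(Packet("203.0.113.9", 4444, "10.0.0.5", 445))
    seen_outside = edge.outbound(Packet("10.0.0.5", 51000, "203.0.113.9", 443))
    reply = edge.inbound(Packet("203.0.113.9", 443, seen_outside.src_ip, seen_outside.src_port))
    return {"unsolicited_delivered": unsolicited is not None,
            "inside_addr_visible_outside": seen_outside.src_ip.startswith("10.0.0."),
            "reply_reaches_inside": reply is not None and reply.dst_ip == "10.0.0.5"}
```

Running `compare(False)` and `compare(True)` differs only in `inside_addr_visible_outside`; the state table, not the address rewrite, is what decides which inbound packets get through.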