Re: Arguing against using public IP space

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "Owen DeLong" <owen () delong com>

> In this case, a router with NAT is slightly more likely to fail closed than
> a router without NAT.

"Slightly"?  Continuing to assume here, as we have been, that the network
behind a NAT is *unroutable*, then a NAT router has, IME, *many* more obvious
possible failure modes which will make the internal network inaccessible from
outside than modes which cause the opposite.

If you're an attacker, targeting a behind-NAT box from the outside, then
if the NAT's working, you can hit directly any ports that are forwarded to it.

If not, then you have to a) know the private IP of the box and b) be able to
get packets to the last upstream hop with source routing on them and c) the
box has to have failed (or been configured or built) in such a way as to 
*listen* to source-routing.  Those layers may have varying thicknesses, but 
there *are* at least 3 more of them, *on top of* "did it fail in a way where
it's listening at all?".

>                        However, a firewall without NAT is more likely
> to fail closed than a router with or without NAT and equally likely to
> a firewall with NAT.

If it's a firewall that meets your definition of the word, as opposed to,
say, a shorewall box, a smoothwall box, a pf box, or any of the other 3 or
4 dozen packaged linux based firewall routers of which there are *lots* out
there.  Probably the most common failure more on those is "iptables accidentally
cleared; box routes all packets".

That's one failure to get to that point, insted of 2, 3 or 4.  And since it's
human-based a lot of the time, it's probably even more likely.

>                      In other words, NAT doesn't really improve anything,
> but, the difference between the common failure modes of a firewall
> vs. a router are worthy of consideration. The infinitesimal advantage
> of NAT if you use a router instead of a firewall to perform the duties
> of a firewall is dramatically overshadowed by the costs and damage
> done by NAT.

Costs already sunk, IME.  Damage is a question-begging term here.

> OTOH, routers, being designed primarily to forward packets and having
> security appliance features added as a secondary capability will, in
> many cases, address most of these failures by passing packets which
> would not be permitted if properly configured and/or functioning.

Yup.  What I've been saying (or implying) right along.  So, in networks,
or in seats, take your pick, does anyone have any deployment numbers on 
router-based firewalls vs the other sort, whatever we're calling them?

> Yes, they are identical and NAT makes no meaningful difference
> to the chances that undesired packets will be forwarded in the event
> of a catastrophic failure outside of these more common failure modes.

I guess we're going to have to agree to disagree here; our respective 
clients will decide what their opinions on that are.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274