nanog mailing list archives

Re: mh (RE: OMB: IPv6 by June 2008)


From: Fred Baker <fred () cisco com>
Date: Fri, 8 Jul 2005 10:34:02 -0700


On Jul 8, 2005, at 9:49 AM, Jay R. Ashworth wrote:
A machine behind a NAT box simply is not visible to the outside world, except for the protocols you tunnel to it, if any. This *has* to vastly reduce its attack exposure.

It is true that the exposure is reduced, just as it is with a stateful firewall. The technical term for this is "security by obscurity". Being obscure, however, is not the same as being invisible or being protected. It just means that you're a little harder to hit. When a NAT sets up an association between an "inside" and "outside" address+port pair, that constitutes a bridge between the inside device and the outside world. There are ample attacks that are perpetrated through that association.

A NAT, in that context, is a stateful firewall that changes the addresses, which means that the end station cannot use IPSEC to ensure that it is still talking with the same system on the outside. It is able to use TLS, SSH, etc as transport layer solutions, but those are subject to attacks on TCP such as RST attacks, data insertion, acknowledge hacking, and so on, and SSH also has a windowing problem (on top of TCP's window, SSH has its own window, and in large delay*bandwidth product situations SSH's window is a performance limit). In other words, a NAT is a man-in-the-middle attack, or is a device that forces the end user to expose himself to man-in-the-middle attacks. A true stateful firewall that allows IPSEC end to end doesn't expose the user to those attacks.
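
The two claims above (a NAT association is a bridge that inbound traffic can reach, and address rewriting breaks an end-to-end IPsec integrity check where a plain stateful firewall does not) modelled in code. This is an added example, not code from the original post or the thread. It assumes a simplified packet with addresses, ports and payload, an HMAC-SHA256 over the fields AH would cover standing in for the real AH ICV, a pre-shared key, documentation-range addresses (10.0.0.0/8, 192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24) and a full-cone NAT whose inbound mapping is keyed only on the public port; all of those are constructed for illustration.

```python
"""Added example: why an AH-style integrity check survives a stateful firewall
but not a NAT, and why a NAT mapping admits unsolicited inbound traffic.

Everything here is a constructed model (not real IPsec or a real NAT):
a Packet carries the fields a simplified AH would protect, ah_sign/ah_verify
use HMAC-SHA256 as the ICV, and addresses come from documentation ranges."""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    icv: bytes = b""


def _covered_bytes(p: Packet) -> bytes:
    # AH covers the immutable IP header fields plus the whole payload (which
    # carries the transport ports). Mutable fields such as TTL are excluded.
    return b"|".join([p.src.encode(), p.dst.encode(),
                      str(p.sport).encode(), str(p.dport).encode(), p.payload])


def ah_sign(p: Packet, key: bytes) -> Packet:
    return replace(p, icv=hmac.new(key, _covered_bytes(p), hashlib.sha256).digest())


def ah_verify(p: Packet, key: bytes) -> bool:
    expected = hmac.new(key, _covered_bytes(p), hashlib.sha256).digest()
    return hmac.compare_digest(expected, p.icv)


class StatefulFirewall:
    """Tracks flows and forwards packets unchanged."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p: Packet) -> Packet:
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p

    def inbound(self, p: Packet):
        # Only the exact reverse 4-tuple of an established flow gets in.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return p
        return None


class NAT:
    """Full-cone NAPT model: rewrites source address/port on the way out and
    admits anything addressed to a mapped public port on the way in."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}    # (inside ip, inside port) -> public port
        self.reverse = {}  # public port -> (inside ip, inside port)

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.table[key])

    def inbound(self, p: Packet):
        # Endpoint-independent mapping: the source is not checked, so the
        # association is a bridge any outside host can use.
        if p.dport not in self.reverse:
            return None
        inside_ip, inside_port = self.reverse[p.dport]
        return replace(p, dst=inside_ip, dport=inside_port)


def run_demo() -> dict:
    key = b"constructed-shared-key"          # pre-shared for the example only
    fw, nat = StatefulFirewall(), NAT("203.0.113.7")
    client = ah_sign(Packet("10.0.0.5", "192.0.2.10", 12345, 443, b"GET / HTTP/1.1"), key)

    via_fw = fw.outbound(client)              # forwarded unchanged
    via_nat = nat.outbound(client)            # src rewritten to 203.0.113.7:40000

    # Server replies to whatever source it saw; the reply is signed end to end.
    reply_fw = ah_sign(Packet("192.0.2.10", via_fw.src, 443, via_fw.sport, b"200 OK"), key)
    reply_nat = ah_sign(Packet("192.0.2.10", via_nat.src, 443, via_nat.sport, b"200 OK"), key)

    # Unsolicited packets from a third party aimed at the client's port.
    stray_fw = Packet("198.51.100.9", "10.0.0.5", 5555, 12345, b"probe")
    stray_nat = Packet("198.51.100.9", "203.0.113.7", 5555, 40000, b"probe")

    return {
        "firewall_icv_ok": ah_verify(via_fw, key),
        "nat_icv_ok": ah_verify(via_nat, key),
        "reply_via_firewall_icv_ok": ah_verify(fw.inbound(reply_fw), key),
        "reply_via_nat_icv_ok": ah_verify(nat.inbound(reply_nat), key),
        "unsolicited_via_firewall": fw.inbound(stray_fw) is not None,
        "unsolicited_via_nat": nat.inbound(stray_nat) is not None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The ICV fails through the NAT in both directions because the receiver recomputes it over the rewritten address and port, exactly the "changes the addresses" problem in the post; the stateful firewall passes it because it inspects but does not modify. The stray-packet check shows the other half of the argument: once a mapping exists, the NAT's inbound rule is looser than the firewall's reverse-4-tuple match, so the association is reachable from outside. A more restrictive (address- or port-restricted) NAT would narrow that, but the rewriting problem remains regardless.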

