nanog mailing list archives

Re: Security gain from NAT

From: Fred Baker <fred () cisco com>
Date: Mon, 4 Jun 2007 20:05:37 -0700



On Jun 4, 2007, at 12:22 PM, Dave Israel wrote:

Valdis.Kletnieks () vt edu wrote:
On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
*No* security gain? No protection against port scans fromBucharest?
No protection for a machine that is used in practice only on the
local, office LAN?  Or to access a single, corporate Web site?
Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
configured stateful *non*-NAT firewall should be doing for youalready.
What the firewall *should* be doing? The end devices *should* notneed protection in the first place, because they *should* be secureas individual devices. But they are not. So you put a firewall infront of them, and that device *should* give them all theprotection they need. But sometimes, it doesn't. So you make enddevices unaddressable by normal means, and while it shouldn't givethem more security, it turns out it does. No matter how much itshouldn't, and how much we wish it didn't, it does.
The difference between theory and practice is that in theory, thereis no difference, but in practice, there is.


Actually, I would disagree.

A large percentage of attacks, 80% by some estimates, are from behindthe firewall. I will argue that the end system needs its own defensesanyway for that reason if none other.

That said, the end system is not the only thing one defends. One hasan investment in bandwidth and in various other services that oneprovides for one's-self; the firewall primarily defends those assets,and incidentally gives a first line of defense for your end systems.

Defense in depth is also a very commonly used strategy; by limitingthe attacks that can happen, in defended places one can focus moreheavily on attacks that remain possible.

I compare it to the human body's defenses. We have all sorts ofthings that we use to defend against disease etc; cells that attackspecific things, cells that attack things that differ from what isexpected, sentinels, and all sorts of other things. We also have atleast two firewalls. The skin keeps an awful lot of crud out, meaningwe don't have to bring in the big guns, and between the brain and therest of the body we have a second firewall.

NATs are overrated as firewalls. As defenses, they are breached withsome regularity. Stateful firewalls are better, if only because theyare more intelligent. And firewalls as a class are over-rated as adefense mechanism. There is a long list of attacks that cross themwith ease. But as one weapon in the arsenal, they are a simpleprophylactic that helps in a material way.

Current thread:

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff), (continued)
- - - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Valdis . Kletnieks (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Dorn Hetzel (Jun 04)
    - Security gain from NAT (was: Re: Cool IPv6 Stuff) Jim Shankland (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Daniel Senie (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Edward B. DREGER (Jun 04)
    - Re: Security gain from NAT Richard P. Welty (Jun 04)
    - Re: Security gain from NAT Donald Stahl (Jun 04)
    - Re: Security gain from NAT Dave Israel (Jun 04)
    - Re: Security gain from NAT Edward B. DREGER (Jun 04)
    - Re: Security gain from NAT Fred Baker (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Larry Smith (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Lamar Owen (Jun 04)
    - Enterprise IPv6 (Was: Cool IPv6 Stuff/Security gain from NAT) Nathan Ward (Jun 04)