Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

[Kradorex Xeron <admin () digibase ca>]

On Monday 04 June 2007 18:06, Owen DeLong wrote:
> On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
> > > On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> > > > Owen DeLong <owen () delong com> writes:
> > > > > There's no security gain from not having real IPs on machines.
> > > > > Any belief that there is results from a lack of understanding.
> > > >
> > > > This is one of those assertions that gets repeated so often people
> > > > are liable to start believing it's true :-).
> > >
> > > Maybe because it _IS_ true.
> > >
> > > > *No* security gain?  No protection against port scans from
> > > > Bucharest?
> > > > No protection for a machine that is used in practice only on the
> > > > local, office LAN?  Or to access a single, corporate Web site?
> > >
> > > Correct.  There's nothing you get from NAT in that respect that
> > > you do
> > > not get from good stateful inspection firewalls.  NONE whatsoever.
> >
> > Sorry, Owen, but your argument is ridiculous. The original
> > statement was
> > "[t]here's no security gain from not having real IPs on machines". If
> > someone said, "there's no security gain from locking your doors",
> > would you
> > refute it by arguing that there's no security gain from locking
> > your doors
> > that you don't get from posting armed guards round the clock?
>
> Except that's not the argument.  The argument would map better to:
>
> There's no security gain from having a screen door in front of your
> door with a lock and dead-bolt on it that you don't get from a door
> with a lock and dead-bolt on it.
>
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security.  NAT/PAT is a screen door.
> Not having public addresses is a screen door.  A stateful inspection
> firewall is a lock and deadbolt.
>
> Owen

To add to that:

Need I remind those of us who see NAT as some sort of firewall?:
NAT is Network Address Translation, and is designed to be for only providing a 
source of private IP addressing.. it wasn't designed to be a "protection" - 
it's just a side effect that it does offers any protection at all.

People may get lucky because their NAT may check from which interface traffic 
comes in on (which is a form of inspection, thus indicates a presense of a 
firewall). But without any sort of packet inspection, someone could trick 
your NAT into thinking a connection was open when it was not, thus opening a 
connection to a system on your NAT (that is probably unfirewalled in itself). 
Or another example: a third party finds out a system on your NAT has a 
connection open to a host on the internet, so the third party wedges their 
own foriged packets into the connection, and a NAT without inspection will 
just foreward it to the internal host without batting an eye.