nanog mailing list archives

Re: Is NAT can provide some kind of protection?


From: Owen DeLong <owen () delong com>
Date: Thu, 13 Jan 2011 13:32:17 -0800


On Jan 13, 2011, at 1:21 PM, Lamar Owen wrote:

> On Wednesday, January 12, 2011 03:50:28 pm Owen DeLong wrote:
>> That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny.
>
> This is demonstrably not correct. Even in the case of dynamic overloaded NAT, at least on Cisco, there is no
> firewalling going on (if firewalling is defined as blocking something). It looks like there is, but that's an
> illusion, a sleight-of-hand, not reality. In the NAT order of operations in IOS at least you'll find NAT occurs
> before the routing decision does. Thus, if you change the address in the packet header, you change which routing
> table entry will be used to route that packet. It's the rewriting of the address that then causes the routing to
> send the packet in a different direction; in practice most of the time there is either no route or a null route to
> the inside global address or address block, but it doesn't have to be that way.

The rewriting is done by matching the packet against a state table.
No match, no rewrite, no forward.

If you have a state table and packets have to match the state table to get forwarded, that is, by definition, a 
stateful firewall.

> You could easily set up a NAT where the inside local addresses are on, say, GigabitEthernet0/0 and the inside global
> address(es) are on Null0.... or GigabitEthernet0/1 (where the honeynet or tarpit resides, perhaps?), or whatnot.
> Packets that don't match the NAT can just be routed elsewhere, not just to a null route, easily enough. The default
> destination for most cases happens to be a null route; this is certainly a good imitation of a deny.

The difference between drop, deny, and forward to null0 is a subtlety that doesn't have much to do with the outcome of 
what happens to the packet. In all cases, the packet is discarded.

The bottom line is that a default forward to null0 is a default deny. Yes, it can be overridden like most defaults.
Yes, the mechanism for overriding a default deny in an ACL and overriding a default forward to null0 in a state table
may be in different parts of the configuration or require different commands, but it doesn't change the fact that you
have a stateful firewall of one form or another.

Owen
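Added example, not code from the NANOG thread or from either poster: a small Python model of overloaded NAT that follows the ordering Lamar Owen describes (translation is attempted before the routing decision, and a packet with no state-table match is left unrewritten and routed on its original destination) and the state-table semantics Owen DeLong describes (only a matching entry causes a rewrite and a forward into the inside network). The interface names, addresses, port numbers and routing table are constructed sample values; `build_sample_router` and `honeynet` are hypothetical names chosen for this illustration.

```python
"""Toy model of IOS-style overloaded NAT: NAT lookup before routing.

Added example for the NANOG thread; not the posters' code.  All addresses,
interfaces and the routing table below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Overloaded (PAT) NAT in front of a longest-prefix-match routing table."""

    def __init__(self, inside_global, routes):
        self.inside_global = inside_global
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        # state table: (inside global addr, global port) -> (inside local addr, local port)
        self.state = {}
        # reverse index used for outbound packets from already-translated flows
        self.reverse = {}
        self.next_port = 1024

    def route(self, dst):
        """Longest-prefix match; a destination with no route at all is dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nexthop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else "drop (no route)"

    def outbound(self, pkt):
        """Inside -> outside: create or reuse a translation, rewrite source, then route."""
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            gport = self.next_port
            self.next_port += 1
            self.reverse[key] = gport
            self.state[(self.inside_global, gport)] = key
        translated = Packet(self.inside_global, self.reverse[key], pkt.dst, pkt.dport)
        return translated, self.route(translated.dst)

    def inbound(self, pkt):
        """Outside -> inside: the NAT lookup happens first, the routing decision second."""
        entry = self.state.get((pkt.dst, pkt.dport))
        if entry is None:
            # No state-table match: no rewrite.  The packet keeps its inside-global
            # destination and is routed on that address, whatever the table says.
            return pkt, self.route(pkt.dst)
        local, lport = entry
        translated = Packet(pkt.src, pkt.sport, local, lport)
        return translated, self.route(translated.dst)


def build_sample_router(honeynet=False):
    """Constructed topology: inside LAN on Gi0/0, Internet on Gi0/1, NAT pool 203.0.113.10.

    With honeynet=False the pool address is routed to Null0 (the common default the
    thread mentions); with honeynet=True it points at Gi0/2, the "tarpit" variant.
    """
    pool_nexthop = "GigabitEthernet0/2" if honeynet else "Null0"
    return NatRouter("203.0.113.10", [
        ("192.168.1.0/24", "GigabitEthernet0/0"),
        ("203.0.113.10/32", pool_nexthop),
        ("0.0.0.0/0", "GigabitEthernet0/1"),
    ])


def demo():
    """Walk one flow through the model and return what happened to each packet."""
    r = build_sample_router()
    # Unsolicited packet from the outside before any inside host has talked: no entry.
    unsolicited = Packet("198.51.100.99", 12345, "203.0.113.10", 2222)
    before = r.inbound(unsolicited)
    # Inside host opens a connection; a translation entry is created.
    out = r.outbound(Packet("192.168.1.10", 40000, "198.51.100.5", 80))
    # The reply matches the entry, is rewritten back to the inside local address, and
    # is therefore routed into the LAN instead of to Null0.
    reply = r.inbound(Packet("198.51.100.5", 80, "203.0.113.10", out[0].sport))
    # Another unsolicited packet still matches nothing and still lands on Null0.
    after = r.inbound(unsolicited)
    return {"before": before, "outbound": out, "reply": reply, "after": after}


if __name__ == "__main__":
    for name, (pkt, nexthop) in demo().items():
        print(f"{name:9s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  via {nexthop}")
```

The model makes the thread's point concrete: nothing in `inbound` explicitly blocks anything, yet an unsolicited packet is never rewritten and so is routed exactly as the table for the inside-global address says. Whether you call that a null route or a default deny, the observable result is the same, and swapping `honeynet=True` in shows the "route it somewhere else instead" variant.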


