Re: NAT external/Public IP
From: krymson () gmail com
Date: 9 Nov 2007 17:49:35 -0000
This thread has spawned a lot of smaller topics that are getting mashed together, bastardized, and confused. And
reading sec-basics was supposed to be a mini-break for me! :)
1) I dislike discussions on the value of obscurity, because the typical two parties in the discussion are often both
2) Correct: obscurity does not affect the security of a device itself. An unpatched Windows OS won't become more
secure, in and of itself, because you hid it in a closet with no network. The OS is still insecure.
3) Correct, the risk to a device is affected in a positive way by obscuring it. The risk to that Windows system is
pretty low because it doesn't even have a network cable attached to it!
4) This can also be illustrated with our age-old example of putting SSH on an alternate port. This won't make the SSH
daemon or user passwords any more secure, but you will see a dramatic reduction in the number of logged brute force
attempts when it is on an odd port. This is of value to many security professionals, and should be labeled a "reduction
of risk." Sadly, many people still just call this an "increase in security" which gets quickly mistaken.
5) Back to the topic at hand: NAT. Does NAT increase security? That is clearly not its purpose, but it can help reduce
risk, the same as good ACLs or firewall rules. To discuss further, we need clear examples of what we're envisioning our
network to be. Are we assuming Internet traffic goes right to a host, all 65,535 ports? I'd rather have NAT stopping
that (which pretty much forces us to use some firewall/acl rules), so I don't have to worry about all those ports. Does
this increase the security of the box? Not directly. Does it mitigate risk? Yes. Does this add value? Yes.
And so on. Basically, I think most of the thread participants are correct, we're just dealing with mismatched
definitions of terms, and mismatched illustrations where not everything is equal.
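As an added illustration of point 5 (example code, not part of the original post): a toy port-overloading NAT table, using constructed addresses from the documentation ranges. It shows that an unsolicited inbound packet to an inside host is dropped only because the gateway holds no mapping for it and refuses unmatched traffic; that refusal is the filtering decision the post says NAT "pretty much forces" on you.

```python
"""Toy NAPT (port-overloading NAT) gateway, constructed for illustration.

Outbound flows create a translation entry; an inbound packet is forwarded
only when it matches an existing entry, otherwise there is nowhere to
deliver it and the gateway drops it (the implicit filtering rule).
"""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed, RFC 5737 documentation range


@dataclass
class NaptGateway:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet, creating a mapping if needed."""
        for key, inside in self.table.items():
            if inside == (src_ip, src_port) and key[1:] == (dst_ip, dst_port):
                return (self.public_ip, key[0], dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate an outside->inside packet; None means no mapping, drop."""
        inside = self.table.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def demo():
    """Constructed traffic: one legitimate web flow and one unsolicited probe."""
    gw = NaptGateway()
    # inside host 192.168.1.20 opens a connection to a web server
    pkt = gw.outbound("192.168.1.20", 51000, "198.51.100.5", 80)
    # the server's reply matches the mapping and is delivered inside
    reply = gw.inbound("198.51.100.5", 80, pkt[1])
    # an unrelated outside host sends to port 22: no mapping, dropped
    probe = gw.inbound("198.51.100.99", 4444, 22)
    return pkt, reply, probe
```

The same table is what a port-forward (static DNAT) entry would bypass, which is why exposing a service through NAT puts you right back to needing explicit firewall rules for that port.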