Home page logo
/

nanog logo nanog mailing list archives

RE: Where NAT disenfranchises the end-user ...
From: "woody weaver" <woody () callisma com>
Date: Tue, 11 Sep 2001 14:47:59 -0700


On Monday, September 10, 2001 10:30 AM, Scott Gifford wrote:

I ask not to drag this discussion on, but because I use NAT for
address conservation and security on a couple networks that I operate,
and am curious if I'd be much better off with something different...

What is meant by NAT and firewall?

If NAT is limited to simply the act of remapping sockets, then it provides
little or no security.  A source route that takes the packet to the NAT box
and then routes to the target host bypasses NAT security.

What I think is generally meant by (outgoing) NAT is

1) A state table is kept that maps outgoing IP flows to masqueraded values
2) Responses to entries in the table are re-mapped to original values and
routed inward
3) Responses not in the table are dropped.

It is step 3 that provides that stateful filter that provides security.  1
and 2, which comprise NAT, provide no security [except possibly information
concealment, which is generally trivial to penetrate].

The problem is that because a NAT box isn't a security device, per se, it
does not have the same level of verification (hence trust) as a formal
security device.  Using a LinkSys NAT device for a home firewall is probably
appropriate -- the confidence in the trusted computing base should match the
value of the assets being protected.  Using that same device for an
enterprise is probably not appropriate.  If it were "a couple networks that
I operate", I'd go ahead and purchase a firewall product, perhaps a
Netscreen or something inexpensive.  They *are* reviewed as formal security
devices, and I would have a much higher level of confidence that the system
meets its specifications, as rfc2828 puts it.

YMMV.  IANAL, although I play a security professional on TV.

--
Director, Professional Services  pager: 8779583393 () skytel net
Callisma                         voice: 510 450 9132
6400 Hollis St                   cell:  510 593 5849
Emeryville, CA 94608             email: woody.weaver () callisma com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]