North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: Where NAT disenfranchises the end-user ...
On Monday, September 10, 2001 10:30 AM, Scott Gifford wrote: >I ask not to drag this discussion on, but because I use NAT for >address conservation and security on a couple networks that I operate, >and am curious if I'd be much better off with something different... What is meant by NAT and firewall? If NAT is limited to simply the act of remapping sockets, then it provides little or no security. A source route that takes the packet to the NAT box and then routes to the target host bypasses NAT security. What I think is generally meant by (outgoing) NAT is 1) A state table is kept that maps outgoing IP flows to masqueraded values 2) Responses to entries in the table are re-mapped to original values and routed inward 3) Responses not in the table are dropped. It is step 3 that provides that stateful filter that provides security. 1 and 2, which comprise NAT, provide no security [except possibly information concealment, which is generally trivial to penetrate]. The problem is that because a NAT box isn't a security device, per se, it does not have the same level of verification (hence trust) as a formal security device. Using a LinkSys NAT device for a home firewall is probably appropriate -- the confidence in the trusted computing base should match the value of the assets being protected. Using that same device for an enterprise is probably not appropriate. If it were "a couple networks that I operate", I'd go ahead and purchase a firewall product, perhaps a Netscreen or something inexpensive. They *are* reviewed as formal security devices, and I would have a much higher level of confidence that the system meets its specifications, as rfc2828 puts it. YMMV. IANAL, although I play a security professional on TV. -- Director, Professional Services pager: [email protected] Callisma voice: 510 450 9132 6400 Hollis St cell: 510 593 5849 Emeryville, CA 94608 email: [email protected]