North American Network Operators Group


Re: [arin-announce] IPv4 Address Space (fwd)

  • From: Scott McGrath
  • Date: Thu Oct 30 09:22:01 2003

> On Wed, 29 Oct 2003, Scott McGrath wrote:
> 
> > Life would be much simpler without NAT; however, there are non-computer
> > devices which use the internet to get updates for their firmware that most
> > of us would prefer not to be globally reachable due to the human error
> > factor i.e. "Oops forgot a rule to protect X".
> <snip>
> > A good example of this is building control systems which get firmware
> > updates via FTP!!!! from their maker.  Usually there is no manual system
> > for updating them offline and allowing them to be disconnected from the
> > internet  as in my opinion they _should_ be.
> 
> NAT is certainly not the only way to restrict this sort of access.  For
> your ship example (snipped) an isolated network is best.
> 
> For your building control systems a firewall preventing inbound access,
> instead of a NAT device, should be your control of choice.

You are missing the point.  Building control gear, instrument controllers,
power controllers: their builders see a _cheap_ distribution method for
updates, so they buy a TCP stack and cobble together an embedded application
to update their software.

Vendors are not thinking about acceptable levels of network security
when they design this gear; they are thinking "hmm, no floppy or CD-ROM for
$20, I can just put in a $4 ethernet controller and I can also save the
salaries of the people needed to distribute the physical media."
 
> 
> > This class of devices should not have a globally routable address
> > because in many cases security on them is less than an afterthought (short
> > fixed passwords no support for secure protocols, etc)
> 
> routable =! reachable.  Restrict inbound access to your networks as
> needed, with or without NAT, IPv4 or IPv6.   For legacy IPv4 networks that
> haven't been renumbered to IPv6, use a 4to6 gateway.
> 
routable _is_ reachable; a firewall is merely a filtering device, it cannot
determine the intent of the packet.  If a packet complies with your
defined ruleset and the protocol rules for that type of packet, the
firewall passes it.  NAT also has the advantage that if packets do leak,
bogon filters at the border will drop them.

Firewalls cannot compensate for broken protocols or, worse yet, proprietary
protocols which the firewall device has no knowledge of and therefore is
limited to L3/4 filtering only.  I have been playing with firewalls and
other internetwork security devices for longer than I care to remember.


> You seem to be arguing that NAT is the only way to prevent inbound access.
> While it's true that most commercial IPv4 firewalls bundle NAT with packet
> filtering, the NAT is not required..and less-so with IPv6.

Actually no, I tend to avoid NAT whenever possible; as other posters have
pointed out, NAT tends to break things which are not ordinarily broken and
I do not need the additional headaches.  I simply see NAT as a tool in
the toolbox to be used to fix networking problems.

> 
> ...david
> 
> ---
> david raistrick
> [email protected]		http://www.expita.com/nomime.html
>
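The thread argues two things about protecting gear like the building controllers: a default-deny inbound filter (David's suggested control) only knows addresses and ports, so it passes whatever matches the ruleset and cannot help a protocol it does not understand, and a border bogon filter will drop packets that leak with a private source. The following is an added example, not code from either poster or from any firewall product: a small stateful packet filter and a bogon check in Python, run over constructed packets. The addresses (documentation prefixes 192.0.2.0/24 for the control subnet, 198.51.100.10 for the vendor update server, 203.0.113.5 for an outsider), the single allowed outbound port (FTP control, 21) and the packets themselves are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not from the thread): the building-control
# subnet uses documentation prefix 192.0.2.0/24, the vendor's update server is
# 198.51.100.10, and an unrelated outside host is 203.0.113.5.
CONTROL_NET = ipaddress.ip_network("192.0.2.0/24")
VENDOR = "198.51.100.10"
CONTROLLER = "192.0.2.7"
OUTSIDER = "203.0.113.5"

# Source prefixes a border router drops regardless of the ruleset (a subset of
# the usual bogon list; a real filter would carry the full, current list).
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True = new-connection attempt, False = segment of an existing flow


class StatefulFilter:
    """Default-deny inbound. Inside hosts may open connections only to the
    listed outbound ports; replies belonging to those connections are let back in."""

    def __init__(self, inside, allowed_outbound_ports):
        self.inside = inside
        self.allowed = set(allowed_outbound_ports)
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in self.inside and dst not in self.inside:  # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                if pkt.dport not in self.allowed:
                    return "DROP"
                self.sessions.add(key)
                return "ACCEPT"
            return "ACCEPT" if key in self.sessions else "DROP"
        # inbound: the filter only knows addresses and ports, so it accepts any
        # segment that maps onto a session an inside host opened, and nothing else
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if (not pkt.syn and key in self.sessions) else "DROP"


def border_bogon_filter(pkt):
    """Border check: drop anything sourced from a bogon prefix."""
    src = ipaddress.ip_address(pkt.src)
    return "DROP" if any(src in b for b in BOGONS) else "PASS"


def run_scenario():
    """Walk constructed packets through the filters; return verdicts by name."""
    fw = StatefulFilter(CONTROL_NET, allowed_outbound_ports={21})
    v = {}
    # 1. controller opens the FTP control channel to the vendor: allowed outbound
    v["ftp_control_out"] = fw.decide(Packet(CONTROLLER, 40000, VENDOR, 21, syn=True))
    # 2. vendor's replies on that channel come back in: matches the session
    v["ftp_control_reply"] = fw.decide(Packet(VENDOR, 21, CONTROLLER, 40000, syn=False))
    # 3. unsolicited inbound to the controller's telnet port: no session, dropped
    v["unsolicited_inbound"] = fw.decide(Packet(OUTSIDER, 5555, CONTROLLER, 23, syn=True))
    # 4. controller tries telnet out to an arbitrary host: not on the allow-list
    v["telnet_out"] = fw.decide(Packet(CONTROLLER, 40001, OUTSIDER, 23, syn=True))
    # 5. active-mode FTP: the server opens the data connection back to the
    #    client. The L3/4 filter never saw the PORT command, so this is just an
    #    unsolicited inbound SYN and is dropped; the update breaks unless an
    #    FTP-aware helper is added (the "broken protocol" problem from the thread)
    v["ftp_active_data"] = fw.decide(Packet(VENDOR, 20, CONTROLLER, 40002, syn=True))
    # 6. border bogon filter: a packet that leaked with an RFC 1918 source is
    #    dropped; the same packet from the routed control subnet passes
    v["leaked_private_src"] = border_bogon_filter(Packet("10.1.2.3", 40003, VENDOR, 21, syn=True))
    v["routed_src"] = border_bogon_filter(Packet(CONTROLLER, 40003, VENDOR, 21, syn=True))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22s} {verdict}")
```

Cases 3 and 4 show the inbound-block David describes doing its job without NAT; case 5 shows Scott's objection, that an address-and-port filter cannot fix a protocol it does not understand (here, active-mode FTP); case 6 shows the bogon filter catching a leaked private-source packet, which is the one advantage Scott grants NAT.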