North American Network Operators Group


Re: IPv6 NAT

  • From: Owen DeLong
  • Date: Fri Oct 31 12:30:52 2003



--On Friday, October 31, 2003 11:43 AM -0500 "Patrick W. Gilmore" <[email protected]> wrote:

> -- On Friday, October 31, 2003 08:03 -0800
> -- Owen DeLong <[email protected]> supposedly wrote:
>
>> There is NO security benefit to NAT/PAT/NAPT.
>
> Disagree.
>
> None of the scanning / infecting viruses could get past a $50 NAT/PAT
> device which Joe User brings home and turns on without configuring.
>
> Do not talk about "if they statically NAT...".  Punching holes in
> stateful firewalls will cause just as much damage.

Actually, many of the viruses will because they are received via other
mechanisms and create stateful outbound connections that go right past
NAT.

However, the scanners won't get past a STATEFUL INSPECTION firewall,
with or without NAT.  You can get a $50 stateful inspection device
without NAT too.  Takes the same configuration effort and usually on
the same devices.  In fact, assuming you have a PC, you probably don't
need to spend $50.  You can get a stateful inspection firewall on your
PC by downloading the ISOs from RedHat (or other LINUX source) for FREE.
Admittedly, the free one takes a little bit of configuration, since
you have to check the box that says "high security".

>> There is a security benefit
>> to stateful inspection.
>
> Agreed.  And I doubt anyone on this list would say differently.

Right.  There is NO security benefit to NAT/PAT/NAPT beyond the
stateful inspection.

>> NAT is harmful to many protocols.  Stateful
>> inspection is not.
>
> Possibly.  But Joe User will never use those "many protocols".  Plus the
> overwhelming majority of protocols are not harmed by NAT.

If you are telling me that Joe User will never use VOIP, then you are
smoking from a different internet hookah than the folks at Vonage.  I don't
know which of you is right, but, I know Vonage has enough customers to
say that at least some number of Joe Users are using SIP and RTP
which are among the protocols broken by NAT.  Next?

> I would bet a statistically insignificant number of packets on the
> Internet (many places to the right of the decimal) are part of those
> protocols.

I guess that depends on your measurement method.  Shall we include or not
include in the count the number of packets that are bogusly tunneled
over other protocols in an attempt to circumvent NAT silliness because
it has become an unfortunate fact of life?  Also, depending on who
you ask, P2P filesharing (regardless of your position on the legality,
the technology isn't inherently a bad thing) does not constitute a
statistically insignificant portion of the traffic mix.  A number of
P2P protocols incorporate significant workarounds to deal with NAT.
Many of these workarounds do things which essentially eliminate the
previously defined security benefit and often in a way which makes
things less secure than they would have been without NAT with a good
stateful inspection firewall.

> This does not mean we should NAT everything, since I use some of those
> protocols.  But if every Joe User had a DLink NAT box in front of his
> Winbloze box, the Internet would be a safer place.  And you know it.

I disagree.  I think the better solution to that problem is for every Joe
User to spend that $50 suing Micr0$0ft for their exploding pinto in the
local small claims court.  If that happened, Micr0$0ft would get the
message that there is a cost to doing business the way they have and they
would be forced to change their strategy and fix some of these issues.
That would be $50 much better spent.  Even if Joe User loses his case
in small claims (most likely), making Micr0$0ft play legal whack-a-mole
would still have the desired effect.

For Joe User to go out and get the NAT box requires that Joe User recognize
some level of need for security.  If we can teach Joe User that, then we
ought to be able to teach him to secure the box directly without needing
a $50 device.  Even Windows now has stateful firewall capabilities on
the box.  It's just not that hard.

> --
> TTFN,
> patrick

Owen

--
If it wasn't signed, it probably didn't come from me.
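
[Editor's added example, not part of the thread.]  The core claim in the
exchange above is that the filtering comes from connection tracking, not
from address rewriting: an unsolicited scan is dropped by a stateful
filter whether or not it NATs, a reply to an inside-initiated flow (the
mail-borne worm "phoning home" included) is admitted whether or not it
NATs, and a statically punched hole exposes the host either way.  The toy
model below replays one constructed packet trace through a plain stateful
filter, a NAPT box, and a NAPT box with a forwarded port.  `StatefulFilter`,
`run_trace` and `compare` are names assumed for this illustration; the
addresses are RFC 5737 documentation ranges plus an RFC 1918 LAN, and the
model is a simplification, not any vendor's conntrack code.

```python
"""Toy connection-tracking filter, run with and without NAPT.

Added illustration; a simplified model, not a real firewall's code.
Addresses are RFC 5737 documentation ranges plus an RFC 1918 LAN.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Stateful inspection with optional source NAPT.

    Flows opened from the inside are tracked and their replies admitted.
    Unsolicited packets from the outside are dropped, unless a static hole
    was punched for that WAN address/port (a port forward or pinhole).
    """

    def __init__(self, nat_public: Optional[str] = None,
                 holes: Iterable[Tuple[str, int]] = ()):
        self.nat_public = nat_public      # None: plain stateful filter, no address rewriting
        self.holes = set(holes)           # {(wan_ip, wan_port)} statically exposed to the Internet
        self.flows: Dict[Tuple[str, int, str, int], int] = {}      # inside 4-tuple -> WAN source port
        self.wan_ports: Dict[int, Tuple[str, int, str, int]] = {}  # NAT only: WAN port -> inside 4-tuple
        self._next_wan_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host sends a packet out; track the flow and return it as seen on the WAN."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            if self.nat_public is None:
                self.flows[key] = pkt.sport
            else:
                self.flows[key] = self._next_wan_port
                self.wan_ports[self._next_wan_port] = key
                self._next_wan_port += 1
        if self.nat_public is None:
            return pkt
        return replace(pkt, src=self.nat_public, sport=self.flows[key])

    def inbound(self, pkt: Packet) -> str:
        """Packet arrives from the Internet on the WAN side; returns 'ACCEPT' or 'DROP'."""
        if (pkt.dst, pkt.dport) in self.holes:
            return "ACCEPT"               # exposed service: the same damage with or without NAT
        if self.nat_public is None:
            reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if reply_key in self.flows else "DROP"
        if pkt.dst != self.nat_public:
            return "DROP"
        key = self.wan_ports.get(pkt.dport)
        # The reply must come from the peer the inside host actually talked to.
        if key is not None and key[2:] == (pkt.src, pkt.sport):
            return "ACCEPT"
        return "DROP"


ATTACKER, SERVER = "198.51.100.7", "192.0.2.80"   # constructed Internet hosts


def run_trace(fw: StatefulFilter, inside_ip: str, wan_ip: str) -> Dict[str, str]:
    """Replay the same constructed events; wan_ip is how the Internet reaches inside_ip."""
    verdicts = {}
    # 1. Unsolicited scan of an RPC port, the probe the thread is arguing about.
    verdicts["scan"] = fw.inbound(Packet(ATTACKER, 4444, wan_ip, 135))
    # 2. Inside host opens a web connection; the server's reply rides the tracked flow.
    seen = fw.outbound(Packet(inside_ip, 51000, SERVER, 80))
    verdicts["reply"] = fw.inbound(Packet(SERVER, 80, seen.src, seen.sport))
    # 3. Someone else aims at the same WAN port: wrong peer, so no tracked flow matches.
    verdicts["hijack"] = fw.inbound(Packet(ATTACKER, 80, seen.src, seen.sport))
    # 4. Malware that arrived by mail phones home: an outbound flow, so its replies get in.
    seen = fw.outbound(Packet(inside_ip, 51001, ATTACKER, 6667))
    verdicts["phone_home"] = fw.inbound(Packet(ATTACKER, 6667, seen.src, seen.sport))
    return verdicts


def compare() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Same trace through a plain stateful filter, a NAPT box, and a NAPT box with port 135 forwarded."""
    plain = run_trace(StatefulFilter(), "203.0.113.10", "203.0.113.10")
    natted = run_trace(StatefulFilter(nat_public="203.0.113.5"), "192.168.1.10", "203.0.113.5")
    punched = run_trace(StatefulFilter(nat_public="203.0.113.5", holes={("203.0.113.5", 135)}),
                        "192.168.1.10", "203.0.113.5")
    return plain, natted, punched


if __name__ == "__main__":
    for name, verdict in zip(("plain stateful", "NAPT", "NAPT + port 135 forwarded"), compare()):
        print(f"{name:28s} {verdict}")
```

The plain and NAPT runs produce identical verdicts: the scan is dropped
and the hijack attempt is dropped because no tracked flow has that peer,
while both the legitimate reply and the phone-home reply are accepted
because the inside host opened them.  Only the forwarded port changes the
outcome, and it changes it the same way a pinhole in a non-NAT stateful
filter would.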

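[Editor's added example, not part of the thread.]  The thread names SIP and
RTP as protocols NAT breaks but does not show the mechanism.  A plain NAPT
rewrites the IP/UDP header and forwards the payload byte for byte, so the
private address and port the phone wrote into its SDP body reach the far
end untouched, and the far end sends RTP to an RFC 1918 address it cannot
reach.  The code below parses the media target out of a constructed INVITE,
checks it against the header address the far end actually sees, and then
applies the kind of payload rewrite a SIP ALG or a STUN-aware phone does
(the "workaround" the message refers to).  `sdp_media_target`, `diagnose`
and `alg_rewrite` are names assumed here; the INVITE is constructed, not a
capture, and the rewrite is a minimal illustration rather than any real
ALG's code.

```python
"""Why NAPT breaks SIP/RTP: the address inside the SDP body is not translated.

Added illustration with a constructed INVITE; the 'ALG' rewrite is a minimal
sketch, not a real NAT's or phone's implementation.
"""
import ipaddress
import re
from typing import Dict, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SIP INVITE from a phone at 192.168.1.20 behind a NAPT box (not a capture).
INVITE = (
    "INVITE sip:bob@192.0.2.40 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@192.168.1.20>;tag=1928301774\r\n"
    "To: <sip:bob@192.0.2.40>\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def is_rfc1918(ip: str) -> bool:
    """True for addresses that are not routable across the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def sdp_media_target(msg: str) -> Tuple[str, int]:
    """The address/port the far end will send RTP to, taken from the SDP c= and m= lines."""
    body = msg.split("\r\n\r\n", 1)[1]
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
    return ip, port


def diagnose(outer_src_ip: str, msg: str) -> Dict[str, object]:
    """outer_src_ip is the source the far end sees in the IP header after NAPT;
    msg is the payload, which a plain NAPT forwards unchanged."""
    ip, port = sdp_media_target(msg)
    return {
        "rtp_target": (ip, port),
        "target_is_rfc1918": is_rfc1918(ip),          # far end would send RTP into a black hole
        "target_matches_header": ip == outer_src_ip,  # what a NAT-unaware far end expects
    }


def alg_rewrite(msg: str, public_ip: str, public_rtp_port: int) -> str:
    """The workaround: rewrite the private address in Via/Contact/From and in the SDP o=/c=
    lines, and advertise the NAT-side RTP port.  A real ALG must also install the NAT
    mapping for that port, which is exactly the hole the thread calls a loss of security."""
    head, body = msg.split("\r\n\r\n", 1)
    private_ip = sdp_media_target(msg)[0]
    head = head.replace(private_ip, public_ip)
    body = body.replace(private_ip, public_ip)
    body = re.sub(r"^m=audio \d+ ", f"m=audio {public_rtp_port} ", body, flags=re.M)
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print("as forwarded by a plain NAPT:", diagnose("203.0.113.5", INVITE))
    fixed = alg_rewrite(INVITE, "203.0.113.5", 40002)
    print("after ALG rewrite:           ", diagnose("203.0.113.5", fixed))
```

Without the rewrite the diagnosis reports an RFC 1918 media target that
does not match the translated header address; after it, the far end is
told to send RTP to the NAT's public address on a port the NAT now has to
map inward.  That is the trade the P2P and VoIP workarounds in the thread
make: the application layer has to open the very kind of static hole that
the stateful filter was supposed to keep closed.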