North American Network Operators Group


Re: mh (RE: OMB: IPv6 by June 2008)

  • From: David Andersen
  • Date: Fri Jul 08 13:20:54 2005

On Jul 8, 2005, at 12:49 PM, Jay R. Ashworth wrote:

> On Thu, Jul 07, 2005 at 01:31:57PM -0700, Crist Clark wrote:
> > And if you still want "the protection of NAT," any stateful firewall
> > will do it.
>
> That seems a common viewpoint.
>
> I believe the very existence of the Ping Of Death rebuts it.
>
> A machine behind a NAT box simply is not visible to the outside world,
> except for the protocols you tunnel to it, if any.   This *has* to
> vastly reduce its attack exposure.
Not really. Consider the logic in a NAT box:

    if (state table entry exists for packet) {
        translate_header();
        send();
    } else {
        drop();
    }

and the logic in a stateful firewall:

    if (state table entry exists for packet) {
        send();
    } else {
        drop();
    }

This is *exactly* the core of what a NAT does, minus the header mangling. The ping of death exposure, for instance, is identical in both cases: The way to ping of death someone is to find a valid state table entry and exploit it (e.g., if you could do a PoD in reverse by using a too-large ICMP reply, and first convince the victim to ping you).

Configuration options can change the behavior of either, e.g., configuring an internal host to be the "DMZ" host on a NAT, which changes the logic to:

    if (state table) ...
    else
        send_to_dmz_host();

The equivalent operation on a stateful firewall is a permit rule. A stateful firewall can expose more internal hosts to the outside than a NAT with only one IP address, simply because it can have more addressable space to use (if you've only got one IP address, there's only one person who can receive pings). But in general, the two are nearly identical, by virtue of the state table check.

-Dave
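The equivalence argued above, worked through as an added example (not from the original post): a toy gateway model whose only difference between "NAT" and "stateful firewall" is whether the outbound source address is rewritten. Addresses, packet fields and the optional datagram-size check are constructed for the demo; the size check is an assumed hardening step, not something the post describes.

```python
# Added example (not from the original post): a toy model of the state table
# check a NAT box and a stateful firewall share. Addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ident: int        # port, or ICMP echo identifier
    length: int = 84  # reassembled datagram length in bytes

@dataclass
class Gateway:
    nat: bool                        # True = NAT box, False = stateful firewall
    public_ip: str = "198.51.100.1"  # NAT's single outside address (constructed)
    dmz_host: Optional[str] = None   # NAT "DMZ host" or firewall permit rule
    check_size: bool = False         # assumed hardening: drop oversized datagrams
    state: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host sends out: record the expected return flow."""
        src = self.public_ip if self.nat else pkt.src
        self.state[(pkt.dst, src, pkt.proto, pkt.ident)] = pkt.src
        return Packet(src, pkt.dst, pkt.proto, pkt.ident, pkt.length)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Return the internal host that receives pkt, or None if dropped."""
        if self.check_size and pkt.length > 65535:  # larger than any valid IPv4 datagram
            return None
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ident)
        if key in self.state:       # the shared core: a state table hit
            return self.state[key]  # a NAT also rewrites the header here
        if self.dmz_host:           # DMZ host / permit rule: no state needed
            return self.dmz_host
        return None                 # no state, no rule: drop

def compare(dmz: Optional[str] = None, check_size: bool = False) -> dict:
    """Run identical traffic through both gateway types; return who received it."""
    out, host, peer = {}, "10.0.0.5", "203.0.113.9"
    for name, nat in (("nat", True), ("fw", False)):
        gw = Gateway(nat=nat, dmz_host=dmz, check_size=check_size)
        sent = gw.outbound(Packet(host, peer, "icmp", 7))        # host pings peer
        reply = Packet(peer, sent.src, "icmp", 7, length=70000)  # oversized reply
        out[name, "solicited_oversized"] = gw.inbound(reply)
        unsolicited = Packet(peer, gw.public_ip if nat else host, "icmp", 9)
        out[name, "unsolicited"] = gw.inbound(unsolicited)
    return out
```

Both gateway types forward the oversized reply that matches existing state and drop the unsolicited packet; configuring a DMZ host or permit rule opens both identically, and the same size check closes the reply-path exposure in both.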