North American Network Operators Group


RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

  • From: Donald Stahl
  • Date: Mon Jun 04 21:16:29 2007


> I can give you the root password to a Linux machine running telnetd and
> sshd. If it's behind NAT/PAT, you will not get into it. Period.
I'll give you the root password to half a dozen directly connected Linux boxes and you still won't be able to get in.

> I can give you the administrator password to a Windows machine with file
> sharing wide open. If it's behind NAT/PAT, you will not get into it. Period.
The beauty of IPv6 is that Windows can, by default, bind to the Link Local address for file sharing and you still won't be able to get into it, but your local network will still work.

> The only ways into these machines would be if the NAT/PAT device were
> misconfigured, another machine on the secure network were compromised, or
> another gateway into the secure network was set up. Guess what? All of these
> things would defeat a stateful inspection firewall as well.
No one is saying they won't. What people are arguing is that NAT doesn't get you anything more than a stateful inspection firewall, while at the same time breaking a whole lot of other things and introducing unnecessary complexity.

> Definitely. So why lie and distort what NAT/PAT actually does do? A large
> class of security vulnerabilities require the attacker to reach out to the
> machine first, and NAT/PAT stops those attacks completely.
The point is simply that SI does this without the complexity and inanity that is NAT. If you want to deal with it, go right ahead. But the original argument (since we seem to have forgotten) is simply that NAT doesn't get you anything that SI doesn't already provide, while at the same time making everything a lot more complex.

> Is a car alarm useless because some professional thieves can disable it? Is
> a lock useless because some thieves can pick it? Many exploits only go after
> low-hanging fruit, and NAT/PAT stops them.
For the nth time: so does SI, and it does it without the header mangling, complexity and troubleshooting headaches that come with NAT.

No one is denying that NAT works, but it works well because of SI, not because of NAT (in fact static NAT does nothing to stop an attack in any way, shape or form).

The question we are asking you is what does NAT get us over and above SI? Because if the answer is nothing, then not having to deal with NAT's shortcomings is reason enough to ditch it in favor of straightforward SI.

-Don
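The argument in the post above, worked through as a small simulation. This is an added example and is not part of the original NANOG message or anyone's real firewall code. It models three gateway behaviours discussed in the thread: a stateful inspection filter with no address rewriting ("si"), NAT/PAT with a port mapping table ("pat"), and 1:1 static NAT ("static"). All addresses, ports and packets are constructed sample data (RFC 5737 documentation ranges); TCP flags, timeouts and per-peer restrictions are deliberately left out, so this shows the principle rather than any vendor's connection tracker.

```python
"""Added example (not from the original post): stateful inspection vs NAT/PAT
vs static NAT, reduced to "does an unsolicited inbound packet get delivered?"."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

FlowKey = Tuple[str, int, str, int, str]

INSIDE_PREFIX = "10.0.0."      # constructed: inside hosts live in 10.0.0.0/24
GW_PUBLIC = "203.0.113.1"      # constructed: the gateway's outside address
INSIDE_HOST = "10.0.0.10"      # constructed: the box running sshd/file sharing
STATIC_PUBLIC = "203.0.113.10" # constructed: its 1:1 static NAT address
ATTACKER = "198.51.100.7"      # constructed: outside attacker
WEB_SERVER = "198.51.100.80"   # constructed: outside web server

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

class Gateway:
    """Hypothetical gateway. mode is 'si', 'pat' or 'static'."""

    def __init__(self, mode: str, static_map: Optional[Dict[str, str]] = None):
        assert mode in ("si", "pat", "static")
        self.mode = mode
        self.flows: Set[FlowKey] = set()                  # SI: outbound flows seen
        self.pat_table: Dict[int, Tuple[str, int]] = {}  # PAT: public port -> inside (ip, port)
        self.next_public_port = 40000
        self.static_in = dict(static_map or {})           # public ip -> inside ip
        self.static_out = {v: k for k, v in self.static_in.items()}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the gateway, or None if it is dropped."""
        return self._outbound(pkt) if is_inside(pkt.src) else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> Optional[Packet]:
        if self.mode == "si":
            # Remember the flow; no rewriting at all.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return pkt
        if self.mode == "pat":
            # The mapping table *is* connection state: it only exists for
            # connections an inside host started.
            pub = self._alloc_port(pkt.src, pkt.sport)
            return Packet(GW_PUBLIC, pub, pkt.dst, pkt.dport, pkt.proto)
        pub_ip = self.static_out.get(pkt.src)   # static: rewrite only, no state
        return None if pub_ip is None else Packet(pub_ip, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def _alloc_port(self, ip: str, port: int) -> int:
        for pub, inner in self.pat_table.items():
            if inner == (ip, port):
                return pub
        pub, self.next_public_port = self.next_public_port, self.next_public_port + 1
        self.pat_table[pub] = (ip, port)
        return pub

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        if self.mode == "si":
            # Delivered only if it is the reverse of a flow an inside host opened.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            return pkt if key in self.flows else None
        if self.mode == "pat":
            if pkt.dst != GW_PUBLIC or pkt.dport not in self.pat_table:
                return None                       # no mapping -> nowhere to deliver it
            in_ip, in_port = self.pat_table[pkt.dport]
            return Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.proto)
        in_ip = self.static_in.get(pkt.dst)       # static: rewrite and deliver, unconditionally
        return None if in_ip is None else Packet(pkt.src, pkt.sport, in_ip, pkt.dport, pkt.proto)

def scenario(mode: str) -> Dict[str, bool]:
    """Run the thread's three cases against one gateway model."""
    gw = Gateway(mode, static_map={STATIC_PUBLIC: INSIDE_HOST})
    # Where the attacker aims: the host itself under SI (it is globally routed),
    # the gateway under PAT, the 1:1 address under static NAT.
    target = {"si": INSIDE_HOST, "pat": GW_PUBLIC, "static": STATIC_PUBLIC}[mode]
    results = {}
    # 1. Unsolicited connection to sshd, with a known root password.
    results["unsolicited_ssh"] = gw.forward(Packet(ATTACKER, 51000, target, 22)) is not None
    # 2. Inside host browses out; the reply must make it back to the right socket.
    out = gw.forward(Packet(INSIDE_HOST, 33000, WEB_SERVER, 80))
    back = gw.forward(Packet(out.dst, out.dport, out.src, out.sport))
    results["reply_delivered"] = back is not None and (back.dst, back.dport) == (INSIDE_HOST, 33000)
    # 3. A compromised inside host calls out to the attacker.
    results["reverse_shell_out"] = gw.forward(Packet(INSIDE_HOST, 45000, ATTACKER, 4444)) is not None
    return results

def compare() -> Dict[str, Dict[str, bool]]:
    return {mode: scenario(mode) for mode in ("si", "pat", "static")}

if __name__ == "__main__":
    for mode, res in compare().items():
        print(mode, res)
```

The run makes the post's three points concrete: SI and PAT both drop the unsolicited connection to port 22 and both deliver the reply to the web request, so the protection comes from tracking who opened the connection, not from rewriting addresses; static NAT rewrites and delivers the attacker's packet straight to the inside host; and an inside host calling out (the "another machine on the secure network were compromised" case) passes all three models alike.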