North American Network Operators Group


RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

  • From: Edward B. DREGER
  • Date: Mon Jun 04 21:18:37 2007

DS> Date: Mon, 4 Jun 2007 16:27:14 -0700
DS> From: David Schwartz

[ snipped throughout ]

DS> I can give you the root password to a Linux machine running telnetd
DS> and sshd. If it's behind NAT/PAT, you will not get into it. Period.
DS> I can give you the administrator password to a Windows machine with
DS> file sharing wide open. If it's behind NAT/PAT, you will not get
DS> into it. Period.

I can do the same without NAT/PAT.  Period.  The benefits are from
"disallow new inbound by default", *not* address muxing.

 N +  S = true
!N +  S = true
 N + !S = invalid state (can't happen)
!N + !S = false

Note carefully how one can simplify the truth table to

 S = true
!S = invalid / false

A "true" outcome depends on the presence of "S".  It is independent of 

DS> The only ways into these machines would be if the NAT/PAT device
DS> were misconfigured, another machine on the secure network were
DS> compromised, or another gateway into the secure network was set up.
DS> Guess what? All of these things would defeat a stateful inspection
DS> firewall as well.

Red herring and straw man.  The argument is: "Does NAT/PAT address-
hiding provide special benefit due to the fact that IP addresses are
being muxed?"  See above truth table.

DS> A large class of security vulnerabilities require the attacker to
DS> reach out to the machine first, and NAT/PAT stops those attacks
DS> completely.

No.  Stateful filtering stops those attacks completely.  NAT/PAT works
merely by its automatic inclusion of stateful filtering, and _ipso
facto_ does nothing.  See above truth table.

Everquick Internet -
A division of Brotsman & Dreger, Inc. -
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses:
[email protected] -*- [email protected] -*- [email protected]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
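The truth table in the post above, simulated as an added example (this is not code from the thread or from either poster). A toy border gateway has two independent knobs: S, connection tracking that denies unsolicited inbound traffic, and N, rewriting of inside addresses and ports. The simulation shows that the verdict on an unsolicited inbound probe depends only on S, that return traffic for an inside-initiated session is delivered in every valid combination, and that N without S is rejected as the "can't happen" row, since PAT cannot demultiplex replies without per-flow state. All addresses are constructed from RFC 5737 documentation ranges; the class and function names are the example's own.

```python
from dataclasses import dataclass, replace

# Constructed addresses (RFC 5737 documentation ranges); none appear in the thread.
INSIDE_HOST = "192.168.1.10"   # host on the inside network
PUBLIC_IP = "203.0.113.1"      # gateway's outside address when NAT/PAT is on
SERVER = "198.51.100.20"       # outside server the inside host talks to
OUTSIDE_PROBE = "198.51.100.7" # outside host sending an unsolicited SYN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the inside network, "in" = arriving from outside


class Gateway:
    """Border device with two independent knobs: S (track connections, deny
    unsolicited inbound) and N (rewrite inside addresses/ports)."""

    def __init__(self, stateful: bool, nat: bool):
        if nat and not stateful:
            # Row "N + !S" of the truth table: PAT cannot map replies back to
            # an inside host without per-flow state, so this cannot exist.
            raise ValueError("NAT/PAT requires connection state")
        self.stateful = stateful
        self.nat = nat
        self.flows = set()      # (inside_ip, inside_port, remote_ip, remote_port)
        self.nat_table = {}     # public_port -> (inside_ip, inside_port)
        self._next_port = 40000

    def process(self, pkt: Packet):
        """Return (verdict, packet as it leaves the gateway)."""
        if pkt.direction == "out":
            if self.stateful:
                # Inside-initiated session: remember it so replies are allowed.
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if self.nat:
                # Address muxing happens after the allow decision is already made.
                pub_port = self._next_port
                self._next_port += 1
                self.nat_table[pub_port] = (pkt.src, pkt.sport)
                pkt = replace(pkt, src=PUBLIC_IP, sport=pub_port)
            return "allow", pkt

        # Inbound direction.
        if self.nat:
            mapping = self.nat_table.get(pkt.dport)
            if mapping is not None:
                # Known translation: restore the inside destination.
                pkt = replace(pkt, dst=mapping[0], dport=mapping[1])
            # Unknown translation: packet is left untouched and falls through
            # to the state check, which is what actually decides its fate.
        if not self.stateful:
            return "allow", pkt  # plain router: everything is forwarded
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ("allow", pkt) if key in self.flows else ("drop", pkt)


def unsolicited_inbound_blocked(stateful: bool, nat: bool) -> bool:
    """True if an unsolicited SYN to the inside host's telnet port is dropped."""
    gw = Gateway(stateful, nat)
    gw.process(Packet(INSIDE_HOST, 51000, SERVER, 80, "out"))  # unrelated session
    target = PUBLIC_IP if nat else INSIDE_HOST
    verdict, _ = gw.process(Packet(OUTSIDE_PROBE, 4444, target, 23, "in"))
    return verdict == "drop"


def return_traffic_delivered(stateful: bool, nat: bool) -> bool:
    """True if the reply to an inside-initiated session reaches the inside host."""
    gw = Gateway(stateful, nat)
    _, outbound = gw.process(Packet(INSIDE_HOST, 51000, SERVER, 80, "out"))
    reply = Packet(SERVER, 80, outbound.src, outbound.sport, "in")
    verdict, delivered = gw.process(reply)
    return verdict == "allow" and (delivered.dst, delivered.dport) == (INSIDE_HOST, 51000)


def truth_table() -> dict:
    """Reproduce the four rows of the post's N/S table for unsolicited inbound."""
    rows = {}
    for label, s, n in (("N+S", True, True), ("!N+S", True, False), ("!N+!S", False, False)):
        rows[label] = unsolicited_inbound_blocked(s, n)
    try:
        Gateway(stateful=False, nat=True)
        rows["N+!S"] = "unexpectedly constructed"
    except ValueError:
        rows["N+!S"] = "invalid"
    return rows


if __name__ == "__main__":
    for row, blocked in truth_table().items():
        print(f"{row:>6}: unsolicited inbound blocked = {blocked}")
```

The only code path that ever returns "drop" is the flow-table lookup inside the stateful branch; the NAT branch merely rewrites headers and, when no mapping exists, hands the packet on unchanged. Removing NAT (the `!N+S` row) leaves the probe's verdict unchanged, while removing state (the `!N+!S` row) forwards it, which is the post's point that the protection comes from "disallow new inbound by default", not from address muxing.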