On Mon, Nov 14, 2011 at 2:55 PM, Jay Ashworth <jra@baylink.com> wrote:
> The basic assertion made by proponents of this theory, when analyzed, amounts to "the probability that a firewall between a publicly routable internal network and the internet will fail in such a fashion as to pass packets addressed to internal machines is of the same close order as the probability that a DNAT router will fail in such a fashion as to allow people outside it to address packets to *arbitrary* internal machine IP addresses (assuming they have any way to determine what those are)."
> [snip]
There is really no sound argument made that the probability is inherently any different. When we are referring to security devices failing to do what they are supposed to do, by definition, the correct level of protection has been lost, and you have a serious problem if this happens, regardless of whether your firewall is a NAT device or not. What will be most important is that you have solid layers of defense behind the firewall, such as host security, IDS units, monitoring, and scanning regimes to detect the failure of the firewall function. The security appliance has failed, and all bets may be off.

It should be noted that "detecting" a failed simple firewall with a straight port scan is a much simpler, more easily automatable process than detecting a failed 1:many NAT firewall. The ease of detecting the problem lowers the chance that you have a problem. The potential security failure modes of a 1:many NAT firewall are much more complicated than "simply pass packets it's not supposed to pass"; the quirks of the flaw mean that with a NAT firewall, it is likely the failure of the firewall function will go undetected by the security admin, resulting in a situation where you have an insidious problem... that is, a problem that is not obvious, but definitely exploitable to a determined attacker.

Failure modes such as "an intruder compromised the firewall" and injected a trojanned firmware result in equal risks regardless of whether NAT is implemented or not.

-- 
-JH
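The post's point that a failed plain filter is easy to detect by scanning from outside can be turned into a routine check. The following is an added example, not code from the thread or from either poster: a small canary that probes, from a vantage point outside the firewall, a list of internal address/port pairs the policy says must be silently dropped, and reports any probe that reached a host. The addresses and ports in `MUST_BE_BLOCKED` are constructed placeholders, and the script assumes the firewall policy is "drop" rather than "reject" (a rejecting firewall answers with its own RST, which this check would count as the probe having reached a host).

```python
"""Firewall-function canary (added example, not part of the original thread).

Run from a host OUTSIDE the firewall. Every (address, port) in MUST_BE_BLOCKED
is an internal endpoint that policy says must be unreachable. A probe that
completes a handshake or is refused with a RST shows packets got through the
filter; only a timeout is consistent with a working drop rule.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed placeholder policy: internal endpoints that must NOT answer
# from outside. Replace with your own list.
MUST_BE_BLOCKED: List[Tuple[str, int]] = [
    ("10.0.0.10", 22),
    ("10.0.0.10", 445),
    ("10.0.0.20", 3389),
]


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str  # "open", "closed", "filtered", or "unreachable"


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Classify one TCP connect attempt.

    open        -> handshake completed: the internal host answered
    closed      -> a RST came back: something on the far side answered
    filtered    -> timeout: the path dropped the probe (the expected state)
    unreachable -> local routing/socket error: the probe never left, so it
                   says nothing about the firewall
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return ProbeResult(host, port, "open")
    except socket.timeout:
        return ProbeResult(host, port, "filtered")
    except ConnectionRefusedError:
        return ProbeResult(host, port, "closed")
    except OSError:
        return ProbeResult(host, port, "unreachable")
    finally:
        s.close()


def firewall_violations(results: Iterable[ProbeResult]) -> List[ProbeResult]:
    """Return every probe whose state shows the filter passing traffic.

    "open" and "closed" both mean the probe reached something behind the
    filter; "filtered" is the healthy state; "unreachable" is a probe-side
    fault and is reported separately by the caller, not as a violation.
    """
    return [r for r in results if r.state in ("open", "closed")]


def run_canary(targets=MUST_BE_BLOCKED) -> List[ProbeResult]:
    """Probe every target and return the list of policy violations."""
    return firewall_violations(tcp_probe(h, p) for h, p in targets)


if __name__ == "__main__":
    bad = run_canary()
    if bad:
        for r in bad:
            print(f"FIREWALL FAILURE: {r.host}:{r.port} is {r.state} from outside")
        raise SystemExit(1)
    print("firewall canary: all monitored endpoints filtered")
```

Scheduling this from an external host and alerting on a non-zero exit is the "scanning regime to detect the failure of the firewall function" the post describes; because a drop rule leaves only timeouts behind, the check stays cheap and unambiguous for a plain filter.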