On Tue, Nov 15, 2011 at 3:16 PM, Jay Ashworth <jra@baylink.com> wrote:
> You can seek layers from other sources but a shallow security process will tend to be easily breached. But mounting *that* attack requires insider knowledge of 4 or 5 layers of extra information which will be necessary to exploit such an attack.
> My estimation is that that makes that layer of your defense in depth "thicker" than some other layers might be.
Security in depth is a proper approach, but NAT is not a security control, and NAT does not make the firewall defense "thicker". The Maginot Line was "thick". Before you can properly consider your layers of defense to have a certain thickness, you have to consider types of attack, and whether your changes actually make the layers they defeat any thicker.

Now... what would you say is the most common way of defeating a properly implemented firewall?

(1) The attack follows _allowed_ paths through the firewall. For example, the attack comes through a port forward that has been configured on the firewall with an ACL that is open too wide. Or, the attack is against a legitimate user's outbound connection, for example: a user behind the firewall connects to a web site, a vulnerability in their browser is exploited to install a trojan -- the trojan tunnels to the attacker over an outgoing port that is allowed on the firewall.

And (2) The intruder compromises the firewall and gains control of it.

In the case of (1), NAT does not add any "thickness" to the security model; the workstation behind the firewall has full knowledge of its own private IP addressing. The only way you will use NAT to effectively hide information is if the compromised machine is not privy to the IP network addressing of the sensitive resources.

In the case of (2), NAT does not add any thickness to the security model, because the attacker gains knowledge of the Firewall's entire configuration.

This is a reason a network with truly sensitive resources, where integrity is the greatest security objective, should often have multiple separate Firewall units made by different manufacturers, administered independently by different groups of security admins: an outer firewall in between the Internet and the DMZ, a second firewall in between the DMZ and the Internal network, and a third firewall in between the Internal network and, say, the SCADA control network.

--
-JH
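An added example (not from the thread) of the point made about case (1): a small audit of a port-forward ruleset that flags ACLs "open too wide" for admin services, and a path check in which the NAT translation itself never influences whether a packet is admitted. The ruleset, the `ADMIN_PORTS` set and the `/8` threshold are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ruleset (assumption, not a real configuration): each
# port forward maps an external port on the firewall to an internal
# host:port, guarded by an ACL listing the permitted source networks.
PORT_FORWARDS = [
    {"ext_port": 443,  "dst": "10.0.0.10:443",  "allowed_src": ["0.0.0.0/0"]},
    {"ext_port": 3389, "dst": "10.0.0.20:3389", "allowed_src": ["0.0.0.0/0"]},
    {"ext_port": 22,   "dst": "10.0.0.30:22",   "allowed_src": ["203.0.113.0/24"]},
]

# Management services that should never be exposed to arbitrary sources
# (assumed list for the example).
ADMIN_PORTS = {22, 23, 3389, 5900}


def too_wide(rule, max_prefix_bits=8):
    """An ACL is 'open too wide' if any allowed source is broader than a /8."""
    return any(ip_network(n).prefixlen < max_prefix_bits for n in rule["allowed_src"])


def path_allowed(rules, src_ip, ext_port):
    """Return the internal destination a packet is forwarded to, or None.

    The decision depends only on the ACL; the NAT mapping in rule['dst'] is
    applied after admission and adds nothing to whether the path is open.
    """
    src = ip_address(src_ip)
    for r in rules:
        if r["ext_port"] != ext_port:
            continue
        if any(src in ip_network(n) for n in r["allowed_src"]):
            return r["dst"]
    return None


def audit(rules):
    """List port forwards that expose an admin service to too wide a source range."""
    findings = []
    for r in rules:
        dst_port = int(r["dst"].rsplit(":", 1)[1])
        if dst_port in ADMIN_PORTS and too_wide(r):
            findings.append(
                f"ext port {r['ext_port']} -> {r['dst']}: admin service open to {r['allowed_src']}"
            )
    return findings


if __name__ == "__main__":
    for line in audit(PORT_FORWARDS):
        print(line)
```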