Hey. On 14/11/2011, Jimmy Hess <mysidia@gmail.com> wrote:
> In other words, your use of RFC1918 address space alone does not create security.
I had this crazy idea that somewhere in the rfcs was a "should" that manufacturers block private address space (i.e. hard coded) but it's not (in fact the opposite). Obviously there's shoulds for nocs and isps. Regardless, you're exactly correct.
> Your RFC1918 network actually _does_ need isolation separate and apart from the address space, for you to have reliable security, you still need a firewall, proxy, or NAT device of some form,
Pardon me, but that's not axiomatic. This is where the flames come, right? Between me and you there are X machines that route packets (and have layer four services - yes, I'm a TCP/IP model guy). There are no separate firewall machines, no security-postured proxies, no NATting. These routers pass packets happily and don't influence my security or the security of the other routers at all. Obviously there are plenty of other critical machines that don't have proxies or NATting (DNS). Pertinently, they are publicly addressable yet don't have security issues resulting from not having intermediate firewalls or proxies or NAT. The only issues they do have are what all endpoint machines face - poor application (protocol) design (lack of encryption and so on), poor administration, bugs. Of those three, the methodology most readily associated with security is firewalling (packet filtering).

A packet addressed to an endpoint that doesn't serve anything or have a client listening will be ignored (whatever) as a matter of course. Firewall or no firewall. If I have a client application open on a port and get incoming from an unsolicited IP, then again it will be ignored as a matter of course. Incoming packets to bogus ports are of course dropped (whatever). Firewall or no firewall. If I do have a port mapped to a service (serving, not clienting) then I'm open for business. That's fundamental to TCP/IP and secure. All other security considerations are appropriately handled at layer four.

The only reason we firewall (packet filter) is to provide access control (for whatever reason). Access control is a good enough reason to have something called a firewall, but everything else is a failure in design. Again though, access control is a failure at protocol design (hence DNS and BGP issues). Firewalling here is a kludge. The only issue that depends on firewalling is ... DoS, to preserve bandwidth, and that's not an end in and of itself.
I posit to you that in the current state of affairs, firewalling a host or network is incredibly useful but entirely superfluous to defending a machine. I think you'd be hard pressed to find any convincing reason to suggest that proxies are any more useful (given good layer four design) from a security perspective. NAT? No. Fundamentally, it's not required or every machine that was publicly addressable would have a NAT machine shoved in front of it and another one shoved in front of that ... Prima facie examples are every publicly addressable machine on the internet. If there was a reason other than address space management then our critical infrastructure would be NATted. The history of NAT tells me I'm right.
> ... you still need ... ... the private network isolated from the public one ...
No. I apologize in advance if this is too pedestrian (you might know this but not agree with it) but I want to make a point: http://en.wikipedia.org/wiki/End-to-end_connectivity I've got homework to do (read some of that stuff and re-evaluate my position) but NAT has caused nothing but trouble for security practitioners and allowed developers to get away with whatever they can ... NAT saved us ... or at least all the moms and dads who don't have good product or good administration.
> ... you still need ... ... the private network isolated from the public one ...
If this were true then IPv6 was a failure. Apart from any push to bring NAT along for the ride, we have a newer IP with the deliberate choice made to make every machine publicly addressable ... and to turn every NAT box into a router only ... and let them route packets (like every other intermediate router), freeing up hosts ... to do host security. To me that was a breath of very fresh air. The only reason to be concerned about this is vendors who make bad choices, and for that there's always other vendors. :]
> -- -JH
Best wishes.
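As an added illustration (not code from the thread or from either poster), the following is a toy model of the host-side behaviour the reply above describes: a host's TCP/IP stack demultiplexes each inbound segment by its connection 4-tuple and listening ports, so a segment for an established connection is delivered, a SYN to a listening port is accepted, a SYN to a closed port is rejected, and anything unsolicited is dropped, with no firewall involved. A separate, optional access-control list models the one role the reply grants a firewall, restricting who may reach a listening service. It goes slightly beyond the text by using IPv6 addresses from the 2001:db8::/32 documentation prefix (all addresses, ports and the `acl` format are constructed assumptions) to show the same host-level decisions on a publicly addressable v6 host with no NAT in front of it. It models demultiplexing only; bugs or design flaws in the listening service itself are outside its scope.

```python
"""Toy model of host-side TCP demultiplexing versus firewall access control.

Constructed example: addresses, ports and the ACL format are assumptions,
not taken from the thread. Each inbound segment is first judged by the host
stack alone (connection table + listening ports); an optional ACL then
restricts only new connections to listening ports.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a new connection attempt


@dataclass
class Host:
    ip: str
    # ports with a server socket in LISTEN
    listening: set[int] = field(default_factory=set)
    # established connections as (local_ip, local_port, remote_ip, remote_port)
    connections: set[tuple[str, int, str, int]] = field(default_factory=set)
    # hypothetical firewall: (cidr, port) pairs allowed to open connections;
    # None means no packet filter at all
    acl: Optional[list[tuple[str, int]]] = None

    def stack_verdict(self, seg: Segment) -> str:
        """What the TCP/IP stack does with a segment before any firewall."""
        if seg.dst_ip != self.ip:
            return "not_for_me"
        if (self.ip, seg.dst_port, seg.src_ip, seg.src_port) in self.connections:
            return "deliver_to_connection"      # reply on a connection we opened
        if seg.syn and seg.dst_port in self.listening:
            return "accept_new_connection"      # "open for business"
        if seg.syn:
            return "rst_closed_port"            # nothing serves here
        return "drop_unsolicited"               # stranger talking to a client port

    def acl_allows(self, seg: Segment) -> bool:
        """Access control, the one job the reply concedes to a firewall."""
        if self.acl is None:
            return True
        src = ipaddress.ip_address(seg.src_ip)
        return any(port == seg.dst_port and src in ipaddress.ip_network(cidr)
                   for cidr, port in self.acl)

    def verdict(self, seg: Segment) -> str:
        stack = self.stack_verdict(seg)
        # The ACL only ever changes the outcome for a new connection to a
        # listening port; every other case was already decided by the stack.
        if stack == "accept_new_connection" and not self.acl_allows(seg):
            return "filtered_by_acl"
        return stack


def demo() -> dict[str, str]:
    """Constructed scenario: a v6 host serving SSH and HTTPS, with one
    outbound DNS query in flight and an ACL limiting SSH to an admin prefix."""
    host = Host(
        ip="2001:db8::10",
        listening={22, 443},
        connections={("2001:db8::10", 40001, "2001:db8:53::1", 53)},
        acl=[("2001:db8:1::/48", 22), ("::/0", 443)],
    )
    cases = {
        "syn_to_https": Segment("2001:db8:99::7", 51234, "2001:db8::10", 443, syn=True),
        "syn_to_ssh_from_outside": Segment("2001:db8:99::7", 51235, "2001:db8::10", 22, syn=True),
        "syn_to_ssh_from_admin_net": Segment("2001:db8:1::5", 51236, "2001:db8::10", 22, syn=True),
        "dns_reply": Segment("2001:db8:53::1", 53, "2001:db8::10", 40001),
        "stranger_to_client_port": Segment("2001:db8:99::7", 53, "2001:db8::10", 40001),
        "syn_to_closed_port": Segment("2001:db8:99::7", 51237, "2001:db8::10", 8080, syn=True),
        "misrouted": Segment("2001:db8:99::7", 51238, "2001:db8::11", 443, syn=True),
    }
    return {name: host.verdict(seg) for name, seg in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

Running it shows that only one of the seven outcomes (`syn_to_ssh_from_outside`) depends on the ACL at all; the stranger probing the DNS client's ephemeral port and the SYN to the closed port are dropped or rejected by the stack with or without a filter, which is the distinction the reply draws between host security and access control.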