On 3/24/14 1:37 PM, "William Herrin" <bill@herrin.us> wrote:
On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco <jgreco@ns.sol.net> wrote:
I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not only iron clad, it applies to all forms of security, not just IP network security.
The problem here is that what's actually going on is that you're now enshrining as a "security" device a hacky, ill-conceived workaround for a lack of flexibility/space/etc in IPv4. NAT was not designed to act as a security feature.
Hi Joe,
That would be one of those "details" on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the '90s because it does the same security job a little more smoothly. And proxies WERE designed to act as a security feature.
What kinds of devices are we talking about here? Are we talking about the default NAT on a home network router, or an enterprise-level NAT operating on a firewall?

The NAT on home gateways may be a full-cone NAT. This allows easier setup of online gaming, for instance, or other applications where an inbound SYN is required. This provides no security, since as soon as a connection is established, all traffic is allowed. Even restricted cone NATs provide little protection, just a bit of guessing that even a human could manage.

If we're talking about an enterprise firewall, then I don't understand--we're talking about a firewall. If it implements a symmetric NAT in addition to a stateful firewall, then it's implementing the same function twice. But, hey, it's your network; if security-through-obscurity is one of your defense in depth layers, that's fine.

You may use NPT66 with ULA; that function is defined.

Lee
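The distinction Lee draws above (full cone vs. restricted cone vs. symmetric NAT, and what each one does with an unsolicited inbound packet) is easier to see with a toy model. The following is an added example written for this page, not code from anyone in the thread: a small Python simulation of the four classic NAT types from RFC 3489 (RFC 4787 later recast these as mapping and filtering behaviours). The class and function names are hypothetical, the addresses are constructed RFC 5737 documentation addresses, and the model deliberately ignores transport details such as TCP SYN handling; it only tracks which mappings exist and who may use them.

```python
"""Toy model of classic NAT types (RFC 3489 terminology), showing which
unsolicited inbound packets each type forwards once an internal host has
opened a mapping. Constructed illustration, not real firewall code."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Constructed sample endpoints (RFC 5737 / RFC 1918 documentation space).
INTERNAL = ("10.0.0.5", 5000)        # host behind the NAT
SERVER = ("198.51.100.7", 27015)     # the game server it talks to
STRANGER = ("192.0.2.99", 31337)     # an unrelated Internet host


@dataclass
class Nat:
    """Hypothetical NAT with selectable mapping/filtering behaviour."""
    mode: str  # "full_cone" | "restricted_cone" | "port_restricted" | "symmetric"
    next_port: int = 40000
    # Cone NATs: one external port per internal socket, reused for every peer.
    cone_map: Dict[Endpoint, int] = field(default_factory=dict)
    # Symmetric NAT: one external port per (internal socket, destination).
    sym_map: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # Per external port: which internal socket owns it, and which peers
    # the internal host has actually sent packets to.
    owner: Dict[int, Endpoint] = field(default_factory=dict)
    peers: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def _alloc(self) -> int:
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src: Endpoint, dst: Endpoint) -> int:
        """Internal host src sends to dst; returns the external port used."""
        if self.mode == "symmetric":
            key = (src, dst)
            if key not in self.sym_map:
                self.sym_map[key] = self._alloc()
            port = self.sym_map[key]
        else:
            if src not in self.cone_map:
                self.cone_map[src] = self._alloc()
            port = self.cone_map[src]
        self.owner[port] = src
        self.peers.setdefault(port, set()).add(dst)
        return port

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Internet host src sends to ext_port; returns the internal
        destination if the NAT forwards it, None if it is dropped."""
        if ext_port not in self.owner:
            return None  # no mapping: every NAT type drops this
        seen = self.peers[ext_port]
        if self.mode == "full_cone":
            return self.owner[ext_port]  # anyone may use an open mapping
        if self.mode == "restricted_cone":
            # Only the source IP has to match a peer the host has talked to;
            # the source port is free, which is the "bit of guessing" above.
            if any(ip == src[0] for ip, _ in seen):
                return self.owner[ext_port]
            return None
        # port_restricted and symmetric: the exact (ip, port) must match,
        # i.e. the same check a stateful firewall makes on the 5-tuple.
        return self.owner[ext_port] if src in seen else None


def probe(mode: str) -> Dict[str, bool]:
    """Open one mapping to SERVER, then see who can send into it."""
    nat = Nat(mode)
    port = nat.outbound(INTERNAL, SERVER)
    return {
        "server_same_port": nat.inbound(SERVER, port) is not None,
        "server_other_port": nat.inbound((SERVER[0], SERVER[1] + 1), port) is not None,
        "stranger": nat.inbound(STRANGER, port) is not None,
    }


def same_external_port_for_two_peers(mode: str) -> bool:
    """Cone NATs reuse one external port for all peers; a symmetric NAT
    allocates a fresh one per destination, so a stranger cannot even learn
    the port from another peer."""
    nat = Nat(mode)
    return nat.outbound(INTERNAL, SERVER) == nat.outbound(INTERNAL, STRANGER)


if __name__ == "__main__":
    for mode in ("full_cone", "restricted_cone", "port_restricted", "symmetric"):
        print(f"{mode:16} {probe(mode)}  shared port: {same_external_port_for_two_peers(mode)}")
```

Running it shows the point of the message: a full-cone mapping forwards the stranger's packet as soon as any outbound connection exists, a restricted-cone NAT only requires the attacker to spoof or guess the peer's IP, and it is not until port-restricted or symmetric behaviour that the NAT is checking what a stateful firewall already checks.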