David Schwartz wrote:
Just because it's behind NAT does not mean it's unreachable from the internet:
Okay, so exactly how many times do you think we have to say in this thread that by "NAT/PAT", we mean NAT/PAT as typically implemented in the very cheapest routers in their default configuration?
And my $50 Linksys has a "DMZ host" configuration item, as well as configurable port range forwarding entries. 1: "Gee, I want to run this p2p app, and it doesn't work." 2: "Go to http://192.168.1.1 and enter 192.168.1.100 into the DMZ Host" 1: "Great, it works now!"
I can do the same without NAT/PAT. Period. The benefits are from "disallow new inbound by default", *not* address muxing.
That you can do something without NAT/PAT tells you nothing about what NAT/PAT does. Why state an uncontested unrelated point nobody disagrees with when there is an actual live disagreement about what security NAT/PAT does or doesn't provide? (Hint: NAT/PAT, as discussed here, includes "disallow new inbound by default").
Because it was stated that NAT/PAT provides security, and it doesn't. The DMZ host above is still NAT'ed (and the configurable port forwarding ranges are still PAT'ed), but the security "provided by NAT" just went out the window.
Which means that -- tada! -- NAT/PAT isn't giving you anything that the stateful inspection firewall isn't.
That's wonderful, but that's not even remotely responsive to what I'm saying. I'm responding to Owen's claim that NAT/PAT doesn't provide any security, not that it doesn't provide you any security that a stateful inspection firewall doesn't or can't.
But it is correct. Just mangling the addresses in the headers doesn't actually stop anything from getting through, it just means it gets through mangled. The security comes from SI and dropping packets that don't have an active session established from inside, or related.
In order to make (dynamic) NAT work you need to implement SI; that's what protects you. What does NAT get you above and beyond the SI you have already implemented?
What does a car get you above and beyond the engine, transmission, starter, and so on? It gets you all those things in one convenient package that you just buy, start, and drive. NAT provides all the advantages its component parts provide. Really.
And in IPv6-land, it will be trivial to build consumer level IPv6 firewalls that have a default of dropping everything inbound, which is what the SI of a dynamic NAT gives you. Exactly the same level of security and a whole lot less breakage.
--
Jeff McAdams
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin
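The "drop everything inbound by default" IPv6 firewall described at the end of the message, next to the IPv4 "DMZ host" case from earlier in it, as an added example (an nftables ruleset written for this note, not from the thread or any router vendor). Interface names wan0/lan0 and the 192.168.1.100 DMZ address are placeholders; the stateful forward chain is the whole of the security, and no address rewriting is needed for it.

```nftables
# Added example. wan0 / lan0 are placeholder interface names.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept   # replies to sessions the router started
        ct state invalid drop
        # ICMPv6 must pass for neighbour discovery and path MTU discovery
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
                      echo-request, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable } accept
        iif lan0 accept                       # inside hosts may reach the router itself
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept   # the SI a dynamic NAT would have forced anyway
        ct state invalid drop
        iif lan0 oif wan0 accept              # only the inside may open new sessions
        # No rule lets wan0 start a session: same posture as a NAT box, with
        # globally routable inside addresses and no header mangling.

        # The IPv4 "DMZ host" from the message. This one line is what removes
        # the "security provided by NAT"; the NAT itself stays in place below.
        iif wan0 ip daddr 192.168.1.100 ct state new accept
    }
}

# IPv4 address muxing for the DMZ-host case: still NAT/PAT, no longer a filter.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iif wan0 dnat to 192.168.1.100        # every unsolicited inbound packet goes inside
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif wan0 masquerade                   # PAT for outbound sessions
    }
}
```

Load with `nft -f <file>` and compare the two forward-chain behaviours with `nft list ruleset`: delete the DMZ line and the IPv4 side is back to the same default-deny posture as the IPv6 side, with the masquerade rule contributing nothing to that decision.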