On Jan 10, 2011, at 4:22 PM, Jeff Kell wrote:
> On 1/10/2011 6:55 PM, Owen DeLong wrote:
>> Nonetheless, NAT remains an opaque screen door at best.
>> If the bad guy is behind the door, it helps hide him.
>> If the bad guy is outside the door, the time it takes for his knife to cut through it is so small as to be meaningless.
> For a "server" expected to be open to anyone, anywhere, anytime... yes. Otherwise no.

Uh, yes. For a server, it's a transparent hole in the wall.

> NAT overload (many to 1), and 1-to-1 NAT with some timeout value both serve to disconnect the potential targets from the network, absent any static NAT or port mapping (for "servers").

No, they don't, really. Once the host becomes compromised via other means, it readily opens whatever necessary holes in the NAT to permit the undesirable traffic in. Additionally, even an un-compromised host may open the needed holes in NAT through processes like 6to4 and Teredo.

> RFC-1918 behind NAT ensures this (notwithstanding pivot attacks).

Stateful inspection without address mangling does just as much to ensure this as NAT. You, like so many others, are confusing the security benefits of stateful inspection with the misapplication of the term NAT.

> It is a decreasing risk, given the typical user initiated compromise of today (click here to infect your computer), but a non-zero one.
> The whole IPv6 / no-NAT philosophy of "always connected and always directly addressable" eliminates this layer.

No, it doesn't. A good stateful firewall in front of an IPv6 host without NAT does every bit as much to protect it as the NAT box in your RFC-1918 scenario can. The problem is that everyone assumes directly addressable means directly reachable because they've become so ingrained in this world of NAT that they forget that it is possible to implement effective stateful security without it. The big difference between stateful inspection without NAT and with overloaded NAT is that in the overloaded NAT case, it will help hide the bad guy from the audit trails whereas the non-NAT approach does not do so.

Owen
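A toy connection-tracking model, added here as an illustration and not taken from the thread, of the argument above: an unsolicited inbound probe is dropped by state alone, a host compromised by other means opens the return path for its own outbound flow with or without NAT, and only the overloaded-NAT case leaves an upstream log entry that no longer names the internal host. All addresses, ports and the firewall class are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

def endpoint(addr, port):
    """Render addr:port, bracketing IPv6 literals so the colon-separated address stays readable."""
    return f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    """Constructed model: public_ip=None is the IPv6 case (stateful inspection, no address rewriting)."""
    public_ip: Optional[str] = None
    table: dict = field(default_factory=dict)   # external 4-tuple -> internal (src, sport)
    log: list = field(default_factory=list)     # what an upstream observer (remote server, transit IDS) records
    next_port: int = 40000

    def outbound(self, pkt):
        """Internal host initiates a flow: create state; rewrite the source only when NATing."""
        if self.public_ip is None:
            ext_src, ext_sport = pkt.src, pkt.sport
        else:
            ext_src, ext_sport = self.public_ip, self.next_port
            self.next_port += 1
        self.table[(pkt.dst, pkt.dport, ext_src, ext_sport)] = (pkt.src, pkt.sport)
        self.log.append(f"{endpoint(ext_src, ext_sport)} -> {endpoint(pkt.dst, pkt.dport)}")
        return Packet(ext_src, ext_sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet from outside: forwarded only if it matches existing state, otherwise dropped."""
        state = self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return None if state is None else Packet(pkt.src, pkt.sport, *state)

def demo(nat):
    """Run the same two events through both flavours; return (probe_dropped, reply_passed, upstream_log)."""
    fw = StatefulFirewall(public_ip="203.0.113.1" if nat else None)
    host = "192.0.2.10" if nat else "2001:db8::10"   # constructed documentation addresses
    # 1. Unsolicited inbound probe to port 22: no matching state, dropped with or without NAT.
    probe = fw.inbound(Packet("198.51.100.5", 5555, fw.public_ip or host, 22))
    # 2. The internal host opens an outbound flow; the reply matches state and passes either way.
    out = fw.outbound(Packet(host, 33333, "198.51.100.5", 443))
    reply = fw.inbound(Packet("198.51.100.5", 443, out.src, out.sport))
    return probe is None, reply is not None and reply.dst == host, fw.log[-1]
```

In the NAT case the upstream record names only the shared public address, so attributing it to a host needs the translation table (and its timestamps), which is the audit-trail gap Owen describes.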