On Nov 15, 2011, at 6:07 PM, Karl Auer wrote:
On Wed, 2011-11-16 at 12:20 +1100, Mark Andrews wrote:
You are making assumptions about how the NAT is designed. [...] Unless you know the internals of a NAT you cannot say whether it fails open or closed.
Indeed not!
From 2010, during an identical discussion:
http://seclists.org/nanog/2010/Apr/1166
To me, "fail" means that a system stops doing what it was designed to do. The results are by definition undefined. Others seem to think that "fail" means a kind of default.
Red herring alert. Fact: any given system has failure modes that are more common and failure modes that are less common. Sure, your car can fail by having the engine explode. However, this is nowhere near as common as having your car fail due to a flat tire or a clogged fuel filter. Arguing that flat tires and clogged fuel filters are some form of default is absurd, but, when discussing automotive failures, the discussion will naturally focus more on these failures than on engine explosions.

Such has been the case here. The most common failure modes for firewalls are failures due to misconfiguration and/or failures due to loss of configuration information. Some misconfigurations are more common than others. A proper firewall will address most of these failures by no longer forwarding packets. In this case, a router with NAT is slightly more likely to fail closed than a router without NAT. However, a firewall without NAT is more likely to fail closed than a router with or without NAT, and equally as likely as a firewall with NAT. In other words, NAT doesn't really improve anything, but the difference between the common failure modes of a firewall vs. a router is worthy of consideration. The infinitesimal advantage of NAT, if you use a router instead of a firewall to perform the duties of a firewall, is dramatically overshadowed by the costs and damage done by NAT.

OTOH, routers, being designed primarily to forward packets and having security appliance features added as a secondary capability, will, in many cases, address most of these failures by passing packets which would not be permitted if properly configured and/or functioning.

Yes, they are identical, and NAT makes no meaningful difference to the chances that undesired packets will be forwarded in the event of a catastrophic failure outside of these more common failure modes.

Owen
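The "loss of configuration information" failure mode above can be checked for on a Linux packet filter: a chain whose closure depends on a trailing DROP rule fails open the moment the rules are flushed or not restored, while a DROP policy survives the flush. The following is an added example, not from the thread; it audits constructed iptables-save output (the ruleset, chain names and verdict strings are assumptions).

```python
import re

# Constructed sample in iptables-save format (not from the thread): a
# NAT router whose FORWARD chain is "closed" only by its last rule.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) ")   # ":CHAIN POLICY [pkts:bytes]"
RULE_RE = re.compile(r"^-A (\S+) .*-j (\S+)$")        # "-A CHAIN ... -j TARGET"

def parse_filter_chains(text):
    """Return {chain: (policy, [jump targets in order])} for the filter table."""
    chains, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):            # table header, e.g. "*filter"
            table = line[1:]
        elif table == "filter":
            m = CHAIN_RE.match(line)
            if m:
                chains[m.group(1)] = (m.group(2), [])
                continue
            m = RULE_RE.match(line)
            if m and m.group(1) in chains:
                chains[m.group(1)][1].append(m.group(2))
    return chains

def audit_filter_chains(text):
    """Verdict per chain: what it does to traffic if its rules are lost
    (flushed, or not restored at boot) but the built-in policy remains."""
    findings = {}
    for chain, (policy, targets) in parse_filter_chains(text).items():
        if policy == "DROP":
            findings[chain] = "fails closed (policy DROP)"
        elif targets and targets[-1] in ("DROP", "REJECT"):
            findings[chain] = "fails open on rule loss (trailing %s, policy ACCEPT)" % targets[-1]
        else:
            findings[chain] = "fails open (policy ACCEPT, no terminal drop)"
    return findings
```

Running `audit_filter_chains(SAMPLE_RULESET)` flags FORWARD as failing open on rule loss; the fix is a DROP policy on the chain, not another rule.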