Re: Where NAT disenfranchises the end-user ...
Roeland Meyer <rmeyer@mhsc.com> writes:
|> From: Jared Mauch [mailto:jared@puck.Nether.net]
|> Sent: Sunday, September 09, 2001 2:49 PM
|> Let me rephrase my initial statement, "In most cases i've seen
|> where someone is using NAT it's part of a security policy and not due
|> to lack of available address space".
Jared, those who depend on an accident, for security, deserve what happens when the accident undoes itself. I was just over on www.netcraft.com, checking out their stats for the CodeRed worm. I was amazed at how fast IIS admins responded by applying the patches. If NAT were suddenly "fixed", any incidental security is toast. NAT was never designed for, and was never intended as, a security method. Any current protection is strictly the result of a side-effect. The side-effect that breaks the internet connection. It's a result of the connection being broken. A properly built firewall is much more effective and definitely more deterministic. Neither is it vulnerable to a "fix patch".
I don't understand what kind of "fix patch" you're talking about here...NAT uses the same techniques that a stateful firewall uses; if you can find some kind of "fix patch" to bypass NAT, chances are excellent it will work on a stateful firewall, too. I've actually seen the question of how NAT breaks the Internet more than a good stateful firewall come up more than once, and haven't really seen a satisfactory answer. Where does a stateful firewall configured to only allow outgoing connections work that NAT doesn't? I ask not to drag this discussion on, but because I use NAT for address conservation and security on a couple networks that I operate, and am curious if I'd be much better off with something different...
-----ScottG.
On 10 Sep 2001 13:29:58 -0400 Scott Gifford <sgifford@tir.com> wrote:
I've actually seen the question of how NAT breaks the Internet more than a good stateful firewall come up more than once, and haven't really seen a satisfactory answer. Where does a stateful firewall configured to only allow outgoing connections work that NAT doesn't?
in the case of IPSec, the IP addresses need to be preserved end-to-end as part of the whole security scheme.
richard
--
Richard Welty
Averill Park Networking
rwelty@averillpark.net
518-573-7592
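The point Richard makes about IPsec can be shown concretely. The following is an added illustration, not code from the thread: it builds a minimal IPv4 header and an AH-style integrity check value that, as in IPsec AH, is computed over the immutable header fields including both addresses, with the hop-mutable fields zeroed. A router or stateful firewall only decrements the TTL, which AH ignores, while NAT rewrites the source address, which AH covers. The key and addresses are constructed demo values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real SA key comes from IKE or manual keying.
KEY = b"demo-sa-key"


def build_ipv4_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, protocol 51 (AH), checksum left at zero."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20, 0, 0, ttl, 51, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(header: bytes) -> bytes:
    """AH-style ICV: HMAC over the header with mutable fields zeroed.

    Real AH also zeroes TOS, flags and fragment offset; this demo zeroes
    only the fields a plain router changes (TTL, header checksum).
    The source and destination addresses stay in the hashed input."""
    immutable = bytearray(header)
    immutable[8] = 0                  # TTL changes at every hop
    immutable[10:12] = b"\x00\x00"    # checksum is recomputed per hop
    return hmac.new(KEY, bytes(immutable), hashlib.sha256).digest()[:12]


def router_forward(header: bytes) -> bytes:
    """A router or stateful firewall: decrement TTL, touch nothing else."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat_forward(header: bytes, public_src: str) -> bytes:
    """NAT: everything a router does, plus rewriting the source address."""
    h = bytearray(router_forward(header))
    h[12:16] = socket.inet_aton(public_src)
    return bytes(h)


def verify(header: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(header), icv)


def demo() -> dict:
    original = build_ipv4_header("10.0.0.5", "203.0.113.9")
    icv = ah_icv(original)
    return {"via_stateful_firewall": verify(router_forward(original), icv),
            "via_nat": verify(nat_forward(original, "198.51.100.7"), icv)}
```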
At 13:47 10/09/01, Richard Welty wrote:
in the case of IPSec, the IP addresses need to be preserved end-to-end as part of the whole security scheme.
True, but ONLY because the Internet Architecture lacks an alternative namespace that could identify the box associated with a given network interface. (The IP address is used in this context to identify the network interface associated with the Security Association). So that's all true today, but is driven by a shortcoming in the Internet Architecture.
Ran
rja@Inet.org
On Mon, 10 Sep 2001 14:06:14 -0400 RJ Atkinson <rja@inet.org> wrote:
At 13:47 10/09/01, Richard Welty wrote:
in the case of IPSec, the IP addresses need to be preserved end-to-end as part of the whole security scheme.
True, but ONLY because the Internet Architecture lacks an alternative namespace that could identify the box associated with a given network interface. (The IP address is used in this context to identify the network interface associated with the Security Association). So that's all true today, but is driven by a shortcoming in the Internet Architecture.
perhaps, but this doesn't invalidate either his question or my answer to it. this whole discussion is really pointless due to the fact that right this minute, reality sucks, and cannot be instantly fixed by a stupid flame war.
richard
--
Richard Welty
Averill Park Networking
rwelty@averillpark.net
518-573-7592
right this minute, reality sucks, and cannot be instantly fixed by a stupid flame war.
Oh so true, and of far wider applicability than the subject at hand. If this mailing list had a FAQ, this should be the answer to most of the questions.
Alex Bligh
Personal Capacity
On Mon, 10 Sep 2001 20:46:48 BST, Alex Bligh said:
Oh so true, and of far wider applicability than the subject at hand. If this mailing list had a FAQ, this should be the answer to most of the questions.
Q1: What are the common flame wars on NANOG?
A1: RFC1918, ORBS/MAPS, ARIN, PI /28s, DSL for business use.
Q2: What are some proper ways to configure/run a network? For instance, should I use RFC1910 space to number my routers?
A2: See Q1.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
From: "Scott Gifford" <sgifford@tir.com>
I've actually seen the question of how NAT breaks the Internet more than a good stateful firewall come up more than once, and haven't really seen a satisfactory answer. Where does a stateful firewall configured to only allow outgoing connections work that NAT doesn't?
Anywhere the IP address is a part of the protocol, and a proxy for that protocol does not exist. Peer election protocols, replication protocols, etc.
--
Eric A. Hall
http://www.ehsco.com/
Internet Core Protocols
http://www.oreilly.com/catalog/coreprot/