(Strictly in the spirit of debate ;)

> -----Original Message-----
> From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 27 September 2000 6:36 AM
> To: Ben Ryan
> Cc: [EMAIL PROTECTED]
> Subject: Re: LinkSys 4-Port Router
> 
> 
> 
> Ben Ryan wrote:
> > 
> > From the responses which I agree with on the whole, I don't 
> > think any valid reasons have been given as to why a firewall
> > is superior to a NAT box.
> 
> Hmmm.. does your NAT box support active FTP out of your 
> protected network?
> Wanna bet it's vulnerable to data channel vulnerabilities?
> (i.e. anyone can open any connection to your "protected" computers)

The FTP data channel stuff relies on a user doing something stupid. It can't
be used by an attacker to arbitrarily hack a specific box, unless I've
missed something. Any user that uses a WWW browser can almost certainly be
hacked if they go to a malicious site - and firewalls won't stop it
happening.

This does not illustrate why dynamic NAT is worse than a FW.

> 
> Does your NAT box handle these new flashy multimedia protocols
> that open streams in all directions? Wanna bet they're exploitable
> too?

It's likely that a "simple" NAT implementation won't support scary
multimedia guff, since it's a pain to code.

> 
> How well does your NAT box handle connection closing? If you open
> a connection out through the NAT, can I then, as the recipient, keep 
> it open after your computer thinks that it's closed, and start 
> sending SYNs back in through the NAT device and wait until some 
> RPC service or something starts listening on that port?

Assuming we're talking about an arbitrary, theoretical NAT box - it handles
it fine. My coders were (just) bright enough to realise that the connection
should get pulled out of the state table after seeing a FIN from either
side. How hard is that?

> 
> Does your NAT device correctly block firewalking attempts?

Firewalking doesn't work on dynamic NAT.

> On portmapped servers behind the device?

Portmapped servers only have the service ports mapped. Since these ports
_are_ actually open I don't consider the fact that someone can work out that
they're open to be a threat.

> Back through dynamically opened connections to the outside?

Ditto - these ports are actually open. If you can spoof the correct source
IP address and port within the window of the connection being open then
you've got me. Argh! Ow! (falls off roof)

> 
> Can your NAT device LIMIT what kind of traffic that you can
> send to the outside world? If you've got a trojan sitting
> on your network (received through mail, whatever) it'll
> likely try to communicate with the outside world. If your
> firewall can block and alarm that traffic, you've bought
> yourself time.

How many people do this? The firewall is to keep bad guys OUT, right? We
don't have any bad guys INSIDE our network! That's unpossible!

> 
> Does your NAT device do audit logging, so that you have
> some sort of chance of detecting suspicious behavior?

Yes. It does. Nyah!

> No, thought not.

OK, I was lying. Then again, I don't check the failed scans and
kiddie-pounding on my external firewall much, either. I _know_ that those
attacks will fail. Apart from morbid curiosity there's no real reason to
know if it was BO or Netbus today.

> 
> ... want me to go on? :)

Sure! Maybe you'll come up with a valid point...;)

> 
> 
> What it basically boils down to is this:
> If the product wasn't designed for security, top down, 
> don't use it for security purposes, if security
> is what you need.

I do tend to agree, I'm just arguing theory here to try and get a better
risk assessment of NAT as a technology out in the open. I'm not comfortable
with the assumption that it's not a firewall and therefore you're criminally
negligent if it's all you're using.

> A generic "NAT device" is designed for functionality,
> not security. Believe me, I know. I've ripped the guts
> out of more than one of those boxes.

Hm. We're getting into assertionville - I can't argue with that...

[snip]
> 
> ... This of course assumes that you need "security". 
> If you're a Joe User sitting at home, a NATting box
> is probably gonna get you all the security that a "real"
> firewall would, since Joe User is going to click
> on any .exe file he gets in his inbox, as long as
> it is "porn.exe" or "fun.exe", or whatever. 

Yes. Except I would extend this to lots of places that don't actually have a
heavy-duty threat model to consider. Even places that _are_ under threat
might have limited exposure and therefore decide to make an (accurate) risk
assessment which states that NAT is enough.

> 
> 
> Hmm.. wonder if there's a market for "Pavlov Firewalls";
> zap the user with a quick 1000-volt shock every time
> they do something stupid. [snip]

Sounds like it would solve the Layer 8 security problem pretty fast. ;)

> 
> /Mike
> ... only 1500 more mailing list messages to go before
> I've caught up with my two-week break. Eww.

OK - imagine two networks. The internal users in both surf the web through a
secure proxy server, use active FTP and send email. The network contains a
mail server which is open to the outside world.

One is using dynamic NAT with an SMTP port map. I get to posit that the NAT
box is coded "correctly" - but it does no logging. One is protected by nine
different firewalls in series with logging, NIDS and flashing lights. You
can pick whatever firewalls you want.

Show me how the first network is easier to hack.

Cheers!

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
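The connection-closing argument above (does the NAT pull the mapping after a FIN, and what happens to SYNs sent back in through the old port?) and the "spoof the correct source IP and port" point are easy to make concrete. The toy state table below is an added example written for this thread, not code from either poster or from any real NAT product; the addresses, ports and the 60-second closing timeout are constructed values. It creates state only for an outbound SYN, forwards inbound packets only from the peer the mapping was opened to, never forwards a bare inbound SYN, and removes the mapping after a FIN/RST plus a TIME_WAIT-style linger that the outside peer cannot extend.

```python
from dataclasses import dataclass
from typing import Optional

CLOSING_TIMEOUT = 60  # seconds a mapping lingers after a FIN/RST (TIME_WAIT-style)

@dataclass
class Mapping:
    inside: tuple                   # (inside_ip, inside_port)
    outside: tuple                  # (remote_ip, remote_port) the inside host talked to
    ext_port: int                   # port the NAT picked on its external address
    closing_since: Optional[float] = None

class NatTable:
    """Dynamic NAT for outbound TCP; constructed example, not a real product's code."""
    def __init__(self, ext_ip="203.0.113.1", first_port=40000):
        self.ext_ip, self.next_port = ext_ip, first_port
        self.by_ext_port = {}       # ext_port -> Mapping
        self.by_inside = {}         # (inside, outside) -> Mapping

    def _drop(self, m):
        del self.by_ext_port[m.ext_port]
        del self.by_inside[(m.inside, m.outside)]

    def outbound(self, inside, outside, flags, now):
        """Inside -> outside packet. Returns rewritten (src, dst) or None if dropped."""
        m = self.by_inside.get((inside, outside))
        if m is None:
            if "SYN" not in flags:  # only an outbound SYN may create state
                return None
            m = Mapping(inside, outside, self.next_port)
            self.next_port += 1
            self.by_inside[(inside, outside)] = m
            self.by_ext_port[m.ext_port] = m
        if m.closing_since is None and flags & {"FIN", "RST"}:
            m.closing_since = now   # teardown starts when either side closes
        return ((self.ext_ip, m.ext_port), outside)

    def inbound(self, src, ext_port, flags, now):
        """Outside -> our external port. Returns (src, inside) or None if dropped."""
        m = self.by_ext_port.get(ext_port)
        if m is None or m.outside != src:  # no state, or not the peer we connected to
            return None
        if m.closing_since is not None and now - m.closing_since > CLOSING_TIMEOUT:
            self._drop(m)           # stale mapping: remove it and drop the packet
            return None
        if "SYN" in flags and "ACK" not in flags:
            return None             # a fresh inbound connect is never forwarded
        if m.closing_since is None and flags & {"FIN", "RST"}:
            m.closing_since = now   # peer's own close starts the timer; it cannot reset it
        return (src, m.inside)
```

Data still flows from the peer for a short while after the inside host's FIN (half-close), but a SYN arriving on the old port is dropped both before and after the mapping expires, which is the behaviour the thread is asking a NAT box to get right.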