> -----Original Message-----
> From: Reckhard, Tobias [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 23 February 2001 3:56 
> To: Firewalls Mailing List (E-mail)
> Subject: RE: To NAT or not to NAT?
> 
> 
> Cheers, Ben. <raises glass>
> 
> > > NAT definitely does not add *fine* security. IMHO, it doesn't 
> > > help you any
> > > more than a stateful packet filter.
> > 
> > I'd argue that, in theory, it also doesn't help you any 
> less. I'm more or
> > less happy to use just NAT for low threat sites. I usually configure
> > filtering rules as well, but they're only there to keep me 
> in the habit.
> > 
> True, to perform NAT you need to do the same as in a stateful 
> packet filter,
> so they're pretty much equal in potential protection. 
> However, what is more
> important than the technology itself is how it is 
> implemented. [...] I would still place filtering rules on the outside 
> interface, no
> matter what. Maybe that's overdoing it, I dunno, but it makes me feel
> better--is that already on the same level as the warm fuzzies the
> pointy-heads get?

I must admit, I always filter as well. I should probably qualify my own NAT
opinions - I've only ever used Cisco NAT. It's still vaguely buggy in some
areas, but they've been doing NAT for a DAMN long time now, and I'm pretty
happy with it overall.

> And I am rather suspicious that the post that set this thread 
> off is talking
> about a "NAT as the only form of security" approach, with a 
> configuration of
> the sort I describe above.

"Anything out" is a reasonable security posture for lots of places - for
example, I think IT businesses with a consulting arm etc should have that
sort of policy, with internal firewalls to protect critical bits. We don't,
for example, and it sucks pretty badly when I need to test things.

[...]
> Add to that
> that ALGs are often written with security in mind, while that 
> can't be said
> of NATs,

Depends on the implementation, I guess. I agree that many NAT devices aren't
necessarily security focussed.

[...]
> I don't 
> generally favour the
> one-box solution, so I try to design firewall systems with 
> choke routers
> (aka packet filters) and separate ALGs (on 'hardened' hosts 
> with packet filtering, etc. in place) in one or more DMZs. 

Yeah - that's my favourite architecture as well. Too bad it's not a
"commercial reality" for many places. The only way you can build decent,
multi-box systems at the moment is with free software, and the lack of
support rules it out for too many enterprises. Single person support, or
even single-large-organisation is not enough to hang a business on (they
claim).

Have I ranted recently about how I want someone to pony up VC for a company
that packages best-of-breed open source solutions and teams it with real
support? Maybe we can buy djb, Darren Reed and Theo. ;)

I can see it now... A few nice 1RU servers, whack in a few DMZs, have a nice
security zone model, djbdns, postfix, some bridge-mode snort sensors,
ipfilter to taste - we can even throw in Paul Robertson's idea about running
all HTTP access as VNC sessions to a hardened browsing host to stop HTTP
trojans. Then we support it all with a high level policy language and an
object-modelled control paradigm, running over OpenSSH links for external
support and monitoring. 

Wait - I'm dreaming at work again!

Oh, I should toss in a "really, really NOT the opinions of my employer"
disclaimer about here. ;)

> This may be 
> overkill for a
> small shop, in which case I'd probably use OpenBSD or Linux on an x86
> platform and use packet filtering in conjunction with ALGs.

I will not use Linux for anything to do with security. OpenBSD for me -
FreeBSD or Solaris in a pinch.
 
[...]
> > None of your arguments support your conclusion here, sorry. 
> You may as
> > well
> > say that stateful filtering is a weak element of security.
> > 
> > Of course, if you _are_ saying that, I apologise, and agree.
> > 
> Well, I'm not saying that flat out. I am of the opinion that 
> SPF/NAT alone
> does not provide the level of security I prefer. [...] I may have
> gone over the edge or at least rather close to it in my last 
> post, but this
> is the reason I advise against NAT as a (or often the only) 
> security measure
> when newbies ask about it.

Fair enough. I think the only point I'd make (as I've said before) is that
not everyone needs real security. As long as they have made an _informed_
risk-based decision, I'm happy.

> 
> > I'm not picking on you here,
> > 
> And you don't sound it.

Yeah, I'm being extra-nice for a while after I offended that Cisco chap a
while back in the IPSec / NAT thread.  >;)

[...]
> 
> In any case,.. um.., yeah, that's it.
> 
> Tobias

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
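The point both posters circle around (NAT alone keeps the same state as a stateful filter, but explicit rules on the outside interface are still worth having) can be shown with an IP Filter ruleset. This is an added example, not configuration from either poster; it assumes fxp0 is the outside interface, fxp1 the inside, and 192.168.1.0/24 the private network.

```ipfilter
# --- ipnat.conf: the "NAT as the only security" setup ---
# Only flows that inside hosts initiate get a translation entry,
# so unsolicited inbound packets have nothing to map to and are dropped.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.1.0/24 -> 0/32

# --- ipf.conf: filtering rules added on the outside interface ---
# Default deny in both directions; everything below is an explicit exception.
block in log all
block out log all

# Anti-spoofing: private or loopback sources must never arrive from outside.
block in log quick on fxp0 from 192.168.1.0/24 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any

# "Anything out" for inside hosts. Outbound filtering happens before NAT,
# so the rules see the private source; keep state lets replies back in
# without any "pass in" on fxp0 at all.
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on fxp0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on fxp0 proto icmp from 192.168.1.0/24 to any keep state

# Inside interface: accept traffic from the LAN and hand it back.
pass in quick on fxp1 from 192.168.1.0/24 to any
pass out quick on fxp1 all
```

With the NAT map alone, inbound packets are dropped only because no translation exists; the filter rules make that drop explicit, logged, and independent of the NAT table.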