At 13:14 30/05/01 -0700, Steve Riley (MCS) wrote:
>Some "security experts" claim that NAT could be used as a firewall (or
>let's say, some means of hiding the internal network).
so we're back again:)
The definitive answer is that the concept of NAT has nothing to do with
security. Check the IETF working groups and see where NAT is.
The confusion results from the fact that some security results from using NAT.
But one would say the same about routing. If your gateway can't find the route
to a host, then it will reject the packet. So there's some security there:)
But I've never heard "experts" claiming that routing could be used as a firewall;-P
There are two kinds of security that NAT can provide:
- "Impossible routing": if your NAT can't map the global destination to a
local one, it ends with a non-routable packet that will be rejected.
- Some NAT implementations explicitly reject packets that do not match the
registered mappings. Yes, this provides some level of security. I personally
don't like this since it is bad from a software architecture viewpoint. First,
I like engines that do just what they were designed to do. NAT was designed
to convert addresses/ports, so why is it doing more? Second, you can't stack
multiple NAT modules since the first will drop packets that are mapped by
others. Anyway, this is a personal opinion, and I won't take my gun to
defend it:)
In short, you can think of the security provided by NAT as a side effect.
>[much stuff deleted]
The attack you describe is possible with or without NAT, and yes, NAT can
do nothing about it.
This is session hijacking/interception/..... It is hard to guard against,
but it is hard for the attacker too. (It requires being on the data path,
being able to benefit from the attack without the "normal" host breaking the
connection [so the attacker generally needs to SYN flood it], and so on.)
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
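To make the two mechanisms in the message concrete (an inbound packet with no mapping that ends up unroutable, and a module that explicitly rejects anything outside its table) and to show the stacking problem mouss raises, here is an added example that is not part of the original post and is not taken from any real NAT implementation. It simulates two NAT modules, a dynamic NAPT and a static port-forward table, in front of the box's router. The public address 198.51.100.1, the inside hosts, the "full cone" matching rule (inbound packets are matched on destination port only, not on sender) and the strict/permissive switch are all assumptions of this toy model:

```python
"""Toy NAT modules illustrating NAT security as a side effect.

Added example, not code from the original post. Assumptions (hypothetical):
- the NAT box owns one public address, PUBLIC_IP
- mappings are endpoint-independent ("full cone"): an inbound packet is
  matched on its destination port only, never on who sent it
- a module in permissive mode passes an unmatched packet through unchanged so
  a later module can try; in strict mode it rejects the packet outright
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "198.51.100.1"  # assumed public address of the NAT box (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class DynamicNapt:
    """Port-overloading NAT: outbound flows create mappings, inbound uses them."""

    def __init__(self, strict: bool, first_port: int = 40000) -> None:
        self.strict = strict
        self.next_port = first_port
        self.to_public: Dict[Tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self.to_private: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.to_public:          # first packet of a flow registers a mapping
            self.to_public[key] = self.next_port
            self.to_private[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=PUBLIC_IP, sport=self.to_public[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.to_private.get(pkt.dport) if pkt.dst == PUBLIC_IP else None
        if inside is None:
            return None if self.strict else pkt  # strict: explicit reject; else pass through
        return replace(pkt, dst=inside[0], dport=inside[1])


class StaticForward:
    """Admin-configured port forwards, e.g. public:80 -> inside web server."""

    def __init__(self, strict: bool, forwards: Dict[int, Tuple[str, int]]) -> None:
        self.strict = strict
        self.forwards = forwards

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.forwards.get(pkt.dport) if pkt.dst == PUBLIC_IP else None
        if inside is None:
            return None if self.strict else pkt
        return replace(pkt, dst=inside[0], dport=inside[1])


def deliver_inbound(modules: List, pkt: Packet) -> str:
    """Run an inbound packet through the NAT modules in order, then the router."""
    for module in modules:
        out = module.inbound(pkt)
        if out is None:
            return f"rejected by {type(module).__name__}"
        pkt = out
    if pkt.dst == PUBLIC_IP:
        # Nobody rewrote the destination: it still names the NAT box itself,
        # which routes to no inside host. This is the "impossible routing" case.
        return "no route (impossible routing)"
    return f"delivered to {pkt.dst}:{pkt.dport}"


def demo() -> Dict[str, str]:
    """Constructed scenarios; returns the outcome of each inbound packet."""
    results: Dict[str, str] = {}
    web = {80: ("10.0.0.80", 80)}  # constructed port forward to an inside web server

    # Permissive chain: unmatched packets fall through to the next module.
    napt, fwd = DynamicNapt(strict=False), StaticForward(strict=False, forwards=web)
    out = napt.outbound(Packet("10.0.0.5", 1234, "203.0.113.9", 80))  # client opens a flow
    results["outbound"] = f"{out.src}:{out.sport}"
    chain = [napt, fwd]
    results["reply_to_client"] = deliver_inbound(chain, Packet("203.0.113.9", 80, PUBLIC_IP, 40000))
    results["permissive_port_forward"] = deliver_inbound(chain, Packet("203.0.113.9", 5555, PUBLIC_IP, 80))
    results["permissive_unmapped"] = deliver_inbound(chain, Packet("192.0.2.66", 9999, PUBLIC_IP, 4444))
    # Any sender that hits an existing mapping is translated: the table, not
    # the peer, is what the NAT checks, so this is not a security policy.
    results["spoofed_into_mapping"] = deliver_inbound(chain, Packet("192.0.2.66", 9999, PUBLIC_IP, 40000))

    # Strict chain: the first module rejects what it does not own, so the
    # port forward held by the second module never gets a chance.
    napt_s, fwd_s = DynamicNapt(strict=True), StaticForward(strict=True, forwards=web)
    strict_chain = [napt_s, fwd_s]
    results["strict_port_forward"] = deliver_inbound(strict_chain, Packet("203.0.113.9", 5555, PUBLIC_IP, 80))
    results["strict_unmapped"] = deliver_inbound(strict_chain, Packet("192.0.2.66", 9999, PUBLIC_IP, 4444))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

In permissive mode the chain works, and the only inbound packets that reach an inside host are those matching some module's mapping; everything else is left pointing at the NAT box itself and dies in routing. In strict mode the NAPT module rejects the port-80 traffic that the static-forward module owns, which is the stacking problem described above. The last permissive scenario is the limit of the side effect: a packet from an arbitrary source that happens to hit a live mapping is translated like any other, because under this model the translator consults its table, not the sender.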