Ben's example is more akin to my own variation: When you have a
nail to drive, every tool becomes a potential hammer.
David Gillett
On 5 Jun 2001, at 5:34, patrick kerry wrote:
> If your only tool is a hammer than every problem
> becomes a nail.
>
>
>
>
> --- Ben Nagy <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: Michael Batchelder
> > [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, June 02, 2001 1:03 PM
> > > To: [EMAIL PROTECTED];
> > [EMAIL PROTECTED]
> > > Subject: Re: Penetrating a NAT
> > >
> > > > [Steve Riley]
> > > > Some "security experts" claim that NAT could be
> > used as a firewall
> > > > (or let's say, some means of hiding the internal
> > network).
> > > >
> > > >>[Michael Batchelder]
> > > >>No security expert I know would assert such a
> > thing. If they did,
> > > >>I'd give their title an instant expertectomy.
> > > >
> > > > [Ben Nagy]
> > > > D'oh. Guess I was never an expert, then.
> > [...]
> > > > My claim remains that NAT can provide about as
> > much protection as
> > > > a dumb stateful packet filter.
> > >
> > > I was taking issue with the part of the sentence
> > that said
> > > "NAT could be
> > > used as a firewall". That is not, at face value,
> > equivalent to the
> > > above
> > > statement you subsequently made that "NAT can
> > provide about as much
> > > protection as a dumb stateful packet filter", even
> > with the posit that
> > > you and Steve both made that the NAT
> > *implementation* "not allow
> > > connections from the outside".
> >
> > People use dumb stateful packet filters as firewalls
> > all the time - standard
> > IOS ACLs and ipchains being the worst offenders.
> >
> > What _I'm_ taking issue with is people (and don't
> > take this as a personal
> > insult) making knee-jerk remarks about the security
> > or otherwise of certain
> > solutions which are, IMNSHO, wrong.
> >
> > I hear that NAT one quite a lot. I haven't yet
> > recanted on my claim above,
> > and I've made it a lot of times. I would hate to
> > think that somewhere out
> > there is someone who read all the rhetoric that flew
> > around on this thread
> > and decided that I was a moron and knew nothing
> > about security.
> >
> > Let me be frank - NAT _can_ be used as a firewall.
> > Take a good look at a PIX
> > one day. Sure, it does some tricks, but the core of
> > the device is built for
> > NAT. Although I always use filters for IOS
> > "firewalls", they're only there
> > as defense in depth, double-check type things and
> > don't really add anything
> > to the security.
> >
> > [...]
> > > Now, if you want to add another
> > > posit/given/assumption/whatever that the
> > > NAT *implementation* also groks multi-connection
> > protocols like FTP,
> > > then you've essentially created a stateful packet
> > filter. If you add
> > > this posit, his and your statements become
> > equivalent, and I
> > > agree with
> > > you that you get the same effect as a "dumb
> > stateful packet filter".
> > > But that's going very far afield to *define* all
> > that as NAT, and I
> > > would then disagree with you on that semantic
> > point...
> >
> > I don't actually care much for active FTP, so I'm
> > happy to have my imaginary
> > site use passive FTP and not know about real FTP.
> > It's more secure that way,
> > anyway.
> >
> > > Moreover, my post was arguing (perhaps not
> > explicitly enough) in
> > > practical terms against using NAT in this way, as
> > a matter of Expert
> > > Security Guy practice. If you had clients to
> > firewall, and your
> > > customer's only requirement was for them to be
> > protected
> > > while only they
> > > initiate connections, would you take your Check
> > Point, PIX,
> > > or whatever,
> > > and simply set up the many-to-1 NAT, an
> > any-any-any-permit
> > > rule, and be
> > > done with it?
> >
> > Uh, a PIX is a bad example - that's actually exactly
> > what you'd do. 8)
> >
> > Your point, however, is perfectly valid and quite
> > correct. Defense in depth
> > is a good principle for this sort of thing. Bear in
> > mind, though, that the
> > whole point of defense in depth is to cover you
> > against things that "can't
> > happen" in theory. That makes defense in depth just
> > as important whether
> > your primary barrier is NAT or a FW-1.
> >
> > [...]
> > > IOW, you may
> > > be able to drive nails with your forehead, a dead
> > cat, or last month's
> > > half-eaten baguette, but why not use the hammer
> > lying next to you?
> > >
> > > Michael
> >
> > Sometimes all you have is that cat.
> >
> > A realistic and accurate assessment of the security
> > of any solution is
> > critical. Anti-NAT propaganda makes it less likely
> > that assessments will be
> > accurate. This is me saying that NAT is very secure
> > - it's me saying that
> > it's more secure than many people claim.
> >
> > Cheers,
> >
> > --
> > Ben Nagy
> > Network Security Specialist
> > Marconi Services Australia Pty Ltd
> > Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> > -
> > [To unsubscribe, send mail to
> > [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail - only $35
> a year! http://personal.mail.yahoo.com/
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
