On Tuesday, 2001-06-05 at 09:18 AST, "Cessna, Michael" <[EMAIL PROTECTED]>
wrote:
> Since NAT hides the Internal IP address yet does not limit connections
in any
> way, shouldn't NAT be considered 'Security by Obfuscation'?
The most commonly used form of NAT, namely PAT (aka IP masquerading)
certainly does limit connections. It is basically outbound only.
Let me repost a message I sent in February - some of the folks in this
thread could use the homework:
While there has been some good discussion in this thread, it has sometimes
suffered by differing usage of terms.
I distinguish 3 types of NAT (Cisco, for one, supports all of these):
1. Static NAT
Each internal address is mapped in a fixed configuration to its own
external address. ... However it is only rarely used - usually just for
servers. Any inbound packet destined for external address Xn is mapped to
internal address In and forwarded, regardless of the ports and source
address. This could be implemented in a completely stateless NAT box.
2. Dynamic NAT
Internal machines are unreachable until they attempt an external
"connection". When they do, they are temporarily assigned an external
address. As long as they keep sending to the outside, within some timeout
specification, they own that address. Inbound packets destined to it will
go to the internal machine; while this also could be stateless, but I
suspect most NAT boxes require that "connections" be initiated by the
inside machine before allowing the inbound traffic. This is not very
commonly used either.
3. PAT (port address translation)
Internal machines are unreachable until they attempt an external
"connection". When they do, they are temporarily assigned a port on an
external address (for tcp and udp). Only inbound packets with a source
specification matching the destination of the original outbound traffic
will be mapped and forwarded to the internal machine. This must be
stateful. This method is by far the most commonly used. It does pretty
thoroughly block inbound connections. This is what most of the folks,
other than mouss, seem to be talking about in this thread.
(I use the term "connection" in quotes, because while we really only have
connections for tcp, the NAT box will typically simulate connections for
other protocols such as udp and icmp echo.)
And there are certainly other types of NAT in use which are some
combination of those listed above. A typical example is where all inbound
traffic to port 25 is statically mapped to a single internal address. This
acts like static NAT for that particular port (while all the other traffic
may be using PAT).
It would be helpful if those discussing NAT make clear what type of
translation they are intending. It usually makes a substantial difference.
Tony Rall
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
