Owen DeLong wrote:
> On Apr 23, 2010, at 10:16 AM, Matthew Kaufman wrote:
>
>> Jack Bates wrote:
>>> Matthew Kaufman wrote:
>>>> But none of this does what NAT does for a big enterprise, which is to
>>>> *hide internal topology*. Yes, addressing the privacy concerns that come
>>>> from using lower-64-bits-derived-from-MAC-address is required, but it is
>>>> also necessary (for some organizations) to make it impossible to tell
>>>> that this host is on the same subnet as that other host, as that would
>>>> expose information like which host you might want to attack in order to
>>>> get access to the financial or medical records, as well as whether or
>>>> not the executive floor is where these interesting website hits came
>>>> from.
>>>
>>> Which is why some firewalls already support NAT for IPv6 in some form or
>>> fashion. These same firewalls will also usually have layer 7
>>> proxy/filtering support as well. The concerns and breakage of a corporate
>>> network are extreme compared to non-corporate networks.
>>
>> Agreed on the last point. And I'm following up mostly because I've
>> received quite a few private messages that resulted from folks
>> interpreting "hide internal topology" as "block access to internal
>> topology" (which can be done with filters). What I mean when I say "hide
>> internal topology" is that a passive observer on the outside, looking at
>> something like web server access logs, cannot tell how many subnets are
>> inside the corporation or which accesses come from which subnets. (And
>> preferably, cannot tell whether or not two different accesses came from
>> the same host or different hosts simply by examining the IP addresses...
>> but yes, application-level cooperation -- in the form of a browser which
>> keeps cookies, as an example -- can again expose that type of
>> information.)
>
> So can TCP fingerprinting and several other techniques.
>
> Finally, the belief that hiding the number of subnets or which hosts share
> subnets is a meaningful enhancement to security is dubious at best.

Agreed, but see my own follow-up to myself. Entirely dubious, and yet
entirely required by audit checklists which feed up into SEC reporting which
affects stock prices.

Matthew Kaufman

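As an added illustration of the "passive observer looking at web server access logs" point argued in the thread above (editorial example code, not written by any of the posters): given only the client addresses in a log, an outsider can count the /64 subnets in use, attribute each hit to a subnet, and, where hosts use MAC-derived (EUI-64) interface identifiers, recover the MAC and link the same NIC across visits and even across subnets. The log lines, addresses (documentation prefix 2001:db8::/32) and the NAT66 simulation helper are constructed for the example; the second run shows what the same observer sees when every hit is translated to one address.

```python
"""Added example: what a passive observer can read out of the IPv6 client
addresses in web-server access logs. The /64 prefix names the subnet, and an
EUI-64 interface identifier (0xfffe in the middle of the low 64 bits) leaks
the NIC's MAC, so the same host is linkable across visits and across subnets.
All log lines and addresses below are constructed for illustration."""

import ipaddress
import re
from collections import defaultdict

# Constructed Common Log Format lines in documentation address space.
# Lines 1 and 3 come from the same NIC (same EUI-64) on two different /64s;
# line 4 uses a random (RFC 4941 style) interface identifier instead.
SAMPLE_LOG = """\
2001:db8:1:10:21b:21ff:fe3a:4c5d - - [23/Apr/2010:10:16:01 -0700] "GET /index.html HTTP/1.1" 200 1234
2001:db8:1:10:20c:29ff:fe11:2233 - - [23/Apr/2010:10:17:45 -0700] "GET /pricing HTTP/1.1" 200 5678
2001:db8:1:200:21b:21ff:fe3a:4c5d - - [23/Apr/2010:11:02:10 -0700] "GET /careers HTTP/1.1" 200 910
2001:db8:1:10:1d2f:9a7b:3c4e:5f60 - - [23/Apr/2010:11:05:33 -0700] "GET /index.html HTTP/1.1" 200 1234
2001:db8:1:200:21b:21ff:fe3a:4c5d - - [23/Apr/2010:11:06:00 -0700] "GET /about HTTP/1.1" 200 2222
"""

# First whitespace-delimited field of each line is the client address.
CLIENT_RE = re.compile(r"^(\S+) ", re.MULTILINE)


def parse_client_addrs(log_text):
    """Pull the client address out of each log line; skip anything that is
    not a parseable IPv6 address (IPv4 clients, malformed lines)."""
    addrs = []
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        try:
            addrs.append(ipaddress.IPv6Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue
    return addrs


def subnet_of(addr):
    """The /64 the address sits in, the normal size of an IPv6 link."""
    return ipaddress.IPv6Network((addr, 64), strict=False)


def is_eui64(addr):
    """RFC 4291 modified EUI-64 identifiers carry 0xff 0xfe at address bytes
    11 and 12, i.e. in the middle of the 64-bit interface identifier."""
    b = addr.packed
    return b[11] == 0xFF and b[12] == 0xFE


def eui64_to_mac(addr):
    """Recover the 48-bit MAC: drop the 0xfffe filler and flip the
    universal/local bit (0x02) of the first octet back."""
    iid = addr.packed[8:]
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


def summarize(log_text):
    """Everything the outside observer learns from the addresses alone: the
    distinct /64s, hits per /64, and which MACs appeared on which /64s."""
    hits_per_subnet = defaultdict(int)
    subnets_per_mac = defaultdict(set)
    non_eui64 = 0
    for a in parse_client_addrs(log_text):
        net = str(subnet_of(a))
        hits_per_subnet[net] += 1
        if is_eui64(a):
            subnets_per_mac[eui64_to_mac(a)].add(net)
        else:
            non_eui64 += 1
    return {
        "subnets": sorted(hits_per_subnet),
        "hits_per_subnet": dict(hits_per_subnet),
        "subnets_per_mac": {m: sorted(s) for m, s in subnets_per_mac.items()},
        "non_eui64_hits": non_eui64,
    }


def as_seen_behind_nat(log_text, public_addr):
    """Hypothetical stand-in for the NAT66 case discussed in the thread: the
    log as the observer would see it if every hit were translated to one
    public address (a text rewrite, not a real translator)."""
    return CLIENT_RE.sub(public_addr + " ", log_text)


if __name__ == "__main__":
    print("direct:", summarize(SAMPLE_LOG))
    print("behind NAT66:",
          summarize(as_seen_behind_nat(SAMPLE_LOG, "2001:db8:1::2")))
```

On the sample, the direct run reports two /64s, attributes three hits to one and two to the other, and shows MAC 00:1b:21:3a:4c:5d appearing on both subnets (a laptop that changed floors); only the one random-identifier hit is unlinkable. Behind the simulated translator the summary collapses to a single /64 and no MACs, which is exactly the "hide internal topology" property the thread is about, and, as Owen notes, exactly what TCP fingerprinting and cookies can partly undo again.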