RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-05 Thread michael.dillon


> I posit that a screen door does not provide any security.

Any is too strong a word. For people living in an area with
malaria-carrying mosquitoes, that screen door may be more important for
security than a solid steel door with a deadbolt. It all depends on what
the risks are, what you are protecting, and where your priorities are.

It is rather odd to see this discussion just a few weeks after the IETF
issued RFC 4864 to address just this misconception of NAT. How many of
the participants have read the RFC? Assuming vendors of cheap consumer
IPv6 gateway boxes implement all the LNP (Local Network Protection)
features of RFC 4864, is there any reason for these boxes to also
support NAT?

As far as I can see the only good reason to put NAT in an IPv6 gateway
is because uneducated consumers demand it as a checklist feature. In
that case, let's hope that it is off by default and that disabling the
NAT does not disrupt any of the other LNP features. That way, when the
customer calls the support desk to complain that they are not getting
SIP calls from Mom, you can tell them to turn off the NAT and try again.

--Michael Dillon

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-05 Thread Perry Lorier

> The only ways into these machines would be if the NAT/PAT device were
> misconfigured, another machine on the secure network were compromised, or
> another gateway into the secure network was set up. Guess what? All of these
> things would defeat a stateful inspection firewall as well.

I disagree.  (All of the below is hypothetical, I haven't tested it, but 
I believe it to be true.)


Premise 1: The machines behind the firewall are actually on and 
functioning, and presumably may be even being used.


Premise 2: The OSes on the machines will periodically do *some* kind of 
traffic.  Some common examples might be ntp synchronisation, or DNS 
resolving of an update service for antivirus, OS patches, whatever.  The 
traffic may be provided by the user actually using the machine for 
whatever real users actually do.


Premise 3: Many NAPTs are of the Cone type.  This is desirable for 
end users as it allows their applications/devices to use their NAPT 
busting technologies (STUN, Teredo etc) without having to configure 
static port forwards.


Premise 4: The external port chosen for an outgoing protocol is easily 
guessed.  Many NAPT boxes will prefer to use the same port as the 
original host, or will assign port mappings sequentially; a bit of 
research here would go a long way, presumably entire networks are likely 
to be using the same NAPTs in an ISP's provided CPE.


Thus, for example, if you are running a single host behind a NAPT box 
that is doing regular NTP queries and I can guess the external port on 
the NAPT box (which, with a bit of research, I suspect is trivial), I can 
send that port on your external IP a packet and it will be forwarded 
back to your machine.  This could easily lead to a compromise via a 
buffer overflow or other exploit.


This would primarily work for UDP based services that by design tend to 
be used over the Internet itself such as DNS, NTP, SIP etc.  It seems 
unlikely that this would work against TCP based services.  Exploits in 
ICMP could also be tunneled back through a NAPT box in a similar 
manner.  GRE/IPIP/IPv6/ESP/AH can probably use similar techniques to 
infect machines behind a NAPT box (Disclaimer: I don't know those 
protocols very well, but on the flipside, I suspect that NAPT boxes 
don't know them very well either and do dumb things with them like 
forward all GRE packets to the one host inside your network that has 
ever spoken GRE).


Just because you've never seen someone exploit through a NAPT box 
doesn't mean it won't happen. 
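Premises 3 and 4 above turn on how the CPE's translation table filters inbound datagrams. The following is an added illustration, not code from this thread or from any vendor: a toy NAPT whose filtering mode uses the RFC 3489 names (full cone, address restricted, port restricted), with one inside host that has made an NTP query and an unrelated outside sender aiming a datagram at the mapped port. All addresses are constructed; the port-allocation rule (reuse the inside port when free) is the behaviour Perry describes, modelled here as an assumption.

```python
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "ip port")          # an IP:port pair
Mapping = namedtuple("Mapping", "inside peers")       # inside Endpoint, set of peers

class Napt:
    """Toy NAPT using RFC 3489 filtering names: full_cone forwards any datagram
    to a mapped port; address_restricted only from an IP the inside host already
    sent to; port_restricted only from a matching IP:port."""
    def __init__(self, filtering="full_cone", first_port=1024):
        self.filtering, self.next_port = filtering, first_port
        self.table = {}   # external port -> Mapping

    def outbound(self, inside, remote):
        """Inside host sends a datagram: reuse its mapping or allocate one,
        preferring the inside port when free (as many consumer boxes do)."""
        for ext_port, m in self.table.items():
            if m.inside == inside:
                m.peers.add(remote)
                return ext_port
        ext_port = inside.port
        if ext_port in self.table:
            ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = Mapping(inside, {remote})
        return ext_port

    def inbound(self, sender, ext_port):
        """Inside endpoint a datagram to ext_port is forwarded to, or None."""
        m = self.table.get(ext_port)
        if m is None:
            return None                            # no mapping: dropped
        if self.filtering == "full_cone":
            return m.inside
        if self.filtering == "address_restricted":
            return m.inside if any(p.ip == sender.ip for p in m.peers) else None
        return m.inside if sender in m.peers else None   # port_restricted

def demo(filtering):
    """Inside host syncs with an NTP server; an unrelated sender then aims a
    datagram at the mapped port (constructed addresses).  Returns
    (external port, server reply delivered?, stranger's datagram delivered?)."""
    nat = Napt(filtering)
    host, ntp = Endpoint("192.168.1.10", 123), Endpoint("203.0.113.5", 123)
    ext_port = nat.outbound(host, ntp)
    stranger = Endpoint("198.51.100.7", 40000)
    return (ext_port, nat.inbound(ntp, ext_port) == host,
            nat.inbound(stranger, ext_port) == host)
```

Only the full-cone table lets the stranger's datagram through; the restricted modes still deliver the NTP server's reply, which is why address- or port-restricted filtering is the setting to look for on a CPE.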





RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-05 Thread David Schwartz


> Again, whether the lock/deadbolt come as a package deal with the screen
> door or not, it is the lock/deadbolt that provide the security, not
> the screen door.

Wow, I don't know what to say. I've never heard of a screen door that came
with, and could not work without, a lock and deadbolt. It's totally obvious
that you had no intention of implying that typical NAT implementations
didn't provide any security.

And, by the way, in all of my real examples, it was the actual NAT that
provided the security. The Windows machines are behind a device that has but
one rule configured in it, and it's a NAT rule. The NAT rule is the only
thing that causes the machine to do any stateful inspection at all. That is,
one single element provides the NAT and the SI, SI is the means by which the
NAT is implemented, and SI is the only way to provide NAT.

The device is *NOT* configured to reject inbound by default. Other machines
on other parts of my private network *can* reach it through its NAT on its
private addresses. Our wireless network, for example, has its own NAT to
reach the Internet and its own block of private addresses, but can reach the
wired Windows boxes on their private addresses.

Yet you *STILL* can't log into my Linux box even with the root password. You
still can't access my Windows network shares even with the administrator
password. If it was on a public IP address, all other things being the same,
it would take you ten seconds to get into it.

These machines have never been compromised. All other things being precisely
the same, without the private addresses, they would never have lasted.

It is simply a fact that private addresses and NAT itself do provide some
security. You can get this same security without the private addresses and
without the NAT, but that changes nothing.

This is the claim you are defending: There's no security gain from not
having real IPs on machines. Any belief that there is results from a lack of
understanding. So why can't you break into these machines when the only
thing stopping you is that they don't have real IPs. There is no other
security of any kind in place. There is no reject inbound by default, no
firewall rules (except NAT itself). The only stateful inspection is used to
make NAT work and is the *implementation* of NAT itself.

All I have is the very thing you claim provides no security gain. And it's
what's stopping you.

DS

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Robert Bonomi


> From [EMAIL PROTECTED]  Mon Jun  4 13:54:55 2007
> Subject: Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
> Date: Mon, 4 Jun 2007 14:47:06 -0400
>
> On 4-Jun-2007, at 14:32, Jim Shankland wrote:
>
> > Shall I do the experiment again where I set up a Linux box
> > at an RFC1918 address, behind a NAT device, publish the root
> > password of the Linux box and its RFC1918 address, and invite
> > all comers to prove me wrong by showing evidence that they've
> > successfully logged into the Linux box?
>
> Perhaps you should run a corresponding experiment whereby you set up
> a linux box with a globally-unique address, put it behind a firewall
> which blocks all incoming traffic to that box, and issue a similar
> invitation.
>
> Do you think the results will be different?

Consider the possible *FAILURE* modes.
  e.g. (1) where somebody brings up _another_ path between the LAN that that
           box is on, and the public internet, with no translations or other
           protections whatsoever.
       (2) where the 'protection box' fails open -- e.g. passes all traffic
           without modification.


NAT/PAT is 'belt and suspenders', but it *does* provide an additional layer of
protection, _if_the_primary_protection_fails_.

That 'additional protection' may or may not be 'significant', depending on
one's viewpoint.




Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Colm MacCarthaigh

On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote:
> > *No* security gain?  No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN?  Or to access a single, corporate Web site?
>
> Correct.  There's nothing you get from NAT in that respect that you do
> not get from good stateful inspection firewalls.  NONE whatsoever.

Arguably the instant hit of IP source anonymity you get with NAT is a
security benefit (from the point of view of the user). Of course these
days there are all sorts of fragment and timing analyses that will allow you
to determine origin commonality behind NAT, but it's nowhere near as
convenient as a public IP address.

A non-NAT stateful firewall can't simulate that, you need high-rotation
dhcp or similar to get close. Although IPv6 privacy addresses rock :-)

The argument can go either way, you can spin it as a benefit for the
network operator (wow, user activity and problems are now more readily
identifiable and trackable) or you can see it as an organisational
privacy issue (crap, now macrumors can tell that the CEO follows them
obsessively). 

NAT is still evil though, the problems it causes operationally are
just plain not worth it.

-- 
Colm MacCárthaigh                          Public Key: [EMAIL PROTECTED]


Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Valdis.Kletnieks

On Mon, 04 Jun 2007 12:20:38 PDT, Jim Shankland said:

> I can't pass over Valdis's statement that a good properly configured
> stateful firewall should be doing [this] already without noting
> that on today's Internet, the gap between should and is is
> often large.

Let's not forget all the NAT boxes out there that are *perfectly* willing
to let a system make an *outbound* connection.  So the user makes a first
outbound connection to visit a web page, gets exploited, and the exploit
then phones home to download more malware.

Yeah, that NAT *should* be providing security, but as you point out, there's
that big gap between should and is... :)




Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Larry Smith

On Monday 04 June 2007 13:54, [EMAIL PROTECTED] wrote:
> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain?  No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN?  Or to access a single, corporate Web site?
>
> Nope. Zip. Zero. Zilch.  Nothing over and above what a good properly
> configured stateful *non*-NAT firewall should be doing for you already.

Cool, then I need four of these firewalls, and two Class-C (512) worth of IP 
space that works behind my current ISP at no more than $39.95 each (my basic 
price for a Dlink, Netgear, etc cable/dsl router with NAT) with no additional 
cost to my monthly internet - and I will start switching over networks...

Yes, I am joking, but the point being that _currently_ NAT serves a purpose; 
is supported by lots and lots of little boxes that customers can plug in, 
configure, and be on the net quickly and easily without having to know 
about all the firewall related stuff; and _does_ do all those neat stateful 
things for people that have absolutely no interest in knowing about, much less 
learning how to make work.

While I agree with the principle being discussed, would that many, many, many 
more cable in particular and dsl customers of Insert-Name-of-Large-ISP had 
such NAT boxes installed and maybe the rest of us would not be getting quite 
so much spam from hacked cable/dsl/whatever machines...

-- 
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]


RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread David Schwartz


> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
>
> > Owen DeLong [EMAIL PROTECTED] writes:
> > There's no security gain from not having real IPs on machines.
> > Any belief that there is results from a lack of understanding.
> >
> > This is one of those assertions that gets repeated so often people
> > are liable to start believing it's true :-).
>
> Maybe because it _IS_ true.
>
> > *No* security gain?  No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN?  Or to access a single, corporate Web site?
>
> Correct.  There's nothing you get from NAT in that respect that you do
> not get from good stateful inspection firewalls.  NONE whatsoever.

Sorry, Owen, but your argument is ridiculous. The original statement was
[t]here's no security gain from not having real IPs on machines. If
someone said, there's no security gain from locking your doors, would you
refute it by arguing that there's no security gain from locking your doors
that you don't get from posting armed guards round the clock?

DS

Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Jim Shankland

[EMAIL PROTECTED] writes:
> Let's not forget all the NAT boxes out there that are *perfectly*
> willing to let a system make an *outbound* connection.  So the user
> makes a first outbound connection to visit a web page, gets exploited,
> and the exploit then phones home to download more malware.
>
> Yeah, that NAT *should* be providing security, but as you point out,
> there's that big gap between should and is... :)

I will happily (well ...) further concede that NAT does not provide
*absolute* security.  Let me be the first to mention that NAT provides
precisely zero protection against:  Hey, kids, just download and
run this .EXE to see a cute cartoon of Santa dancing with a polar
bear :-).

Jim


Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Edward B. DREGER

JS Date: Mon, 04 Jun 2007 12:20:38 -0700
JS From: Jim Shankland

JS If what you meant to say is that NAT provides no security benefits
JS that can't also be provided by other means, then I completely

What Owen said is that [t]here's no security gain from not having real
IPs on machines.  That is a true statement.

Moreover...

Provider: We're seeing WormOfTheDay.W32 from 90.80.70.60.

Downstream: That's our firewall.

Provider: Chances are you have one or more compromised hosts behind
your firewall.

Downstream: But we have 150 workstations.  How do we find which 
one(s)?

Bonus points for finding downstreams who understand NIDS, monitor 
port, state mapping tables, et cetera. :-)

In the big picture, I submit that NAT *worsens* the security situation.  
Of course, the cost falls to other people -- a topic that inevitably 
launches a protracted thread.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
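The "state mapping tables" Eddy mentions are exactly what answers the downstream's question. As an added example (not code from the thread, and not any vendor's log format), the lookup below walks a constructed NAT session log and, given the external address the provider reported plus the time, names the inside host; a second query lists every inside host that opened a flow towards the worm's target port. The log format, the 10.20.30.x hosts and the destination addresses are all constructed for this illustration; 90.80.70.60 is the address from Eddy's dialogue.

```python
import re
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample of a NAT session log (hypothetical format; real boxes
# differ).  Note that external port 40123 is reused by a later translation.
NAT_LOG = """\
2007-06-04T13:50:02Z NAT-ADD proto=tcp in=10.20.30.41:49211 out=90.80.70.60:40123 dst=198.51.100.9:445
2007-06-04T13:51:10Z NAT-ADD proto=tcp in=10.20.30.88:51000 out=90.80.70.60:40124 dst=198.51.100.9:445
2007-06-04T13:52:45Z NAT-DEL proto=tcp in=10.20.30.41:49211 out=90.80.70.60:40123 dst=198.51.100.9:445
2007-06-04T13:53:30Z NAT-ADD proto=tcp in=10.20.30.41:49300 out=90.80.70.60:40123 dst=203.0.113.77:445
"""

LINE = re.compile(r"(\S+) NAT-(ADD|DEL) proto=(\w+) in=(\S+) out=(\S+) dst=(\S+)")

def parse(log):
    """Yield (timestamp, op, inside, outside, dst) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:                                  # skip unrelated log lines
            ts, op, _proto, inside, outside, dst = m.groups()
            yield datetime.strptime(ts, FMT), op, inside, outside, dst

def who_was_behind(log, reported_out, reported_dst, when):
    """Inside host:port whose translation reported_out -> reported_dst was live
    at 'when' (ISO timestamp).  The time matters: external ports get reused,
    so the port alone identifies nothing."""
    when, live = datetime.strptime(when, FMT), {}   # live: (out, dst) -> inside
    for ts, op, inside, outside, dst in parse(log):
        if ts > when:
            break                              # log is chronological
        key = (outside, dst)
        if op == "ADD":
            live[key] = inside
        elif live.get(key) == inside:
            del live[key]
    return live.get((reported_out, reported_dst))

def hosts_talking_to(log, dst_port):
    """Inside IPs that opened any translation towards dst_port: the first
    candidate list when the provider only reports the worm's target port."""
    return {inside.rsplit(":", 1)[0]
            for _ts, op, inside, _out, dst in parse(log)
            if op == "ADD" and dst.endswith(":%d" % dst_port)}
```

Without the timestamp the second query is the best a downstream can do, which is the ambiguity Eddy's 150-workstation example is pointing at.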


Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

2007-06-04 Thread Owen DeLong


On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:

> > On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> >
> > > Owen DeLong [EMAIL PROTECTED] writes:
> > > There's no security gain from not having real IPs on machines.
> > > Any belief that there is results from a lack of understanding.
> > >
> > > This is one of those assertions that gets repeated so often people
> > > are liable to start believing it's true :-).
> >
> > Maybe because it _IS_ true.
> >
> > > *No* security gain?  No protection against port scans from Bucharest?
> > > No protection for a machine that is used in practice only on the
> > > local, office LAN?  Or to access a single, corporate Web site?
> >
> > Correct.  There's nothing you get from NAT in that respect that you do
> > not get from good stateful inspection firewalls.  NONE whatsoever.
>
> Sorry, Owen, but your argument is ridiculous. The original statement was
> [t]here's no security gain from not having real IPs on machines. If
> someone said, there's no security gain from locking your doors, would you
> refute it by arguing that there's no security gain from locking your doors
> that you don't get from posting armed guards round the clock?


Except that's not the argument.  The argument would map better to:

There's no security gain from having a screen door in front of your
door with a lock and dead-bolt on it that you don't get from a door
with a lock and dead-bolt on it.

I posit that a screen door does not provide any security. A lock and
deadbolt provide some security.  NAT/PAT is a screen door.
Not having public addresses is a screen door.  A stateful inspection
firewall is a lock and deadbolt.

Owen