> -----Original Message-----
> From: Reckhard, Tobias [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 22 February 2001 7:06
> To: Firewalls Mailing List (E-mail)
> Subject: RE: To NAT or not to NAT?
>
>
> > NAT, as a concept, offers fine security.
> >
> NAT is a connectivity concept. The added security is a side-effect. IMHO,
> NAT definitely does not add *fine* security. IMHO, it doesn't help you any
> more than a stateful packet filter.
I'd argue that, in theory, it also doesn't help you any less. I'm more or
less happy to use just NAT for low threat sites. I usually configure
filtering rules as well, but they're only there to keep me in the habit.
> > If you can't route to the internal
> > network, you can't reach the internal network.
> >
[...]
> both need special code to handle non-NAT-friendly protocols, such as FTP,
> etc. That's the first place that's compromisable.
But that's not an argument against NAT - it's an argument against bad code.
FTP is always going to be a stupid protocol, and people are always going to
have to do stupid things to get it to work. FTP has led to people making
errors in NAT, packet filters and ALGs.
> Additionally, most of the time NAT is performed on the firewall itself,
> which means that the firewall must accept packets destined to itself. I
> have a general creepy feeling about that...
You should install more ALG style firewalls, then. ;)
(There's nothing inherently bad about the firewall accepting packets
destined to itself)
> And there have been examples of NAT implementations being buggy
And SPFs aren't shipped buggy, right? C'mon. I _know_ you know better than
that.
> and subject to manipulation from the outside. Bottom line: NAT is a weak
> element of security.
None of your arguments support your conclusion here, sorry. You may as well
say that stateful filtering is a weak element of security.
Of course, if you _are_ saying that, I apologise, and agree.
> > On the other hand, using NAT
> > alone is a little like putting all your eggs in one basket
[...]
> This applies to any firewall
Exactly. Defence in depth.
However, I don't think you've provided any convincing arguments against the
security of NAT.
[...]
>
> Cheers,
> Tobias
I'm not picking on you here, but this argument has come up a few times
before, and people tend to fire off their "NAT is not secure" opinions
knowing that they're accepted wisdom.
Well, nobody has ever proved it to me, so I _don't_ accept it. ;)
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
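The equivalence Ben argues for above can be sketched in a toy model, added here and not part of the thread: a NAT-only gateway and a stateful packet filter each admit an inbound packet only when it matches a flow an inside host opened first, and each drops an active-mode FTP data connection unless an ALG adds the state. All addresses and ports are constructed.

```python
# Toy model (added illustration, not from the thread): a NAT-only gateway and a
# stateful packet filter both pass inbound traffic only for flows an inside
# host opened first. Addresses and ports below are constructed examples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatOnlyGateway:
    """NAT with no filter rules: inbound is delivered only via an existing mapping."""
    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000
    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:            # allocate a public port for a new flow
            self.table[key], self.next_port = self.next_port, self.next_port + 1
        return Packet(self.public_ip, self.table[key], pkt.dst, pkt.dport)
    def inbound(self, pkt):
        for (src, sport, dst, dport), pub in self.table.items():
            if (pkt.src, pkt.sport, pkt.dport) == (dst, dport, pub):
                return Packet(pkt.src, pkt.sport, src, sport)  # un-translate
        return None  # no mapping: inside address is unroutable, packet dropped

class StatefulFilter:
    """Routed (no translation), but only replies to recorded flows are accepted."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt
    def inbound(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if reverse in self.flows else None  # no state: dropped

def run_scenarios(gw):
    """Return (reply_passed, unsolicited_passed, ftp_active_data_passed)."""
    out = gw.outbound(Packet("10.0.0.5", 51000, "203.0.113.7", 21))  # FTP control
    reply = gw.inbound(Packet("203.0.113.7", 21, out.src, out.sport))
    unsolicited = gw.inbound(Packet("198.51.100.9", 4444, out.src, 22))
    # Active-mode FTP: the server opens a *new* connection from port 20 to the
    # client's data port. Without an ALG neither device holds matching state.
    ftp_data = gw.inbound(Packet("203.0.113.7", 20, out.src, 51001))
    return (reply is not None, unsolicited is not None, ftp_data is not None)
```

Both devices return the same triple, which is the sense in which NAT alone is no worse, and no better, than a stateful filter alone; the FTP case is the "special code" both sides of the thread refer to.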