At 09:20 23/02/01 +1030, Ben Nagy wrote:
>I'd argue that, in theory, it also doesn't help you any less. I'm more or
>less happy to use just NAT for low threat sites. I usually configure
>filtering rules as well, but they're only there to keep me in the habit.

Does NAT block an inbound packet going to 10.1.2.3 (assuming this is
a private address)? Unless you have an implicit filtering rule, it won't.
I guess that you have a default filtering rule that blocks inbound
packets that are not part of a NAT session. In which case, the packet
is blocked by the filter part of the implementation, not by the NAT part.

I'd say that NAT provides 2 security related functions:
1- address hiding
This is the original "subject". It is a security measure, but a weak one.
You can happily live without it.

2- session management
This is the same as using a stateful filter provided you implement the correct
filtering rule (if your vendor is smart, they are implicit, but it's not 
always the case)

>But that's not an argument against NAT - it's an argument against bad code.
>FTP is always going to be a stupid protocol, and people are always going to
>have to do stupid things to get it to work. FTP has led to people making
>errors in NAT, packet filters and ALGs.

ftp is certainly one of those protocols you just wanna hit on the head, but
NAT also breaks other protocols (or at least introduces some problems).
In particular, NAT doesn't go well with protocols that use encapsulation
(either in IP or in UDP packets) or that rely on address authentication.
See RFC3027 (complications of NAT).

While these complications are mostly important when a silly ISP installs a
NAT box for their clients (which should be prohibited by law!!), and less
important to not important at all for corporate networks, they are still of
some concern in "theory". RSIP seems to be a better solution, but we'll have
to wait a long time...

>You should install more ALG style firewalls, then. ;)

agreed. Note that some problems that affect NAT also affect ALGs. As an
example, you can't have as many rlogin sessions as you want (given the priv
port limitation), whether you use NAT or an ALG.

>(There's nothing inherently bad about the firewall accepting packets
>destined to itself)

agreed.

>[snip]

>I'm not picking on you here, but this argument has come up a few times
>before, and people tend to fire off their "NAT is not secure" opinions
>knowing that they're accepted wisdom.
>
>Well, nobody has ever proved it to me, so I _don't_ accept it. ;)

I'd say that NAT is:
- good for what it was designed for (conversion of addresses to allow
  "routability")
- helpful for what it happens to (addr hiding & session mgmt)
- bad for what it breaks (or makes harder)
- unuseful for everything else.

but this applies to anything!


cheers,
mouss

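The distinction drawn above (the NAT part never drops an unsolicited packet to 10.1.2.3; only the filtering rule does) written out as an nftables ruleset. This is an added example, not part of the thread; the interface names eth0 (outside) and eth1 (inside) and the 10.1.2.0/24 inside range are assumptions.

```nft
# Added example (not from the thread): a "NAT only" box next to a box that
# also has the explicit stateful filtering rule. Assumed names: eth0 = outside,
# eth1 = inside, 10.1.2.0/24 = private range behind the box.

# --- Weak: address hiding only ---------------------------------------------
# Outbound traffic is masqueraded, but there is no forward chain at all, so
# with ip_forward=1 the kernel forwards an inbound packet addressed directly
# to 10.1.2.3 as long as it has a route to it. The NAT table never "blocks"
# anything; it only rewrites the packets it matches.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}

# --- Fixed: the same NAT plus the filtering rule the thread talks about ----
# The forward chain's default policy is drop. The two accept rules are the
# "session management" part: replies to sessions the inside opened, and new
# sessions only in the inside -> outside direction.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        # replies and related traffic for sessions the inside already opened
        ct state established,related accept
        # new sessions may only be opened from the inside toward the outside
        iifname "eth1" oifname "eth0" ct state new accept
        # an outside packet addressed to 10.1.2.3 matches nothing above and is
        # dropped by the chain policy, with or without the NAT table present
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`; `nft list ruleset` shows what is actually in effect.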