In message <[email protected]>, Owen DeLong writes:
>
> On Apr 20, 2010, at 6:34 PM, Karl Auer wrote:
>
> > On Tue, 2010-04-20 at 12:59 -0700, Owen DeLong wrote:
> >> On Apr 20, 2010, at 12:31 PM, Roger Marquis wrote:
> >>> NAT _always_ fails-closed
> >> Stateful Inspection can be implemented fail-closed.
> >
> > Not to take issue with either statement in particular, but I think there
> > needs to be some consideration of what "fail" means.
> >
> I believe we are talking about the case where some engineer fat-fingers
> a change and Roger's claim is that a stateful inspection without NAT
> box will permit unintended traffic while a NAT box will not.
>
> My claim is that the stateful inspection box can be implemented such
> that it has an equally secure set of failure modes for fat-fingering to
> a NAT+stateful inspection device.

Especially when the NAT/Router has an enable/disable NAT checkbox.

> > Reading through the security alerts from any vendor is a pretty sobering
> > process - stuff fails open more often than you might expect.
> >
> Yep.
>
> > So I think we should be very cautious about saying that things "fail
> > open" or "fail closed".
> >
> My point is not that they do or do not fail closed, but, that a well designed
> SI firewall will fail with the exact same security risks as a NAT device.
>
> > We should be especially cautious about it when the functionality we are
> > interested in is really no more than a happy side effect of some other
> > functionality. NAT's "security", to the extent that it exists at all, is
> > a side effect of what it is intended to do, which is translate and map
> > addresses.
> >
> IOW, All of NAT's security comes from the fact that it requires a state
> table, like stateful inspection.
>
> Owen
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
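An added example, not part of the thread or any participant's code: a toy Python model of the two devices under discussion, showing that unsolicited inbound traffic is dropped by the state-table lookup in both, and that each has a single setting whose mistaken change lets it through. The class names, the `default_inbound_accept` flag, the port-restricted NAT behaviour and the assumption that a box with NAT unchecked simply routes are all constructed for illustration; addresses are from documentation ranges.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    """Stateful inspection without NAT: inside hosts keep their own addresses."""
    default_inbound_accept: bool = False          # fail-closed design: default deny
    state: set = field(default_factory=set)

    def outbound(self, p):
        self.state.add((p.dst, p.dport, p.src, p.sport))   # remember the expected reply
        return p

    def inbound(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.state:
            return p                               # reply to a tracked flow
        return p if self.default_inbound_accept else None

@dataclass
class NatBox:
    """Port-restricted NAT; nat_enabled models the enable/disable checkbox."""
    public_ip: str
    nat_enabled: bool = True
    table: dict = field(default_factory=dict)      # (remote, rport, pub port) -> inside
    next_port: int = 40000

    def outbound(self, p):
        if not self.nat_enabled:
            return p                               # assumption: plain routing
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(p.dst, p.dport, port)] = (p.src, p.sport)
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        if not self.nat_enabled:
            return p                               # assumption: forwards like a router
        hit = self.table.get((p.src, p.sport, p.dport))
        return Packet(p.src, p.sport, *hit) if hit else None

def unsolicited_passes():
    """True where an unsolicited inbound probe (constructed sample) is forwarded."""
    to_host = Packet("203.0.113.9", 4444, "198.51.100.10", 22)
    to_nat = Packet("203.0.113.9", 4444, "192.0.2.1", 22)
    return {
        "si_default_deny": StatefulFirewall().inbound(to_host) is not None,
        "nat_enabled": NatBox("192.0.2.1").inbound(to_nat) is not None,
        "si_fat_fingered": StatefulFirewall(True).inbound(to_host) is not None,
        "nat_unchecked": NatBox("192.0.2.1", False).inbound(to_host) is not None,
    }
```
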

