Keith,

Whether NAT is a useful discriminator or NOT is rather irrelevant (though I happen to find it a useful one).... the point is the Network Administrator and company security policy IS a useful security discriminator in determining what applications are valuable or not...and THEY can determine whether the benefits of NAT outweigh the costs. NO ONE is arguing that NAT is a useful tool for EVERY network. I'm glad that there will be more alternatives available under IPv6 for people to use. However, that does NOT mean that for many of the people who currently use it that NAT is not currently useful and would not be so in future regardless of the other options available. Just because person X in their situation finds a particular tool more harmful than helpful is NOT a good argument for denying the tool's use to EVERYONE. Let the people who find the tool useful CHOOSE to use it (and live with the consequences of that choice) and those who don't, don't.

Furthermore, it's definitely NOT special-purpose networks that look to tightly limit the services that traverse the network boundary. That's a pretty significant goal in pretty much all corporate security. My company deals with A LOT of Fortune 1000 clients and almost every one which has had a security review as part of their vendor qualification process MANDATES NAT... not just in the ASP hosting environment...but even in the corporate networks of the vendors they deal with. Most of them even write it into their contracts as a specific contractual obligation of their vendor. If that is not enough, I simply refer you to PCI DSS v1.2. On most corporate networks I've seen...the recommended security standard has become not just DENY ALL IN but DENY ALL OUT and then poke open holes AS REQUIRED.

Your other argument doesn't make much sense to me. Yes, NAT protecting the private network from exposure may indeed "mask" the fact that the FW rules have been misconfigured.... in that sense it is doing its job as a compensating control. I'm pretty sure that almost any network admin is going to be happier discovering that flaw in a routine audit of their FW config rather than discovering it because of an ACTUAL breach....I'm almost certain the business owners whose assets are being protected would be. That's the whole point of compensating controls.

Note, when I'm speaking here...I'm really addressing the utility of NAT from the perspective of employing it at the edge of private networks....particularly corporate enterprise or non-profit organization networks. You might label these as "special-purpose" networks...but I really wouldn't. In these instances, the end users do NOT rightfully have the expectation to run any old application they may choose or want and have it work. They are specifically utilizing assets (including the computers they happen to be sitting at) that are NOT owned or controlled by them.... and they are doing so in the capacity as paid representatives of the organization whose assets they are utilizing. Under such circumstances it IS incumbent upon them to use only such applications that are provided and authorized for them by the (tightly controlled) company technology policy.... and if they DO have a need which is not currently being met...the appropriate thing for them to do is to bring it up with the organization's IT department and let the responsible managers there weigh the costs and benefits of various tools and come up with a solution. That's pretty much how things are SUPPOSED to work in the corporate IT world.

As has been pointed out to me by someone.... the issue is far more problematic if you're dealing with something like an ISP which is supposed to be providing general purpose connectivity to its consumers. Under those circumstances, the use of NAT would be far more problematic.... but that is a very different scenario than the one I am describing.

Christopher Engel

-----Original Message-----
From: Keith Moore [mailto:[email protected]]
Sent: Monday, November 02, 2009 2:35 PM
To: Chris Engel
Cc: '[email protected]'
Subject: Re: [nat66] Necessity for NAT remains in IPv6

I always find it amusing when a network administrator effectively says "I want to be able to use NAT to cripple my network so that valuable applications cannot run on it". The fact is that NAT is not a useful discriminator between valuable and harmful applications. Whether NAT breaks an application has nothing to do with the legitimacy or utility of that application. In my experience, NAT is detrimental to security because it makes it much more difficult to trace security breaches.

In the example you cite where the NAT provides an "insurance policy" backup to a misconfigured firewall, another way to look at what's happening is that the NAT is masking the fact that the firewall is misconfigured -- and perhaps, permitting breaches that would not be permitted were the firewall properly configured.

I agree that NAT can be useful to an ASP in managing the mapping between external address and internal hardware. I see this as a corner case rather than an argument for the general utility of NAT.

And in general, if you are running a special-purpose network whose only purpose is to provide a very small and well-identified, specific set of services, NAT might work just fine for you. But most networks aren't like that. The whole idea of IP is to allow a network to support a broad range of services, and NATs are detrimental to that in almost every way.

Keith

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
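The edge policy Chris describes (DENY ALL IN, DENY ALL OUT, holes poked only as required), carried over to an IPv6 edge with no NAT in front of it, as an added example that is not from the thread or either author: an nftables ruleset with a drop default on every chain and one explicit allow per sanctioned service. The interface names and the 2001:db8::/32 prefixes, resolver, proxy and web host addresses are assumed placeholders.

```nftables
# Added example, not from the nat66 thread. Interface names and the
# 2001:db8::/32 addresses are placeholders; adjust to the real topology.
table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # IPv6 needs neighbour discovery even on a deny-all edge
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        # management access to the firewall itself, from the admin prefix only
        iifname "lan0" ip6 saddr 2001:db8:1:10::/64 tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # path MTU discovery must survive the deny-all policy
        icmpv6 type { packet-too-big, echo-request } accept
        # inbound hole: the one published service on the DMZ web host
        iifname "wan0" oifname "dmz0" ip6 daddr 2001:db8:2::10 tcp dport 443 accept
        # outbound holes from the LAN: DNS to the internal resolver, web only via the proxy
        iifname "lan0" oifname "dmz0" ip6 daddr 2001:db8:2::53 meta l4proto { tcp, udp } th dport 53 accept
        iifname "lan0" oifname "dmz0" ip6 daddr 2001:db8:2::80 tcp dport 3128 accept
        # the resolver and proxy are the only hosts allowed to reach the Internet directly
        iifname "dmz0" oifname "wan0" ip6 saddr 2001:db8:2::53 meta l4proto { tcp, udp } th dport 53 accept
        iifname "dmz0" oifname "wan0" ip6 saddr 2001:db8:2::80 tcp dport { 80, 443 } accept
        # anything else, including direct LAN-to-WAN traffic, is logged and then dropped
        # by the chain policy, so a wrong rule shows up in the audit, not in a breach
        limit rate 10/minute log prefix "edge-fwd-drop "
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request } accept
        # the firewall's own DNS and NTP, pinned to the internal resolver and time source
        ip6 daddr 2001:db8:2::53 meta l4proto { tcp, udp } th dport 53 accept
        ip6 daddr 2001:db8:2::123 udp dport 123 accept
    }
}
```

With globally routable inside addresses nothing masks an over-broad allow rule, so the logged forward drops are what turn a misconfiguration into an audit finding rather than an exposure.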
