[ale] OT move to new Colo that wants to use NAT

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 10 12:00:47 EST 2008


On Mon, 2008-11-10 at 11:34 -0500, Jim Kinney wrote:
> I have always viewed NAT as a "Security through obscurity" TCP/IP
> process. It is not a good idea to view NAT as a security practice but
> as a way to gang up multiple unroutable IPs onto a single routable
> address.

	See, that's what NAT was designed for.  Mapping multiple addresses onto
a single public address.  Considering the number of very valuable,
perfectly legitimate protocols (like SIP and IPSec, amongst many) it
broke in the process (now requiring helper protocols, proxies, specialty
modules, new encapsulations, etc, etc), it's hard to credit it with
doing a very good job of that.  Be that as it may, it was NEVER designed
as a security product or really very much designed with security in
mind.

	There was a hack a while back that allowed someone to spoof a packet (I
think using source routing - another security plague) that ended up on
the NAT device that was then delivered to the private broadcast address.
Now, there was some legitimate debate back then about if that was an
implementation flaw, a bug, or a legitimate feature.  Just the fact that
the discussion even took place tells you that NAT was not designed with
security in mind.  It still isn't and the flaw in many NAT products that
facilitates the Kaminsky flaw illustrates that.  The NAT devices are
working perfectly fine and yet they negate security measures taken on
boxes behind them.

	NAT for security is using a hammer to drive a screw.  When all you have
is a hammer, all your problems look like a nail.

> Security is a process, not a product.

	Absolutely.  Part of that process is examining things critically and
not merely accepting the common wisdom, as well.

> On Mon, Nov 10, 2008 at 11:25 AM, Jim Popovitch <yahoo at jimpop.com> wrote:
>> 2008/11/10 Michael H. Warfield <mhw at wittsend.com>:
>>
>>> NAT provides no security that isn't present in a stateful firewall.
>>
>> So NAT does provide some level of security?
>>
>> I think you are making my point that NAT is a level of improved
>> security over a situation of no firewall and publicly accessible IPs
>> (common colo situation).
>>
>> -Jim P.
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
> 
> -- 
> James P. Kinney III
> 
> -- 
> This message has been scanned for viruses and 
> dangerous content by MailScanner, and is 
> believed to be clean. 
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
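A toy model of the two claims argued above: that the "protection" a NAT gives comes from its state table, which a stateful firewall keeps without rewriting anything, and that a NAT which hands out external ports sequentially undoes the source-port randomization resolvers adopted as the Kaminsky fix, even though the NAT itself is "working perfectly fine". This is an added example written for this page, not code from the thread or from any NAT product; the addresses, port range and allocation policies are constructed for the simulation.

```python
import random


class StatefulFirewall:
    """Minimal stateful packet filter: remembers outbound flows and admits only
    inbound packets that are the reverse of a remembered flow. No rewriting."""

    def __init__(self):
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        self.flows.add((src_ip, src_port, dst_ip, dst_port))
        return (src_ip, src_port, dst_ip, dst_port)  # packet passes unchanged

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        return (dst_ip, dst_port, src_ip, src_port) in self.flows


class SourceNat:
    """Toy symmetric source NAT (constructed model, not a real product).
    Each internal (ip, port, peer) flow is mapped to (public_ip, external_port).
    The external-port allocator is the security-relevant knob: 'sequential'
    mimics NAT devices that hand out the next free port in order, 'random'
    preserves whatever randomness the host behind it chose."""

    def __init__(self, public_ip, policy="sequential", seed=0):
        self.public_ip = public_ip
        self.policy = policy
        self.rng = random.Random(seed)
        self.next_port = 1024
        self.by_ext = {}   # ext_port -> (int_ip, int_port, dst_ip, dst_port)
        self.by_flow = {}  # (int_ip, int_port, dst_ip, dst_port) -> ext_port

    def _allocate(self):
        if self.policy == "sequential":
            while True:
                port = self.next_port
                self.next_port = 1024 if port == 65535 else port + 1
                if port not in self.by_ext:
                    return port
        while True:
            port = self.rng.randrange(1024, 65536)
            if port not in self.by_ext:
                return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            ext = self._allocate()
            self.by_ext[ext] = flow
            self.by_flow[flow] = ext
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the internal (ip, port) the packet is delivered to, or None."""
        if dst_ip != self.public_ip:
            return None
        flow = self.by_ext.get(dst_port)
        if flow is None:
            return None  # no mapping: unsolicited, dropped
        int_ip, int_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None  # mapped port but wrong peer: the state table drops it
        return (int_ip, int_port)


def inbound_filtering_compared():
    """Both devices admit the reply to a flow they recorded and drop anything
    else; the filtering is the state tracking, not the address rewriting."""
    public = "203.0.113.1"                    # constructed addresses
    host, peer, stranger = "10.0.0.5", "198.51.100.7", "192.0.2.9"
    fw, nat = StatefulFirewall(), SourceNat(public)
    fw.outbound(host, 40000, peer, 80)
    _, ext, _, _ = nat.outbound(host, 40000, peer, 80)
    return {
        "fw_admits_reply": fw.inbound(peer, 80, host, 40000),
        "fw_drops_unsolicited": not fw.inbound(peer, 80, host, 22),
        "nat_admits_reply": nat.inbound(peer, 80, public, ext) == (host, 40000),
        "nat_drops_unsolicited": nat.inbound(peer, 80, public, 22) is None,
        "nat_drops_wrong_peer": nat.inbound(stranger, 80, public, ext) is None,
    }


def predictability(ports):
    """Fraction of consecutive ports where the next is exactly previous + 1,
    i.e. how often one observed port tells you the next one."""
    hits = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    return hits / (len(ports) - 1)


def resolver_behind_nat(policy, queries=1000, seed=7):
    """A resolver randomizes its query source port; measure how predictable
    the ports are on the inside versus on the wire after the NAT."""
    rng = random.Random(seed)
    nat = SourceNat("203.0.113.1", policy=policy, seed=seed)
    resolver, nameserver = "10.0.0.53", "198.51.100.53"
    internal_ports = rng.sample(range(1024, 65536), queries)  # distinct, random
    wire_ports = [nat.outbound(resolver, p, nameserver, 53)[1] for p in internal_ports]
    return {"internal": predictability(internal_ports),
            "on_the_wire": predictability(wire_ports)}


if __name__ == "__main__":
    print(inbound_filtering_compared())
    for policy in ("sequential", "random"):
        print(policy, resolver_behind_nat(policy))
```

With the sequential allocator every outbound query gets the next port in line, so a resolver that carefully picked random ports still shows up on the wire as 1024, 1025, 1026, ...; with the random allocator the randomness survives. Either way the inbound checks come out identical to the plain stateful firewall's, which is the point of "no security that isn't present in a stateful firewall". When auditing a colo design that leans on NAT, the thing to verify is the device's port-allocation behaviour and state handling, not the mere presence of translation.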
