On Mon, Feb 19, 2024 at 6:02 AM Howard, Lee <leehow...@hilcostreambank.com> wrote:
> Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are
> configured so that once there is an outbound flow, an inbound datagram to
> that address+port will be forwarded to the inside address, regardless of
> source.

Hi Lee,

Yes, they do that to help with NAT traversal. This allows two hosts behind
separate NATs to establish direct communication with the help of an external
server in the establishment phase. The flip side is that your internal hosts
are limited to 65k established connections between them or the firewall
exhausts its available ports. Without full cone, the number of translations
that NAT can do is bounded only by its available RAM.

> NAPT just increases the size of the space to scan: just dump your crafted
> packets to every address + every port at your target.

Not quite. Full cone slightly reduces NAT's positive security impact. But
only slightly. An external source can poke at an internal host on the
specific port where the internal host has established an outbound
connection, but it can't poke the internal host on any other ports where
services might actually be running and waiting for connections.

> FWIW, the other enterprise IT security hole I often see: if your VPN is
> IPv6-unaware, but your users have IPv6 at home (like most in the U.S.),
> your VPN is now split-tunnel, regardless of policy. You may think all your
> packets are going through the VPN to be inspected by the corporate
> firewall, but any web site with IPv6 (about half) will use the local
> residential route, not the VPN.

Yep. Folks who built their security for remote users around the idea of
preventing split-tunnels have done the job so very wrong.

Another fun thing you can do in Linux is run the VPN software inside a
network namespace. The VPN happily takes over the namespace and any software
you run inside the namespace, but the rest of the host remains on the public
Internet. You can also run the VPN in a VM that shares mounts and clipboard
with the host.

Regards,
Bill Herrin

>
> Lee
>

--
William Herrin
b...@herrin.us
https://bill.herrin.us/
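The two NAT behaviours discussed above, as an added toy model that is not code from either poster: a full-cone NAT keys its mapping on the internal (address, port) only, so an unrelated external host can reach that one mapped port but nothing else, and every distinct internal socket consumes one external port; a per-flow (symmetric) NAT keys on the whole flow, forwards inbound datagrams only from the peer the flow was opened to, and can reuse an external port for flows toward different peers. All addresses, ports and the pool size are constructed for the demonstration.

```python
"""Toy model contrasting a full-cone NAT with a per-flow (symmetric) NAT.

Added example, not code from the mailing-list thread. Addresses, ports and
the NAT classes are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

PUBLIC_IP = "203.0.113.1"  # constructed: the NAT's external address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class FullConeNAT:
    """Mapping keyed on the internal (ip, port) only. Once an inside host has
    sent from that socket, any external source can reach it through the
    allocated external port, and each distinct inside socket burns one
    external port no matter how many peers it talks to."""

    def __init__(self, ports: Iterable[int]):
        self.ports = list(ports)  # external ports still free
        self.out_map = {}         # (int_ip, int_port) -> ext_port
        self.in_map = {}          # ext_port -> (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            if not self.ports:
                return None       # port pool exhausted: no translation
            ext = self.ports.pop(0)
            self.out_map[key] = ext
            self.in_map[ext] = key
        return Packet(PUBLIC_IP, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self.in_map.get(pkt.dst_port)
        if target is None:
            return None           # no mapping on that external port: dropped
        return Packet(pkt.src_ip, pkt.src_port, *target)


class SymmetricNAT:
    """Mapping keyed on the whole flow (inside socket + remote socket). An
    inbound datagram is forwarded only from the peer the flow was opened to,
    and one external port can be reused for flows toward different peers."""

    def __init__(self, ports: Iterable[int]):
        self.ports = list(ports)
        self.flows = {}    # (int_ip, int_port, rem_ip, rem_port) -> ext_port
        self.reverse = {}  # (ext_port, rem_ip, rem_port) -> (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:
            peer = (pkt.dst_ip, pkt.dst_port)
            busy = {p for (p, ip, port) in self.reverse if (ip, port) == peer}
            ext = next((p for p in self.ports if p not in busy), None)
            if ext is None:
                return None       # every port already in use toward this peer
            self.flows[key] = ext
            self.reverse[(ext, *peer)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, self.flows[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None           # not from the flow's peer: dropped
        return Packet(pkt.src_ip, pkt.src_port, *target)


def unsolicited_inbound(nat) -> dict:
    """One inside host opens a flow; an unrelated external host then sends to
    the mapped external port and to a different, unmapped port. Returns which
    of the two the NAT forwarded inside."""
    inside = Packet("10.0.0.5", 40000, "198.51.100.7", 443)  # constructed
    translated = nat.outbound(inside)
    probe_mapped = Packet("192.0.2.9", 12345, PUBLIC_IP, translated.src_port)
    probe_other = Packet("192.0.2.9", 12345, PUBLIC_IP, 22)
    return {
        "mapped_port_reached": nat.inbound(probe_mapped) is not None,
        "other_port_reached": nat.inbound(probe_other) is not None,
    }


def flows_before_exhaustion(nat, max_hosts: int) -> int:
    """Each inside host opens one flow to its own distinct peer. Returns how
    many flows translated before the NAT refused one (max_hosts if none)."""
    for i in range(max_hosts):
        pkt = Packet(f"10.0.0.{i + 1}", 5000, f"198.51.100.{i + 1}", 443)
        if nat.outbound(pkt) is None:
            return i
    return max_hosts


if __name__ == "__main__":
    pool = range(1024, 1028)  # a four-port pool keeps the exhaustion visible
    for cls in (FullConeNAT, SymmetricNAT):
        print(cls.__name__, unsolicited_inbound(cls(pool)),
              "flows before exhaustion:", flows_before_exhaustion(cls(pool), 10))
```

With the four-port pool, the full-cone NAT forwards the probe to the mapped port (and nothing to port 22) and refuses the fifth inside host, while the symmetric NAT drops both probes and keeps translating because each new flow goes to a different peer. The model ignores mapping timeouts and address-restricted variants; it exists only to make the port-exposure and port-consumption difference concrete.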
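A defender-side check for the IPv6 split-tunnel problem Lee describes, added here as an example and not code from either poster or any VPN product: on a Linux client, parse `ip -6 route` output and report whether the preferred IPv6 default route leaves through an interface other than the VPN's. The route lines are constructed in the format that command prints, and the VPN interface name `tun0` is an assumption.

```python
"""Check whether a Linux VPN client's IPv6 default route bypasses the VPN.

Added example, not code from the mailing-list thread. The route lines below
are constructed in the format printed by `ip -6 route`; the VPN interface
name (tun0) is an assumption.
"""
import re

# Linux installs IPv6 routes with metric 1024 when none is specified.
DEFAULT_METRIC = 1024

# Handles plain "prefix [via gw] dev ifname ... [metric N]" lines only;
# special routes such as "unreachable default ..." are skipped.
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)"
    r"(?:.*? metric (?P<metric>\d+))?"
)

# Constructed sample: the VPN on tun0 carries only IPv4, while the home
# router's router advertisements installed an IPv6 default route on wlan0.
SAMPLE_ROUTES = """\
2001:db8:1::/64 dev wlan0 proto kernel metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

# Same host after the VPN client also installs an IPv6 default with a
# lower metric than the router-advertised one.
SAMPLE_ROUTES_FIXED = SAMPLE_ROUTES + "default dev tun0 metric 50 pref medium\n"


def parse_routes(text: str) -> list:
    """Parse `ip -6 route` style lines into dicts; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "dst": m["dst"],
                "dev": m["dev"],
                "metric": int(m["metric"]) if m["metric"] else DEFAULT_METRIC,
            })
    return routes


def ipv6_default_leaks(routes: list, vpn_dev: str) -> dict:
    """Report whether the preferred IPv6 default route leaves via a non-VPN
    interface. With no IPv6 default route at all, nothing can leak."""
    defaults = [r for r in routes if r["dst"] == "default"]
    if not defaults:
        return {"leak": False, "via": None}
    best = min(defaults, key=lambda r: r["metric"])  # lowest metric is preferred
    return {"leak": best["dev"] != vpn_dev, "via": best["dev"]}


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_ROUTES), ("after", SAMPLE_ROUTES_FIXED)):
        print(label, ipv6_default_leaks(parse_routes(text), "tun0"))
```

On a real client, feed the check the live output of `ip -6 route` and run it each time the VPN comes up. A "leak: True" result with the VPN connected means IPv6 destinations take the residential path exactly as Lee describes; the fix is either an IPv6 default route through the tunnel or no usable IPv6 default route at all (the check treats an absent default as not leaking, so a client that blackholes IPv6 passes). Policy routing and per-interface `disable_ipv6` settings are outside what the route table alone shows.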