On Apr 23, 2010, at 10:16 AM, Matthew Kaufman wrote:

> Jack Bates wrote:
>> Matthew Kaufman wrote:
>>> But none of this does what NAT does for a big enterprise, which is to *hide internal topology*. Yes, addressing the privacy concerns that come from using lower-64-bits-derived-from-MAC-address is required, but it is also necessary (for some organizations) to make it impossible to tell that this host is on the same subnet as that other host, as that would expose information like which host you might want to attack in order to get access to the financial or medical records, as well as whether or not the executive floor is where these interesting website hits came from.
>>
>> Which is why some firewalls already support NAT for IPv6 in some form or fashion. These same firewalls will also usually have layer 7 proxy/filtering support as well. The concerns and breakage of a corporate network are extreme compared to non-corporate networks.
>
> Agreed on the last point. And I'm following up mostly because I've received quite a few private messages that resulted from folks interpreting "hide internal topology" as "block access to internal topology" (which can be done with filters). What I mean when I say "hide internal topology" is that a passive observer on the outside, looking at something like web server access logs, cannot tell how many subnets are inside the corporation or which accesses come from which subnets. (And preferably, cannot tell whether or not two different accesses came from the same host or different hosts simply by examining the IP addresses... but yes, application-level cooperation -- in the form of a browser which keeps cookies, as an example -- can again expose that type of information)
>
> So can TCP fingerprinting and several other techniques.
Finally, the belief that hiding the number of subnets or which hosts share subnets is a meaningful enhancement to security is dubious at best.

Owen
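An added example, not part of the thread or anyone's code in it: a small Python audit an operator can run over their own web access log to measure the two exposures Matthew describes above, how many /64 subnets the source addresses reveal and how many interface identifiers are MAC-derived (modified EUI-64, the ff:fe marker in bytes 11 and 12) rather than privacy addresses. The log lines are constructed sample data in documentation address space; the log format is assumed to be combined-log style with the client address as the first field.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source addresses as an outside observer would see them in
# a web server access log. 2001:db8::/32 is documentation space, not real hosts.
SAMPLE_LOG = """\
2001:db8:1:10:211:22ff:fe33:4455 - - [23/Apr/2010:10:16:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1:10:211:22ff:fe33:4455 - - [23/Apr/2010:10:16:09 +0000] "GET /a HTTP/1.1" 200 77
2001:db8:1:10:1c5f:9a0e:77b2:3d11 - - [23/Apr/2010:10:17:30 +0000] "GET /b HTTP/1.1" 200 88
2001:db8:1:20:211:22ff:fe33:9999 - - [23/Apr/2010:10:18:02 +0000] "GET /c HTTP/1.1" 200 99
2001:db8:1:20:8c4a:1f3e:2b7d:a91 - - [23/Apr/2010:10:18:40 +0000] "GET /d HTTP/1.1" 200 11
"""


def is_eui64(addr):
    """True if the interface identifier looks MAC-derived (modified EUI-64):
    the 64-bit IID is OUI || ff fe || NIC-specific, so bytes 11 and 12 of the
    16-byte address are 0xff 0xfe. Accepts a string or an IPv6Address."""
    packed = ipaddress.IPv6Address(str(addr)).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def topology_exposure(log_text):
    """Group the IPv6 client addresses in an access log by /64 prefix, which is
    exactly the grouping a passive observer can do, and report per prefix how
    many distinct hosts were seen and how many used MAC-derived identifiers.
    Non-IPv6 and malformed first fields are skipped."""
    subnets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split()[0]
        try:
            addr = ipaddress.IPv6Address(src)
        except ValueError:
            continue  # IPv4 client or garbage; not relevant to this audit
        # strict=False masks the host bits so we get the subnet prefix itself.
        prefix = ipaddress.IPv6Network((addr, 64), strict=False)
        subnets[str(prefix)].add(addr)

    return {
        prefix: {
            "hosts": len(hosts),
            "eui64_hosts": sum(1 for h in hosts if is_eui64(h)),
        }
        for prefix, hosts in subnets.items()
    }


if __name__ == "__main__":
    for prefix, info in topology_exposure(SAMPLE_LOG).items():
        print(prefix, info)
```

On the sample this reports two /64 prefixes with two hosts each, one of them MAC-derived in each subnet; in a real audit, a high `eui64_hosts` count is the signal that privacy addresses are not deployed, and the prefix count is what topology hiding would have to conceal.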