On Wed, Jan 12, 2011 at 12:16 PM, <valdis.kletni...@vt.edu> wrote: > On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said: >> In a client (rather than server) scenario, the picture is different. >> Depending on the specific "NAT" technology in use, the firewall may be >> incapable of selecting a target for unsolicited communications inbound >> from the public Internet. In fact, it may be theoretically impossible >> for it to do so. In those scenarios, the presence of NAT in the >> equation makes a large class of direct attacks on the interior host >> impractical, requiring the attacker to fall back on other methods like >> attempting to breach the firewall itself or indirectly polluting the >> responses to communication initiated by the internal host. > > Note that the presence of a firewall with a 'default deny' rule for inbound > packets provides the same level of impracticality.
Hi Valdis, There's actually a large difference between something that's impossible for a technology to do (even in theory), something that the technology has been programmed not to do and something that a technology is by default configured not to do. The hacker can't make the equipment do something impossible. He can only go around it, try a different attack vector. To push through something the technology has been programmed not to do, he needs to identify a suitable bug: hard but not quite impractical. As for default configurations... human error is a *major* part of the security equation. Identifying and exploiting configuration errors is a hacker's fertile hunting ground. On Wed, Jan 12, 2011 at 2:35 PM, Owen DeLong <o...@delong.com> wrote: > On Jan 12, 2011, at 9:36 AM, Jack Bates wrote: >> As my corp IT guy put it to me, PAT forces a routing disconnect >> between internal and external. There is no way to reach the hosts >> without the firewall performing it's NAT function. Given that the >> internal is exclusively PAT, the DMZ is public with stateful/proxy, >> this provides protection for the internal network while limiting the >> dmz exposure. > > The corp IT guy is delusional. The solution to the routing disconnect is > map+encap or tunnels. Logical fallacy, ad hominem: the sanity of Jack's IT guy is not at issue. Logical fallacy, straw man: that a security technology failed to close attack vectors it was not claimed to have closed makes no statement as to whether the tech blocked the attack vectors it did claim to block. The only technology which stops all possible network attack vectors is the off switch. Logical fallacy, circular reasoning: to bring your magic tunnels into existence, the firewall must have already been breached. Yet you claim the tunnels allow you to breach the firewall, allegedly proving that the PAT routing disconnect is a no-op. It took you only 17 words to get the trifecta. Congratulations, or something. On Wed, Jan 12, 2011 at 2:09 PM, Owen DeLong <o...@delong.com> wrote: > No, NAT doesn't provide additional security. The stateful inspection that > NAT cannot operate without provides the security. Take away the > address mangling and the stateful inspection still provides the same > level of security. When you'd care to offer a refutation of my explanation (above) of exactly how NAT impacts the security process beyond what the stateful inspection does, a refutation that doesn't involve a bunch of bald assertions, hand-waving and logical fallacies, you let me know. Perhaps the "security expert" you tell me you relied on when formulating your viewpoint could help you out with that? On Wed, Jan 12, 2011 at 2:21 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote: > There is a least one situation where NAT *does* provide a small amount of > necessary security. > > Try this at home, with/without NAT: > > 1. Buy a new PC with Windows installed > 2. Install all security patches needed since the OS was installed > > Without NAT, you're unpatched PC will get infected in less than 1 minute. Hi Paul, That doesn't really prove your point. Owen is correct that any reasonably configured firewall of any type would tend to prevent such infections. The different firewall types don't begin to exhibit a major difference in security effectiveness until you factor in the impact of human error in specific scenarios. Regards, Bill Herrin -- William D. Herrin ................ her...@dirtside.comĀ b...@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004