From: itojun(_at_)itojun(_dot_)org [mailto:itojun(_at_)itojun(_dot_)org]
Its not exactly a surprise, folk seem to place a higher premium on
shooting NAT than anything else. Meanwhile the vast majority of
residential broadband access is behind NAT.
And from a security point I want to see as much NAT as possible.
Without NAT we would be in a much worse situation security
wise than we
are today. NAT is a blunt instrument but it shuts down
connects. And that is such a good thing from the point of view of
stopping propagation of network worms.
a few points. IPv6 technology really needs to be demystified.
you do not have to rewrite IP address to ensure that there's no
inbound connections. you just have to have a packet
watches/drops TCP SYN or whatever alike. if you do not
address space to serve your enterprise, it is a good
reason to use
My point here is that the principal objection being raised to NAT, the
limitation on network connectivity is precisely the reason why it is beneficial.
There is no other device that can provide me with a lightweight firewall for
you have RFC3041
and other tricky systems, your system will have higher
having implementation bugs (violation of KISS principle).
Same can be said of IPv6.
We have a lot of really good ways of avoiding issues we don't like: complexity,
accessibility, limited access in third world countries.
Unless the arguments are applied consistently they should not be made at all.
Otherwise they just become special pleading.
even if you stop all inbound connections, malicious
controls HTTP/whatever servers can inject your end node
any kind of
crufted TCP options, which might cause buffer overflow
As I told Bruce Schneier after his silly IPSEC and Certification Authority
papers, security is risk control, not risk elimination.
It is not helpful to criticise a security measure that empirically offers a
high degree of security for failing to address cases it is not designed to deal
with. An HTTP server behind a NAT box is no HTTP server and thus no threat.
In a full default deny infrastructure I can allow the HTTP server external
access and deal with issues such as HTTP server corruption by requiring the
HTTP server to run in an isolated O/S partition so that compromise of the
server cannot lead to compromise of the host.
spam, phishing and botnet are independent from
presense/absense of NAT.
I can shut down 95% of existing botnets using reverse firewalls. I have yet to
find a legitimate network use with an access pattern that remotely resembles
the access patern of a production botnet.
The approach I propose in the dotCrime Manifesto is that by default the newtork
access point throttles outgoing SYN and DNS requests to some large number that
is well short of the needs of spammers, DDoS SYN flooding etc.
OSes have to be secured by default, that's all.
Linux is ten million odd lines of code. When you have more than a million lines
of code you can be certain that at least 50% of the people working on it were
below average in talent. Vista is ten times bigger.
We simply don't know how to build a secure operating system today.
heavy use of firewall/
NAT have propagated "false sense of security" inside enterprise
The 'security through obscurity' argument is bogus.
Back in the early 1990s people were arguing AGAINST the use of shaddow
passwords in UNIX on the grounds that they give a 'false sense of security'.
I agree that most enterprises have an exagerated idea of what perimeter
security can do for them, but that does not mean that the solution is to drop
all the firewalls. That is not what is being discussed when people are talking
network, and therefore, many of end systems within
enterprise are very
vulnerable to attacks. the most common attack vector
these days are
laptops owned by people like IETFers (goes in and out
or VPN-connected laptops, which carry worms. so, many
end node firewall systems ("fire suit" in the old
if your end node operating systems are secure by
default, you do not
need those end node firewall systems and/or keep
There is no individual security control that cannot be trumped. Host based
security can be disabled if the host is compromised. We don't yet have the
trustworthy systems we need to prevent that attack.
There is no individual security control that cannot be trumped, but we can
deploy combinations of security controls that make it very much harder for an
attacker to succeed.
Ietf mailing list