
Re: NATs are NOT Firewalls

2003-06-19 01:18:19
At 01:34 AM 6/19/2003, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

On Thu, 19 Jun 2003 00:55:49 EDT, S Woodside said:
> On Wednesday, June 18, 2003, at 06:28  PM, Tomson Eric ((Yahoo.fr))
> wrote:
>
> > Now, the fact that masking the internal addresses to the external
> > world - so that internal hosts can initiate traffic to the outside,
> > but no external host can initiate traffic to the inside - brings some
> > basic security, is an interesting corollary, but not the primary
> > objective of a NAT.
>
> Is this just security through obscurity, or something better?

Security through obscurity. See Bellovin's paper on enumerating through a NAT.

Maybe YOU should read it, and explain how this is useful for attacking the hosts behind a NAPT box. The technique described in this paper uses variations in the IPid field as evidence of more than one host generating packets. Fine. So you plunk a box just upstream of the NAT box, and now you can determine how many ACTIVE hosts are talking to sites outside the NAPT box.

Since NAPT uses stateful inspection to operate, it only permits packets in to the private network in response to outbound packets. Sitting directly upstream of the NAPT box, you could try spoofing reply packets. This would work equally well for any stateful-inspection firewall.

So what is really at risk, described in Steve's paper? It is possible to determine if NAPT is in use, if the NAPT implementation is insufficiently careful in its handling of the IPid field (and likely most do allow analysis of this sort). In essence, Steve's paper provides useful information for improving NAPT implementations if anyone is worried about having upstreams learn of the presence of a NAPT box.

I reject your contention of NAPT as "security through obscurity."
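As an added illustration (not part of this thread or of Steve's paper): a toy model of the two NAPT behaviours discussed above. Two constructed inside hosts each fill the IPid field from their own counter; a NAPT that rewrites only the source address leaves those counters visible to an upstream tap, while one that also replaces IPid from its own generator does not. The address values, the simplified run-counting observer and the seeded generator are all assumptions made for the demo.

```python
from dataclasses import dataclass, replace
import random


@dataclass(frozen=True)
class Packet:
    src: str     # source address on the wire (constructed sample values)
    ip_id: int   # IPv4 Identification field, 16 bits


def host_stream(src, first_id, n):
    """Constructed traffic from one inside host whose stack fills ip_id
    from a per-host sequential counter (wrapping at 16 bits)."""
    return [Packet(src, (first_id + i) & 0xFFFF) for i in range(n)]


def interleave(a, b):
    """Alternate two hosts' packets, as a tap upstream of the NAPT sees them."""
    return [p for pair in zip(a, b) for p in pair]


def napt_leaky(packets, public="203.0.113.1"):
    """NAPT that rewrites only the source address; ip_id passes through."""
    return [replace(p, src=public) for p in packets]


def napt_rewrite_id(packets, public="203.0.113.1", seed=0):
    """NAPT that also replaces ip_id from its own generator (seeded here so
    the demo is repeatable; a real box would draw from a CSPRNG)."""
    rng = random.Random(seed)
    return [replace(p, src=public, ip_id=rng.randrange(0x10000)) for p in packets]


def estimate_counters(packets, slack=8):
    """Simplified observer: an ip_id that is a small forward step from a
    run's last value extends that run, anything else opens a new run.  The
    run count approximates the number of sequential counters (hosts) behind
    the address; 'slack' allows for packets the tap never sees."""
    runs = []  # last ip_id observed in each run
    for p in packets:
        for i, last in enumerate(runs):
            step = (p.ip_id - last) & 0xFFFF
            if 0 < step <= slack:
                runs[i] = p.ip_id
                break
        else:
            runs.append(p.ip_id)
    return len(runs)


SAMPLE = interleave(host_stream("10.0.0.11", 1000, 20),
                    host_stream("10.0.0.12", 40000, 20))

if __name__ == "__main__":
    print("leaky NAPT, counters inferred:", estimate_counters(napt_leaky(SAMPLE)))
    print("id-rewriting NAPT, counters inferred:", estimate_counters(napt_rewrite_id(SAMPLE)))
```

With the leaky box the observer infers two counters from the single public address; with IPid rewriting the inferred count is roughly one run per packet, carrying no information about the number of hosts.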
