ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: NAT/Proxy combinations

2005-08-29 00:31:20
from [Nicholas Staff] [Permanent Link] 

Basically, a NAT is just a simple and general-purpose way 

to  implement 

a proxy.


It does play the role of a proxy nobody has ordered and nobody does
even no it exists. So it does breake security by providing a
proxy that should bo be there in the first place.


I don't understand what you mean here?  NAT is going to have to be the
default gateway somewhere along the route path so whether manually
configured on the client, done via dhcp, or configured on a router, how is
it something that nobody has ordered?  Also it breaks security for whom (I
can see how it makes it tougher for the destination, but it sounds like you
are inferring it breaks security for the network using the NAT?).

I have comments/questions about your other remarks but I want to first make
sure we are talking about the same thing.

Thanks,
Nick



If you define "more secure" as "less likely that random 

packets will  be 

delivered": sure, put in as much stuff that makes everything less  
transparent as you can.


In fact it provides a loophole destroying every attept to 
security from
end to end.



Obviously this won't help against many popular attack 

vectors which  

prey upon the gullibility of the typical user, which mostly 

happen  over 

HTTP or through mail, which don't need a transparent  communication 
channel.


But it provides a great way to break into any established secure link.

Just wait for them to exchange passwords. Break the connection and do
your evil. Dont care any longer and let the connection drop to the
floor. NAT and windows will cope and nobody will ever see a trace in
their logs.



And please don't expect the IETF to make its protocols work 

through  

your multiple layers of NAT and proxies.



NAT was never designed for security. NAT was designed as a loophole.
That loophole has improved greatly over time.

All bad things said I would like to mention that a windows computer
wont stay long in the internet if you dont hide them behind NAT

It really does not make a difference wether you proxy on the NAT or
somewhere else except when you proxy after the NAT you proxy after
a proxy. You can replace several proxies by a tunnel through a
low speed data line. In fact that will break SSH wordbook attacks.
Just delay everything longer than the hacker probably waits

Regards,
Peter Dambier


-- 
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter(_at_)peter-dambier(_dot_)de
http://iason.site.voila.fr
http://www.kokoom.com/iason


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Appeal: Publication of draft-lyon-senderid-core-01 in conflict with referenced draft-schlitt-spf-classic-02, Scott W Brim
Next by Date:  Re: Revised Last Call: 'SSH Transport Layer Encryption Modes' to Proposed, Pekka Savola
Previous by Thread:  Re: NAT/Proxy combinations, Peter Dambier
Next by Thread:  Re: NAT/Proxy combinations, Brian E Carpenter
Indexes:  [Date] [Thread] [Top] [All Lists]