ietf
[Top] [All Lists]

Re: NAT/Proxy combinations

2005-08-29 05:01:08
Nicholas Staff wrote:
Basically, a NAT is just a simple and general-purpose way

to implement
a proxy.

It does play the role of a proxy nobody has ordered and nobody does
even no it exists. So it does breake security by providing a
proxy that should bo be there in the first place.


I don't understand what you mean here?  NAT is going to have to be the
default gateway somewhere along the route path so whether manually
configured on the client, done via dhcp, or configured on a router, how is
it something that nobody has ordered?

I think the statement refers to the fact that neither party to the
communication session that the NAT interferes with has ordered it.
Some network manager in the middle ordered it.

Also it breaks security for whom (I
can see how it makes it tougher for the destination, but it sounds like you
are inferring it breaks security for the network using the NAT?).

Exactly. It breaks IPSEC, or at best forces IPSEC into a UDP based kludge.

All this is explored in RFC 2993.

   Brian

I have comments/questions about your other remarks but I want to first make
sure we are talking about the same thing.

Thanks,
Nick


If you define "more secure" as "less likely that random

packets will be
delivered": sure, put in as much stuff that makes everything less transparent as you can.

In fact it provides a loophole destroying every attept to security from
end to end.


Obviously this won't help against many popular attack

vectors which
prey upon the gullibility of the typical user, which mostly

happen over
HTTP or through mail, which don't need a transparent communication channel.

But it provides a great way to break into any established secure link.

Just wait for them to exchange passwords. Break the connection and do
your evil. Dont care any longer and let the connection drop to the
floor. NAT and windows will cope and nobody will ever see a trace in
their logs.


And please don't expect the IETF to make its protocols work

through
your multiple layers of NAT and proxies.


NAT was never designed for security. NAT was designed as a loophole.
That loophole has improved greatly over time.

All bad things said I would like to mention that a windows computer
wont stay long in the internet if you dont hide them behind NAT

It really does not make a difference wether you proxy on the NAT or
somewhere else except when you proxy after the NAT you proxy after
a proxy. You can replace several proxies by a tunnel through a
low speed data line. In fact that will break SSH wordbook attacks.
Just delay everything longer than the hacker probably waits

Regards,
Peter Dambier


--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter(_at_)peter-dambier(_dot_)de
http://iason.site.voila.fr
http://www.kokoom.com/iason


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>