From: itojun(_at_)itojun(_dot_)org [mailto:itojun(_at_)itojun(_dot_)org]
Its not exactly a surprise, folk seem to place a higher premium on
shooting NAT than anything else. Meanwhile the vast majority of
residential broadband access is behind NAT.
And from a security point I want to see as much NAT as possible.
Without NAT we would be in a much worse situation security
wise than we
are today. NAT is a blunt instrument but it shuts down
inbound server
connects. And that is such a good thing from the point of view of
stopping propagation of network worms.
(snip)
a few points. IPv6 technology really needs to be demystified.
you do not have to rewrite IP address to ensure that there's no
inbound connections. you just have to have a packet
filter which
watches/drops TCP SYN or whatever alike. if you do not
have enough
address space to serve your enterprise, it is a good
reason to use
IPv6 :-)
My point here is that the principal objection being raised to NAT, the
limitation on network connectivity is precisely the reason why it is beneficial.
There is no other device that can provide me with a lightweight firewall for
$50.
if
you have RFC3041
and other tricky systems, your system will have higher
likelyhood of
having implementation bugs (violation of KISS principle).
Same can be said of IPv6.
We have a lot of really good ways of avoiding issues we don't like: complexity,
accessibility, limited access in third world countries.
Unless the arguments are applied consistently they should not be made at all.
Otherwise they just become special pleading.
even if you stop all inbound connections, malicious
parties which
controls HTTP/whatever servers can inject your end node
any kind of
crufted TCP options, which might cause buffer overflow
(DoS/privilege
user hijacking).
As I told Bruce Schneier after his silly IPSEC and Certification Authority
papers, security is risk control, not risk elimination.
It is not helpful to criticise a security measure that empirically offers a
high degree of security for failing to address cases it is not designed to deal
with. An HTTP server behind a NAT box is no HTTP server and thus no threat.
In a full default deny infrastructure I can allow the HTTP server external
access and deal with issues such as HTTP server corruption by requiring the
HTTP server to run in an isolated O/S partition so that compromise of the
server cannot lead to compromise of the host.
spam, phishing and botnet are independent from
presense/absense of NAT.
I can shut down 95% of existing botnets using reverse firewalls. I have yet to
find a legitimate network use with an access pattern that remotely resembles
the access patern of a production botnet.
The approach I propose in the dotCrime Manifesto is that by default the newtork
access point throttles outgoing SYN and DNS requests to some large number that
is well short of the needs of spammers, DDoS SYN flooding etc.
OSes have to be secured by default, that's all.
Linux is ten million odd lines of code. When you have more than a million lines
of code you can be certain that at least 50% of the people working on it were
below average in talent. Vista is ten times bigger.
We simply don't know how to build a secure operating system today.
heavy use of firewall/
NAT have propagated "false sense of security" inside enterprise
The 'security through obscurity' argument is bogus.
Back in the early 1990s people were arguing AGAINST the use of shaddow
passwords in UNIX on the grounds that they give a 'false sense of security'.
I agree that most enterprises have an exagerated idea of what perimeter
security can do for them, but that does not mean that the solution is to drop
all the firewalls. That is not what is being discussed when people are talking
about deperimeterization.
network, and therefore, many of end systems within
enterprise are very
vulnerable to attacks. the most common attack vector
these days are
laptops owned by people like IETFers (goes in and out
of enterprise)
or VPN-connected laptops, which carry worms. so, many
people purchase
end node firewall systems ("fire suit" in the old
terminology), but,
if your end node operating systems are secure by
default, you do not
need those end node firewall systems and/or keep
upgrading signature
files.
There is no individual security control that cannot be trumped. Host based
security can be disabled if the host is compromised. We don't yet have the
trustworthy systems we need to prevent that attack.
There is no individual security control that cannot be trumped, but we can
deploy combinations of security controls that make it very much harder for an
attacker to succeed.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf