North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: mh (RE: OMB: IPv6 by June 2008)

  • From: Fred Baker
  • Date: Fri Jul 08 13:37:43 2005
  • Iim-sig: v:"1.1"; h:"imail.cisco.com"; d:"cisco.com"; z:"home"; m:"krs";t:"1120843981.830515"; x:"432200"; a:"rsa-sha1"; b:"nofws:1238";e:"Iw=="; n:"sQYarK2E51MdcTiUqeif3F7cWdxIfoCiXhdfb9vD5ee/j0jXL15gbFxF2p""XIweAblu0N6XAgK7k+wrbr7bQDJaCDqOmzqpRUBjIRQAXQ7NzadpmR3pUL6wxaRUtW+c43sl9jC""50Qg1sXHpPjt8Y+Y16ioyQAQAdSunM4YhevURc=";s:"M8GVvq90Pq8bEVVnZupEqych0g3I5/5QSz86AuIT0BhWeLJeUFLskWeCpDdKqU+dba21Q36r""2Mg1/1+VVw+mc9M9gmben8DCHS3vomGeIwBlffTHN6uixXBBVV4Z3d75g4bRtKpTkY8mv7XTZ0E""MtpCZjC2xVa7tG9xy9oAycGQ=";c:"From: Fred Baker <fred@cisco.com>";c:"Subject: Re: mh (RE: OMB: IPv6 by June 2008)";c:"Date: Fri, 8 Jul 2005 10:34:02 -0700"
  • Iim-verify: s:"y"; v:"y"; r:"60"; h:"imail.cisco.com";c:"message from imail.cisco.com verified; "

On Jul 8, 2005, at 9:49 AM, Jay R. Ashworth wrote:
A machine behind a NAT box simply is not visible to the outside world, except for the protocols you tunnel to it, if any. This *has* to vastly reduce it's attack exposure.
It is true that the exposure is reduced, just as it is with a stateful firewall. The technical term for this is "security by obscurity". Being obscure, however, is not the same as being invisible or being protected. It just means that you're a little harder to hit. When a NAT sets up an association between an "inside" and "outside" address+port pair, that constitutes a bridge between the inside device and the outside world. There are ample attacks that are perpetrated through that association.

A NAT, in that context, is a stateful firewall that changes the addresses, which means that the end station cannot use IPSEC to ensure that it is still talking with the same system on the outside. It is able to use TLS, SSH, etc as transport layer solutions, but those are subject to attacks on TCP such as RST attacks, data insertion, acknowledge hacking, and so on, and SSH also has a windowing problem (on top of TCP's window, SSH has its own window, and in large delay*bandwidth product situations SSH's window is a performance limit). In other words, a NAT is a man-in-the-middle attack, or is a device that forces the end user to expose himself to man-in-the-middle attacks. A true stateful firewall that allows IPSEC end to end doesn't expose the user to those attacks.