[LAC-TF] Fwd: Re: Is NAT can provide some kind of protection?

alejandro.acosta at bt.com alejandro.acosta at bt.com
Thu Jan 13 03:49:20 BRST 2011

It occurs to me that, if there is a panel at LACSEC, we could put forward as a discussion topic whether NAT/PAT increase the security of a network or a server. Many in the security field say they do not, some others say they do, etc. Others dislike them because of the troubleshooting and maintenance; in short, there are differing opinions.


From: lactf-bounces at lacnic.net [lactf-bounces at lacnic.net] On behalf of Fernando Gont [fernando at gont.com.ar]
Sent: Wednesday, 12 January 2011 13:30
To: Discussion list for network and computer systems security in the region
CC: lactf at lac.ipv6tf.org
Subject: [LAC-TF] Fwd: Re: Is NAT can provide some kind of protection?


It is rare that reading an email makes me happy. Kudos to Jack. :-)

-------- Original Message --------
Subject: Re: Is NAT can provide some kind of protection?
Date: Wed, 12 Jan 2011 11:36:48 -0600
From: Jack Bates <jbates at brightok.net>
To: George Bonser <gbonser at seven.com>
CC: Fernando Gont <fernando at gont.com.ar>, nanog at nanog.org

On 1/12/2011 11:21 AM, George Bonser wrote:
> PAT makes little sense to me for v6, but I suspect you are correct.  In
> addition, we are putting the "fire suit" on each host in addition to the
> firewall. Kernel firewall rules on each host for the *nix boxen.

As my corp IT guy put it to me, PAT forces a routing disconnect between
internal and external. There is no way to reach the hosts without the
firewall performing its NAT function. Given that the internal is
exclusively PAT, the DMZ is public with stateful/proxy, this provides
protection for the internal network while limiting the DMZ exposure.

The argument everyone makes is that a stateful firewall defaults to
deny. However, a single mistake prior to the deny allows traffic in. The
only equivalent in a PAT scenario is to screw up port forwarding which
would cause a single host to expose a single port unknowingly per
mistake (which said port/host combo may not be vulnerable). In a
stateful firewall, a screw up could expose all ports on a host or
multiple hosts in a single mistake.

Then there are the firewall software bugs. In PAT, such bugs don't
suddenly expose all your hosts behind the firewall for direct
communication from the outside world. In v6 stateful firewall, such a
bug could allow circumvention of the entire firewall ruleset and the
hosts would be directly addressable from the outside.

PAT offers the smallest of security safeguards. However, many corp IT
personnel feel more secure having that small safeguard in place along
with the many other safeguards they deploy. In a corporate environment
where they often love to break everything and anything, I don't blame them.

Then we go to the educational sector, where the admins often prefer as
much openness as possible. In their case, they will prefer to do away
with PAT.
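As an added illustration (not part of the thread or anyone's deployed ruleset), the following first-match firewall model quantifies Jack's point about the blast radius of a single mistake: one overly broad accept in a v6 stateful ruleset versus one wrong port forward behind PAT. The prefixes, hosts, ports and rules are constructed; the model deliberately covers only unsolicited inbound reachability, not firewall software bugs.

```python
# Added example: compare how many (host, port) pairs one misconfiguration
# exposes under a v6 stateful filter versus a PAT gateway. All values are
# constructed for illustration.
from ipaddress import ip_address, ip_network

HOSTS_V6 = [f"2001:db8:1::{i}" for i in range(1, 6)]  # five globally routable hosts
HOSTS_V4 = [f"10.0.0.{i}" for i in range(1, 6)]       # five hosts behind PAT
PORTS = [22, 80, 443, 3389, 5900]                     # services listening on each


def exposed_stateful(rules, hosts=HOSTS_V6, ports=PORTS):
    """Hosts are directly addressable; each unsolicited inbound flow is
    decided by first match over rules of (prefix, port-or-None, verdict),
    with an implicit default deny. Returns the set of reachable pairs."""
    exposed = set()
    for host in hosts:
        for port in ports:
            for prefix, rule_port, verdict in rules:
                if ip_address(host) in ip_network(prefix) and rule_port in (None, port):
                    if verdict == "accept":
                        exposed.add((host, port))
                    break  # first match wins
    return exposed


def exposed_pat(forwards, hosts=HOSTS_V4, ports=PORTS):
    """Internal hosts have no external route; only an explicit forward
    external_port -> (host, port) creates a reachable pair."""
    return {(h, p) for (h, p) in forwards.values() if h in hosts and p in ports}


# Intended policy: only the web server's 443 is reachable, then default deny.
GOOD_V6 = [("2001:db8:1::1/128", 443, "accept")]
# One mistake: a broad "temporary" accept inserted ahead of the intended rules.
BAD_V6 = [("2001:db8:1::/64", None, "accept")] + GOOD_V6

# PAT equivalent: one intended forward, then one wrong extra forward.
GOOD_PAT = {443: ("10.0.0.1", 443)}
BAD_PAT = {443: ("10.0.0.1", 443), 3389: ("10.0.0.3", 3389)}


def blast_radius():
    """Count reachable (host, port) pairs in each scenario."""
    return {
        "stateful_ok": len(exposed_stateful(GOOD_V6)),        # 1
        "stateful_mistake": len(exposed_stateful(BAD_V6)),    # 25: every host, every port
        "pat_ok": len(exposed_pat(GOOD_PAT)),                 # 1
        "pat_mistake": len(exposed_pat(BAD_PAT)),             # 2: one extra host/port
    }
```

Reordering BAD_V6 so the broad accept sits after the deny would be the usual fix, which is exactly the ordering discipline a stateful ruleset depends on and a PAT forward table does not.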


LACTF mailing list
LACTF at lacnic.net