[LACNIC/Seguridad] El NAT y la seguridad (Cross-post de la lista de NANOG)

Nicolás Ruiz nicolas en ula.ve
Jue Jun 7 12:27:41 BRT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hola Carlos:

Carlos M. Martinez wrote:
> Hola a todos,
> queria compartir con uds un post que hice en la lista de NANOG.
> Disculpas por que esta en Inglés. Mi interés es motivar la discusión
> sobre NAT y seguridad, discusión que cobra mucha fuerza con el
> advenimiento de IPv6

Yo tambien tengo una percepción negativa de NAT. En mi universidad,
donde hay un solo nivel de NAT, más de una vez hemos perdido el rastro
de equipos detrás de NAT que generan ataques: ocasionalmente algún
laboratorio NATeado es administrado por un profesor que no ejecuta
buenas prácticas.

Estamos trabajando por remover estos NAT dentro de la organización (y
remplazar el NAT por un stateful firewall).

> 
>> Hi,
>>
>> Valdis.Kletnieks en vt.edu wrote:
>>> I think somebody on this list mentioned that due to corporate acquisitions,
>>> there were legitimate paths between machines that traversed 5 or 6 NATs.
>>>
>> Not 5 or 6, but in my company I could show you paths with 4 NATs. Many of them. And no acquisitions, just different Divisions of the same company.
>>
>> I once spent three days trying to get the four administrators to talk among themselves and determine where a SYN flood was coming from. 
>>
>> Whatever people say, NAT is a hack. NAT was intended to extend IPv4's lifetime (togher with CIDR they were pretty successful at that) and nothing else.
>>
>> And as someone said it earlier, instead of promoting layer separation NAT it has promoted "protocol hacking hell". 
>>
>> Please, even the related PIX commands are named after they hackish nature:
>>
>> "fixup protocol dns"
>> "fixup protocol ftp"
>>
>> This completely destroys the end-to-end nature of application protocols! If someone wants to improve FTP or anything that requires a "fixup", it doesn't suffice to code a server and a client. No, you need to talk to 1.000sh firewall manufacturers so they correct their "fixups".
>>
>> Which they might or might not do, of course, depending on how they feel that particular day. Talk about vendor lock-in.
>>
>> In my view, this ossifies the whole Internet development cycle. 
>>
>> And the argument that NAT is easier to administer than a full SI firewall is pretty thin, even if it was true, about what I have my doubts. Moreover, not everything in life should be conditioned to the "easier to administer" argument. 
>>
>> Sorry about the rant :-)
>>
>> Carlos M.
>> ANTEL Uruguay
>>
>>> But yeah, "Sure, very easily".  Whatever you say...
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/seguridad
> 
> 

- --
A: Because it destroys the flow of conversation.
Q: Why is top posting dumb?
- --
Juan Nicolás Ruiz    | Corporación Parque Tecnológico de Mérida
                     | Centro de Cálculo Cientifico ULA
nicolas en ula.ve       | Avenida 4, Edif. Gral Masini, Ofic. B-32
+58-(0)274-252-4192  | Mérida - Edo. Mérida. Venezuela
PGP Key fingerprint = CDA7 9892 50F7 22F8 E379  08DA 9A3B 194B D641 C6FF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGaCPtmjsZS9ZBxv8RAv0qAKCLT29KelE7dTCNCvuTalv8LaLrmwCfXfYE
SPyyrgz7CUrtC4WLilYYsO0=
=ZiA/
-----END PGP SIGNATURE-----




Más información sobre la lista de distribución Seguridad