[LINK] www.ipv6.org.au/summit

Kim Holburn kim.holburn at gmail.com
Mon Sep 1 00:46:43 AEST 2008


On 2008/Aug/31, at 1:48 PM, Karl Auer wrote:
> On Sun, 2008-08-31 at 10:59 +0200, Kim Holburn wrote:
>>> A NAT [...] essentially provides a packet filter that says
>> "allow established, block everything else".
>>
>> Not true.  A packet comes in saying source (internet IP:port 80)
>> (target IP of NAT box: port 3300).  The router has to know which
>> private host to route that to.  It must have some state information
>> to do that.
>
> I said "essentially". Meaning "not really, but effectively the same as".
> An inbound packet that is not mapped in the NAT tables gets dropped. A
> packet that is mapped in the NAT tables is forwarded to the appropriate
> machine. How does a mapping happen? When the internal machine makes a
> connection to the outside world. Hence "allow established". Yes, NAT
> does maintain state (the mappings).
>
>> There are also privacy considerations here.  With a NAT router you are
>> not advertising what's on your network to even your own ISP.
>
> Nor does a packet filter. There is one difference: The source addresses
> of your machines are known IFF they make connections to the outside
> world.

If there's no NAT the source addresses are already known.  They are  
the IP addresses around your IP.  They are constantly being probed.

> That makes it not one whit easier to attack them.

Well there's several considerations there.  The nice thing about  
modern commodity router/firewalls is that they are incredibly easy to  
configure and maintain in a reasonably secure way.  You can plug stuff  
in to your home network and get a DHCP address etc etc, all built in.   
Actually it's really a server and firewall.  If you're talking about a  
packet filter as a consumer commodity I really can't see how you could  
get that sort of ease of installation and maintenance.  For instance  
DHCP from your ISP can't configure an internal IP range automatically  
on your packet filtering router, you would have to configure the IP  
range manually and the CIDR mask etc, way beyond the capability of  
most homes.  Organising a valid network range with your ISP would be  
much more difficult than getting a dynamic IP address.   Getting the  
WAN port to connect is usually too much for most people and that's the  
easy part and the only part you really need to tinker with on most  
modem/firewalls.  If home devices were not to connect outside, say to  
a DHCP server in your ISP you would have to have a DHCP server in your  
packet filter router (and now a server too).  You would still have  
constraints on the public IP range, which of course is how this thread  
started.  It may be that you can do all this in some kind of packet  
filtering commodity IPv6 packet filtering router but I haven't seen it  
yet.  I think that the combination of NAT and IP address limitations  
mean that a NAT commodity firewall with almost unlimited private  
address space is the sweet spot at the moment for security and ease of  
use.

The problem is that these are not simple technical considerations,  
these are resource and knowledge considerations.  Big companies have  
expert staff to configure their routers, most consumers don't.

>> A simple packet filter lets someone on the other side of the world
>> know and target your (let's say) fridge with a public IP.  There is no
>> way public router will route a private address, so no way an external
>> machine can target your fridge.
>
> Does your fridge make connections to the outside world? If so, its
> address can be known. But it is attackable only if the packet filter
> allows new connections through to it, which it presumably won't ("allow
> established, block all others").
>
>> Yes but if a NAT router fails, it's still not going to let packets in
>> from a public to a private address space.  A home router with a
>> stateless packet filter is orders of magnitude dumber.
>
> When things fail, they fail. How can you assume that the failure mode of
> your NAT will not deliver translated packets? Failure is failure. Quite
> frankly, we are talking angels on the head of a pin here. Neither NAT
> nor a packet filter is remotely likely to fail in the ways you are
> suggesting.
>
> I mentioned nothing about a stateless packet filter, though to do what
> NAT does as a side effect that's all you'd need. If someone crafts a
> response to a non-existent TCP session, the receiving host will drop it
> anyway.
>
>> We're talking about a consumer device which needs a reasonably
>> knowledgeable installer.  There be dangerous shoals indeed!
>
> Just as with NAT and port forwarding. No major difference there.
> However, in 99% of cases the defaults will work fine, as they do now.
>
>> In an ideal world all operating systems would protect themselves
>> against viruses and network intrusions out of the box.  A good
>> multilevel security approach.  Unfortunately in the real world the
>> majority of them don't.  They run windows for a start.
>
> Neither NAT nor packet filters can protect against viruses. Packet
> filters *can* ameliorate the effects of (say) zombification, by blocking
> outbound stuff.

Firewalls, routers are just one layer of defence against malware.   
Sure many attacks now are designed to get around firewalls because  
they are being deployed a lot and they are effective.  If you don't  
have a firewall you are subject to an enormous number of network  
attacks and probes.

Any kind of security strategy has to be multilayer and that includes  
firewalls and individual machine security.  Any computer out of the  
box should be able to survive on the internet.  If it can't it's not  
fit-for-purpose.  Since the major OS for most of the computers  
currently on the internet is apparently not fit-for-purpose our next  
best defence is a hardware firewall ie a commodity router/firewall/ 
modem and they have been remarkably successful.

>> Many, many machines are behind various kinds of firewalls.  Firewalls
>> that protect their internal networks in a myriad of ways.  How is this
>> different to a world of NATs?  Just because you have an ideological
>> preference for an open internet (which I have in many ways) doesn't
>> mean that it's currently practical or that what we have now is like
>> that.
>
> Hang on - ideological? After several messages giving my clear technical
> reasoning about why NAT does not provide meaningful security and is not
> needed except for address multiplexing? And did I say anything about an
> open Internet?
>
> My point in all this has been simple: NAT does not offer any security
> benefit that you can't have with a simpler, cheaper, faster packet
> filter. NAT does one thing - multiplexes a single address to many. As
> soon as you don't need that, you don't need NAT[1].

I agree that in the case say of a Govt Dept or a University or Large  
Company where there are almost unlimited IP addresses and serious  
network expertise there is little difference.  My point is that none  
of this is available to most home users.  Their best option is a NAT  
firewall.

> A world of NATs is very different to a world of firewalls. A firewall is
> WAY more complicated than NAT. In stark contrast to NAT, a properly
> configured firewall can provide genuine security benefits.

Actually several commodity routers/firewalls I've looked at lately run  
linux and are quite sophisticated servers and firewalls.  I think they  
can provide quite as much security as any good firewall (except  
without a trained firewall admin).  I don't see a lot of difference  
between a router and a firewall really, although companies who make  
big dedicated routers and big dedicated firewalls may say differently.

For real security you need an IDS/IPS and someone to maintain it.  I  
don't believe that a firewall can really do anything like an IDS.  An  
IDS can pick up someone downloading a trojan from a dodgy website or a  
trojaned machine calling home.  It's not available as a consumer item  
yet though.

> Regards, K.
>
> [1] NAT as we know it, that is. NAT as a general technique has other
> uses, like mapping internal IPv6 addresses to IPv4 addresses to allow a
> pure IPv6 network to talk to the IPv4 Internet.


<rant>
There should be no reason why any program you download off the  
internet should have access to all your data and resources, let alone  
the resources of the entire machine or operating system.  Users, even  
computer savvy users, often simply do not have enough information to  
decide questions computers ask them about security.  Some or all of  
this needs to be handled by the computer or the OS itself.
</rant>

Of course this is an evolutionary process and advances in security  
will inevitably result in advances in sophistication of attacks.

Kim
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
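The two mechanisms argued over in this message, as an added toy model that is not part of the original thread: a stateful packet filter and a NAT box both keep a table of flows opened from the inside and drop any inbound packet that matches none of them, while the NAT also rewrites addresses and ports, which is why it cannot work without that state. All addresses, ports and the starting public port 3300 are constructed values.

```python
# Added example (not from the thread): a stateful packet filter and a NAT
# box modelled side by side.  Both implement "allow established, block
# everything else" from a flow table filled by outbound traffic; the NAT
# additionally rewrites src address/port, so its mapping table IS its state.
from typing import Dict, NamedTuple, Optional, Set, Tuple

Packet = NamedTuple("Packet", [("src", str), ("sport", int), ("dst", str), ("dport", int)])

class StatefulFilter:
    """Forwards packets unchanged, but only replies to inside-initiated flows."""
    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> Packet:
        self.flows.add((p.src, p.sport, p.dst, p.dport))  # remember the flow
        return p

    def inbound(self, p: Packet) -> Optional[Packet]:
        # A legitimate reply has our inside host as dst and the peer as src.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return p
        return None                                       # unsolicited: dropped

class Nat:
    """Same policy as the filter, plus address/port rewriting (constructed IPs)."""
    def __init__(self, public_ip: str, first_port: int = 3300) -> None:
        self.public_ip, self.next_port = public_ip, first_port
        # public port -> (private ip, private port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        for pub, entry in self.table.items():       # reuse an existing mapping
            if entry == key:
                return Packet(self.public_ip, pub, p.dst, p.dport)
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[pub] = key                       # new mapping = new state
        return Packet(self.public_ip, pub, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Only packets to our public address with a mapped port can match.
        entry = self.table.get(p.dport) if p.dst == self.public_ip else None
        if entry is None or (p.src, p.sport) != entry[2:]:
            return None                             # no mapping or wrong peer: dropped
        return Packet(p.src, p.sport, entry[0], entry[1])  # translated back inside
```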
