[LINK] www.ipv6.org.au/summit
Kim Holburn
kim.holburn at gmail.com
Mon Sep 1 00:46:43 AEST 2008
On 2008/Aug/31, at 1:48 PM, Karl Auer wrote:
> On Sun, 2008-08-31 at 10:59 +0200, Kim Holburn wrote:
>>> A NAT [...] essentially provides a packet filter that says
>>> "allow established, block everything else".
>>
>> Not true. A packet comes in saying source (internet IP:port 80)
>> (target IP of NAT box: port 3300). The router has to know which
>> private host to route that to. It must have some state information
>> to do that.
>
> I said "essentially". Meaning "not really, but effectively the same
> as". An inbound packet that is not mapped in the NAT tables gets
> dropped. A packet that is mapped in the NAT tables is forwarded to the
> appropriate machine. How does a mapping happen? When the internal
> machine makes a connection to the outside world. Hence "allow
> established". Yes, NAT does maintain state (the mappings).
>
>> There are also privacy considerations here. With a NAT router you
>> are not advertising what's on your network to even your own ISP.
>
> Nor does a packet filter. There is one difference: The source
> addresses of your machines are known IFF they make connections to the
> outside world.
If there's no NAT the source addresses are already known. They are
the IP addresses around your IP. They are constantly being probed.
> That makes it not one whit easier to attack them.
Well there's several considerations there. The nice thing about
modern commodity router/firewalls is that they are incredibly easy to
configure and maintain in a reasonably secure way. You can plug stuff
in to your home network and get a DHCP address etc etc, all built in.
Actually it's really a server and firewall. If you're talking about a
packet filter as a consumer commodity I really can't see how you could
get that sort of ease of installation and maintenance. For instance
DHCP from your ISP can't configure an internal IP range automatically
on your packet filtering router, you would have to configure the IP
range manually and the CIDR mask etc, way beyond the capability of
most homes. Organising a valid network range with your ISP would be
much more difficult than getting a dynamic IP address. Getting the
WAN port to connect is usually too much for most people and that's the
easy part and the only part you really need to tinker with on most
modem/firewalls. If home devices were not to connect outside, say to
a DHCP server in your ISP you would have to have a DHCP server in your
packet filter router (and now a server too). You would still have
constraints on the public IP range, which of course is how this thread
started. It may be that you can do all this in some kind of packet
filtering commodity IPv6 packet filtering router but I haven't seen it
yet. I think that the combination of NAT and IP address limitations
mean that a NAT commodity firewall with almost unlimited private
address space is the sweet spot at the moment for security and ease of
use.
The problem is that these are not simple technical considerations,
these are resource and knowledge considerations. Big companies have
expert staff to configure their routers, most consumers don't.
>> A simple packet filter lets someone on the other side of the world
>> know and target your (let's say) fridge with a public IP. There is
>> no way a public router will route a private address, so no way an
>> external machine can target your fridge.
>
> Does your fridge make connections to the outside world? If so, its
> address can be known. But it is attackable only if the packet filter
> allows new connections through to it, which it presumably won't
> ("allow established, block all others").
>
>> Yes but if a NAT router fails, it's still not going to let packets in
>> from a public to a private address space. A home router with a
>> stateless packet filter is orders of magnitude dumber.
>
> When things fail, they fail. How can you assume that the failure
> mode of your NAT will not deliver translated packets? Failure is
> failure. Quite frankly, we are talking angels on the head of a pin
> here. Neither NAT nor a packet filter is remotely likely to fail in
> the ways you are suggesting.
>
> I mentioned nothing about a stateless packet filter, though to do what
> NAT does as a side effect that's all you'd need. If someone crafts a
> response to a non-existent TCP session, the receiving host will drop
> it anyway.
>
>> We're talking
>> about a consumer device which needs a reasonably knowledgeable
>> installer. There be dangerous shoals indeed!
>
> Just as with NAT and port forwarding. No major difference there.
> However, in 99% of cases the defaults will work fine, as they do now.
>
>> In an ideal world all operating systems would protect themselves
>> against viruses and network intrusions out of the box. A good
>> multilevel security approach. Unfortunately in the real world the
>> majority of them don't. They run Windows for a start.
>
> Neither NAT nor packet filters can protect against viruses. Packet
> filters *can* ameliorate the effects of (say) zombification, by
> blocking outbound stuff.
Firewalls, routers are just one layer of defence against malware.
Sure many attacks now are designed to get around firewalls because
they are being deployed a lot and they are effective. If you don't
have a firewall you are subject to an enormous number of network
attacks and probes.
Any kind of security strategy has to be multilayer and that includes
firewalls and individual machine security. Any computer out of the
box should be able to survive on the internet. If it can't it's not
fit-for-purpose. Since the major OS for most of the computers
currently on the internet is apparently not fit-for-purpose our next
best defence is a hardware firewall, i.e. a commodity
router/firewall/modem, and they have been remarkably successful.
>> Many, many machines are behind various kinds of firewalls. Firewalls
>> that protect their internal networks in a myriad of ways. How is
>> this different to a world of NATs? Just because you have an
>> ideological preference for an open internet (which I have in many
>> ways) doesn't mean that it's currently practical or that what we have
>> now is like that.
>
> Hang on - ideological? After several messages giving my clear
> technical reasoning about why NAT does not provide meaningful security
> and is not needed except for address multiplexing? And did I say
> anything about an open Internet?
>
> My point in all this has been simple: NAT does not offer any security
> benefit that you can't have with a simpler, cheaper, faster packet
> filter. NAT does one thing - multiplexes a single address to many. As
> soon as you don't need that, you don't need NAT[1].
I agree that in the case say of a Govt Dept or a University or Large
Company where there are almost unlimited IP addresses and serious
network expertise there is little difference. My point is that none
of this is available to most home users. Their best option is a NAT
firewall.
> A world of NATs is very different to a world of firewalls. A
> firewall is WAY more complicated than NAT. In stark contrast to NAT, a
> properly configured firewall can provide genuine security benefits.
Actually several commodity routers/firewalls I've looked at lately run
Linux and are quite sophisticated servers and firewalls. I think they
can provide quite as much security as any good firewall (except
without a trained firewall admin). I don't see a lot of difference
between a router and a firewall really, although companies who make
big dedicated routers and big dedicated firewalls may say differently.
For real security you need an IDS/IPS and someone to maintain it. I
don't believe that a firewall can really do anything like an IDS. An
IDS can pick up someone downloading a trojan from a dodgy website or a
trojaned machine calling home. It's not available as a consumer item
yet though.
> Regards, K.
>
> [1] NAT as we know it, that is. NAT as a general technique has other
> uses, like mapping internal IPv6 addresses to IPv4 addresses to
> allow a pure IPv6 network to talk to the IPv4 Internet.
<rant>
There should be no reason why any program you download off the
internet should have access to all your data and resources, let alone
the resources of the entire machine or operating system. Users, even
computer savvy users, often simply do not have enough information to
decide questions computers ask them about security. Some or all of
this needs to be handled by the computer or the OS itself.
</rant>
Of course this is an evolutionary process and advances in security
will inevitably result in advances in sophistication of attacks.
Kim
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
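The exchange above turns on whether a NAT's mapping table and a stateful "allow established, block everything else" filter behave the same way at the edge. The following Python model is an added illustration, not code from this post or from anyone on the list: it builds a toy port-overloading NAT (a NAPT with its mapping table, as Karl describes) and a toy stateful filter with no translation, and drives both through the same constructed packets. All addresses, ports and packet contents are constructed for the example.

```python
"""Toy model of the two mechanisms debated in the thread: a port-overloading
NAT (NAPT) with its mapping table, and a stateful packet filter that only
implements "allow established, block everything else". Both are driven
through the same constructed packets so the outcomes can be compared.
Added example, not code from the list post; addresses and ports are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """NAPT box: an outbound flow allocates a public port and records the
    mapping; an inbound packet is rewritten to the inside host only if it
    matches a recorded mapping (remote address and port included)."""

    def __init__(self, public_ip, first_port=3300):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (in_ip, in_port, remote_ip, remote_port) -> public port
        self.in_map = {}   # (public port, remote_ip, remote_port) -> (in_ip, in_port)

    def send_out(self, pkt):
        """Translate an outbound packet, creating state on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def receive(self, pkt):
        """Translated packet for the inside host, or None when dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # a private address is never the target of a public packet
        inside = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # no mapping: the "block everything else" case
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class StatefulFilter:
    """No address translation; the inside host holds a public address.
    Return traffic is allowed only for flows the inside host opened."""

    def __init__(self):
        self.established = set()

    def send_out(self, pkt):
        self.established.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def receive(self, pkt):
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return pkt if key in self.established else None


def run_scenario(box, inside_ip, reachable_ip):
    """Drive a box through the same events and record what gets through.
    inside_ip: the address the inside host sends from.
    reachable_ip: the address an outsider aims at (the NAT's public
    address, or the host itself when there is no NAT)."""
    results = {}
    # 1. Unsolicited inbound probe before any state exists.
    probe = Packet("198.51.100.9", 4444, reachable_ip, 80)
    results["unsolicited_probe"] = box.receive(probe) is not None
    # 2. The inside host opens a connection to a web server.
    out = box.send_out(Packet(inside_ip, 51000, "192.0.2.10", 80))
    # 3. The server replies to whatever source the outside world saw.
    reply = Packet("192.0.2.10", 80, out.src_ip, out.src_port)
    delivered = box.receive(reply)
    results["reply"] = delivered is not None and delivered.dst_ip == inside_ip
    # 4. A third party forges a "reply" aimed at the same port.
    forged = Packet("198.51.100.9", 80, out.src_ip, out.src_port)
    results["forged_reply"] = box.receive(forged) is not None
    return results


def compare():
    """Run both boxes; returns (NAPT results, stateful-filter results)."""
    nat = run_scenario(Napt("203.0.113.1"), "10.0.0.7", "203.0.113.1")
    flt = run_scenario(StatefulFilter(), "203.0.113.7", "203.0.113.7")
    return nat, flt


if __name__ == "__main__":
    nat, flt = compare()
    for name, r in (("NAPT", nat), ("stateful filter", flt)):
        print(name, r)
    print("same externally visible behaviour:", nat == flt)
```

Both boxes drop the unsolicited probe, pass the genuine reply, and drop the forged one, which is the equivalence Karl argues for; the NAT gets there only by consulting the `in_map` state it built on the outbound packet, which is the point Kim makes about state. The model assumes the strictest mapping behaviour (the mapping is keyed on the remote address and port too); a NAT that filters on the public port alone would hand the forged packet to the inside host, so the exact filtering behaviour of a consumer box, not the presence of translation, is what decides what reaches the inside.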