[LINK] www.ipv6.org.au/summit

Kim Holburn kim at holburn.net
Tue Sep 2 18:57:01 AEST 2008


On 2008/Sep/02, at 9:49 AM, Karl Auer wrote:

> On Tue, 2008-09-02 at 08:58 +0200, Kim Holburn wrote:
>> remote reprogramming of firewalls.   So yes, you can't initiate a
>> contact into the network directly but you can use an internally
>> initiated contact to attack a machine and even then attack other
>> machines in that network.
>
> Yes. With or without NAT, as you say. However, these attacks happen
> further up the protocol stack; NAT is neither here nor there. Once you
> control a machine inside a network, most bets are off as far as border
> security, and *certainly* any microscopic amount of security that NAT
> might have added is gone.
>
>> A plain public network can
>> be probed over and over and the info collected, collated and stored.
>> No matter what protections the network has, someone getting in can
>> potentially have a lot of info about it.
>
> "Getting in"? Yes, if they can get in, but see above. As far as
> "probing", well, we keep hearing this, but it's irrelevant. People
> knowing what addresses you have does not matter. Really. It just does
> not matter. All the attacker has is a list of addresses.
>
>> There's nothing inherently wrong with security by obscurity.  It's a
>> good addition to any security and home users need everything they can
>> get.
>
> No. You say these things like they are written on tablets of stone, but
> there IS something inherently wrong with security by obscurity, in that
> the security vanishes like morning mist if the obscurity is ever lost,
> and worse, you may not even know that your security just vanished. You
> DON'T "need everything you can get" either - not if the cost of what you
> are getting outweighs the benefits.

Passwords, operating system exploits, they are all security by
obscurity and the same applies to them.  If someone successfully
attacks a system they may get all that plus you may not even know,
like the many bot-pwned machines in the botnets.

I can't see how the cost of additional security by obscurity outweighs
any benefits.  As long as you don't rely on it solely.

>> It also goes along with security by diversity which can have real
>> benefits.
>
> Again; diversity that costs you more than it benefits you is not worth
> having.
>
> Believing that NAT is part of in-depth security is akin to digging a
> shallow trench all around your house and insisting that it's improved
> your security because burglars might trip and fall and hobble off
> injured rather than robbing you. If you need the trench for, say,
> drainage, then sure, by all means take advantage of the "extra security"
> it offers. If you don't need the trench for any other reason, does it
> really make sense to dig it just for the security advantages? Of course
> not. Even a twenty-foot-deep trench with sharpened stakes at the bottom
> of it and covered with camouflage cloth has certain disadvantages which
> probably make it, on balance, not worth having.

Very colourful but NAT routers give what you call packet filtering
which you have extolled the virtues of so what is the problem?

> We have to have NAT because we are running out of IPv4 addresses, but as
> far as security goes it offers nothing worth having that can't be
> adequately handled by a packet filter - and a very simple one at that.
> So the disappearance of NAT which will almost inevitably accompany the
> uptake of IPv6 is no real loss.

As I have said, I don't agree that NAT is worthless, nor packet
filtering.  I doubt whether either will go away when IPv6 is taken up.

There are still the issues of resources and skilled staff that won't
go away, in fact will probably be even more of a problem with IPv6.

It is one thing to say that in a well designed and maintained network
NAT makes no difference to security, although I'm not sure whether it
doesn't have its place there too; it's another to say that the same
constraints apply to a badly set up and run network, a network set up
and run by people with little experience or knowledge.  Since the
majority of networks are probably increasingly going to be that sort
of network I think we will have to somehow build security into the
devices that run those networks.  For our own protection if nothing
else.

Kim
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
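The thread's point of contention is whether NAT adds anything that a simple stateful packet filter does not. The ruleset below is an added illustration, not part of the original post or anything either correspondent wrote: it is a minimal nftables configuration for an IPv6 border router that gives the "no unsolicited inbound connections" behaviour NAT provides as a side effect, with no address translation at all. Interface names (`lan0`, `wan0`) and the choice of nftables are assumptions for the example.

```nftables
# Added example (not from the mailing-list thread): stateful IPv6 border
# filter that replicates NAT's incidental "deny unsolicited inbound"
# property without translating any addresses. Interface names are assumed.
table inet border {
    chain input {
        # Traffic to the router itself: drop unless replying to something
        # the router started, or local/essential ICMPv6.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMPv6 is mandatory for IPv6 to function (NDP, PMTU discovery);
        # dropping it wholesale breaks connectivity, which NAT boxes also
        # have to get right.
        meta l4proto ipv6-icmp accept
    }

    chain forward {
        # Traffic between the LAN and the Internet: the LAN may originate
        # connections; the Internet may only answer them.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
        # Let ICMPv6 error messages (e.g. packet-too-big) reach LAN hosts.
        meta l4proto ipv6-icmp ct state new,established,related accept
    }
}
```

Loaded with `nft -f`, this gives every LAN host a globally routable address while still refusing any connection the LAN did not initiate. The caveats raised in the thread still hold: once a machine inside `lan0` is compromised, it can reach out and pull attackers in through the `established,related` rules exactly as it could behind NAT, so the filter is a perimeter control and nothing more.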
