[ale] OT move to new Colo that wants to use NAT

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 10 10:29:04 EST 2008


On Mon, 2008-11-10 at 09:26 -0500, Jim Popovitch wrote:
> 2008/11/10 Michael H. Warfield <mhw at wittsend.com>:
> >        Getting PI (Provider Independent) allocations out of ARIN is extremely
> > difficult and going to get more so.  I believe at one time you could not
> > get anything smaller than a /19 (i.e. you could not get a /20 from ARIN
> > directly).  That's 8192 addresses.  If you can not justify the immediate
> > use and application of a very sizable portion of that allocation you
> > will not get it.
> >
> >        This situation is going to get much worse.  Current predicted runout of
> > IPv4 addresses is now projected to be sometime in 2010 to 2011.  It's
> > just been announced that the final, last 5, IPv4 /8 blocks from IANA
> > have been allocated to the regional registrars, one to each RIR (ARIN,
> > RIPE, APNIC, LACNIC, AFRINIC).  That's it folks, no more, they're all
> > gone from IANA.  Now as ARIN runs down their allocations, they're going
> > to get tighter and tighter on their policy because the IANA well is now
> > dry.  They can't get any more, themselves.
> 
> Good point.  All those NAT'ed /8's should give them up. ;-)
> 
> >> IMHO, their move to do this is both good and bad.  Good because it
> >> protects the idiots who lease systems they don't know how to secure,
> >> bad because it removes capabilities that quality technical folks need.
> >
> >        NAT provides no security.  That's a total myth.

> Not true.   It all depends on the NAT config.   If you are port
> forwarding every port, well of course it's no better.   But if you are
> only fwd'ing port 80 to a NAT'ed IIS server on Win2K....

	Is true.  NAT provides no security that isn't present in a stateful
firewall.  The ports that are not forwarded by the NAT are equally not
forwarded by the stateful firewall.  The address translation is
irrelevant to the security.  It's the stateful connection tracking and
that's at the core of each.  They are functionally equivalent with no
advantage to the NAT.

> > Private address space != secure.

> Correct, but private address space != insecure.

	Private address space is no more secure nor less secure than global
unicast addresses.

	I was able to track the Witty worm very closely and, due to a quirk in
its behavior (it had a constant source port), it was uniquely able to
show when it had gotten behind NAT devices (the source port varied).
Less than 10 seconds after the onset of the worm, we were detecting
infestations behind multiple NAT devices.  Nobody was able to
definitively say HOW these occurred but the fact remained that they did
occur and they occurred very rapidly.
 
> > That's been proven by multiple break-ins and trojans
> > with reverse shells for years.  The only security that comes from NAT

> Wait! I thought there was no security in NAT?

	Finish the sentence...  What is there doesn't come from the NAT per se
but from the firewall which is intrinsic to the NAT device.

> > derives purely from its connection state machine which is the same
> > thing in a stateful firewall.  The address translation itself provides
> > no additional security only a false sense of security to the fools who
> > rely on it.

> NAT alone is not enough, but as part of a layered approach it's value
> is underrated.

	Its value is negligible.  If you already have a stateful firewall, NAT
offers zero value add.  It adds additional complexity and it breaks
legitimate protocols and forces you to use methods (STUN and TEREDO)
which actually can degrade the security of your network.

	We even have the beautiful incident here with the Kaminsky DNS problem
where NAT devices were even undoing security measures (source port
randomization) implemented to harden the DNS servers.  NAT devices were
actually facilitating the threat from DNS cache poisoning attacks by
mapping randomized ports back to predictable ports.

> Take the hosting question in this thread.   Is there ever a
> well-configured stateful firewall inside an ISP's colo DC?  ;-)

	I have several inside of mine.  My security is my responsibility.
Relying on whether that ISP has properly configured that NAT and is
properly forwarding the ports I want is putting my security in their
hands (to say nothing about having to contact them every time I need a
configuration change).  The fact that they might (and this hasn't been
determined yet) actually think that a NAT device is somehow better than
a stateful firewall immediately tells me they are security amateurs and
I wouldn't trust them with my security.  Their judgment is immediately
suspect to me.

> -Jim P.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
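The two observations above (a fixed-source-port worm showing a varying port once it is behind NAT, and NAT gateways collapsing a resolver's randomised source ports back into a predictable sequence) can both be checked from flow records. The following is an added example, not code from the mail or from the list; the flow records are constructed, and the worm's fixed source port 4000 is an assumed placeholder, not a value taken from the thread.

```python
from collections import defaultdict

# Constructed flow records: (observed_src_ip, observed_src_port, tag).
# "worm" = packets an IDS matched to the fixed-source-port worm payload,
# "dns"  = outbound queries from a resolver. Not real traffic.
SAMPLE_FLOWS = [
    ("198.51.100.7", 4000, "worm"),    # infected host on a public address
    ("198.51.100.7", 4000, "worm"),    # same fixed port every packet
    ("198.51.100.7", 4000, "worm"),
    ("203.0.113.1", 61023, "worm"),    # NAT gateway: port rewritten per flow
    ("203.0.113.1", 61024, "worm"),
    ("203.0.113.1", 4000, "worm"),     # original port occasionally preserved
    ("198.51.100.53", 17321, "dns"),   # resolver randomising its source port
    ("198.51.100.53", 49812, "dns"),
    ("198.51.100.53", 3490, "dns"),
    ("198.51.100.53", 60011, "dns"),
    ("203.0.113.2", 1025, "dns"),      # resolver behind a NAT that allocates
    ("203.0.113.2", 1026, "dns"),      # sequential ports, undoing randomisation
    ("203.0.113.2", 1027, "dns"),
    ("203.0.113.2", 1028, "dns"),
]

WORM_FIXED_SRC_PORT = 4000  # assumed placeholder for the worm's constant port


def translated_worm_sources(flows, fixed_port=WORM_FIXED_SRC_PORT):
    """Addresses whose worm-tagged packets do not all carry the fixed port.
    A source-port-rewriting NAT between the infected host and the sensor is
    the usual explanation: the NAT did not keep the infection out."""
    ports = defaultdict(set)
    for src, sport, tag in flows:
        if tag == "worm":
            ports[src].add(sport)
    return sorted(src for src, seen in ports.items() if seen != {fixed_port})


def is_sequential(ports):
    """True when the sorted ports step by exactly one (NAT-style allocation)."""
    s = sorted(ports)
    return len(s) > 1 and all(b - a == 1 for a, b in zip(s, s[1:]))


def resolver_port_verdict(flows, min_spread=1024):
    """Per DNS source: 'predictable' if ports are sequential or confined to a
    narrow window (randomisation lost, e.g. behind a NAT), else 'randomised'."""
    ports = defaultdict(list)
    for src, sport, tag in flows:
        if tag == "dns":
            ports[src].append(sport)
    return {src: ("predictable" if is_sequential(ps) or max(ps) - min(ps) < min_spread
                  else "randomised") for src, ps in ports.items()}
```

Run over the constructed records, the first check names only the NAT gateway, and the second flags only the resolver whose ports come out sequential.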
