Re: [fw-wiz] Stats on how common NAT is?
From: CTA (cta@hcsin.net)
Date: 12/15/02
- Next message: CTA: "Re: [fw-wiz] Router with firewall suggestion"
- Previous message: CTA: "Re: [fw-wiz] "802.1x"?"
- Maybe in reply to: Michael Still: "[fw-wiz] Stats on how common NAT is?"
- Next in thread: Daniel Linder: "Re: [fw-wiz] Stats on how common NAT is?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "CTA" <cta@hcsin.net> To: fw-wiz <firewall-wizards@honor.icsalabs.com> Date: Sun Dec 15 10:49:13 2002
On 14 Dec 2002, at 23:43, R. DuFresne wrote:
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Michael Still <mikal@stillhq.com>
Copies to: fw-wiz <firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] Stats on how common NAT is?
Organization: sysinfo.com
Date sent: Sat, 14 Dec 2002 23:43:01 -0500 (EST)
> Duke Hospital just NAT'ed all its internal address space, as
> they step up compliance with HIPAA. I've worked with a number
> of companies over the years that have used NAT as Bill Royd's
> mentions in his reply also. And as always, he gives sound
> advice and reasoning.
>
> Thanks,
>
> Ron DuFresne
>
I would add that a large number of these hospitals have elected
to do NAT from their router/Internet Gateway. Worse yet, they
depend on their router as THE FW. This is a bad choice for any
network topology that connects to the Internet, IMHO. Such
topologies are vulnerable to Disclosure, Integrity and DDOS
threats and place the majority of the risk cost on the
NAT/Router. This is a poor response to meet HIPAA compliance
requirements. Sorry CISCO.
A better way would be to distribute the risks associated with
vulnerabilities, threats and attacks across several redundant
application-specific devices: Router, Bastion Host / NAT Box,
FW, IDS. In fact a properly designed hybrid Bastion/NAT Box can
be stacked in parallel with auto-sensing hot fail-over to a mesh
of router/gateways to the Internet. I would also add a honeypot
or two to give the kids a place to play.

The problem I see is that most network engineers are not
applying good Systems Security Engineering processes to
balance vulnerabilities, threats and attacks with risks,
requirements and economics.
Here's my 10-step SSE process:

1. Identify the functional requirements
2. Specify the systems components considering performance
and economics (Time, Costs, Resources)
3. Identify the vulnerabilities, threats and possible attacks
associated with each system component.
4. Assess the Risks associated with the vulnerabilities
5. Re-prioritize the Vulnerabilities, considering requirements
and economics
6. Identify the Safeguards to abate the threats or their effects
on the vulnerabilities
7. Iterate back to step 4 until one has the best balance of Risks,
Vulnerabilities, Requirements and Economics
8. Implement the Safeguards
9. Install the Safeguards
10. Iterate back to step 2 and adjust until we are within
specification. Else (last resort, BUT DO IT), go back and
redefine the functional requirements and/or system
specifications.
> On Sun, 15 Dec 2002, Michael Still wrote:
>
> >
> > Hello.
> >
> > I work as a software developer, and there has been some
> > discussion at work as to how common NAT is in corporate
> > environments (this affects whether we use DCOM or not).
> >
> > Does anyone have any pointers on how common NAT in corporate
> > environments is? Why are these people using NAT, is it solely
> > the expense of real IPs, or is it also for the added
> > security?
> >
> > Thanks,
> > Mikal
> >
> >
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.
> It eliminates dreams, goals, and ideals and lets us get
> straight to the business of hate, debauchery, and
> self-annihilation."
> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
bernie|bhH
cta@hcsin.net
++++++++++++++++++++++++++++++++++++++++++
I don't ware no stiken hat...
Bald, Hatless and Hacking since 1975