RE: NAT external/Public IP
- From: "Dan Lynch" <DLynch@xxxxxxxxxxxxx>
- Date: Tue, 30 Oct 2007 16:16:55 -0700
Strictly speaking for address translation only, and not ACLs or firewall
rules, I believe that PAT does make a host more secure, not because it
obscures a host's native IP address, but because it is a one-way
function. PAT is dynamically created. As the client host initiates a new
connection, a new port is opened at the translating device. That port is
closed when the connection is torn down. Just as a server cannot exploit
a client's dynamically opened ephemeral port for a new connection, new
connections cannot be made through a PAT back to a client host.
A one-to-one NAT on the other hand _can_ (not must) allow connections to
be established in both directions.
I think it's this distinction that led to the PCI requirement under
discussion.
- Dan
P.S. - That said, a firewall performing address translation services
(PAT or NAT) for a population of clients should regardless have a rule
blocking inbound access just for good measure.
P.P.S. - Please correct me if I'm wrong, but I believe inbound
connections into your LAN from your primary MTA to your internal mail
server is how most internet email gets delivered to internal users.
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Ansgar
-59cobalt- Wiechers
Sent: Tuesday, October 30, 2007 10:04 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: NAT external/Public IP
On 2007-10-30 Grant Donald wrote:
With PAT private IP addresses are hidden from the outsideworld. This
basically makes the job of hacking into a system more difficult,
because the original host's IP address and source port is unknown.
This is mere obscurity. It doesn't make a host any more or
less secure than it already is. Like I said before: either a
host is secure, then it doesn't matter if an attacker knows
the address, or it isn't secure, then you're "security" is
based on the hope that an attacker won't discover the host.
Depending on firewall capabilities (or lack ofcapabilities) ports may
need to be opened inbound for certain applications to work (e.g..
ident & pptp). A horizontal scan of such a network could produce a
wealth of knowledge, if that network does not support port address
translation.
Ummm... wot? Why would you want to allow any inbound
connections into your LAN? And how would an attacker be able
to scan your network from the outside? For some obscure
reason you seem to assume that using public IP addresses in
your LAN means that the firewall at the perimeter magically
allows access from WAN to LAN. This assumption is wrong.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to
patches becoming available."
--Jason Coombs on Bugtraq
- References:
- RE: NAT external/Public IP
- From: Eric Furman
- RE: NAT external/Public IP
- From: Jason Alexander
- RE: NAT external/Public IP
- From: Grant Donald
- Re: NAT external/Public IP
- From: Ansgar -59cobalt- Wiechers
- RE: NAT external/Public IP
- From: Grant Donald
- Re: NAT external/Public IP
- From: Ansgar -59cobalt- Wiechers
- RE: NAT external/Public IP
- Prev by Date: Vulnerability assesment or scanner Tools
- Next by Date: Re: DMZ - Question
- Previous by thread: Re: NAT external/Public IP
- Next by thread: Re: NAT external/Public IP
- Index(es):
Relevant Pages
|
