Re: NATs are NOT Firewalls

[Daniel Senie <dts at senie.com>]

At 01:34 AM 6/19/2003, Valdis.Kletnieks at vt.edu wrote:

> On Thu, 19 Jun 2003 00:55:49 EDT, S Woodside said:
> > On Wednesday, June 18, 2003, at 06:28  PM, Tomson Eric ((Yahoo.fr))
> > wrote:
> >
> > > Now, the fact that masking the internal addresses to the external
> > > world - so that internal hosts can initiate traffic to the outside,
> > > but no
> > > external host can initiate traffic to the inside - brings some basic
> > > security, is an interesting corollary, but not the primary objective
> > > of a
> > > NAT.
> >
> > Is this just security through obscurity, or something better?
>
> Security through obscurity.  See Bellovin's paper on enumerating through a 
> NAT.

Maybe YOU should read it, and explain how this is useful for attacking the 
hosts behind a NAPT box. The technique described in this paper uses 
variations in the IPid field as evidence of more than one host generating 
packets. Fine. So you plunk a box just upstream of the NAT box, and now you 
can determine how many ACTIVE hosts are talking to sites outside the NAPT box.

Since NAPT uses stateful inspection to operate, it only permits packets in 
to the private network in response to outbound packets. Sitting directly 
upstream of the NAPT box, you could try spoofing reply packets. This would 
work equally well for any stateful-inspection firewall.

So what is really at risk, described in Steve's paper? It is possible to 
determine if NAPT is in use, if the NAPT implementation is insufficiently 
careful in its handling of the IPid field (and likely most do allow 
analysis of this sort). In essence, Steve's paper provides useful 
information for improving NAPT implementations if anyone is worried about 
having upstreams learn of the presence of a NAPT box.

I reject your contention of NAPT as "security through obscurity."