Re: NAT/Proxy combinations




Iljitsch van Beijnum wrote:
On 28-aug-2005, at 8:51, Atul Sabharwal wrote:

Generally, people use NAT or Proxy as firewalls. Would it be more secure to use a NAT Proxy combination ?


In the hands of a hacker NAT is a very useful device. He can safely hide behind a NAT that rapidly switches IP addresses. Nobody can follow him.


Basically, a NAT is just a simple and general-purpose way to implement a proxy.

It does play the role of a proxy nobody has ordered and nobody even knows exists. So it does break security by providing a proxy that should not be there in the first place.


If you define "more secure" as "less likely that random packets will be delivered": sure, put in as much stuff that makes everything less transparent as you can.

In fact it provides a loophole destroying every attempt at end-to-end security.


Obviously this won't help against many popular attack vectors which prey upon the gullibility of the typical user, which mostly happen over HTTP or through mail, which don't need a transparent communication channel.

But it provides a great way to break into any established secure link.

Just wait for them to exchange passwords. Break the connection and do
your evil. Don't care any longer and let the connection drop to the
floor. NAT and Windows will cope and nobody will ever see a trace in
their logs.


And please don't expect the IETF to make its protocols work through your multiple layers of NAT and proxies.



NAT was never designed for security. NAT was designed as a loophole. That loophole has improved greatly over time.

All bad things said, I would like to mention that a Windows computer
won't stay long on the Internet if you don't hide it behind NAT.

It really does not make a difference whether you proxy on the NAT or
somewhere else, except when you proxy after the NAT you proxy after
a proxy. You can replace several proxies by a tunnel through a
low speed data line. In fact that will break SSH wordbook attacks.
Just delay everything longer than the hacker probably waits.

Regards,
Peter Dambier


--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter at peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason


_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.