[e2e] Re: NAT usage at large companies

davide+e2e at cs.cmu.edu davide+e2e at cs.cmu.edu
Fri Oct 18 09:13:17 PDT 2002

> Unfortunately, it is a misunderstanding to believe that NAT
> provides any security improvement...

You could as easily say "It is a misunderstanding to believe that
locking your front door provides any security improvement".

An approach which (say) moves a machine from vulnerabilities
exploitable by script kiddies to vulnerabilities exploitable only
by "professionals" is *some* increase in security.

> It is generally possible for an attacker to piggyback network
> attacks on sessions for which NAT session state predictably
> exists.  Users are often surprised at how predictable such session
> state happens to be.

I would be surprised to learn of such state exploitable by cookbook
crack scripts.  Either way, I (and, I suspect, other members of
the list) would be interested in any pointers you might have to
descriptions of exploiting predictable session state.

> NAT without some other kind of security (e.g. stateful packet
> inspection firewall) does not provide meaningful security.

An SPI firewall without per-machine virus detectors does not provide
"meaningful" security.  SPI plus virus detectors without hardware
capabilities and audit trails does not provide "meaningful" security.
Et cetera.

Dave Eckhardt

More information about the end2end-interest mailing list