Re: NAT/Proxy combinations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Iljitsch van Beijnum wrote:
On 28-aug-2005, at 8:51, Atul Sabharwal wrote:

Generally, people use NAT or Proxy as firewalls. Would it be more secure to use a NAT Proxy combination ?


In the hand of a hacker NAT is a very useful device. He can safely hide
behind a NAT that rapidly switches ip addresses. Nobody can follow him.


Basically, a NAT is just a simple and general-purpose way to implement a proxy.

It does play the role of a proxy nobody has ordered and nobody does
even no it exists. So it does breake security by providing a
proxy that should bo be there in the first place.


If you define "more secure" as "less likely that random packets will be delivered": sure, put in as much stuff that makes everything less transparent as you can.

In fact it provides a loophole destroying every attept to security from
end to end.


Obviously this won't help against many popular attack vectors which prey upon the gullibility of the typical user, which mostly happen over HTTP or through mail, which don't need a transparent communication channel.

But it provides a great way to break into any established secure link.

Just wait for them to exchange passwords. Break the connection and do
your evil. Dont care any longer and let the connection drop to the
floor. NAT and windows will cope and nobody will ever see a trace in
their logs.


And please don't expect the IETF to make its protocols work through your multiple layers of NAT and proxies.


NAT was never designed for security. NAT was designed as a loophole.
That loophole has improved greatly over time.

All bad things said I would like to mention that a windows computer
wont stay long in the internet if you dont hide them behind NAT

It really does not make a difference wether you proxy on the NAT or
somewhere else except when you proxy after the NAT you proxy after
a proxy. You can replace several proxies by a tunnel through a
low speed data line. In fact that will break SSH wordbook attacks.
Just delay everything longer than the hacker probably waits

Regards,
Peter Dambier


--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter@xxxxxxxxxxxxxxxx
http://iason.site.voila.fr
http://www.kokoom.com/iason


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]