RE: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt

> From: itojun@xxxxxxxxxx [mailto:itojun@xxxxxxxxxx]
>
> > It's not exactly a surprise, folk seem to place a higher premium on
> > shooting NAT than anything else. Meanwhile the vast majority of
> > residential broadband access is behind NAT.
> >
> > And from a security point I want to see as much NAT as possible.
> > Without NAT we would be in a much worse situation security wise than
> > we are today. NAT is a blunt instrument but it shuts down inbound
> > server connects. And that is such a good thing from the point of view
> > of stopping propagation of network worms.
> (snip)
>
> 	a few points.  IPv6 technology really needs to be demystified.
>
> 	you do not have to rewrite IP address to ensure that there's no
> 	inbound connections.  you just have to have a packet filter which
> 	watches/drops TCP SYN or whatever alike.  if you do not have enough
> 	address space to serve your enterprise, it is a good reason to use
> 	IPv6 :-)

My point here is that the principal objection being raised to NAT, the limitation on network connectivity, is precisely the reason why it is beneficial.

There is no other device that can provide me with a lightweight firewall for $50.


> 	if you have RFC3041 and other tricky systems, your system will have
> 	higher likelihood of having implementation bugs (violation of KISS
> 	principle).

Same can be said of IPv6.

We have a lot of really good ways of avoiding issues we don't like: complexity, accessibility, limited access in third world countries. 

Unless the arguments are applied consistently they should not be made at all. Otherwise they just become special pleading.


> 	even if you stop all inbound connections, malicious parties which
> 	control HTTP/whatever servers can inject your end node any kind of
> 	crafted TCP options, which might cause buffer overflow (DoS/privilege
> 	user hijacking).

As I told Bruce Schneier after his silly IPSEC and Certification Authority papers, security is risk control, not risk elimination. 

It is not helpful to criticise a security measure that empirically offers a high degree of security for failing to address cases it is not designed to deal with. An HTTP server behind a NAT box is no HTTP server and thus no threat.

In a full default deny infrastructure I can allow the HTTP server external access and deal with issues such as HTTP server corruption by requiring the HTTP server to run in an isolated O/S partition so that compromise of the server cannot lead to compromise of the host.


> 	spam, phishing and botnet are independent from presence/absence of NAT.

I can shut down 95% of existing botnets using reverse firewalls. I have yet to find a legitimate network use with an access pattern that remotely resembles the access pattern of a production botnet.

The approach I propose in the dotCrime Manifesto is that by default the network access point throttles outgoing SYN and DNS requests to some large number that is well short of the needs of spammers, DDoS SYN flooding etc.

> 	OSes have to be secured by default, that's all.

Linux is ten million odd lines of code. When you have more than a million lines of code you can be certain that at least 50% of the people working on it were below average in talent. Vista is ten times bigger.

We simply don't know how to build a secure operating system today.


> 	heavy use of firewall/NAT has propagated "false sense of security"
> 	inside enterprise

The 'security through obscurity' argument is bogus. 

Back in the early 1990s people were arguing AGAINST the use of shadow passwords in UNIX on the grounds that they give a 'false sense of security'.

I agree that most enterprises have an exaggerated idea of what perimeter security can do for them, but that does not mean that the solution is to drop all the firewalls. That is not what is being discussed when people are talking about deperimeterization.


> 	network, and therefore, many of end systems within enterprise are very
> 	vulnerable to attacks.  the most common attack vector these days are
> 	laptops owned by people like IETFers (goes in and out of enterprise)
> 	or VPN-connected laptops, which carry worms.  so, many people purchase
> 	end node firewall systems ("fire suit" in the old terminology), but,
> 	if your end node operating systems are secure by default, you do not
> 	need those end node firewall systems and/or keep upgrading signature
> 	files.

There is no individual security control that cannot be trumped. Host based security can be disabled if the host is compromised. We don't yet have the trustworthy systems we need to prevent that attack.

There is no individual security control that cannot be trumped, but we can deploy combinations of security controls that make it very much harder for an attacker to succeed.
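As an added illustration (not part of the thread, and not code by either correspondent), here is a toy stateful edge filter that shows the two policies the exchange circles around: inbound connection attempts are dropped without any address rewriting (the point that a packet filter on TCP SYN does what NAT is credited with), and outbound SYN and DNS traffic from each internal host is throttled per sliding window (the reverse-firewall idea). All packets, addresses and limits below are constructed; the limits (5 connection attempts and 2 DNS queries per 10-second window) are deliberately tiny so the effect is visible, where a real deployment would use the "large number" the message describes.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float              # arrival time in seconds (constructed)
    src: str               # source IP
    sport: int
    dst: str               # destination IP
    dport: int
    proto: str             # "tcp" or "udp"
    syn: bool = False      # TCP SYN without ACK, i.e. a new connection attempt
    inbound: bool = False  # True when the packet arrives from the Internet side


class EdgeFilter:
    """Stateful edge filter: default-deny inbound, rate-limited outbound."""

    def __init__(self, syn_limit=5, dns_limit=2, window=10.0):
        self.syn_limit = syn_limit   # outbound connection attempts per host per window
        self.dns_limit = dns_limit   # outbound DNS queries per host per window
        self.window = window         # sliding window length in seconds
        self.flows = set()           # (inside host, outside host, outside port) opened from inside
        self.syn_times = defaultdict(deque)
        self.dns_times = defaultdict(deque)

    def _attempts(self, dq, ts):
        # Expire timestamps older than the window, return how many remain.
        while dq and ts - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def handle(self, pkt):
        """Return (verdict, reason) for one packet."""
        if pkt.inbound:
            key = (pkt.dst, pkt.src, pkt.sport)
            if pkt.proto == "tcp" and pkt.syn:
                return "DROP", "inbound SYN: default deny"
            if key in self.flows:
                return "ALLOW", "reply to flow opened from inside"
            return "DROP", "no matching flow"
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and pkt.syn:
            dq = self.syn_times[pkt.src]
            count = self._attempts(dq, pkt.ts)
            dq.append(pkt.ts)
            if count >= self.syn_limit:
                return "DROP", "outbound SYN rate exceeded"
        if pkt.proto == "udp" and pkt.dport == 53:
            dq = self.dns_times[pkt.src]
            count = self._attempts(dq, pkt.ts)
            dq.append(pkt.ts)
            if count >= self.dns_limit:
                return "DROP", "outbound DNS rate exceeded"
        self.flows.add(key)   # remember the flow so replies are admitted
        return "ALLOW", "outbound"


def run_policy(packets, **limits):
    """Apply the filter to a packet sequence, returning one verdict tuple per packet."""
    flt = EdgeFilter(**limits)
    return [(p.ts, p.src, p.dst, *flt.handle(p)) for p in packets]


def summarize(results):
    """Count verdicts and reasons from run_policy output."""
    counts = defaultdict(int)
    for *_, verdict, reason in results:
        counts[verdict] += 1
        counts[reason] += 1
    return dict(counts)


def build_sample():
    """Constructed traffic (not captured data): a normal client, an outside
    probe, a host behaving like a bot, and a small DNS burst."""
    pkts = [
        Packet(0.0, "10.0.0.5", 51000, "203.0.113.10", 443, "tcp", syn=True),
        Packet(0.1, "203.0.113.10", 443, "10.0.0.5", 51000, "tcp", inbound=True),
        Packet(0.2, "198.51.100.7", 40000, "10.0.0.5", 22, "tcp", syn=True, inbound=True),
        Packet(0.3, "198.51.100.7", 9999, "10.0.0.5", 51000, "tcp", inbound=True),
    ]
    # Bot-like host: eight new connections to eight hosts within a second.
    for i in range(8):
        pkts.append(Packet(1.0 + i * 0.1, "10.0.0.9", 52000 + i,
                           f"192.0.2.{i + 1}", 25, "tcp", syn=True))
    # DNS burst from the normal client.
    for i in range(3):
        pkts.append(Packet(2.0 + i * 0.1, "10.0.0.5", 53000 + i, "10.0.0.1", 53, "udp"))
    return pkts


if __name__ == "__main__":
    res = run_policy(build_sample())
    for ts, src, dst, verdict, reason in res:
        print(f"{ts:5.1f} {src:>14} -> {dst:<14} {verdict:5} {reason}")
    print(summarize(res))
```

Note that the inbound branch never consults a translation table: the reply from 203.0.113.10 is admitted because the inside host opened the flow, and the unsolicited SYN to port 22 is dropped, which is the whole of what NAT buys on the inbound side. The throttle counts attempts rather than successes, so a host that keeps trying after the limit stays blocked until its earlier attempts age out of the window.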

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf