Great Circle Associates Firewalls
(December 1996)

Subject: RE: NAT? Security?
From: Chris Pugrud <ChrisP @ steldyn . com>
Date: Sun, 1 Dec 1996 23:53:19 -0700
To: "'Russ'" <Russ . Cooper @ RC . on . ca>, Firewalls Mailing list <firewalls @ greatcircle . com>

I can think of one kind of NAT that would provide a level of security,
something I've been wrestling around with in my head for a few weeks.

Call this the GNAT (Global Network Address Translation) ((It's early,
I'm sick, and I haven't had enough wine)).

The GNAT sits on the periphery; it either is the Internet router, or is
the only device connected to it.

The GNAT knows the address of the few devices that it is connected to:
1. The Internet Router
2. The Web/FTP server
3. The Proxy Server
4. The SMTP Gateway

The GNAT has only one address.  The company only advertises one address
to all of the Internet.

The GNAT tracks all established connections, where they are going to,
where they are coming from.

When a connection request comes in (say SMTP), the GNAT looks up its
table and sees that all SMTP requests are to be directed to the SMTP
Gateway; it forwards the request to the Gateway and performs NAT for the
connection.  When it sees a request for HTTP it forwards it to the
appropriate place likewise.

Now when the GNAT sees a request for port 99 (just an example, not to
disparage the upright users of port 99/tcp) it looks in its table and
sees that this port is unused and dumps the packet or sends some form of
error message.

The purpose of the GNAT is to provide 2 things:

1. A singular Global address for a point-of-presence.  A company has one
address that hides behind it any number of servers.  Simplistic round
robin load balancing should also be fairly easy to add into the setup.
This would also make it easier to expand their Internet servers as
needed and avoid disasters similar to when a local ISP changed the
address of their POP server.

2. A level of Security by Obscurity.  S.b.O is in and of itself a Bad
Thing(TM).  The GNAT goes a step farther by not even allowing
connections to servers on un-authorized ports.  When un-authorized
connections come in, they go to the bit bucket.  DOS is still possible,
but DOS is an entirely different problem.  The GNAT works by only giving
a predator one tool to work with.  One port that can be heavily guarded
and reinforced.

Thoughts, comments?

Chris

All original thoughts, mis-spellings, and mis-fires (c) 1996 Chris
Pugrud

>-----Original Message-----
>From:	Russ [SMTP:Russ . Cooper @ RC . on . ca]
>Sent:	Wednesday, November 27, 1996 4:24 AM
>To:	Firewalls Mailing list; 'Ryan Russell/SYBASE'
>Subject:	RE: Cisco's PIX firewall
>
>Ryan said...
>>NAT gives security for two kinds of hosts:
>*
>1. Public hosts...<snip>..."NAT is not really needed in this case, nor
>does it add much security by itself."...<snip>
>*
>2. Internal hosts...<snip>...stuff about no one-to-one mapping...but
>there is a one-to-one mapping to anything that is inside a NAT and is
>going to accept inbound connections...like an internal SMTP server for
>example. Then there's the fact that once an internal host makes a
>connection through a NAT, it can then be tampered with as if there was
>no NAT.
>*
>If someone asked me what security NAT provides, I'd say none at all.
>Firewall-1 and PIX offer security, and, they offer NAT. NAT is not a
>security product, it may obscure things, but it protects nothing by
>itself.
>*
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security Consulting
>mailto:Russ . Cooper @ RC . on . ca <-- *note the new address*
