[unisog] Anyone doing large scale NAT for their campus?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sat Sep 21 03:46:10 GMT 2002


On Fri, 20 Sep 2002 13:25:27 EDT, Gerry Sneeringer <sneeri at umd.edu>  said:
> 
> A pair of external security reviews were recently conducted to get an
> outside opinion on the state of security here at Maryland. Both came back
> with a recommendation that we move the entire campus (32,000 active hosts)
> onto non routed addresses and use NAT for access to the rest of the world.
> This has caught my management's attention.

1) NAT was designed to deal with the problem of having a /16 and not being able
to get a /16 of address space.  You already have a /16 allocated, why bother?

2) Poke around the web, you'll find a *LOT* of tools to let a hacker breeze
right through a NAT.  A NAT *by itself* doesn't do *SQUAT* for security
(think about it for a bit).  Now, a *FIREWALL* can do *some* things for
security - but you can deploy a firewall without going to the pain of NAT.

3) Marcus Ranum has described the average NAT/firewall installation's security
as "hard and crunchy on the outside, soft and chewy on the inside".  They get
a foothold on your network in *ANY* way, the NAT doesn't buy you anything
anymore (see point (2)), and realize that if you try to keep people from
connecting to the outside world, you will have your head handed to you on
a platter.

4) As my co-worker Randy Marchany points out every chance he gets, a firewall
doesn't do anything for security, because you *WILL* configure it to pass
port 25 and port 80.  So all you have to do is pass in a trojan on either
of those ports, and refer to point (3).

5) Regarding trojans - are you considering totally banning Outlook *AND* IE
from your network?  Note that even a *fully* patched IE has remaining security
holes in it, and Outlook's security history isn't any better.  See point (4).
All an attacker has to do is identify *ANY* user on your net who has a broken
Outlook (and Outlook will TELL you its build in the X-Mailer: header), send
them a piece of malicious e-mail, and your entire NAT just became totally
useless.

Totally.

Completely.

So you can tell the management that is interested in doing NAT that *THEY*
get to make the choice between blocking ports 25 and 80, or banning Outlook
and IE (and shooting offenders) - or the NAT won't do anything to *actually*
improve security.  Oh, and if they want to do it anyhow because it gives them
warm fuzzies to "do something", ask them how they'll look if after a major
incident it comes out that they had been told this ahead of time....

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
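As an added illustration that is not part of Valdis's message or of the unisog thread, the following Python model shows the mechanism behind points (2) and (4): a stateful NAT gateway drops unsolicited inbound packets, but any flow an inside host opens on a permitted port (here 25 and 80) gets a translation entry, and the replies to it are forwarded back in, whether a browser or a trojan started the flow. The addresses, ports and the `NatGateway` class are constructed for this example and correspond to no real product or campus deployment.

```python
"""Toy stateful NAT / port-address-translation gateway (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Translates inside addresses to one public IP and keeps a mapping
    table so that replies to inside-initiated flows can be routed back."""

    def __init__(self, public_ip: str, allowed_outbound_ports):
        self.public_ip = public_ip
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        # public source port -> (inside ip, inside port, remote ip, remote port)
        self.mappings: dict[int, tuple[str, int, str, int]] = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None if dropped.
        The gateway only sees the destination port; it cannot tell what
        program on the inside host opened the connection or why."""
        if pkt.dst_port not in self.allowed_outbound_ports:
            return None  # firewall policy blocks this destination port
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.mappings.items():
            if entry == flow:
                break  # reuse the existing mapping for this 4-tuple
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.mappings[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Forwarded only if an inside host opened the flow."""
        entry = self.mappings.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited packet: no mapping exists, drop it
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # mapping belongs to a different remote peer, drop it
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def scenario() -> dict:
    """Walk through the cases the message argues about, using RFC 5737
    documentation addresses (constructed sample traffic)."""
    gw = NatGateway("198.51.100.1", allowed_outbound_ports={25, 80})

    # 1. Unsolicited probe from the outside toward the gateway: no mapping, dropped.
    probe = gw.inbound(Packet("203.0.113.9", 55555, "198.51.100.1", 22))

    # 2. An inside host opens a connection to port 80: permitted, mapping created.
    #    The gateway has no way to know whether a browser or a trojan sent this.
    request = gw.outbound(Packet("10.0.5.7", 51000, "203.0.113.9", 80))

    # 3. The remote server answers on the mapped public port: forwarded inside.
    reply = gw.inbound(Packet("203.0.113.9", 80, "198.51.100.1", request.src_port))

    # 4. An inside host tries a port the policy does not permit: dropped.
    blocked = gw.outbound(Packet("10.0.5.7", 51001, "203.0.113.9", 6667))

    return {
        "probe_forwarded": probe is not None,
        "request_translated": request is not None and request.src_ip == "198.51.100.1",
        "reply_forwarded": reply is not None and reply.dst_ip == "10.0.5.7",
        "blocked_port_dropped": blocked is None,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The model's only defensive effect is step 1: it refuses traffic nobody inside asked for. Steps 2 and 3 are the gap the message describes: once any inside host initiates on port 80 or 25, the gateway dutifully builds the pinhole and relays the replies, so the protection depends entirely on what the inside hosts choose to connect to, not on the NAT.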
