One Article Review

Home - The article:
Source Errata Security
Identifier 288598
Publication date 2017-01-10 00:22:49 (viewed: 2017-01-10 00:22:49)
Title NAT is a firewall
Text NAT is a firewall. It's the most common firewall. It's the best firewall.

I thought I'd point this out because most security experts might disagree, pointing to some "textbook definition". This is wrong.

A "firewall" is anything that establishes a barrier between some internal (presumably trusted) network and the outside, public, and dangerous Internet, where anybody can connect to you at any time. A NAT creates exactly that sort of barrier.

What other firewalls provide (the SPI packet filters) is the ability to block outbound connections, not just incoming connections. That's nice, but it's not a critical feature. Indeed, few organizations use firewalls that way; it just causes complaints when internal users cannot access Internet resources.

Another way of using firewalls is to specify connections between a DMZ and an internal network, such as a web server exposed to the Internet that needs a hole in the firewall to access an internal database. While not technically part of the NAT definition, it's a feature of all modern NATs. It's the only way to get some games to work, for example.

There are already more than 10 billion devices on the Internet, including homes with many devices, as well as most mobile phones. This means that NAT is the most common firewall. The reason hackers find it difficult hacking into iPhones is partly because they connect to the Internet through carrier-grade NAT. When hackers used "alpine" as the backdoor in Cydia, they still had to exploit it over local WiFi rather than the carrier network.

Not only is NAT the most common firewall, it's the best firewall. Simple SPI firewalls that don't translate addresses have an inherent hole in that they "fail open". It's easy to apply the wrong firewall ruleset, either permanently or just for a moment. You see this on internal IDS, where for no reason there's suddenly a spike of attacks against internal machines because of a bad rule. Every large organization I've worked with can cite examples of this.

NAT, on the other hand, fails closed. Common mistakes shut down access to the Internet rather than open up access from the Internet. The benefit is so compelling that organizations with lots of address space really need to give it up and move to private addressing instead.

The definition of firewall is malleable. At one time it included explicit and transparent proxies, for example, which were the most popular type. These days, many people think of only stateful packet inspection filters as the "true" firewall. I take the more expansive view of things.

The upshot is this: NAT is by definition a firewall. It's the most popular firewall. It's the best firewalling technology.
Note: Of course, no organization should use firewalls of any type. They break the "end-to-end" principle of the Internet, and thus should be banned by law.
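To make the fail-open versus fail-closed contrast concrete, here is an added Python model, constructed for this review and not code from Errata Security or the post's author. It places a port-translating NAT next to a first-match packet filter: the hypothetical Nat class delivers an inbound packet only if an outbound flow created a translation entry or an operator added a static forward (the DMZ "hole" the post mentions), while the hypothetical PacketFilter delivers whatever its first matching rule accepts. The operator mistake on each side is modelled as the post describes it: an any-any rule pushed "just for a moment" on the filter, and a wiped state table on the NAT. All addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


Key = Tuple[str, int]  # (protocol, port on the NAT's public address)


@dataclass
class Nat:
    """Hypothetical port-translating NAT. Outbound packets create entries in
    `table`; inbound packets are delivered only if `table` or the static
    `forwards` map knows where the public port belongs. Anything else is
    dropped because there is simply no internal address to send it to."""
    public_ip: str
    next_port: int = 40000
    table: Dict[Key, Tuple[str, int]] = field(default_factory=dict)
    forwards: Dict[Key, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        # Reuse the mapping for this internal socket if one exists, else allocate one.
        for key, (ip, port) in self.table.items():
            if key[0] == pkt.proto and (ip, port) == (pkt.src, pkt.sport):
                pub_port = key[1]
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.dport)
        entry = self.table.get(key) or self.forwards.get(key)
        if entry is None:
            return None  # no translation: the packet is dropped (fails closed)
        ip, port = entry
        return Packet(pkt.src, pkt.sport, ip, port, pkt.proto)


Rule = Tuple[str, Optional[int]]  # ("accept" | "drop", destination port or None = any)


class PacketFilter:
    """Hypothetical non-translating filter: the first matching rule decides."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def inbound(self, pkt: Packet) -> bool:
        for action, dport in self.rules:
            if dport is None or dport == pkt.dport:
                return action == "accept"
        return False  # implicit default deny when no rule matches


def compare_failure_modes() -> dict:
    """Run the same constructed traffic through a good filter, a misconfigured
    filter, a working NAT, and a NAT whose state table was wiped."""
    # Constructed unsolicited SYN from the outside to an internal ssh port.
    probe = Packet("203.0.113.9", 51515, "198.51.100.1", 22)
    # Constructed internal client flow to an external HTTPS server.
    client = Packet("10.0.0.5", 33333, "192.0.2.10", 443)

    filter_ok = PacketFilter([("accept", 443), ("drop", None)])
    filter_bad = PacketFilter([("accept", None)])  # the mistyped "temporary" any-any rule

    nat = Nat("198.51.100.1")
    out = nat.outbound(client)                      # creates the translation entry
    reply = Packet("192.0.2.10", 443, "198.51.100.1", out.sport)
    nat.forwards[("tcp", 443)] = ("10.0.0.80", 443)  # explicit DMZ hole to a web server
    to_web = Packet("203.0.113.9", 52000, "198.51.100.1", 443)
    nat_bad = Nat("198.51.100.1")                  # same box after its state was wiped

    forwarded = nat.inbound(to_web)
    return {
        "filter_ok_probe": filter_ok.inbound(probe),          # good rules: blocked
        "filter_bad_probe": filter_bad.inbound(probe),        # bad rule: exposed (fails open)
        "nat_probe": nat.inbound(probe) is not None,          # no entry for port 22: dropped
        "nat_reply": nat.inbound(reply) is not None,          # reply to the client flow: delivered
        "nat_forward_dst": forwarded.dst if forwarded else None,  # static hole: reaches DMZ host
        "nat_bad_reply": nat_bad.inbound(reply) is not None,  # mistake breaks the client's session
        "nat_bad_probe": nat_bad.inbound(probe) is not None,  # but still exposes nothing (fails closed)
    }


if __name__ == "__main__":
    for name, value in compare_failure_modes().items():
        print(f"{name}: {value}")
```

The two "mistake" cases are the point: the filter's wrong rule turns an unsolicited probe into a delivered packet, while the NAT's wiped table only breaks the internal client's existing session and still delivers nothing unsolicited. The static forward shows that a NAT can open the one hole the DMZ case needs without changing that default.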
Sent Yes
The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.