RE: Where NAT disenfranchises the end-user ...

From: Scott Gifford [mailto:sgifford@tir.com]
Sent: Monday, September 10, 2001 10:30 AM

Roeland Meyer <rmeyer@mhsc.com> writes:

> Any current protection is strictly the
> result of a side-effect. The side-effect that breaks the internet
> connection. It's a result of the connection being broken.
> A properly built
> firewall is much more effective and definitely more
> deterministic. Neither is it vulnerable to a "fix patch".

I don't understand what kind of "fix patch" you're talking about
here... NAT uses the same techniques that a stateful firewall uses; if
you can find some kind of "fix patch" to bypass NAT, chances are
excellent it will work on a stateful firewall, too.

Not so. What is needed to truly fix NAT is to propagate the translated
addresses, both ways. This would give you an address product like
<Inet addr>:<NAT addr>. The problem is that almost no stack, that I know of, can
deal with such a form. The reason NAT works is that you only lose one side
and the other side doesn't know that you've lost it.

I've actually seen the question of how NAT breaks the Internet more
than a good stateful firewall come up more than once, and haven't
really seen a satisfactory answer. Where does a stateful firewall
configured to only allow outgoing connections work that NAT doesn't?

The difference is determinism. You control, to very fine detail, how a
firewall works. Things that don't work are intended to not work. Firewalls
aren't accidents. NAT address propagation failures are, they are not
consistent, and can't be relied upon to continue. Who knows, some genius,
somewhere, may fix it tomorrow. Lord knows, there is sufficient incentive to
do so. If that happens, your security is toast, if all you are relying on is
NAT, rather than putting up a real firewall.

Yea, yea, yes! That's the ticket! Then we just make sure that NATed hosts
have globally unique addresses so that the above idea doesn't break due to
collisions and.....

*WAIT A SECOND*

At that point we've just recreated IP and the beautiful concept of putting
the smarts in the HOST (the only place which must contain state) and not
the Network (the place where state kills flexibility, reliability, and
availability), except that your scheme would have the crack added bonus
of profitable NAT translators!

Why didn't we think of this years ago!

Roeland Meyer <rmeyer@mhsc.com> writes:

[...]

Firewalls aren't accidents. NAT address propagation failures are,
they are not consistent, and can't be relied upon to continue. Who
knows, some genius, somewhere, may fix it tomorrow. Lord knows,
there is sufficient incentive to do so. If that happens, your
security is toast, if all you are relying on is NAT, rather than
putting up a real firewall.

The rest of what you're saying makes sense, but I just don't buy
this...

A clever design might allow NAT to work with all protocols and in both
directions, which would have increased connectivity but decreased
security. But how would it get onto my network without me putting it
there, and presumably configuring it securely? The box doing NAT is
under my control...

----ScottG.
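The disagreement in this thread (whether NAT's "protection" is the same thing as a stateful firewall's, and what happens if someone "fixes" NAT by propagating inside addresses) is easy to make concrete with a toy simulation. The following is an added illustration, not code from any poster on the thread: a source NAT whose only inbound filtering is the absence of a translation, beside a stateful filter with an explicit outbound-only rule, driven through the same four situations. All addresses (RFC 5737 documentation ranges), ports and the class/function names (NatBox, StatefulFirewall, run_scenarios, propagate) are constructed for this example; the NAT is modelled with endpoint-independent mapping and filtering ("full cone" in RFC 4787 terms), which is only one of several real NAT behaviours.

```python
"""Toy middlebox simulation: a NAT whose only 'filtering' is its translation
table, beside an explicit stateful firewall with an outbound-only policy.
All addresses (RFC 5737 documentation ranges), ports and names are
constructed for this example; they are not from any real deployment."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Source NAT with endpoint-independent mapping and filtering (RFC 4787
    'full cone'). An inbound packet is delivered iff a translation exists;
    there is no policy, only the side effect of the table."""

    def __init__(self, inside_prefix, public_ip):
        self.inside_prefix, self.public_ip = inside_prefix, public_ip
        self.next_port = 40000
        self.out = {}   # (inside_ip, inside_port) -> public port
        self.back = {}  # public port -> (inside_ip, inside_port)

    def forward(self, pkt):
        if pkt.src.startswith(self.inside_prefix):      # outbound: map + rewrite
            key = (pkt.src, pkt.sport)
            if key not in self.out:
                self.out[key] = self.next_port
                self.back[self.next_port] = key
                self.next_port += 1
            return replace(pkt, src=self.public_ip, sport=self.out[key])
        inside = self.back.get(pkt.dport)               # inbound: anywhere to send it?
        return None if inside is None else replace(pkt, dst=inside[0], dport=inside[1])

    def propagate(self, public_port, inside_ip, inside_port):
        """The 'fix' the thread argues about (hypothetical): make an inside
        address reachable from outside. One table entry and the accidental
        protection for that port is gone."""
        self.back[public_port] = (inside_ip, inside_port)


class StatefulFirewall:
    """No translation; inside hosts keep routable addresses. Policy: accept
    outbound, accept replies matching a tracked 4-tuple, drop everything else."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.flows = set()

    def forward(self, pkt):
        if pkt.src.startswith(self.inside_prefix):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return pkt
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt
        return None     # dropped by rule, not for lack of a mapping


def run_scenarios():
    """Drive both boxes through the same four situations; True = delivered."""
    nat = NatBox("192.168.1.", "203.0.113.1")
    fw = StatefulFirewall("198.51.100.")
    nat_host, fw_host = "192.168.1.10", "198.51.100.10"
    server, attacker = "192.0.2.80", "192.0.2.66"      # constructed outside hosts
    r = {}
    # 1. outbound connection to a web server, then the server's reply
    nat_out = nat.forward(Packet(nat_host, 5555, server, 80))
    fw_out = fw.forward(Packet(fw_host, 5555, server, 80))
    r["nat_reply"] = nat.forward(Packet(server, 80, nat_out.src, nat_out.sport)) is not None
    r["fw_reply"] = fw.forward(Packet(server, 80, fw_out.src, fw_out.sport)) is not None
    # 2. unsolicited inbound SSH: both drop, but for different reasons
    r["nat_unsolicited"] = nat.forward(Packet(attacker, 31337, "203.0.113.1", 22)) is not None
    r["fw_unsolicited"] = fw.forward(Packet(attacker, 31337, fw_host, 22)) is not None
    # 3. a third party aims at the public port the mapping happened to allocate:
    #    the NAT has somewhere to send it, the firewall has no matching flow
    r["nat_third_party"] = nat.forward(Packet(attacker, 31337, nat_out.src, nat_out.sport)) is not None
    r["fw_third_party"] = fw.forward(Packet(attacker, 31337, fw_host, 5555)) is not None
    # 4. someone 'fixes' NAT by propagating the inside address; the firewall's
    #    host was reachable by address all along and is still protected by rule
    nat.propagate(22, nat_host, 22)
    r["nat_after_propagation"] = nat.forward(Packet(attacker, 31337, "203.0.113.1", 22)) is not None
    r["fw_after_propagation"] = fw.forward(Packet(attacker, 31337, fw_host, 22)) is not None
    return r


if __name__ == "__main__":
    for name, delivered in run_scenarios().items():
        print(f"{name:24s} {'delivered' if delivered else 'dropped'}")
```

Cases 1 and 2 are where the two look identical, which is Scott's point. Cases 3 and 4 are Roeland's: the NAT's behaviour is whatever its mapping table happens to contain, so a mapping allocated for one peer serves any peer, and a single propagated address opens the port, whereas the firewall's drop is a rule that nothing about addressing can change.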