31

Possible Duplicate:
Switch to IPv6 and get rid of NAT? Are you kidding?

I'm thinking about the way that in IPv4 most of the time you have a single point to configure a firewall on, mainly your router, but if everybody has a globally accessible IP address, doesn't that mean that each computer user is basically responsible for managing their own firewall?

(I mean I'll admit the same is true when using a public wifi access point, but still...)

leeand00
  • This has been discussed a few times on this site, but I can't find the other questions at the moment. The basic thing is that *all* edge devices will be forced into a `deny-all` default, which will mean that it's no more insecure than it is now. – Mark Henderson Oct 27 '11 at 04:03
  • The designers of IPv6 were not completely incompetent. IPv6 might not be perfect, but it's arguably better than IPv4 in every meaningful way. There are quite a few [IPv6 questions on SF already covering both theory and implementation of IPv6](http://serverfault.com/questions/tagged/ipv6?sort=votes). – Chris S Oct 27 '11 at 13:17
  • Do you actually think NAT protects you from internet network threats? Think again. – The Unix Janitor Nov 08 '11 at 04:50
  • @user37899 Well no, but it certainly narrows down the number of IP addresses where things can go wrong. – leeand00 Nov 08 '11 at 16:16

5 Answers

54

IPv6 gets rid of NAT, which has certainly been a large part of avoiding accidental exposure of services to the internet from internal hosts, so in that way, yes, it's a change to how most everyone is doing things.

However, it doesn't at all mean that you won't still have a central firewall at the network edge - the change is simply that it'll be acting as a pure firewall instead of a firewall/NAT device. It'll just be up to the people managing those firewalls to make sure to avoid accidental exposure of services; fire up the deny rules!

Getting rid of NAT is a big change to network security practices, and there will certainly be times before too long that we hear about some accidental information exposure breaches due to misconfigured firewalls and IPv6. But NAT has always been a hack, and getting the firewalls out of the business of tracking all of those connections and fake connections for stateless protocols and port translations will be a good thing in the long run - less complexity sounds good to me!

Shane Madden
  • Could not agree more. – Ignacio Vazquez-Abrams Oct 27 '11 at 03:44
  • NAT still exists on IPv6; while many people will just forget that it exists, someone will find a very valid use for it. – Silverfire Oct 27 '11 at 03:52
  • @Silverfire The only standard translation mechanism that I'm aware of is NAT64; I'm tempted to invoke the "RFC or it didn't happen" rule ;) – Shane Madden Oct 27 '11 at 04:05
  • @Silverfire Are you talking about the non-routable addresses in IPv6? That are similar to the 192.168.*.* range of addresses in IPv4? – leeand00 Oct 27 '11 at 05:05
  • If you are not using a system that cryptographically verifies packet headers (which would be inconvenient for a number of reasons, e.g. TTL) I don't see why you should not be able to translate addresses in IPv6. In a well-executed IPv6 deployment you should not have cause to, but you know what they say about theory and practice. – drxzcl Oct 27 '11 at 07:38
  • NAT66 is not like NAT4: it maps one IP range to another. In IPv4 NAT, you have one external IP and the NAT box keeps track of connections to multiple internal IPs. NAT66 simply rewrites one IPv6 address to another, allowing a network to use consistent internal IPs regardless of the external IPs assigned by one or more ISPs. Computers are routable by the external IPs, and the single point of failure of the NAT box is eliminated because it doesn't have to keep track of the connections anymore. It's really not the same thing, is my point. – Chris S Oct 27 '11 at 13:25
  • @Chris S - "Allowing a network to use consistent internal IPs regardless of the external IPs assigned by one or more ISPs." - You don't need to use NAT66 for this. All IPv6 devices have link-local (and site-local) addresses for exactly this case. – Mike Nov 01 '11 at 10:57
  • @Mike, And companies that span multiple sites? NAT66 isn't required at all; it's entirely possible to live on IPv6 without it (I'm really not trying to compare it to NAT4, which is essentially necessary because of address exhaustion). But the tech *could* make some administrative tasks easier. Especially since some of the technologies baked into IPv6 (e.g. renumbering) are half-baked at best. [RFC 4864](http://tools.ietf.org/html/rfc4864) discusses exactly how traditional NAT is completely unnecessary in IPv6; but also admits IPv6 has several shortcomings in specific cases. – Chris S Nov 01 '11 at 12:35
  • @Chris - companies with multiple sites should use unique local addresses (ULA). They should also probably operate a DNS server and access all resources through named addresses rather than IPs. – Mike Nov 02 '11 at 11:15
  • @Mike, that's all well and good until your ISP renumbers (assuming you allow that feature, which has security issues and could be a DoS vector); computers in various locations now have outdated DNS records cached; even after the computers register their new IP, DNS propagates to the local DNS servers, and the local caches expire; there's going to be very noticeable downtime. Setting the record TTL extremely low might curb this problem, but introduces its own problems. I'm not saying this can't be worked around, but NAT66 could be a legitimate stopgap solution. – Chris S Nov 02 '11 at 12:31
  • @Chris - ISPs don't renumber ULAs - in fact they have no control over them and ideally should not be aware of their existence. Set up IPSec links between all the sites (endpoints terminate at ISP-provided IPs) which carry the ULA packets as the payload, i.e. no different from IPSec on IPv4. – Mike Nov 03 '11 at 08:21

14

No it is not a nightmare. NAT and private addresses were not created for security reasons, they were created because IPv4 addresses have been running out.

I’ll admit that using public IPs seems scary, but for security, you should trust your FIREWALL, not your NAT.

Read this other question on Server Fault about this same point. A lot of standards that spoke about NAT as security have changed; as an example, the PCI-DSS standards were amended in late October 2010 and the NAT requirement was removed (section 1.3.8 of v1.2).

If you don't stop that fear then you will never have all the advantages of incredible technologies like Windows 7 Direct Access.

Ricardo Polo Jaramillo
  • I was worried that the network edge device would no longer contain a firewall, and thus you would have to configure it on all of the users' machines in lieu of it. But I'm learning that this isn't a valid concern, since the firewall is still located on the edge device and the traffic to the rest of the hosts on the network still passes through the edge device and thus its firewall. Forgive me, I'm not technologically old enough (in networking) to remember a time without NAT. – leeand00 Oct 27 '11 at 05:13
  • I like NAT. Not least of all because it's just that much harder to identify individual machines. Without NAT you have a direct address to target, i.e. NAT adds a layer of protection above and beyond the firewall itself. – John Gardeniers Oct 27 '11 at 11:34
  • Whether it was created for security reasons is separate from whether it has had a security _effect_ [even if one characterizes that effect as "creating an arguably 'false' sense of security therefore making people less likely to implement real security features"] – Random832 Oct 27 '11 at 13:53
  • @JohnGardeniers: Your concern is why IPv6 added temporary private addresses. Windows uses them by default. What it does is outgoing connections use a randomized temporary address. Incoming connections can connect to the permanent system address if you have publicized it. – Zan Lynx Oct 28 '11 at 08:57

4

Every computer should already be responsible for managing its own firewall.

That said, just because you lose NAT does not mean you lose all the benefits (you can still have NAT on IPv6). You can still have stateful firewalls on routers, and other firewall rules can be added too in a similar way to IPv4.

The only difference is that you may be able to identify the exact computer from within a private network, and if that's a problem you can install NAT.

It's still possible to block random port scans etc. from a router.

Silverfire
  • In your comment "every computer should already be responsible for managing their own firewall", I hope you do not advocate host-based security over network-based security at the network edge. That would be silly on at least three levels. – drxzcl Oct 27 '11 at 07:35
  • @ranieri Not at all, I'm only saying that you can't solely throw a computer behind a NAT firewall and expect the entire network to be secure. It's also a waste to let traffic you know you want blocked take up bandwidth on a network as well. In the absence of L3 switches anyone within the network could target a computer and host-based security is required; however, both are recommended. You could replace network security with host-based security but, as you said, it wouldn't be ideal. – Silverfire Oct 28 '11 at 03:47
  • @drxzcl silly on what levels? – curiousguy Sep 15 '13 at 16:40
  • @curiousguy The obvious one is that you have to properly configure N firewalls instead of one. That's N-1 more opportunities to make fatal mistakes. Another is that you are exposing more (possibly buggy) computers and devices to attacker traffic, dramatically increasing your attack surface. The third is that, by treating your LAN as an insecure network, you lose nearly all of the benefits of having a LAN in the first place in terms of sharing local resources. Note that this is a defense of edge-based security, not of NAT. NAT is a kludge that needs to die. – drxzcl Sep 19 '13 at 15:06

3

This question is based on the common misconception that because NAT inadvertently provides some security, it's a firewall technology. This misconception can be cleared up with a simple thought experiment: Imagine an IPv4 NAT box that only has one client. It could, if it wanted to, forward all inbound traffic to that client and filter nothing at all, providing no security whatsoever. So why aren't you worried about that?

David Schwartz
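The two points the answers above make (Shane Madden's: without NAT the edge device is a pure stateful filter, so the deny rules are what protect you; David Schwartz's: a NAT box with one client can forward everything and filter nothing) can be put side by side in a toy model. This is an added example, not code from the thread or from any of the answerers; the `Packet` model, the class names, the 2001:db8::/32 documentation addresses and the RFC 5737 IPv4 test addresses are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# ICMPv6 types an IPv6 edge filter must let in even under deny-all (RFC 4890):
# Destination Unreachable, Packet Too Big (path MTU discovery), Time Exceeded,
# Parameter Problem, Echo Request/Reply, and the Neighbor Discovery messages.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0      # for icmpv6 this field carries the ICMP type instead
    dport: int = 0
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


class NatOnlyBox:
    """The thought experiment: an IPv4 translator with a single client that
    filters nothing.  Outbound packets get the public address; every inbound
    packet, solicited or not, is rewritten to the one client and delivered."""

    def __init__(self, public_ip, client_ip):
        self.public_ip, self.client_ip = public_ip, client_ip

    def forward(self, pkt):
        """Return the packet as delivered on the far side (it is never dropped)."""
        if pkt.src == self.client_ip:
            return replace(pkt, src=self.public_ip)   # SNAT on the way out
        return replace(pkt, dst=self.client_ip)       # DNAT everything on the way in


class StatefulFirewall:
    """A pure filter in front of globally routable IPv6 hosts: allow outbound,
    remember the flow, and deny unsolicited inbound unless explicitly permitted."""

    def __init__(self, inside_prefix, permits=()):
        self.inside = ip_network(inside_prefix)
        self.permits = set(permits)   # (dst, dport, proto) tuples opened on purpose
        self.flows = set()            # 5-tuples of connections seen leaving the LAN

    def forward(self, pkt):
        """Return the packet if it passes, or None if it is dropped."""
        outbound = ip_address(pkt.src) in self.inside
        if pkt.proto == "icmpv6":
            # Blocking all ICMPv6 "for safety" breaks PMTUD and neighbor discovery.
            return pkt if (outbound or pkt.sport in ESSENTIAL_ICMPV6) else None
        if outbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return pkt
        # Inbound: a reply to a flow we opened, or a port deliberately exposed.
        reply_to = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_to in self.flows and not pkt.syn:
            return pkt
        if (pkt.dst, pkt.dport, pkt.proto) in self.permits:
            return pkt
        return None


def run_scenarios():
    """Push the same story through both boxes; return named True/False outcomes."""
    results = {}

    # IPv4 NAT box, one client, no filter (constructed RFC 5737 test addresses).
    nat = NatOnlyBox(public_ip="192.0.2.1", client_ip="192.168.1.10")
    ssh_probe4 = Packet("198.51.100.7", "192.0.2.1", "tcp", 40000, 22, syn=True)
    results["nat_unsolicited_ssh_reaches_client"] = (
        nat.forward(ssh_probe4).dst == "192.168.1.10")

    # IPv6 stateful firewall; the inside host has a global address (constructed
    # from the 2001:db8::/32 documentation prefix, as is the attacker).
    fw = StatefulFirewall("2001:db8:1::/64")
    host, web, attacker = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::7"
    out = Packet(host, web, "tcp", 50000, 443, syn=True)
    reply = Packet(web, host, "tcp", 443, 50000)
    ssh_probe6 = Packet(attacker, host, "tcp", 40000, 22, syn=True)
    too_big = Packet(web, host, "icmpv6", sport=2)          # Packet Too Big
    redirect = Packet(attacker, host, "icmpv6", sport=137)  # Redirect from outside
    results["fw_outbound_allowed"] = fw.forward(out) is not None
    results["fw_reply_allowed"] = fw.forward(reply) is not None
    results["fw_unsolicited_ssh_dropped"] = fw.forward(ssh_probe6) is None
    results["fw_packet_too_big_allowed"] = fw.forward(too_big) is not None
    results["fw_icmpv6_redirect_dropped"] = fw.forward(redirect) is None

    # The only way in is a rule someone wrote on purpose ("fire up the deny rules").
    exposed = StatefulFirewall("2001:db8:1::/64", permits={(host, 22, "tcp")})
    results["fw_explicit_permit_allowed"] = exposed.forward(ssh_probe6) is not None
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:40s} {ok}")
```

The ICMPv6 allowance is the caveat most often missed when an IPv4 deny-all ruleset is copied to IPv6: IPv6 routers do not fragment, so dropping Packet Too Big silently breaks path MTU discovery for every host behind the filter, while a blanket "allow icmpv6" lets in Redirects and other messages that have no business crossing the edge.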
1

Many universities (and several large companies) have valid, routable IPs on every single computer. That does not mean there is not a gateway firewall device. It doesn't mean you can reach that device from the internet either. Most of the time, the firewalls are set to block all traffic by default. It does, however, guarantee that their computer is on a globally unique address.

If you use NAT, things just plain get nasty. E.g., you want to set up a VPN between you and your customer, but you both have internal networks of 192.168.1.x. This means you have to then NAT the NATted connections, to make them appear to be a different internal-only IP, which makes things get ugly in a hurry. (I have to do that with 5 other companies we have VPNs with.)

Brian
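Brian's answer above (two sites that both chose 192.168.1.x and now need double NAT across the VPN) and Mike's suggestion in the comments under the first answer (give a multi-site company unique local addresses) fit together in one added example. This is not code from the thread: it implements the Global ID derivation RFC 4193 section 3.2.2 prescribes for a locally assigned ULA /48 (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits under fd00::/8) and a pairwise overlap check over a set of site prefixes. The site names and MAC addresses are constructed.

```python
import hashlib
import struct
import time
from ipaddress import IPv6Network, ip_network


def eui64_from_mac(mac):
    """Modified EUI-64 identifier from a 48-bit MAC: flip the U/L bit of the
    first octet and splice ff:fe into the middle (RFC 4291, appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp64_time(now=None):
    """Time as a 64-bit NTP timestamp: 32-bit seconds since 1900-01-01
    followed by a 32-bit fraction of a second."""
    now = time.time() if now is None else now
    secs = int(now) + 2208988800                     # 1900-01-01 to 1970-01-01
    frac = int((now - int(now)) * (1 << 32))
    return struct.pack(">II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def generate_ula_prefix(mac, now=None):
    """Locally assigned ULA /48 per RFC 4193 section 3.2.2: SHA-1 over
    (NTP time || EUI-64); the least significant 40 bits become the Global ID
    that follows the fd00::/8 prefix (fc00::/7 with the L bit set)."""
    digest = hashlib.sha1(ntp64_time(now) + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # low 40 bits of the hash
    prefix_int = (0xFD << 120) | (global_id << 80)   # fdxx:xxxx:xxxx::/48
    return IPv6Network((prefix_int, 48))


def find_overlaps(sites):
    """Pairs of site names whose prefixes overlap.  Such sites cannot be joined
    by a plain VPN without translating one side's addresses (the double-NAT
    problem); the result is sorted by site name."""
    names = sorted(sites)
    nets = {n: ip_network(sites[n]) for n in names}
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def plan_sites(site_macs, now=None):
    """Give each site its own pseudo-random ULA /48; return {site: prefix}.
    A MAC from the site seeds the hash; in practice you run this once per site
    and record the result, you do not regenerate it."""
    return {site: str(generate_ula_prefix(mac, now)) for site, mac in site_macs.items()}


if __name__ == "__main__":
    # Two companies that both picked 192.168.1.0/24: the VPN needs NAT on one side.
    v4 = {"us": "192.168.1.0/24", "customer": "192.168.1.0/24", "partner": "10.20.0.0/16"}
    print("IPv4 overlaps:", find_overlaps(v4))
    # The same sites numbered from ULA prefixes generated the RFC 4193 way.
    v6 = plan_sites({"us": "00:11:22:33:44:55", "customer": "66:77:88:99:aa:bb",
                     "partner": "cc:dd:ee:01:02:03"})
    print("ULA plan:", v6)
    print("IPv6 overlaps:", find_overlaps(v6))
```

The reason to hash a timestamp and an EUI-64 rather than pick fd00:1::/48 by hand is exactly the merger and customer-VPN case in the answer: RFC 4193 requires Global IDs to be pseudo-random so that two networks numbered independently are overwhelmingly unlikely to collide when they are later connected. ULA space is not routed on the public internet, but that is a reachability property, not a filter; the edge firewall still decides what crosses the site-to-site links.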