Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

From: Hugh Blandford (hugh_at_island.net.au)
Date: 05/28/03

  • Next message: Reckhard, Tobias: "RE: [fw-wiz] PIX, DNS fixups and Zone Transfers"
    To: "Paul Robertson" <proberts@patriot.net>
    Date: Wed, 28 May 2003 15:25:49 +1000
    

    Hi Paul et al.,

    I recognise what you are saying, but what I was trying to understand was,
    are the low-end appliance 'firewalls' really providing much more security
    than NAT? In a small office/home situation if people are going to use IRC,
    they would just reconfigure their firewall to do so, after all they own it.
    I was just trying to get all the 'block xyz outbound' issues out of the way.

    Can NAT sessions be hijacked or somehow abused to give access to the
    internal network? There is the case of visiting a hostile website and
    "inviting in" some problematic programs, but apart from that are the
    appliance based firewalls doing more than that?

    Thanks,

    Hugh

    ----- Original Message -----
    From: "Paul Robertson" <proberts@patriot.net>
    To: "Hugh Blandford" <hugh@island.net.au>
    Cc: <firewall-wizards@honor.icsalabs.com>
    Sent: Wednesday, May 28, 2003 12:50 PM
    Subject: Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

    > On Wed, 28 May 2003, Hugh Blandford wrote:
    >
    > > Please take into consideration that if they had a firewall, it would be
    > > set up to allow all outbound traffic and let the 'responses' back in. There
    >
    > That's a silly and mostly specious pre-requisite. For instance, most
    > small office users have *no* need for IRC, and given that IRC is *the*
    > major control vector for trojaned machines, why the heck would you allow it
    > outbound from a small office? Nuke 6667/tcp outbound and you decrease the
    > chance of being owned rather significantly, and you break less than 1/2 of
    > 1% of SOHO users.
    >
    > You shouldn't choose "basically no security policy, now what firewall
    > fits?" any more than "Here's a firewall, now what policy should it
    > support?"
    >
    > If we don't try to do better, things won't get better.
    >
    > You need to look at the threats to such environments and then design
    > protections to meet the real risks, not choose an arbitrary line in the
    > sand then say "I'm going to defend this position because it's not worth
    > doing better."
    >
    > What's the threat, what's the cost to protect against it, and what's the
    > cost of not protecting - without a risk analysis, you're checking the
    > security checkbox without doing security.
    >
    > Paul
    > -----------------------------------------------------------------------------
    > Paul D. Robertson      "My statements in this message are personal opinions
    > proberts@patriot.net      which may have no basis whatsoever in fact."
    > probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    >
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
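The difference the thread is circling (what a stateful NAT box does by itself, and what an outbound policy such as the suggested 6667/tcp block adds on top) can be shown with a small model. The following is an added example, not code from the archived messages or from any appliance vendor: a toy port-translating gateway in Python that keeps a translation table, admits inbound packets only when they match a session a LAN host opened, and optionally applies an egress deny list. All addresses, ports and sessions are constructed for illustration. The model checks the full peer tuple on replies; a "full cone" NAT that accepts any source once a mapping exists would be weaker on the probe case, which is the kind of implementation detail the question about abusing NAT sessions turns on.

```python
"""Toy stateful NAPT gateway: NAT-only versus NAT plus an egress policy.

Added illustration, not part of the archived mailing-list thread. Every
address, port and session below is constructed (TEST-NET and RFC 1918 space).
"""
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.10"  # constructed public address of the gateway


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Gateway:
    """Minimal port-translating NAT with an optional outbound deny list."""
    egress_deny: frozenset = frozenset()          # {(proto, dport), ...}
    _ports: object = field(default_factory=lambda: count(40000))
    # external port -> (proto, lan_ip, lan_port, remote_ip, remote_port)
    _table: dict = field(default_factory=dict)

    def outbound(self, p: Packet):
        """LAN -> Internet. Returns ("ALLOW", ext_port) or ("DROP", reason)."""
        if (p.proto, p.dport) in self.egress_deny:
            return "DROP", "egress-policy"
        ext_port = next(self._ports)
        self._table[ext_port] = (p.proto, p.src, p.sport, p.dst, p.dport)
        return "ALLOW", ext_port

    def inbound(self, p: Packet):
        """Internet -> public interface. Only replies to open sessions pass."""
        entry = self._table.get(p.dport)
        if entry is None:
            return "DROP", "no-translation"
        proto, lan_ip, lan_port, remote_ip, remote_port = entry
        # The packet must come from the peer the LAN host actually talked to.
        if (p.proto, p.src, p.sport) != (proto, remote_ip, remote_port):
            return "DROP", "tuple-mismatch"
        return "ALLOW", (lan_ip, lan_port)


def run_scenario(gw: Gateway) -> dict:
    """Push a constructed sequence of packets through a gateway; return verdicts."""
    lan = "192.168.1.20"
    out = {}
    # 1. Ordinary web session opened from the LAN.
    v, ext = gw.outbound(Packet("tcp", lan, 51000, "198.51.100.5", 80))
    out["web_out"] = v
    # 2. The web server's reply to the mapped public port.
    out["web_reply"] = gw.inbound(Packet("tcp", "198.51.100.5", 80, PUBLIC_IP, ext))[0]
    # 3. Unsolicited packet from another host aimed at that same mapped port.
    out["probe_mapped_port"] = gw.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, ext))[0]
    # 4. Unsolicited packet to a port with no mapping at all.
    out["probe_unmapped_port"] = gw.inbound(Packet("tcp", "198.51.100.9", 4444, PUBLIC_IP, 22))[0]
    # 5. Outbound connection to an IRC server (the control channel the thread mentions).
    v, ext = gw.outbound(Packet("tcp", lan, 51001, "198.51.100.7", 6667))
    out["irc_out"] = v
    # 6. The IRC server's reply, which can only pass if a mapping was created.
    if ext is not None:
        out["irc_reply"] = gw.inbound(Packet("tcp", "198.51.100.7", 6667, PUBLIC_IP, ext))[0]
    else:
        out["irc_reply"] = "DROP"
    return out


def compare() -> dict:
    """Same traffic through a NAT-only box and through NAT plus a 6667/tcp egress block."""
    nat_only = Gateway()
    with_policy = Gateway(egress_deny=frozenset({("tcp", 6667)}))
    return {"nat_only": run_scenario(nat_only),
            "with_egress_policy": run_scenario(with_policy)}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name)
        for step, verdict in verdicts.items():
            print(f"  {step:20s} {verdict}")
```

Run stand-alone, the two columns agree on everything except the IRC rows: both gateways drop the unsolicited probes, because an unsolicited inbound packet matches no session, but only the gateway with an egress rule stops the LAN host from opening the outbound IRC session in the first place. That is the part of the risk NAT alone never addresses: it says nothing about what an already-compromised or tricked internal host is allowed to reach.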
    
