Re: [fw-wiz] NAT Pseudo Security

From: Srini
Date: 05/04/04

    To: "Lee T. Christie"
    Date: Tue, 4 May 2004 11:04:37 -0700

    > I was wondering what everyone's thoughts were on utilizing NAT as your only
    > security mechanism, for protection from the Internet. I realize that NAT was
    > not designed for security purposes. For instance, if network A is connecting
    > to the Internet behind a router performing NAT, no incoming address or port
    > forwarding, what are my risks, from outside hosts?

    Yes, to some extent. It only protects from connections originating from the outside world.
    But there would be packets coming from the outside world for the connections that
    are originated by your internal machines. You would like to protect your internal machines
    from any attack patterns that are embedded in these packets. There would be a need for a
    firewall with deep packet inspection.

    There are some complex protocols such as FTP, SIP, H.323, RTSP etc. In these cases,
    data connections are made based on IP/port information sent in the control (signalling)
    connection. You would like to have a firewall with application intelligence which
    punches holes for allowing the data connections, but nothing else.

    > The way I see it by
    > implementing a SOHO firewall I gain a) Ingress and Egress packet control b)
    > Stateful inspection or proxy inspection c) A potentially hardened OS on the
    > unit d) Logging and Reporting e) Secure management

    Firewalls, even in SOHO, are quite sophisticated. You could have egress filtering
    not only based on IP addresses/ports, but also by domain name. They also could do
    URL filtering, popup blocking etc. and provide user-based policies to define the
    policies for different users. For example, kids can have one set of policies and parents
    can be allowed to access everything. You can monitor the access using logging and
    reporting mechanisms etc.

    I feel there is value in having a firewall beyond NAT. It could become the first defense
    into your network, even though it is not a cure for viruses/worms and sophisticated
    intrusion attacks.

    > My question is how vulnerable would that network be from outside attacks? Is
    > there any way an outside user would be able to utilize source routing or
    > another mechanism to attack an internally NAT'd host?
    > Thanks in advance for your responses.
    > Lee
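An added illustration of the two points made in this reply, written for this page and not taken from the list or any product: NAT state alone forwards any return traffic for a flow an internal host started, whatever the payload, while an FTP application gateway opens a hole only for the one data connection announced on the control channel. The gateway model, the addresses, the toy "EVIL" inspection signature and the assumption that the server's active-mode data connection comes from port 20 are all constructed.

```python
import re

class NatGateway:
    """Constructed model of a NAT gateway: a translation table keyed by the
    outbound flow, optional inspection of return traffic, optional FTP ALG."""

    def __init__(self, public_ip, inspect=False, ftp_alg=False):
        self.public_ip, self.inspect, self.ftp_alg = public_ip, inspect, ftp_alg
        self.table = {}      # (remote_ip, remote_port, public_port) -> (int_ip, int_port)
        self.next_port = 40000

    def _allocate(self, int_ip, int_port, remote_ip, remote_port):
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[(remote_ip, remote_port, pub)] = (int_ip, int_port)
        return pub

    def outbound(self, int_ip, int_port, remote_ip, remote_port, payload=b""):
        """Internal host opens a flow; returns public port and payload as the remote sees it."""
        pub = self._allocate(int_ip, int_port, remote_ip, remote_port)
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", payload)
        if self.ftp_alg and remote_port == 21 and m:
            # Active FTP: PORT names where the server must connect back. Punch one
            # hole for that server only (assumed data port 20) and rewrite the command.
            data_port = int(m[5]) * 256 + int(m[6])
            hole = self._allocate(int_ip, data_port, remote_ip, 20)
            pub_ip = self.public_ip.replace(".", ",")
            payload = b"PORT %s,%d,%d\r\n" % (pub_ip.encode(), hole // 256, hole % 256)
        return pub, payload

    def inbound(self, remote_ip, remote_port, public_port, payload=b""):
        """Packet arriving from the Internet at the gateway's public address."""
        key = (remote_ip, remote_port, public_port)
        if key not in self.table:
            return "dropped: no matching state"        # unsolicited: NAT alone stops it
        if self.inspect and b"EVIL" in payload:          # constructed toy signature
            return "dropped: inspection"
        return "forwarded to %s:%d" % self.table[key]    # return traffic: NAT alone forwards

def scenario(inspect=False, ftp_alg=False):
    """Cases from the thread; returns the gateway's verdict for each."""
    gw, client, server = NatGateway("203.0.113.5", inspect, ftp_alg), "192.168.1.10", "198.51.100.9"
    unsolicited = gw.inbound(server, 4444, 40000)
    pub, _ = gw.outbound(client, 1025, server, 80)
    returned = gw.inbound(server, 80, pub, b"HTTP/1.0 200 OK\r\n\r\nEVIL")
    _, seen = gw.outbound(client, 1026, server, 21, b"PORT 192,168,1,10,4,2\r\n")
    p = re.findall(rb"\d+", seen)                        # what the server will connect to
    ftp_data = gw.inbound(server, 20, int(p[4]) * 256 + int(p[5]))
    ftp_other = gw.inbound(server, 20, 40001)            # the hole lets nothing else through
    return unsolicited, returned, ftp_data, ftp_other
```

Run `scenario()` for plain NAT and `scenario(inspect=True, ftp_alg=True)` for the firewall case to compare the verdicts.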
