Re: [fw-wiz] NAT Pseudo Security
From: Srini (srao_at_intoto.com)
To: "Lee T. Christie" <Lee.Christie@mosaicinfo.org>, <firstname.lastname@example.org>
Date: Tue, 4 May 2004 11:04:37 -0700
> I was wondering what everyone's thoughts were on utilizing NAT as your only
> security mechanism for protection from the Internet. I realize that NAT was
> not designed for security purposes. For instance, if network A is connecting
> to the Internet behind a router performing NAT, with no incoming address or port
> forwarding, what are my risks from outside hosts?
Yes, to some extent. It only protects against connections originated from the outside world.
But there would be packets coming from the outside world for the connections that
are originated by your internal machines. You would like to protect your internal machines
from any attack patterns that are embedded in these packets. There would be a need for a
firewall with deep packet inspection.
There are some complex protocols such as FTP, SIP, H.323, RTSP etc. In these cases,
data connections are made based on IP/port information sent in the control (signalling)
connection. You would like to have a firewall with application intelligence which
punches holes for allowing the data connections, but nothing else.
> The way I see it, by
> implementing a SOHO firewall I gain a) ingress and egress packet control b)
> stateful inspection or proxy inspection c) a potentially hardened OS on the
> unit d) logging and reporting e) secure management
Firewalls, even in SOHO, are quite sophisticated. You could have egress filtering
not only based on IP addresses/ports, but also by domain name. They could also do
URL filtering, popup blocking etc. and provide user-based policies to define the
policies for different users. For example, kids can have one set of policies and parents
can be allowed to access everything. You can monitor the access using logging and
reporting mechanisms etc.
I feel there is value in having a firewall beyond NAT. It could become the first defense
into your network, even though it is not a cure for viruses/worms and sophisticated
> My question is how vulnerable would that network be from outside attacks? Is
> there any way an outside user would be able to utilize source routing or
> another mechanism to attack an internally NAT'd host?
> Thanks in advance for your responses.
firewall-wizards mailing list
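Added example (not part of the original thread, not code from any poster or product): a toy stateful filter that models the two points Srini makes above. Return packets are allowed only for connections an inside host opened, and an FTP application-layer gateway reads the control channel and opens exactly the one data connection that a PORT command or a 227 PASV reply announces, rejecting an address that names anyone other than the two endpoints (the FTP bounce case) or a privileged port. The inside prefix 192.168.1.0/24, the addresses 192.168.1.10, 203.0.113.5 and 198.51.100.7, the egress port allowlist and the FTP lines are all constructed for the demo; the filter does no address translation, so the PORT address check compares against the client's real address rather than the NAT'd one a real device would see.

```python
"""Toy stateful filter with an FTP application-layer gateway (ALG)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP connection as the firewall sees it (no NAT rewriting in this model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


# FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 (RFC 959); port = p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT " + _HOSTPORT + r"\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")


def decode_hostport(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class StatefulFilter:
    def __init__(self, inside, egress_ports):
        self.inside = ipaddress.ip_network(inside)
        self.egress_ports = set(egress_ports)  # outbound destination ports allowed by policy
        self.tracked = set()                   # connections already admitted (either direction)
        self.pinholes = set()                  # (peer_ip, dst_ip, dst_port), each usable once

    def is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def permit(self, flow):
        """Per-packet decision. Packets of an admitted connection always pass; a new
        connection passes only if it is outbound to an allowed port or matches a pinhole."""
        if flow in self.tracked or flow.reverse() in self.tracked:
            return True
        hole = (flow.src_ip, flow.dst_ip, flow.dst_port)
        if self.is_inside(flow.src_ip) and flow.dst_port in self.egress_ports:
            self.tracked.add(flow)
            return True
        if hole in self.pinholes:
            self.pinholes.discard(hole)        # one data connection, then the hole closes
            self.tracked.add(flow)
            return True
        return False                           # unsolicited: dropped, inbound or outbound

    def ftp_alg(self, ctrl, line):
        """Inspect one line of the FTP control connection (`ctrl` is client -> server)
        and open only the data connection it announces. Returns the pinhole or None."""
        m = _PORT_CMD.match(line)
        if m:  # active mode: the server will connect back to client:port
            host, port = decode_hostport(m.groups())
            if host != ctrl.src_ip:
                raise ValueError(f"PORT names {host}, not the client {ctrl.src_ip}")
            if port < 1024:
                raise ValueError(f"PORT names privileged port {port}")
            hole = (ctrl.dst_ip, host, port)
        else:
            m = _PASV_REPLY.match(line)
            if not m:
                return None
            host, port = decode_hostport(m.groups())  # passive: client connects out to server:port
            if host != ctrl.dst_ip:
                raise ValueError(f"PASV reply names {host}, not the server {ctrl.dst_ip}")
            hole = (ctrl.src_ip, host, port)
        self.pinholes.add(hole)
        return hole


def demo():
    """Constructed scenario; returns the decisions so they can be checked."""
    fw = StatefulFilter("192.168.1.0/24", egress_ports={21, 80, 443})
    client, server, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    ctrl = Flow(client, 40000, server, 21)
    r = {}
    r["ctrl_out"] = fw.permit(ctrl)                                  # inside-originated
    r["ctrl_reply"] = fw.permit(ctrl.reverse())                      # return traffic
    r["unsolicited"] = fw.permit(Flow(stranger, 5555, client, 445))  # what NAT alone blocks
    r["active_hole"] = fw.ftp_alg(ctrl, "PORT 192,168,1,10,4,1")    # 4*256+1 = 1025
    r["active_data"] = fw.permit(Flow(server, 20, client, 1025))     # the announced connection
    r["active_other"] = fw.permit(Flow(server, 21, client, 1025))    # hole already used
    try:
        fw.ftp_alg(ctrl, "PORT 192,168,1,20,4,1")                    # third party: bounce attempt
        r["bounce_rejected"] = False
    except ValueError:
        r["bounce_rejected"] = True
    r["pasv_hole"] = fw.ftp_alg(ctrl, "227 Entering Passive Mode (203,0,113,5,195,80)")
    r["pasv_data"] = fw.permit(Flow(client, 40001, server, 50000))   # 195*256+80 = 50000
    r["pasv_wrong_port"] = fw.permit(Flow(client, 40002, server, 50001))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The deciding detail is in `permit`: the pinhole is keyed on the peer address and the announced endpoint and is discarded on first use, so the server gets one connection to the one port the client named and nothing else, which is the "punches holes for the data connections, but nothing else" behaviour the reply describes.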