Re: [fw-wiz] NAT Pseudo Security

From: Srini (srao_at_intoto.com)
Date: 05/04/04

  • Next message: lordchariot_at_earthlink.net: "[fw-wiz] VPN testing utility"
    To: "Lee T. Christie" <Lee.Christie@mosaicinfo.org>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 4 May 2004 11:04:37 -0700
    
    

    > I was wondering what everyone's thoughts were utilizing NAT as your only
    > security mechanism, for protection from the Internet. I realize that NAT was
    > not designed for security purposes. For instance, if network A is connecting
    > to the Internet behind a router performing NAT, no incoming address or port
    > forwarding, what are my risks, from outside hosts?

    Yes, to some extent. It only protects from connections originated from the outside world.
    But there would be packets coming from the outside world for the connections that
    are originated by your internal machines. You would like to protect your internal machines
    from any attack patterns that are embedded in these packets. There would be a need for a
    firewall with deep packet inspection.

    There are some complex protocols such as FTP, SIP, H.323, RTSP etc. In these cases,
    data connections are made based on IP/port information sent in the control (signalling)
    connection. You would like to have a firewall with application intelligence which
    punches holes for allowing the data connections, but nothing else.

    > The way I see it by
    > implementing a SOHO firewall I gain a) Ingress and Egress packet control b)
    > Stateful inspection or proxy inspection c) A potentially hardened OS on the
    > unit d) Logging and Reporting e) Secure management

    Firewalls, even in SOHO, are quite sophisticated. You could have egress filtering
    not only based on IP addresses/ports, but also by domain name. They also could do
    URL filtering, popup blocking etc., and provide user-based policies to define the
    policies for different users. For example, kids can have one set of policies and parents
    can be allowed to access everything. You can monitor the access using logging and
    reporting mechanisms etc.

    I feel there is value in having a firewall beyond NAT. It could become the first defense
    for your network, even though it is not a cure for viruses/worms and sophisticated
    intrusion attacks.

    >
    > My question is how vulnerable would that network be from outside attacks? Is
    > there any way an outside user would be able to utilize source routing or
    > another mechanism to attack an internally NAT'd host?
    >
    >
    > Thanks in advance for your responses.
    >
    > Lee
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
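To make the two points in Srini's reply concrete (NAT admits only the return traffic of flows the inside originated, and an application-aware gateway should open exactly the data connection FTP's PORT command announces and nothing else), here is a small connection-tracking simulation. It is an added example written for this archive page, not code from either poster or from any router product; the addresses, ports and the FTP control-channel line are constructed sample values, and the gateway keeps a single table for both ordinary mappings and ALG pinholes, which is a simplification.

```python
"""Toy NAT gateway with connection tracking and an FTP ALG (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" asks the server to connect to h1.h2.h3.h4:(p1*256+p2).
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


class NatGateway:
    """Translate outbound flows, admit only the replies they solicited, drop the rest."""

    def __init__(self, public_ip, first_port=40000, ttl=300):
        self.public_ip = public_ip
        self.next_port = first_port
        self.ttl = ttl
        # (proto, public_port) -> {inner, inner_port, peer, peer_port, expires}
        # Expired entries are left in place and rejected on lookup (toy: no purge loop).
        self.table = {}
        self.log = []

    def _alloc(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt, now):
        """LAN -> Internet: create or refresh a mapping, run the ALG, return the translated packet."""
        key = next((k for k, e in self.table.items()
                    if k[0] == pkt.proto and (e["inner"], e["inner_port"], e["peer"], e["peer_port"])
                    == (pkt.src, pkt.sport, pkt.dst, pkt.dport)), None)
        if key is None:
            key = (pkt.proto, self._alloc())
            self.table[key] = dict(inner=pkt.src, inner_port=pkt.sport,
                                   peer=pkt.dst, peer_port=pkt.dport, expires=0)
        self.table[key]["expires"] = now + self.ttl
        payload = pkt.payload
        if pkt.proto == "tcp" and pkt.dport == 21:
            payload = self._ftp_alg(pkt, payload, now)
        return Packet(pkt.proto, self.public_ip, key[1], pkt.dst, pkt.dport, payload)

    def _ftp_alg(self, pkt, payload, now):
        """Rewrite a PORT command to the public address and open one narrow, short-lived pinhole."""
        m = PORT_RE.search(payload)
        if not m:
            return payload
        host = ".".join(m.group(i).decode() for i in range(1, 5))
        inner_port = int(m.group(5)) * 256 + int(m.group(6))
        if host != pkt.src:
            # The command names a host other than the sender; do not open anything for it.
            self.log.append(f"alg: PORT for {host} != sender {pkt.src}, not translated")
            return payload
        pub_port = self._alloc()
        # Pinhole limited to this FTP server, from its data port (20), to this client and port only.
        self.table[("tcp", pub_port)] = dict(inner=pkt.src, inner_port=inner_port,
                                             peer=pkt.dst, peer_port=20, expires=now + 30)
        rewritten = b"PORT %s,%d,%d\r\n" % (
            self.public_ip.replace(".", ",").encode(), pub_port // 256, pub_port % 256)
        return payload[:m.start()] + rewritten + payload[m.end():]

    def inbound(self, pkt, now):
        """Internet -> public IP: deliver only if it matches a live mapping's peer, else drop."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None or entry["expires"] < now:
            self.log.append(f"drop: unsolicited {pkt.proto} {pkt.src}:{pkt.sport} -> :{pkt.dport}")
            return None
        if (entry["peer"], entry["peer_port"]) != (pkt.src, pkt.sport):
            self.log.append(f"drop: {pkt.src}:{pkt.sport} is not the peer of mapping :{pkt.dport}")
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, entry["inner"], entry["inner_port"], pkt.payload)


def demo():
    """Walk one FTP session through the gateway; returns what was delivered or dropped."""
    gw, now = NatGateway("203.0.113.7"), 1000.0
    client, server, stranger = "192.168.1.10", "198.51.100.5", "192.0.2.99"
    ctrl = Packet("tcp", client, 51000, server, 21, b"PORT 192,168,1,10,200,10\r\n")
    out = gw.outbound(ctrl, now)                      # mapping :40000, pinhole :40001
    reply = gw.inbound(Packet("tcp", server, 21, gw.public_ip, out.sport, b"200 ok\r\n"), now)
    data = gw.inbound(Packet("tcp", server, 20, gw.public_ip, 40001), now + 1)
    stray = gw.inbound(Packet("tcp", stranger, 4444, gw.public_ip, 40001), now + 1)
    syn = gw.inbound(Packet("tcp", stranger, 4444, gw.public_ip, 445), now)
    late = gw.inbound(Packet("tcp", server, 20, gw.public_ip, 40001), now + 31)
    return dict(control_port=out.sport, rewritten=out.payload, reply=reply,
                data_inner=(data.dst, data.dport) if data else None,
                stray=stray, syn=syn, late=late, log=gw.log)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The interesting rows are `stray`, `syn` and `late`: the pinhole the ALG opened for the data connection is usable only by the FTP server, only from its data port, and only for thirty seconds, so a connection from any other source, to any unmapped port, or after the window closes is dropped exactly like an unsolicited packet to a plain NAT. What the gateway cannot do is look inside `reply` or `data` for hostile content; that is the deep-packet-inspection gap the reply describes.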

