Re: [fw-wiz] NAT Pseudo Security

From: R. DuFresne (
Date: 05/05/04

    Date: Wed, 5 May 2004 12:19:25 -0400 (EDT)

    One of the main tenets of security is the approach of layering in
    security, not relying upon just one application/package/approach, as
    security is a wedge or afterthought addon, it was not and remains not
    something built into tcp/ip. Thus, relying upon one method or layer of
    'protection' might not fully protect the assets at risk. NAT is but one
    method or layer, and should be reinforced with additional measures to
    protect the assets being guarded. Also, NAT alone will not protect your
    neighbors should your systems get trojaned or hit with the latest flurry
    of nasty-mail viruses floating about.


    Ron DuFresne

    On Tue, 4 May 2004 wrote:

    > > -----Original Message-----
    > > From: Lee T. Christie []
    > > Sent: Tuesday, May 4, 2004 02:25 PM
    > > To:
    > > Subject: [fw-wiz] NAT Pseudo Security
    > >
    > > I was wondering what everyone's thoughts were utilizing NAT as your only
    > > security mechanism, for protection from the Internet. I realize that NAT was
    > > not designed for security purposes. For instance, if network A is connecting
    > > to the Internet behind a router performing NAT, no incoming address or port
    > > forwarding, what are my risks, from outside hosts? The way I see it by
    > > implementing a SOHO firewall I gain a) Ingress and Egress packet control b)
    > > Stateful inspection or proxy inspection c) A potentially hardened OS on the
    > > unit d) Logging and Reporting e) Secure management
    > In my year at a dot-com, I came in to find NAT was being used as a firewall. I fixed THAT shortly after I took over as admin. I also replaced Symantec with SOPHOS, as our subscription was ending and at the time, an auto-update function of Symantec corporate had the nasty habit of crashing our domain controller. . . .
    > ANY firewall is better than NO firewall, period. . .
    > _______________________________________________
    > firewall-wizards mailing list

            admin & senior security consultant:
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!