Re: NAT firewalls possibly insecure by nature?

From: Lionel Bouton (Lionel.Bouton@inet6.fr)
Date: 01/11/02


Date: Fri, 11 Jan 2002 18:38:09 +0100
From: Lionel Bouton <Lionel.Bouton@inet6.fr>
To: TWyrick@paulo.com

TWyrick@paulo.com wrote:

>I was following a message thread on the "Slashdot" web-site on Wednesday
>(discussion about the Smoothwall PC firewall product based on Linux), and
>one reader made a comment that surprised me.
>
>He claimed that firewalls using NAT are inherently insecure, because someone
>with enough technical know-how can "trick" it into passing packets back and
>forth bi-directionally, thereby making it "transparent" and letting the
>hacker through to any system behind it.
>
>He then went on to reference a book called "Building Internet Firewalls,
>2nd. Edition", claiming all the info you needed to do this is contained in
>it.
>
>Can anyone confirm/deny the validity of this claim?
>If true, it seems like a software driver could be developed that acts as an
>extra network layer (rather like PPPoE software for Windows works now) which
>would do all of this complex packet modification - and allow any average
>user to tunnel right through NAT firewalls.
>

There are tricks that can occur *after* a connection is established. But
these involve IP theft, or flaws in the NAT implementation, not in the
very NAT concept.

Usually the flaws are in connection tracking (needed for FTP, RealAudio,
IRC DCC and the likes) probably because it's the most complex code.

NAT is *not* the solution to all your problems (serious security should
not be based on firewalls only) but the concept is simple and *clean*.

I consider the best firewall filtering technology to be connection
tracking (stateful firewalls). The concept is simple too: the more the
firewall knows about current connections, the fewer unwanted packets it is
likely to miss and let pass.

NAT+connection tracking is a good combination for a wide range of
filtering needs.

LB.
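The point of the reply above (an inbound packet is only forwarded when it matches a connection the NAT device has already recorded) can be shown with a small model. This is an added example, not code from the thread; the addresses and ports are constructed sample values, and the strict peer check in `inbound` is an assumption of this toy, not a description of any particular NAT product.

```python
"""Toy model of NAT with connection tracking.

An outbound packet creates a mapping in the translation table; an inbound
packet is forwarded only if it matches an existing mapping. Unsolicited
inbound packets have no entry and are dropped, which is why a plain NAT
device is not "transparent" from the outside.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # constructed: the firewall's external address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNAT:
    def __init__(self):
        self.next_port = 40000  # first public port to hand out (constructed)
        # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}

    def outbound(self, pkt):
        """Translate a LAN packet going out and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:
                break  # reuse the existing mapping for this flow
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated packet if it matches a tracked flow, else None."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping: unsolicited packet, dropped
        in_ip, in_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # mapping exists, but the sender is not the tracked peer
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
```

Helpers for FTP, IRC DCC and similar protocols extend `table` with entries the device learned by parsing application data, which is where the reply locates most real-world flaws.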


