Re: NAT vs. True Firewalls
From: Jamie Beverly (jbeverly4@comcast.net)  Date: 03/08/02
From: "Jamie Beverly" <jbeverly4@comcast.net> Date: Fri, 08 Mar 2002 00:30:07 GMT
"William Stacey" <staceyw@ameritech.net> wrote in message
news:u8djn41qhsbg23@corp.supernews.com...
> Funny, I just had this discussion on a UNIX ng. In my view, a Firewall does
> not just mean packet filter. A firewall can be made up of one or more
> components that can block or filter protocol traffic between two networks.
> O'Reilly's "Building Internet Firewalls" says a firewall is "A component or
> set of components that restricts access between a protected network and the
> Internet." So a NAT can be as much part of a firewall implementation as the
> packet filter. By this definition, a firewall can contain either a packet
> filter or NAT or both (or other current or future component.)
>
> I think the confusion is what type of NAT are we talking about - simple NAT
> or NAT with stateful inspection? More UNIX people think of NAT in terms of
> a simple NAT on a router. Most Windows people are familiar with stateful
> NATs such as the one in w2k's RRAS and Winroute, etc. Both of these
> products, for example, are secure. By default they will not allow any
> traffic to flow past the NAT router unless you define a port map to allow
> it. IMO, they do protect the LAN behind them. How do they not? Any
> examples? Specific weaknesses in an implementation (I don't know of any in
> winroute's or RRAS NAT off top of my head, but I am sure they exist) is
> different. However the concept is as strong as you can get.
Winroute and RRAS both provide firewall functions, such as packet inspection
and filtering, hence are more than a stateful NAT.

However, to answer your question, there are two possibilities for intrusion
with a stateful NAT with no packet filtering whatsoever, ignoring
vulnerabilities of the NAT itself. First, if you port-forward to any service
inside the NAT, and that service has security vulnerabilities, a NAT on its
own provides no means to disallow suspect packets. Second, and a bit more of
general concern, if a would-be intruder has, or can gain, access to other
hosts on your NAT's segment, the intruder can masquerade (or spoof) packets to
appear to originate from within your NAT's private segment. A firewall allows
you to specify rules like: if an RFC 1918 address comes in on the external
iface, drop it on the floor.
>
> They do not, however, provide any filtering or protection for the public
> interface/IP they are NATing. For this, you will still need a packet
> filter/firewall. So when you say "a NAT has nothing to do with security but
> exists to provide more IP addresses", I would tend to disagree with the
> first part because many people are using stateful NAT for both those
> reasons - security and public IP sharing. Look forward to your reply. I
> would like to know if NAT with stateful inspection can be compromised as we
> should all be aware of this.
I agree with your statement that many people are using NATs alone for
security. People have also been known to draw a series of circles and dots
on their arms to prevent 'cooties.' Yes, a NAT with stateful inspection is
more difficult to compromise, as it is actually a simple firewall (stateful
inspection is a firewalling technology), but it could be easily compromised
depending on the rule sets you define.
> Cheers!
>
> --
> William Stacey, MCSE
>
>
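The two gaps Jamie describes (a port forward that passes anything to the inside service, and a spoofed private source address arriving on the external interface) can be made concrete with a toy model. The following is an added example, not code from either poster or from any product named in the thread. It models a stateful NAT as a connection table plus static port forwards, then puts a two-rule packet filter in front of it: drop RFC 1918 sources on the outside interface, and restrict the forwarded port to an allowed source range. The addresses (198.51.100.1 public, 192.168.1.0/24 inside, 203.0.113.0/24 remote), the `allowed_forward_sources` parameter and the "suspect" payload are all constructed for the example.

```python
"""Toy stateful NAT with and without a packet filter in front (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# RFC 1918 ranges: a packet with one of these as source arriving on the
# external interface cannot be a legitimate Internet host and is dropped by
# the filter (the spoofing case from the post).
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class StatefulNAT:
    """Port-overloading NAT: outbound flows create state; inbound packets pass
    only if they match that state or a static port forward. Nothing else is
    inspected, which is exactly the limitation under discussion."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (remote_ip, remote_port, public_port) -> (inside_ip, inside_port)
        self.state: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        self.forwards: Dict[int, Tuple[str, int]] = {}   # public_port -> inside
        self._next_port = 40000

    def add_forward(self, public_port: int, inside: Tuple[str, int]) -> None:
        self.forwards[public_port] = inside

    def outbound(self, pkt: Packet) -> Packet:
        pub_port = self._next_port
        self._next_port += 1
        # Remember which remote endpoint may answer on this public port.
        self.state[(pkt.dst, pkt.dport, pub_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.state:
            ip, port = self.state[key]
            return "ACCEPT", Packet(pkt.src, pkt.sport, ip, port, pkt.payload)
        if pkt.dport in self.forwards:
            # Port forward: translated blindly, regardless of who sent it or
            # what the payload looks like.
            ip, port = self.forwards[pkt.dport]
            return "FORWARD", Packet(pkt.src, pkt.sport, ip, port, pkt.payload)
        return "DROP", None


class FilteredNAT(StatefulNAT):
    """The same NAT with a packet filter on the external interface in front."""

    def __init__(self, public_ip: str, allowed_forward_sources: List[str]) -> None:
        super().__init__(public_ip)
        # Hypothetical ACL: only these networks may reach forwarded ports.
        self.allowed = [ip_network(n) for n in allowed_forward_sources]

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        src = ip_address(pkt.src)
        # Rule 1: private source on the external interface is a spoof; drop.
        if any(src in net for net in RFC1918):
            return "DROP:antispoof", None
        verdict, translated = super().inbound(pkt)
        # Rule 2: forwarded service reachable only from the allowed ranges.
        if verdict == "FORWARD" and not any(src in net for net in self.allowed):
            return "DROP:forward-acl", None
        return verdict, translated


def run_scenarios(nat: StatefulNAT) -> Dict[str, str]:
    """Replay the four cases from the discussion and return each verdict."""
    nat.add_forward(8080, ("192.168.1.20", 80))
    # 1. Inside host opens a connection; its reply must be let back in.
    out = nat.outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 80))
    reply = Packet("203.0.113.5", 80, nat.public_ip, out.sport)
    # 2. Unsolicited probe to a port with neither state nor a forward.
    probe = Packet("203.0.113.9", 1234, nat.public_ip, 40001)
    # 3. Arbitrary remote host hits the forwarded port with a suspect payload.
    suspect = Packet("203.0.113.9", 1234, nat.public_ip, 8080,
                     b"GET /../../ HTTP/1.0")   # constructed, not a real exploit
    # 4. External packet whose source claims to be an inside host.
    spoofed = Packet("192.168.1.10", 4444, nat.public_ip, 8080, b"hello")
    return {
        "reply": nat.inbound(reply)[0],
        "probe": nat.inbound(probe)[0],
        "suspect": nat.inbound(suspect)[0],
        "spoofed": nat.inbound(spoofed)[0],
    }


if __name__ == "__main__":
    print("NAT only :", run_scenarios(StatefulNAT("198.51.100.1")))
    print("filtered :", run_scenarios(FilteredNAT("198.51.100.1", ["203.0.113.64/26"])))
```

With NAT alone, the reply is accepted and the unsolicited probe is dropped, which is the protection Stacey credits to stateful NAT; but both the suspect request to the forwarded port and the spoofed private-source packet are translated and delivered inside. Adding the two filter rules changes only those last two verdicts, which is the difference between "stateful NAT" and "firewall" that the post is drawing.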