Re: home network behind NAT and firewall ?
From: Gerald Vogt (vogt_at_spamcop.net)
Date: 02/19/05
- Next message: smooter: "Re: Norton Internet Security 2005 Personal Firewall slows down Windows XP startup"
- Previous message: kurt wismer: "Re: Best to use Zone Alarm or Avast for email protection?"
- In reply to:(deleted message) Leythos: "Re: home network behind NAT and firewall ?"
- Next in thread: Leythos: "Re: home network behind NAT and firewall ?"
- Reply:(deleted message) Leythos: "Re: home network behind NAT and firewall ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 19 Feb 2005 09:15:44 +0900
Leythos wrote:
> On Sat, 19 Feb 2005 00:15:18 +0900, Gerald Vogt wrote:
>>This is incorrect. First of all, I assume here that you do not mean a
>>NAT router but a router/firewall with SPI and NAT translation.
>
> First, let's get one thing clear, a ROUTER that provides NAT and implements
> SPI is not a firewall. It has some firewall-like features, but is not a
> true firewall.
Yes and Yes. That is what I was saying.
> Actually, SP2 and personal firewall applications running on their personal
> computer are very subject to compromise and misconfiguration in addition
> to any undiscovered flaws in the OS.
Again you have to differentiate between flaws of the firewall itself
which make the system vulnerable and the OS flaws. The OS flaws are there
one way or the other. Therefore they are irrelevant for this very issue.
SP2, PFWs and any hardware firewall as well are subject to compromise and
misconfiguration. (Side note: I guess 50% of the hardware
firewall/routers with wireless are actually wide open because they are completely
unconfigured, thus statistically it may even be that more
firewall/routers are extremely vulnerable than others.)
> A NAT router, even without SPI, does not expose the user to anywhere near
> the level of threat that running without one would/does.
Irrelevant. We never compared any solution against running nothing. We
were comparing software and hardware firewalls.
> While there have been exploits for CISCO and also the cheap routers with
> NAT, they have been fixed and required certain configurations to
> exploit. The typical user's software firewall, including SP2, is very
> subject to being disabled by a virus/trojan or even spyware, and that's
> just for what is known currently.
Note: A hardware firewall/router may as well be reconfigured from the
inside. If I think that so many wireless routers are in default
configuration, I would assume that there are as many or even more
routers without wireless in default configuration. It should be
extremely easy for an intruder in many cases to just configure the HW
FW to open a port forward...
> 1) Inbound, unauthorized, traffic - a router with NAT will better protect
> the users computer(s) than a personal firewall will for this type of
> threat.
And I never said anything against that. Nowhere. Read it again. I may just
have written "firewall" the first time, but I told you I meant a real hardware
thing, not the software thing.
A hardware firewall without NAT protects your system better than a NAT
router/firewall, which is better than the SP2 FW, which is better than a PFW. (O.K. It's
incorrect, too, because the NAT router/firewall is not really a router
but a gateway...)
> 2) Outbound, unauthorized, a personal firewall is capable of stopping this
> type of threat, but only of the user is smart enough to not compromise the
> firewall themselves. In many cases users will permit outbound without
> understanding what they are allowing. This represents a serious threat to
> users and their information.
Something like that is what I am telling people all the time. And still
you are wrong. A PFW is only capable of stopping some of these threats.
This is easy to circumvent just by tunneling through IE, for example.
Only applications that nicely cooperate with the PFW will be detected.
But people unfortunately believe it works always and everywhere...
> In all cases, for a typical home user, NAT is the first and primary method
> that should be implemented, there is very little that NAT interferes with
> that home users are impacted by. File sharing is one, but most home users
> are not permitted to run file sharing services in their ISP's acceptable
> use policy.
You change the subject and mix various different scenarios which you never
define. It does not make much sense to reply with solutions for the
typical home user without defining him (although we probably have about
the same idea of him) to an answer in a specific scenario that is given
here... (For the typical home user that has a NAT device it does not
matter if ISPs block file sharing or not, or allow it or not. It never
crosses the device.)
> I would never setup a home user without a NAT router device with NAT
> enabled, users are basically ignorant by choice and that means they are
> very vulnerable.
You usually don't have a choice. Here you have.
> You should reconsider your position on NAT for home/small users, even
> single computer users.
You should really read what you are answering to. The given scenario
allows avoiding NAT, so you should. Most people don't have the option
and have to use NAT because they only have one IP address available. If
you can have more, don't use NAT. NAT is a way to make holes into your
firewall to allow responses to out-going requests. Why do you want to do
that if you are not required to?
Anyway, taking my answer for a specific scenario and telling me to
reconsider my position for home/small users is, well, ...
Gerald
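Added example, not code from either poster in this thread: a toy stateful packet filter in Python, modelled loosely on a home gateway, that walks through the three situations argued about above. It shows (1) an unsolicited inbound SYN being dropped, (2) the state entry created by an outgoing request being exactly the "hole" that lets the reply back through, with and without NAT, and (3) a static rule added from the inside (a port forward, or a plain allow rule on a routed subnet) delivering the same SYN that was dropped before. The `Packet` and `Gateway` names, the port pool, and all addresses (RFC 5737 TEST-NET and RFC 1918 ranges) are constructed for the example; real connection tracking also handles timeouts, TCP state and ICMP, which this model omits.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed example, not code from the original thread. All addresses are
# made up (RFC 5737 TEST-NET ranges for "public", RFC 1918 for the LAN).

Flow = Tuple[str, str, int, str, int]     # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # TCP SYN: the packet tries to open a new connection

    def key(self) -> Flow:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Gateway:
    """Toy stateful packet filter with optional source NAT (home router style).

    nat=True: the LAN hides behind one public address (the usual home case).
    nat=False: LAN hosts are routable and only the state table filters inbound.
    """
    wan_ip: str
    nat: bool = True
    next_port: int = 40000                                        # NAT source-port pool
    conntrack: Dict[Flow, Flow] = field(default_factory=dict)     # expected reply -> LAN-side delivery
    # static rules: (proto, dst_ip, dst_port) as seen on the WAN -> (lan_ip, lan_port)
    static_allow: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: always permitted, and records the state that lets the reply back in."""
        if self.nat:
            out = Packet(pkt.proto, self.wan_ip, self.next_port, pkt.dst, pkt.dport, pkt.syn)
            self.next_port += 1
        else:
            out = pkt
        expected_reply = (out.proto, out.dst, out.dport, out.src, out.sport)
        deliver_as = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.conntrack[expected_reply] = deliver_as
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: delivered only if it matches tracked state or a static rule, else dropped."""
        if pkt.key() in self.conntrack:
            proto, s_ip, s_port, d_ip, d_port = self.conntrack[pkt.key()]
            return Packet(proto, s_ip, s_port, d_ip, d_port, pkt.syn)
        rule = self.static_allow.get((pkt.proto, pkt.dst, pkt.dport))
        if rule is not None:
            lan_ip, lan_port = rule
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
        return None                                               # unsolicited: dropped


def run(nat: bool) -> dict:
    """Walk one gateway through the three cases discussed in the thread."""
    wan_ip = "203.0.113.5"
    lan_host = "192.168.1.10" if nat else "203.0.113.10"   # routable LAN host when no NAT
    peer = "198.51.100.9"
    gw = Gateway(wan_ip=wan_ip, nat=nat)
    res = {}

    # 1. Unsolicited inbound SYN (here to TCP/445): no state, no rule -> dropped.
    target = wan_ip if nat else lan_host
    res["unsolicited"] = gw.inbound(Packet("tcp", peer, 4444, target, 445, syn=True))

    # 2. LAN host opens a connection outward; the state entry is the "hole"
    #    that lets the peer's reply back through (NAT only adds the rewrite).
    out = gw.outbound(Packet("tcp", lan_host, 51000, peer, 80, syn=True))
    res["wan_view"] = out
    res["reply"] = gw.inbound(Packet("tcp", peer, 80, out.src, out.sport))

    # 3. Something on the inside (a user, or malware reaching the admin page
    #    with a default password) adds a permanent rule: the SYN dropped in
    #    step 1 is now delivered to the LAN host.
    gw.static_allow[("tcp", target, 445)] = (lan_host, 445)
    res["after_rule"] = gw.inbound(Packet("tcp", peer, 4444, target, 445, syn=True))
    return res


if __name__ == "__main__":
    for mode in (True, False):
        r = run(nat=mode)
        print(f"nat={mode}: unsolicited={r['unsolicited']} wan_view={r['wan_view']}")
        print(f"           reply={r['reply']}\n           after_rule={r['after_rule']}")
```

The same `inbound()` check is what decides the outcome in both modes; the difference between "NAT router" and "stateful firewall on a routed subnet" in this model is only whether `outbound()` rewrites the source, which is why an inside-originated static rule opens the box equally in either configuration.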