Re: home network behind NAT and firewall ?
From: Leythos (void_at_nowhere.lan)
Date: Sat, 19 Feb 2005 14:58:40 GMT
On Sat, 19 Feb 2005 11:18:18 +0900, Gerald Vogt wrote:
> Leythos wrote:
>> Gerald, I have 10 IP on my home service, and I run 4 subnets behind a
>> real Firewall appliance with more than 20 systems at any given time. My
>> firewall provides for the ability to assign both public (not nat) and
>> natted segments, but I use NAT since there is no benefit in running a
>> public IP on any of the systems.
> Well, if there is no benefit you free to do whatever you want to do. I
> pointed out that NAT has been often problematic in the past.
NAT appliances, for the last 5 years, have not been problematic, at least
not in the NAT part.
> It is more
> stable now but you don't really know about the quality of the
> implementations. NAT is vulnerable as protection mechanism. Even the
> perfect implementation of NAT is vulnerable. That is due to the design
> as mapping mechanism of one IP address to many IP addresses which never
> can be perfect. A properly crafted UDP packet send to the right port of
> your NAT device with the right timing will go through and may infect the
> receiving computer behind the device. I don't have the numbers are the
> chances for an attacker are, but you cannot avoid it.
In the last few years the only issues I've seen with routers that provide
nat has been a couple exploits that required the user to have it set in
the default mode and then to visit a site with a specially crafted string
that would reset the router and allow remote control - it was noted
quickly and patched.
>> The given scenario is a perfect example of why the op should have been
>> using a NAT solution - it would keep all the traffic related to their
>> LAN inside their network and it would never have to reach the ISP's
>> device. It would also protect the internal network from malicious
>> external traffic.
> If you use a hardware firewall without NAT you get the same plus you are
> not vulnerable to any problems due to NAT...
You keep talking about any problems with NAT, but the simple fact is that
NAT is not really problematic for the 99% of home users that would
A hardware firewall without NAT is nothing like a being live on the Net,
in fact, you can be as well protected without NAT as long as you use a
real firewall, not some personal software or a router claiming to be a
firewall. The point is that there is no reason to subject the personal
computer to the traffic that being directly connected to the Net would
have them subjected too.
>> Well.... I considered your position and based on the information I had
>> and with the other post, I still suggest that you reconsider NAT for
>> base installations, even those with one IP and one computer. Use of a
>> personal firewall application, weather it's ZoneAlarm, Sygate, SP2 FW,
>> etc... is
> I agree with PFWs. I don't so much agree with SP2 FW if you set it to
> "On", "No Exceptions", and you do not use the Administrator account but
> only a limited user account instead. Someone, who does not do that will
> screw up the hardware router as well. If you turn off the SP2 FW (which
> you can do only as admin) at times, you will put your computer into a
> DMZ. If you allow exceptions you most likely will do that with your HW
> router as well. If you work as Administrator, my guess would be that you
> don't change the default password of your HW router either.
Well, you have to problems with the above - 99% of Windows home/SOHO
users are running as Administrator level accounts on their machines and
they don't know a thing about Exceptions.
If those same users were to purchase a Linksys BEFSR41 unit, or a D-Link
604 unit, and just drop it in place, they would have to make no changes in
most cases and they would eliminate about 80% of the threats to their
> I don't have numbers at hand on this subject, though. These are just a
> couple of thoughts why I doubt you can simply say, HW router is always
> better. I believe that there is no clear advantage on either side. If
> used properly both work the same. If not used properly, neither one will
I don't have numbers either, but I have designs and clients that can back
my statements - using a NAT solution for networks as a first layer means
to protect them is a much superior method than having them on public IP's
with any personal firewall running on their computers.
The key point is that NAT protects, even in the default mode of most of
the cheap devices, far better than a personal firewall for most cases, and
it's not something that the users have to, or need to, configure.
>> Based on the OP's need to share files between two computers, a NAT
>> ROUTER solution is the perfect and optimal method. Anything that puts
>> the two computer on the public network is a security risk when
>> File/Printer sharing is enabled.
> Again, no. That is the purpose of a dedicated firewall. It is not a
> security risk if it is properly set up. NAT does not hide or protect a
> computer from the public network. It is on the network the very same way
> as it is without NAT.
Completely wrong - NAT does not expose the computers directly to the
Internet in any way. The NAT device handles the routing of all traffic
in/out of the network to/from the computers and the Internet, the traffic
between the computers inside the network never reaches the public side of
> The firewall on your NAT router does provide the protection. NAT only
> makes the holes into the firewall to let the traffic through. That way
> it weakens the security a firewall can provide. If one of your computers
> on the inside does contact a file sharing service outside of your
> network, NAT will open the firewall for responses back.
Yes, almost - the router will allow the internal machine to get-back data
from any machine the internal machine contacts FIRST. The external
machines can not share data with the internal machines UNLESS the internal
machines first contact the external machines, and then it's only good for
the session that was started, it does not allow communications once the
session is dropped.
The next point is that a NAT device is not a firewall, you need to stop
thinking of it as a firewall, NAT has nothing to do with the firewalling.
The fact that Marketing types decided to call it a Firewall after a couple
years of marketing does not make it a Firewall.
> A dedicated firewall is setup to block ports you don't want traffic go
> through. If you don't want file sharing you just block it specifically.
> There will never ever any file sharing traffic going through then. No
> NAT can temporarily open a door there. It's just blocked. With a little
> bit more effort you can also set up a fairly good out-going block as
> well and only allow the necessary out-going traffic to ports that you
> really want to use...
And many of the NAT devices also allow port blocking to outbound
destination ports - in fact I always block outbound to ports 135 through
139, 445, 1433/1434, 1026/1027 in those cheap routers. File sharing across
the net should not be done using Windows file sharing methods, that's the
wrong way to do it and it exposes the computer to many thousands of
>> Even if you want to share files between two computers across the net,
>> not on the same ISP, file sharing using MS file sharing methods is
>> still the wrong path to take. The proper path would be to enable PPTP
>> Passthrough on
> We are not sharing files across the net. Sharing files across the net is
> a bad idea and requires something else. We are sharing files on a LAN
> here. That's not ideal, but fairly common and not the total security
> nightmare. If you are afraid of that but IPSec underneath.
If you have the ports exposed to the net then you run a direct risk of
someone reaching them and getting into your computer. Sharing files on
work/personal computers inside the home using a public IP is just plain
silly in todays cheap router/nat world, there is just no reason to subject
yourself and your data to the risks that you know about and the risks that
you don't know about.
> I feel you are a little bit worried if you don't have NAT because of the
> missing added "security". It seems scary in the beginning to know that
> the IP address of your computer in the LAN is actually an internet IP
> and that browsing for example works just like normal if it was connected
> directly. I understand the fear that you may think, if it has an
> internet IP address and it has an open MS filesharing service it may
> happen that your firewall may fail or whatever... It seems safer to have
> a different IP address than you think nothing is going through directly.
No, I have do disillusions about your network, I do this type of stuff for
a living and see networks like yours all the time. We get calls from
compromised businesses that are setup like you have your systems and they
are calling because they've been compromised.
> The mistake here is that the NAT algorithm in between is
> non-deterministic. The whole mapping problem is. Most time is looks good
> and it works and gives you the feeling of security because of the
> different IP addresses. In reality you are as directly connected as with
> NAT and the difference lies in the firewall.
You are completely wrong - you are not "as directly connected as with
NAT". I can show you the logs from a typical NAT device to prove it, in
fact, if you had ever used a NAT Router (like a D-Link or Linksys or
NetGear) you would already know this.
> If you set it up properly
> the dedicated firewall does the same as your NAT firewall but is not
> vulnerable to risks due to NAT as I pointed out before with my example.
> Most bigger companies use firewalls and they work fine. If they are
> using a private network they go through proxies not through NAT.
Proxy or NAT, most companies use a PRIVATE address scheme in their offices
and networks. Sure, you can proxy, but the proxy has two NIC's and one is
inside and one is outside the local network. You would never see a secure
company running with all of their computers on the public network.
A firewall and a NAT router are different devices, they are not even close
As I've said before, any network running with public IP's is not secure, I
don't care how you look at it, a public IP on a company or personal
network is not secure. Sure, there can be exceptions, I'm sure I could
setup a Windows 2000 or 2003 server to be secure while on a public network
(and have), but I'm not about to do it for a secure solution for a
business or personal network.
Most of the people that have home computers, I would guess over 90% of
them, that are connected via cable/dsl directly to the internet would
directly benefit from a NAT device and would have little if any trouble.
Additionally, they would be more secure, have to purchase less software
(personal firewall software) and see a performance boost in their
computers from not having to constantly block the thousands of probes
daily. Oh, and they would not be subject to drive-by hacking attempts
-- firstname.lastname@example.org remove 999 in order to email me