Re: NAT is not a mechanism for securing a network.. but.. HELP!
From: Stuart McGraw (smcg4191zz_at_friizz.RimoovAllZZs.com)
Date: 08/25/05
- Next message: Stuart McGraw: "Re: NAT is not a mechanism for securing a network.. but.. HELP!"
- Previous message: Frankster: "Re: Hardware Firewall??"
- In reply to: Duane Arnold: "Re: NAT is not a mechanism for securing a network.. but.. HELP!"
- Next in thread: Duane Arnold: "Re: NAT is not a mechanism for securing a network.. but.. HELP!"
- Reply: Duane Arnold: "Re: NAT is not a mechanism for securing a network.. but.. HELP!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Aug 2005 08:42:03 -0600
"Duane Arnold" <notme@notme.com> wrote in message news:Xns96BC9E553FFF4notmenotmecom@216.148.227.77...
> "Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote in
> news:11gpifl69u6r6b1@corp.supernews.com:
> > "Duane Arnold" <notme@notme.com> wrote in message
> > news:Xns96BC14CD7E264notmenotmecom@63.240.76.16...
> >> "Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote in
> >> news:11go2gq2n2d2h42@corp.supernews.com:
> >> > "Duane Arnold" <Notme@Notme.com> wrote in message
> >> > news:7QMOe.302032$xm3.164076@attbi_s21...
[...snip...]
> >> > (https://www.watchguard.com/docs/whitepaper/RealFirewall_wp.pdf)
[...snip...]
> > They mention pings and then say "NAT devices, however, respond,
> > letting the hacker know he's found a live connection and an easy way
> > in to the network." Exactly how does a ping response indicate an
> > ***easy*** (my emphasis) way into the network?
>
> Well I can say this, I went to a site that did ping testing with the
> Linksys NAT router at the time and the machines behind the router
> responded to the ping test. I had to go to the BlackIce firewall.ini file
> on the machine and set an ICMP rule in the file to get the machines to
> not respond and pass the tests.
>
> As opposed to using the WG I now use, and I can check on the rule *Do
> not respond to the Ping requests received on the External Network*.
>
> I see the WG responding to the in the WatchGuard syslog by using
> Wallwatcher by passing the inbound request as indicated by a red "P" in
> the logs but no machine behind the router is responding with outbound
> when it happens. This happens in the syslog on a routine basis.
>
> Not once did the Linksys NAT router in its syslog using Wallwatcher
> indicate any ping attempts. Nor did BI show in its logs that it was not
> responding, but BI did allow me to pass the above ping test and I'll
> assume that BI was doing its job at the time.
Sure, but none of that is evidence that the router provided an "easy"
way for hackers to hack into your network which is what the WG white
paper claimed.
BTW, was the Linksys doing IPaddr<->IPaddr NAT, or
IPaddr/Port<->IPaddr/Port mapping? If the latter case, since icmp
packets don't use port numbers how does the router decide which
machine to send the ping packet to?
[...snip...]
> > This is just a small sample of what I was talking about, it would take
> > a day or more to go through the whole paper, and pick out all the
> > incidences of slanted presentation.
>
> I see those as facts. And you're going to have to come up with some kind
> of solid evidence to prove otherwise. And again, that was not the white
> paper or article I got from WG that I have mentioned and the paper was
> not trying to sell anything or slant presentation as you put it.
Slanted writing often does not contain overt errors of fact. Instead it misleads
by making unrelated facts seem related, overstating some things and understating
(or not mentioning others), etc, and generally leaving an impression with a
non-critical reader that is not accurate.
Of course, a lot of this is subjective. So if you say you found it a fair and balanced
presentation of fact then, ok, that's what you think...
Nevertheless, I do not see how you can see the (paraphrased) statement that
"if the firewall responds to pings, there is an easy path for hackers into the network"
as a fact. I do not see how you can see conflating the two unrelated cost-of-intrusion
statistics as not misleading. Or that the default password issue (in most
cases when the admin has more than half a brain) is a very minor issue that is
exaggerated when presented at the same level as claims that remote intrusion is
possible, and is not limited to NAT routers (a fact they leave out).
> > Lest I be misunderstood, I am not saying that NAT is as secure as a
> > good well configured firewall, that WG products are bad, that
> > firewalls are useless, or even that particular white paper is
> > exceptionally bad. All I am saying is that it is a typical marketing
> > whitepaper, designed to sell the company's products and does not
> > present a fair picture of the security differences between NAT routers
> > and firewalls.
>
> My WG uses NAT too because it must map external IP traffic to internal
> LAN IP(s) and is mapping technology. NAT by itself is a very limited
> means of protection from the Internet. I myself would use a NAT router
> backed by a personal FW solution in the home. I would never use a NAT
> router that just had NAT to protect a business situation, which is what
> that Linksys router turned out to be once SPI was removed -- a simple NAT
> router device. None of the cheap D-link, Belkin, Netgear, Linksys or
> otherwise low-end models would I use to protect a business. But that's
> just me.
I have used NAT and packet filtering several times for small businesses,
never just NAT. But I want to know exactly and factually what the real risks
are, based on documented facts, particularly regarding their claim that there
are tools available that exploit open NAT'd connections. Their white paper
(which I acknowledge is not the one you originally referred to) contained nothing
that helped with that, so I am still looking....
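On the question raised above of how a port-mapping (NAPT) router decides which inside machine an ICMP ping belongs to: the following is an added illustration, not code from this thread or from any vendor, of the usual behaviour (the ICMP echo Identifier field stands in for the port, as RFC 5508 describes). An unsolicited inbound echo request matches no mapping, so only the router itself can answer it; no machine behind the router is reached unless a static forward is configured. All addresses and identifiers are constructed.

```python
from dataclasses import dataclass

WAN_IP = "203.0.113.5"  # constructed public address of the router


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str    # "echo-request" or "echo-reply"
    ident: int   # ICMP Identifier; NAPT keys echo traffic on this, as TCP/UDP use ports


class NaptRouter:
    """Minimal NAPT model for ICMP echo. No static 'DMZ host' forward is assumed."""

    def __init__(self, respond_to_ping: bool):
        self.respond_to_ping = respond_to_ping  # the "respond to external ping" knob
        self.table = {}                          # external ident -> (inside host, inside ident)
        self.next_ident = 40000                  # constructed starting value for rewritten idents

    def outbound(self, pkt: Icmp) -> Icmp:
        """Inside host sends an echo request: create a mapping, rewrite src and ident."""
        ext_ident = self.next_ident
        self.next_ident += 1
        self.table[ext_ident] = (pkt.src, pkt.ident)   # real routers also time entries out
        return Icmp(WAN_IP, pkt.dst, pkt.kind, ext_ident)

    def inbound(self, pkt: Icmp):
        """Packet arrives on the external side; returns (action, packet-or-None)."""
        if pkt.kind == "echo-reply" and pkt.ident in self.table:
            host, ident = self.table[pkt.ident]
            # Reply to something an inside host asked for: un-translate and forward.
            return ("forward", Icmp(pkt.src, host, pkt.kind, ident))
        if pkt.kind == "echo-request":
            # Unsolicited: there is no mapping, so no inside host can be chosen.
            if self.respond_to_ping:
                return ("router-reply", Icmp(WAN_IP, pkt.src, "echo-reply", pkt.ident))
            return ("drop", None)
        return ("drop", None)  # reply with no matching mapping is discarded


def demo():
    """Walk through the three cases; returns the actions taken for each."""
    r = NaptRouter(respond_to_ping=False)
    out = r.outbound(Icmp("192.168.1.10", "198.51.100.9", "echo-request", 7))
    reply = r.inbound(Icmp("198.51.100.9", WAN_IP, "echo-reply", out.ident))[0]
    probe = r.inbound(Icmp("198.51.100.77", WAN_IP, "echo-request", 1))[0]
    return reply, probe
```

The observable difference between a router that answers external pings and one that does not is therefore only whether the router's own address replies; in neither case is the probe delivered to a LAN host.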