Re: NAT Security

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/31/03


Date: Wed, 31 Dec 2003 00:24:16 GMT

NAT or basic firewall as it is also called in Windows 2003 provides about the same
level of security as the basic NAT routers you can purchase at Best Buy, etc. For
many or most users connected to the internet, NAT is adequate. It [W2K NAT] does have
some shortcomings in that it does not have the ability to control outbound traffic,
has very limited if any useful logging or intrusion detection, and does not have the
advanced stateful packet inspection (SPI) feature that many of even the low priced
firewalls, such as the Netgear ProSafe line, use. I think at today's prices it makes
sense to use a hardware firewall for the extra protection and features. You can buy
a Netgear ProSafe device for around $70 for a small office/home use. If you need more
throughput and more advanced features including the ability to create a large number
of rules then you may want to look at the lower priced devices from places like
SonicWall or NetScreen where you will probably need to spend $300 - $400.

Of course a firewall is only one part of protecting your network that also would
include virus protection, patch management, system hardening, auditing, and password
policy as other major issues to cover. You mention NetBIOS port 139. I hope that was
not showing on your port scanning. An external firewall would protect access to those
ports. You should also make sure that file and print sharing is disabled on the
server if it is not needed and if it is, be sure to disable it on the NIC that faces
the internet. You mention port 3387? If you meant port 3389, then you have Terminal
Services open to the internet. NAT will not allow you to restrict access from only
certain internet addresses to use Terminal Services which would allow hacking
attempts from anyone who discovers your open port. A firewall should be able to
restrict inbound access to that port based on IP addresses you configure as being
allowed.

--- Steve

"Todd" <anonymous@discussions.microsoft.com> wrote in message
news:E1842198-2596-421A-8A42-D28A6F4395BA@microsoft.com...
> I have a Win2K box used as a router / gateway to the internet which also hosts my
> Exchange server, this is enabled with RRAS with NAT? How secure is this? When I do
> a port scan it seems quite secure with only a few ports open, e.g. 25, 3387, 110 etc.
> and a few more. How can I block say 139 NetBIOS port .... is NAT just dependent on the
> services running on that box? And how secure is this solution?
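
The difference the reply draws between a NAT port mapping (any source accepted) and a firewall rule limited to configured source addresses can be modelled in a few lines. This is an added example, not part of the original thread; the policy, the address ranges (documentation ranges) and the scan result are constructed assumptions.

```python
import ipaddress

# Constructed policy for the gateway's internet-facing interface:
# port -> source networks allowed in. None means "any source", which is
# all a plain NAT port mapping can express.
POLICY = {
    25: None,                                          # SMTP: mail arrives from anywhere
    110: [ipaddress.ip_network("203.0.113.0/24")],     # POP3: one remote office (assumed)
    3389: [ipaddress.ip_network("198.51.100.10/32")],  # Terminal Services: one admin host (assumed)
}


def allowed(port, src, policy=POLICY):
    """Return True if a connection from src to port passes the filter."""
    if port not in policy:
        return False              # default deny: 139 is never listed
    nets = policy[port]
    if nets is None:
        return True               # no source restriction on this port
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def audit(open_ports, policy=POLICY):
    """Classify ports that an external scan reported as open."""
    result = {}
    for port in open_ports:
        if port not in policy:
            result[port] = "unexpected: should be blocked"
        elif policy[port] is None:
            result[port] = "open to any source"
        else:
            nets = ", ".join(str(n) for n in policy[port])
            result[port] = "restricted to " + nets
    return result


if __name__ == "__main__":
    # Constructed scan result resembling the ports mentioned in the thread.
    for port, verdict in audit([25, 110, 139, 3389]).items():
        print(port, verdict)
    print(allowed(3389, "198.51.100.10"), allowed(3389, "192.0.2.55"))
```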


