Firewall Wizards mailing list archives

RE: NAT Pseudo Security


From: "Sloane, David" <DSloane () vfa com>
Date: Tue, 4 May 2004 12:25:04 -0400

Lee,

How secure are your workstations which access the Internet?  Do users
have limited local-system privileges while accessing the web?  Do you
restrict potentially risky browser functions (Java?  ActiveX?
JavaScript?) at the workstation level?  At a proxy?  Do you have
peer-to-peer applications running outbound traffic from your network?
Do you have remote-control applications running outbound from your
network (VNC, PlaceWare, GoToMyPC)?

If your workstations aren't hardened in some fashion, they'll pick up
all kinds of junk through "normal" web surfing.  If you don't do any
egress filtering, curious/creative/malicious/bored/reckless people will
take risks with the Internet whether or not they mean to.

Even with egress-only access to the Internet, there are plenty of risks
to go around.  On Windows machines, Internet Explorer and Outlook
provide a variety of openings for unsuspecting or reckless users to have
their machine taken over, even with all the patches applied.

Even if you only allow port 80 out, unless you're managing the traffic
or the workstations (or, even better, both) pretty tightly, you'll still
get p2p, streaming media, and remote control applications "tunneling"
out and bringing back all manner of nastiness.

This is why Managed Personal Firewall and Anti-Virus vendors make so
much money - the flaws in Windows-based systems and the prevalence of
Local-Superuser privileges make bad code very hard to keep out.

So, to your question, a real firewall is one of the cheapest measures
you can take to secure your network.  But it's really just the
beginning.

-David

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Lee T.
Christie
Sent: May 04, 2004 10:25 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] NAT Pseudo Security


I was wondering what everyone's thoughts were utilizing NAT as your only
security mechanism, for protection from the Internet.  I realize that
NAT was not designed for security purposes.  For instance, if network A
is connecting to the Internet behind a router performing NAT, no
incoming address or port forwarding, what are my risks, from outside
hosts?  The way I see it by implementing a SOHO firewall I gain a)
Ingress and Egress packet control b) Stateful inspection or proxy
inspection c) A potentially hardened OS on the unit d) Logging and
Reporting e) Secure management

My question is how vulnerable would that network be from outside
attacks?  Is there any way an outside user would be able to utilize
source routing or another mechanism to attack an internally NAT'd host?


Thanks in advance for your responses.

Lee
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
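The two questions in this thread, whether an outside host can reach a NAT'd machine that has no port forwarding, and what a real filter (egress policy, dropping source-routed packets) adds on top of address translation, can be made concrete with a small model. The following is an added example written for this archive page, not code from either poster. It assumes one public address (203.0.113.1, a documentation range), one internal host (192.168.1.10), a router that honours IP source-route options unless told to drop them, and uses the RFC 3489 names "full cone" and "port restricted" for the two NAT behaviours; the packet trace is constructed for the example.

```python
"""Toy model of a NAT router with and without a stateful filter.

Added example for this thread; not code from either poster. Assumes one
public address, one inside host and a constructed packet trace.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"      # assumed router address (documentation range)
INSIDE_IP = "192.168.1.10"     # assumed internal host
FIRST_NAT_PORT = 40000         # first public port handed out by the NAT


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    source_routed: bool = False   # packet carries an IP source-route option


class NatRouter:
    """mode: 'full-cone' (any outside host may use a mapping once it exists)
    or 'port-restricted' (only the peer the inside host actually sent to).
    egress_ports: None for no egress filtering, else the allowed dest ports.
    drop_source_routed: whether the router discards source-routed packets."""

    def __init__(self, mode, egress_ports=None, drop_source_routed=False):
        if mode not in ("full-cone", "port-restricted"):
            raise ValueError(mode)
        self.mode = mode
        self.egress_ports = egress_ports
        self.drop_source_routed = drop_source_routed
        self.next_port = FIRST_NAT_PORT
        self.mappings = {}   # (inside ip, inside port) -> public port
        self.reverse = {}    # public port -> (inside ip, inside port)
        self.peers = set()   # (public port, outside ip, outside port) seen outbound

    def outbound(self, pkt):
        """Translate an inside->outside packet; None means dropped."""
        if self.egress_ports is not None and pkt.dport not in self.egress_ports:
            return None                          # blocked by egress policy
        key = (pkt.src, pkt.sport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        pub = self.mappings[key]
        self.peers.add((pub, pkt.dst, pkt.dport))
        return Packet(PUBLIC_IP, pub, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate an outside->inside packet; None means dropped."""
        if pkt.source_routed and self.drop_source_routed:
            return None                          # policy: never honour source routes
        if pkt.source_routed and pkt.dst == INSIDE_IP:
            # Assumed behaviour of a router that honours the option: the packet
            # is forwarded to the private address and never consults the NAT table.
            return pkt
        if pkt.dst != PUBLIC_IP or pkt.dport not in self.reverse:
            return None                          # no mapping: nothing to deliver to
        if self.mode == "port-restricted" and (pkt.dport, pkt.src, pkt.sport) not in self.peers:
            return None                          # unsolicited: not a reply to anything
        inside_ip, inside_port = self.reverse[pkt.dport]
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def run_trace(mode, egress_ports=None, drop_source_routed=False):
    """Push a constructed packet sequence through one router configuration.
    Returns a dict of step name -> True if the packet got through."""
    r = NatRouter(mode, egress_ports, drop_source_routed)
    web = ("198.51.100.7", 80)          # constructed outside web server
    attacker = ("192.0.2.66", 31337)    # constructed outside attacker
    out = {}
    # 1. Unsolicited inbound before any mapping exists.
    out["cold_inbound"] = r.inbound(Packet(*attacker, PUBLIC_IP, FIRST_NAT_PORT)) is not None
    # 2. Inside host talks to the web server; its reply must come back.
    sent = r.outbound(Packet(INSIDE_IP, 51000, *web))
    out["web_reply"] = r.inbound(Packet(*web, PUBLIC_IP, sent.sport)) is not None
    # 3. A third party probes the public port the web session opened.
    out["attacker_via_mapping"] = r.inbound(Packet(*attacker, PUBLIC_IP, sent.sport)) is not None
    # 4. Inside host starts an outbound p2p session on 6881.
    out["p2p_out"] = r.outbound(Packet(INSIDE_IP, 51001, "198.51.100.9", 6881)) is not None
    # 5. Source-routed packet aimed at the private address via the router.
    out["source_routed"] = r.inbound(Packet(*attacker, INSIDE_IP, 445, source_routed=True)) is not None
    return out


if __name__ == "__main__":
    print("NAT only, full cone:      ", run_trace("full-cone"))
    print("NAT only, port restricted:", run_trace("port-restricted"))
    print("NAT + stateful filter:    ", run_trace("port-restricted", {80, 443}, True))
```

The first two traces are translation with no filtering: the cold probe fails in both because there is no mapping to deliver to, which is the "pseudo security" NAT gives for free, but a full-cone NAT lets the attacker into the mapping as soon as the inside host has talked to anyone, and neither stops the p2p session or the source-routed packet. Only the third configuration, which adds a stateful reply check, an egress allow-list and a drop rule for source-routed packets, gets all five answers the way a firewall administrator would want them.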