Firewall Wizards mailing list archives
Re: NAT Pseudo Security
From: "Srini" <srao () intoto com>
Date: Tue, 4 May 2004 11:04:37 -0700
I was wondering what everyone's thoughts were on utilizing NAT as your only security mechanism for protection from the Internet. I realize that NAT was not designed for security purposes. For instance, if network A is connecting to the Internet behind a router performing NAT, with no incoming address or port forwarding, what are my risks from outside hosts?
Yes, to some extent. It only protects from connections originated from the outside world. But there would be packets coming from the outside world for the connections that are originated by your internal machines. You would like to protect your internal machines from any attack patterns that are embedded in these packets. There would be a need for a firewall with deep packet inspection. There are some complex protocols such as FTP, SIP, H.323, RTSP, etc. In these cases, data connections are made based on IP/port information sent in the control (signalling) connection. You would like to have a firewall with application intelligence which punches holes for allowing the data connections, but nothing else.
The way I see it, by implementing a SOHO firewall I gain a) ingress and egress packet control, b) stateful inspection or proxy inspection, c) a potentially hardened OS on the unit, d) logging and reporting, e) secure management.
Firewalls, even in SOHO, are quite sophisticated. You could have egress filtering based not only on IP addresses/ports but also on domain name. They also could do URL filtering, popup blocking, etc., and provide user-based policies to define the policies for different users. For example, kids can have one set of policies and parents can be allowed to access everything. You can monitor the access using logging and reporting mechanisms, etc. I feel there is value in having a firewall beyond NAT. It could become the first defense into your network, even though it is not a cure for viruses/worms and sophisticated intrusion attacks.
My question is how vulnerable would that network be from outside attacks? Is there any way an outside user would be able to utilize source routing or another mechanism to attack an internally NAT'd host? Thanks in advance for your responses. Lee
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
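The behaviour Srini describes, as an added example that is not part of the original thread or of any product: a toy NAPT gateway with an FTP application-level gateway. It shows the three properties under discussion: an unsolicited inbound packet has no translation state and is dropped; a packet belonging to a connection an internal host opened is forwarded whatever it carries, so NAT alone inspects nothing; and an active-mode FTP PORT command in the control channel makes the gateway rewrite the private address and open exactly one pinhole, restricted to the FTP server and the client that asked for it. The addresses, the port allocator and the mapping behaviour (address-and-port-dependent filtering, one-shot pinholes) are assumptions made for the example.

```python
"""Toy NAPT gateway with an FTP ALG (added example, not from the thread).

Assumptions: PUBLIC_IP is the router's external address, external ports
are handed out sequentially from 40000, inbound packets are accepted only
from the exact remote (ip, port) the internal host talked to, and a PORT
pinhole is consumed by the first matching connection.  All addresses are
made up (RFC 5737 documentation ranges plus a private client network).
"""
import re
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # assumed external address of the NAT router
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass
class Gateway:
    next_port: int = 40000
    # (ext_port, remote_ip, remote_port) -> (int_ip, int_port)
    table: dict = field(default_factory=dict)
    # ext_port -> (server_ip, int_ip, int_port): holes punched by the FTP ALG
    pinholes: dict = field(default_factory=dict)

    def _alloc(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload=b""):
        """Internal host -> Internet: create state, return translated source and payload."""
        ext_port = self._alloc()
        self.table[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        if dst_port == 21:  # only the FTP control channel gets application intelligence
            payload = self._ftp_alg(src_ip, dst_ip, payload)
        return PUBLIC_IP, ext_port, payload

    def _ftp_alg(self, client_ip, server_ip, payload):
        m = PORT_RE.search(payload)
        if not m:
            return payload
        h = [int(x) for x in m.groups()]
        int_ip, int_port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        if int_ip != client_ip:  # never punch a hole for a host other than the sender
            return payload
        ext_port = self._alloc()
        self.pinholes[ext_port] = (server_ip, int_ip, int_port)
        public = PUBLIC_IP.replace(".", ",").encode()
        return PORT_RE.sub(b"PORT %s,%d,%d" % (public, ext_port // 256, ext_port % 256), payload)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> internal: return (int_ip, int_port) to forward to, or None to drop."""
        hit = self.table.get((dst_port, src_ip, src_port))
        if hit:
            return hit  # existing connection: forwarded, payload never looked at
        hole = self.pinholes.get(dst_port)
        if hole and hole[0] == src_ip:
            _, int_ip, int_port = self.pinholes.pop(dst_port)  # one-shot pinhole
            self.table[(dst_port, src_ip, src_port)] = (int_ip, int_port)
            return int_ip, int_port
        return None  # unsolicited: no state, no pinhole, dropped


def demo():
    """Walk through the scenarios from the thread; returns a dict of outcomes."""
    gw = Gateway()
    client, server, attacker = "192.168.1.10", "198.51.100.5", "198.51.100.66"
    r = {}
    # Unsolicited probe from outside: no mapping exists, so it is dropped.
    r["unsolicited"] = gw.inbound(attacker, 4444, 40000)
    # Client opens the FTP control channel and asks for an active-mode data connection.
    _, _, rewritten = gw.outbound(client, 51000, server, 21, b"PORT 192,168,1,10,200,1\r\n")
    r["rewritten"] = rewritten            # private address swapped for PUBLIC_IP:40001
    r["server_reply"] = gw.inbound(server, 21, 40000)  # forwarded, content unchecked
    r["attacker_probe"] = gw.inbound(attacker, 20, 40001)  # wrong source, pinhole refused
    r["data_conn"] = gw.inbound(server, 20, 40001)  # the one expected data connection
    r["replay"] = gw.inbound(attacker, 20, 40001)   # pinhole already consumed
    # A PORT naming a different internal host is left alone and opens nothing.
    _, _, untouched = gw.outbound(client, 51002, server, 21, b"PORT 192,168,1,20,0,80\r\n")
    r["third_host"] = untouched
    r["open_pinholes"] = len(gw.pinholes)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the `server_reply` case is Srini's first caveat: once the internal host has opened the connection, everything the server sends back passes the NAT unexamined, so anything that inspects the returning payload has to live in a firewall, not in the translator. A real FTP ALG also has to handle PASV/EPSV and EPRT, and because rewriting the PORT line changes the TCP segment length it must adjust sequence and acknowledgement numbers on that connection; the example leaves both out.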
Current thread:
- NAT Pseudo Security Lee T. Christie (May 04)
- Re: NAT Pseudo Security Srini (May 04)
- Re: NAT Pseudo Security Mikael Olsson (May 04)
- RE: NAT Pseudo Security Ben Nagy (May 05)
- RE: NAT Pseudo Security Paul D. Robertson (May 05)
- RE: NAT Pseudo Security Frank Knobbe (May 05)
- RE: NAT Pseudo Security Paul D. Robertson (May 05)
- RE: NAT Pseudo Security David Lang (May 06)
- RE: NAT Pseudo Security Ben Nagy (May 05)
- <Possible follow-ups>
- Re: NAT Pseudo Security salgak (May 04)
- VPN testing utility lordchariot (May 04)
- Re: NAT Pseudo Security R. DuFresne (May 05)
- RE: NAT Pseudo Security Melson, Paul (May 04)