Firewall Wizards mailing list archives
RE: NAT Pseudo Security
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 4 May 2004 11:31:34 -0400
-----Original Message-----

The way I see it, by implementing a SOHO firewall I gain:

a) Ingress and egress packet control
b) Stateful inspection or proxy inspection
c) A potentially hardened OS on the unit
d) Logging and reporting
e) Secure management

My question is how vulnerable would that network be from outside attacks? Is there any way an outside user would be able to utilize source routing or another mechanism to attack an internally NAT'd host?
That's all going to depend on the specific product, but I think you're being way too generous with most of the $80 off-the-shelf units you can pick up at the mall. I think you'd be lucky to get "a" with a simple state table and maybe "d". But perhaps you're thinking of something a little bit more serious, like a PIX 501 or a NetScreen 5XP.

Anyway, what you're talking about isn't strictly NAT/PAT. You're really talking about a NAT firewall that has a state table and an allow-all-out/deny-all-in policy.

Is it possible that an attacker could source route through the device? Sure, since it probably won't have explicit "bogon" filtering rules. But the state table will make such an attack more complicated, since it should, at a bare minimum, block all SYN packets on the outside interface and only have port translations for internal source ports and addresses that have been used within the last X minutes. We're talking about attacks that really only occur in the realm of the theoretical.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
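Added illustration (editor's code, not part of the original thread and not modelled on the PIX or NetScreen products named in it): a toy Python model of the device Paul describes, a PAT box with a state table and an allow-all-out/deny-all-in policy. The constructed scenario sends one outbound web request and then feeds the box the inbound packets an attacker might try: an unsolicited SYN on the live outside port, a source-routed packet naming the inside host, a packet addressed straight to the private address, and a spoofed packet that matches the live translation. The model assumes full 4-tuple matching on inbound, an idle timeout of X = 300 seconds, and no explicit source-route or bogon filter, so what it shows is exactly the "state table makes it more complicated, not impossible" point: the spoof that guesses the right 4-tuple inside the timeout window still gets through. All addresses, ports and class names are made up for the example.

```python
"""Toy model of a SOHO NAT/PAT firewall with a state table and an
allow-all-out/deny-all-in policy. Added example; assumptions are noted inline."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    # Remaining hops of an IP loose/strict source-route option, if present.
    route: Tuple[str, ...] = ()


@dataclass
class Translation:
    inside_addr: str
    inside_port: int
    remote_addr: str
    remote_port: int
    last_seen: float


class StatefulPAT:
    """Outbound flows create a translation keyed by outside port; inbound packets
    are forwarded only when they match a live translation on the full 4-tuple
    (an assumption: many cheap boxes match less strictly than this)."""

    def __init__(self, outside_ip: str, idle_timeout: float = 300.0, first_port: int = 40000):
        self.outside_ip = outside_ip
        self.idle_timeout = idle_timeout      # the "last X minutes" window
        self.next_port = first_port
        self.table: Dict[int, Translation] = {}  # outside port -> translation

    def _expire(self, now: float) -> None:
        stale = [p for p, t in self.table.items() if now - t.last_seen > self.idle_timeout]
        for p in stale:
            del self.table[p]

    def _lookup(self, pkt: Packet) -> Optional[int]:
        for port, t in self.table.items():
            if (t.inside_addr, t.inside_port, t.remote_addr, t.remote_port) == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return port
        return None

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Inside -> outside: allow-all-out; create or refresh the translation."""
        self._expire(now)
        port = self._lookup(pkt)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = Translation(pkt.src, pkt.sport, pkt.dst, pkt.dport, now)
        else:
            self.table[port].last_seen = now
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Outside -> inside: deny-all-in unless a live translation matches.
        Returns the translated packet, or None if the packet is dropped.
        The source-route option is never consulted: forwarding is driven only
        by the table, which is why no explicit option filter is needed here."""
        self._expire(now)
        if pkt.dst != self.outside_ip:
            return None  # only the outside address is ever translated
        t = self.table.get(pkt.dport)
        if t is None:
            return None  # no translation for that port: default deny
        if (pkt.src, pkt.sport) != (t.remote_addr, t.remote_port):
            return None  # wrong remote endpoint for this translation
        if pkt.syn and not pkt.ack:
            return None  # a bare SYN on the outside interface is never a reply
        t.last_seen = now
        return replace(pkt, dst=t.inside_addr, dport=t.inside_port)


def scenario() -> Dict[str, bool]:
    """Constructed traffic (made-up addresses): one web request from an inside
    host, then inbound packets from the server and from an attacker."""
    inside, outside, web, attacker = "192.168.1.10", "198.51.100.1", "93.184.216.34", "203.0.113.9"
    nat = StatefulPAT(outside, idle_timeout=300.0)
    out = nat.outbound(Packet(inside, 51515, web, 80, syn=True), now=0.0)
    return {
        # The server's SYN/ACK matches the translation and reaches the inside host.
        "reply_forwarded": nat.inbound(Packet(web, 80, outside, out.sport, syn=True, ack=True), 1.0) is not None,
        # Unsolicited SYN to the live outside port: dropped.
        "unsolicited_syn_dropped": nat.inbound(Packet(attacker, 4444, outside, out.sport, syn=True), 2.0) is None,
        # Source-routed packet naming the inside host: no matching translation, dropped
        # although the box has no explicit source-route/bogon filter.
        "source_routed_dropped": nat.inbound(Packet(attacker, 4444, outside, out.sport, ack=True, route=(inside,)), 2.0) is None,
        # Packet addressed straight to the RFC 1918 address: dropped.
        "direct_private_dst_dropped": nat.inbound(Packet(attacker, 4444, inside, 51515, ack=True), 2.0) is None,
        # Residual risk: spoofing the server's address and port onto the right
        # outside port while the translation is live is forwarded.
        "spoofed_in_window_forwarded": nat.inbound(Packet(web, 80, outside, out.sport, ack=True), 3.0) is not None,
        # The same spoof after the idle timeout finds no translation.
        "spoofed_after_timeout_dropped": nat.inbound(Packet(web, 80, outside, out.sport, ack=True), 400.0) is None,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The one line that an attacker cares about is `spoofed_in_window_forwarded`: the attacker has to know or guess the remote address, remote port and translated outside port, and land the packet inside the idle window, which is the "more complicated" that the post is talking about; a product with explicit option and bogon filtering, or TCP sequence tracking in its state table, narrows that further, and the toy deliberately models neither.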
Current thread:
- Re: NAT Pseudo Security, (continued)
- Re: NAT Pseudo Security Srini (May 04)
- Re: NAT Pseudo Security Mikael Olsson (May 04)
- RE: NAT Pseudo Security Ben Nagy (May 05)
- RE: NAT Pseudo Security Paul D. Robertson (May 05)
- RE: NAT Pseudo Security Frank Knobbe (May 05)
- RE: NAT Pseudo Security Paul D. Robertson (May 05)
- RE: NAT Pseudo Security David Lang (May 06)
- RE: NAT Pseudo Security Ben Nagy (May 05)
- Re: NAT Pseudo Security salgak (May 04)
- VPN testing utility lordchariot (May 04)
- Re: NAT Pseudo Security R. DuFresne (May 05)
- RE: NAT Pseudo Security Melson, Paul (May 04)
- RE: NAT Pseudo Security Sloane, David (May 04)
- RE: NAT Pseudo Security Chris Carlson (May 04)
- RE: NAT Pseudo Security Daniel Chemko (May 06)
- RE: NAT Pseudo Security David Lang (May 06)
- RE: NAT Pseudo Security Melson, Paul (May 06)