Firewall Wizards mailing list archives

RE: NAT Pseudo Security


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 4 May 2004 11:31:34 -0400

-----Original Message-----
The way I see it by implementing a SOHO firewall I gain a) 
Ingress and Egress packet control b) Stateful inspection or 
proxy inspection c) A potentially hardened OS on the unit d) 
Logging and Reporting e) Secure management

My question is how vulnerable would that network be from 
outside attacks?  Is there any way an outside user would be 
able to utilize source routing or another mechanism to attack 
an internally NAT'd host?

That's all going to depend on the specific product, but I think you're
being way too generous with most of the $80 off-the-shelf units you can
pick up at the mall.  I think you'd be lucky to get "a" with a simple
state table and maybe "d".  But perhaps you're thinking of something a
little bit more serious, like a PIX 501 or a NetScreen 5XP.

Anyway, what you're talking about isn't strictly NAT/PAT.  You're really
talking about a NAT firewall that has a state table, and an
allow-all-out/deny-all-in policy.  Is it possible that an attacker could
source route through the device?  Sure, since it probably won't have
explicit "bogon" filtering rules.  But the state table will make such an
attack more complicated, since it should, at a bare minimum, block all
SYN packets on the outside interface and only have port translations for
internal source ports and addresses that have been used within the last
X minutes.  We're talking about attacks that really only occur in the
realm of the theoretical.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
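The behaviour PaulM describes (allow-all-out, deny-all-in, inbound packets admitted only when they match a port translation created by recent outbound traffic, and no SYNs accepted on the outside interface) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the thread or from any of the products mentioned; the addresses, port numbers, timeout and the `Packet`/`StatefulNat` names are constructed for illustration. It models the stricter per-peer match (a reply must come from the host and port the inside client talked to), which is one way real devices implement "translations only for addresses that have been used recently".

```python
"""Toy model of a stateful NAT/PAT device with an allow-all-out / deny-all-in
policy. Added example for illustration; not the original post's code.
All IPs, ports and the idle timeout below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: a new connection attempt
    ack: bool = False   # TCP ACK flag: part of an existing exchange


class StatefulNat:
    def __init__(self, public_ip, idle_timeout=300):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout   # seconds before an idle translation is dropped
        self.next_port = 40000             # next public port to hand out
        # inside flow (src, sport, dst, dport) -> public port
        self.outbound = {}
        # public port -> translation record incl. last_seen timestamp
        self.inbound = {}

    def _expire(self, now):
        """Forget translations that have been idle longer than the timeout."""
        for pport, e in list(self.inbound.items()):
            if now - e["last_seen"] > self.idle_timeout:
                del self.inbound[pport]
                del self.outbound[(e["inside_ip"], e["inside_port"], e["dst_ip"], e["dst_port"])]

    def send_out(self, pkt, now):
        """Inside -> outside: always allowed; creates or refreshes a translation."""
        self._expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        pport = self.outbound.get(key)
        if pport is None:
            pport = self.next_port
            self.next_port += 1
            self.outbound[key] = pport
            self.inbound[pport] = {"inside_ip": pkt.src, "inside_port": pkt.sport,
                                   "dst_ip": pkt.dst, "dst_port": pkt.dport}
        self.inbound[pport]["last_seen"] = now
        return Packet(self.public_ip, pport, pkt.dst, pkt.dport, pkt.syn, pkt.ack)

    def receive_in(self, pkt, now):
        """Outside -> inside: deny unless the packet matches a live translation.
        Returns (translated packet or None, verdict string)."""
        self._expire(now)
        if pkt.syn and not pkt.ack:
            return None, "drop: inbound SYN on outside interface"
        if pkt.dst != self.public_ip:
            return None, "drop: not addressed to the public IP"
        e = self.inbound.get(pkt.dport)
        if e is None:
            return None, "drop: no translation for destination port"
        if (pkt.src, pkt.sport) != (e["dst_ip"], e["dst_port"]):
            return None, "drop: source does not match the translation's peer"
        e["last_seen"] = now
        inside = Packet(pkt.src, pkt.sport, e["inside_ip"], e["inside_port"], pkt.syn, pkt.ack)
        return inside, "forward"


def demo():
    """Walk through one outbound connection and several inbound attempts.
    Returns the list of verdicts so the behaviour can be checked."""
    nat = StatefulNat("203.0.113.1", idle_timeout=300)      # constructed public IP
    verdicts = []
    # inside host opens a connection to an outside web server
    nat.send_out(Packet("192.168.1.10", 51000, "198.51.100.5", 80, syn=True), now=0)
    # legitimate SYN/ACK reply from that server matches the translation
    verdicts.append(nat.receive_in(Packet("198.51.100.5", 80, "203.0.113.1", 40000,
                                          syn=True, ack=True), now=1)[1])
    # unsolicited SYN from elsewhere to the same public port
    verdicts.append(nat.receive_in(Packet("198.51.100.9", 4444, "203.0.113.1", 40000,
                                          syn=True), now=2)[1])
    # non-SYN packet from a different peer to a translated port
    verdicts.append(nat.receive_in(Packet("198.51.100.9", 4444, "203.0.113.1", 40000,
                                          ack=True), now=3)[1])
    # same peer, but after the translation has idled out
    verdicts.append(nat.receive_in(Packet("198.51.100.5", 80, "203.0.113.1", 40000,
                                          ack=True), now=400)[1])
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Note what the model does and does not claim: an inbound packet that is not a SYN, arrives on a port that is currently translated, and comes from the expected peer is forwarded, so anything an attacker could do depends on guessing a live port and spoofing the peer within the idle window. That is the "more complicated" bar PaulM refers to, not an absolute guarantee.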

