Firewall Wizards mailing list archives
RE: NAT Pseudo Security
From: "Sloane, David" <DSloane () vfa com>
Date: Tue, 4 May 2004 12:25:04 -0400
Lee,

How secure are your workstations which access the Internet? Do users have limited local-system privileges while accessing the web? Do you restrict potentially risky browser functions (Java? ActiveX? JavaScript?) at the workstation level? At a proxy? Do you have peer-to-peer applications running outbound traffic from your network? Do you have remote-control applications running outbound from your network (VNC, PlaceWare, GoToMyPC)?

If your workstations aren't hardened in some fashion, they'll pick up all kinds of junk through "normal" web surfing. If you don't do any egress filtering, curious/creative/malicious/bored/reckless people will take risks with the Internet whether or not they mean to.

Even with egress-only access to the Internet, there are plenty of risks to go around. On Windows machines, Internet Explorer and Outlook provide a variety of openings for unsuspecting or reckless users to have their machine taken over, even with all the patches applied. Even if you only allow port 80 out, unless you're managing the traffic or the workstations (or, even better, both) pretty tightly, you'll still get p2p, streaming media, and remote control applications "tunneling" out and bringing back all manner of nastiness. This is why Managed Personal Firewall and Anti-Virus vendors make so much money - the flaws in Windows-based systems and the prevalence of Local-Superuser privileges make bad code very hard to keep out.

So, to your question, a real firewall is one of the cheapest measures you can take to secure your network. But it's really just the beginning.

-David

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Lee T. Christie
Sent: May 04, 2004 10:25 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] NAT Pseudo Security

I was wondering what everyone's thoughts were on utilizing NAT as your only security mechanism for protection from the Internet. I realize that NAT was not designed for security purposes. For instance, if network A is connecting to the Internet behind a router performing NAT, with no incoming address or port forwarding, what are my risks from outside hosts?

The way I see it, by implementing a SOHO firewall I gain:
a) Ingress and egress packet control
b) Stateful inspection or proxy inspection
c) A potentially hardened OS on the unit
d) Logging and reporting
e) Secure management

My question is how vulnerable would that network be from outside attacks? Is there any way an outside user would be able to utilize source routing or another mechanism to attack an internally NAT'd host?

Thanks in advance for your responses.

Lee
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
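What the difference between "NAT only" and Lee's items a) through e) looks like on a Linux router, as an added example that is not part of the thread. It assumes eth0 faces the Internet, eth1 faces the LAN, and the constructed range 192.168.1.0/24; the nat table by itself is the NAT-only setup from the question, and the filter table adds the stateful inspection, egress control, logging, restricted management, and a drop for source-routed packets.

```nft
#!/usr/sbin/nft -f
# Added example; interface names and 192.168.1.0/24 are constructed assumptions.
flush ruleset

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # NAT only: this line is the entire "security" in Lee's question.
        oifname "eth0" ip saddr 192.168.1.0/24 masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # e) Secure management: the router itself answers only from the LAN side
        iifname "eth1" tcp dport 22 accept
        ct state invalid drop
        limit rate 10/minute log prefix "fw-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Lee's source-routing question: refuse loose/strict source-routed packets outright
        ip option lsrr exists drop
        ip option ssrr exists drop
        # b) Stateful inspection: only replies to LAN-initiated flows are allowed back in
        ct state established,related accept
        ct state invalid drop
        # a) Egress control: web and DNS only, so p2p and remote-control ports never leave
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" udp dport 53 accept
        # d) Logging: each blocked outbound attempt is evidence of something trying to "tunnel" out
        iifname "eth1" oifname "eth0" limit rate 10/minute log prefix "fw-egress-drop: "
    }
}
```

Item c), a hardened OS on the unit, is outside what a ruleset can express; the logged "fw-egress-drop" lines are where David's point about tunnelling applications first becomes visible.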