Firewall Wizards mailing list archives
RE: NAT Pseudo Security
From: "Chris Carlson" <chris () compucounts com>
Date: Tue, 4 May 2004 12:41:51 -0400
> My question is how vulnerable would that network be from outside
> attacks?

In my experience, fairly secure, but it all depends on what you're trying to secure. I wouldn't use it for anything larger than a very small business with a handful of users; a SOHO. To do only NAT, you would be completely neglecting intrusion detection and internal security. You could be compromised either internally or externally and you would never know.

> Is there any way an outside user would be able to utilize source
> routing or another mechanism to attack an internally NAT'd host?

Yes - A friend of mine used to play around with this all the time; I'm not totally sure how it was done, but I know it didn't take long to get around the NAT router. I'm open to any resources that might describe this in detail (hint hint :)

In any case, I would implement some sort of filtering to prevent internal IPs from being used (as source or dest) on the external side. This should eliminate some of the more obvious attacks, but I'm sure there are more that I'm not aware of.

Hope this helps - Chris

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Lee T. Christie
Sent: Tuesday, May 04, 2004 10:25
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] NAT Pseudo Security

I was wondering what everyone's thoughts were utilizing NAT as your only security mechanism, for protection from the Internet. I realize that NAT was not designed for security purposes. For instance, if network A is connecting to the Internet behind a router performing NAT, no incoming address or port forwarding, what are my risks, from outside hosts?

The way I see it by implementing a SOHO firewall I gain
a) Ingress and Egress packet control
b) Stateful inspection or proxy inspection
c) A potentially hardened OS on the unit
d) Logging and Reporting
e) Secure management

My question is how vulnerable would that network be from outside attacks? Is there any way an outside user would be able to utilize source routing or another mechanism to attack an internally NAT'd host?

Thanks in advance for your responses.

Lee
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
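
The filtering suggested in the reply above (refusing packets on the external side that carry internal addresses as source or destination), extended to also refuse the IP source-route options the original question asks about. This is an added example, not part of the original thread. The internal ranges (RFC 1918 plus loopback), the function names and the documentation-range sample addresses are assumptions.

```python
import ipaddress
import struct

# Assumed internal ranges (RFC 1918 plus loopback); adjust to the real LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SOURCE_ROUTE_OPTS = {0x83: "LSRR", 0x89: "SSRR"}  # IPv4 option type bytes

def option_kinds(opts):
    """Walk the IPv4 options area; return the option types, or None if malformed."""
    kinds, i = [], 0
    while i < len(opts) and opts[i] != 0:        # 0 = End of Option List
        if opts[i] == 1:                         # 1 = No-Operation (one byte)
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            return None
        kinds.append(opts[i])
        i += opts[i + 1]
    return kinds

def external_ingress_verdict(packet):
    """Return (action, reason) for a raw IPv4 packet arriving on the external side."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("drop", "not a valid IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return ("drop", "bad header length")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    for name, addr in (("source", src), ("destination", dst)):
        if any(addr in net for net in INTERNAL_NETS):
            return ("drop", f"internal {name} address {addr}")
    kinds = option_kinds(packet[20:ihl])
    if kinds is None:
        return ("drop", "malformed IP options")
    for kind in kinds:
        if kind in SOURCE_ROUTE_OPTS:
            return ("drop", f"source route option {SOURCE_ROUTE_OPTS[kind]}")
    return ("pass", "no anti-spoofing rule matched")

def build_header(src, dst, options=b""):
    """Constructed sample input: a bare IPv4 header with the checksum left at zero."""
    options += b"\x00" * (-len(options) % 4)     # pad options to a 32-bit boundary
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                       20 + len(options), 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options
```

A "pass" here only means none of these checks matched; it says nothing about whether a NAT translation or a stateful rule would admit the packet.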