Firewall Wizards mailing list archives
Re: NAT Pseudo Security
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 5 May 2004 12:19:25 -0400 (EDT)
One of the main tenets of security is the approach of layering in security, not relying upon just one application/package/approach, as security is a wedge or afterthought addon, it was not and remains not something built into tcp/ip. Thus, relying upon one method or layer of 'protection' might not fully protect the assets at risk. NAT is but one method or layer, and should be reinforced with additional measures to protect the assets being guarded. Also, NAT alone will not protect your neighbors should your systems get trojaned or hit with the latest flurry of nasty-mail viruses floating about.

Thanks,

Ron DuFresne

On Tue, 4 May 2004 salgak () speakeasy net wrote:
-----Original Message-----
From: Lee T. Christie [mailto:Lee.Christie () mosaicinfo org]
Sent: Tuesday, May 4, 2004 02:25 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] NAT Pseudo Security

I was wondering what everyone's thoughts were utilizing NAT as your only security mechanism, for protection from the Internet. I realize that NAT was not designed for security purposes. For instance, if network A is connecting to the Internet behind a router performing NAT, no incoming address or port forwarding, what are my risks, from outside hosts?

The way I see it by implementing a SOHO firewall I gain

a) Ingress and Egress packet control
b) Stateful inspection or proxy inspection
c) A potentially hardened OS on the unit
d) Logging and Reporting
e) Secure management

In my year at a dot-com, I came in to find NAT was being used as a firewall. I fixed THAT shortly after I took over as admin. I also replaced Symantec with SOPHOS, as our subscription was ending and at the time, an auto-update function of Symantec corporate had the nasty habit of crashing our domain controller. . . .

ANY firewall is better than NO firewall, period. . .

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
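
An added illustration, not part of the original message or the thread: a small Python model of the layering point discussed above, comparing a NAT-only gateway with the same gateway plus an egress policy and deny logging. The `Gateway` class, the `scenario` function, the allowed-port set and every address and port are constructed for this example.

```python
# Added illustration (not from the thread). Toy model: a NAT-only gateway
# versus the same gateway with an egress policy and logging layered on top.
# All addresses and ports below are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Gateway:
    egress_ports: Optional[frozenset] = None  # None = NAT only, no filter layer
    flows: set = field(default_factory=set)   # NAT state: (inside, remote, port)
    log: list = field(default_factory=list)   # filled only when filtering is on

    def _deny(self, *event):
        # Assumption of the model: the bare NAT device keeps no deny log.
        if self.egress_ports is not None:
            self.log.append(event)
        return False

    def outbound(self, inside, remote, port):
        """An inside host opens a connection to remote:port."""
        if self.egress_ports is not None and port not in self.egress_ports:
            return self._deny("DENY-OUT", inside, remote, port)
        self.flows.add((inside, remote, port))  # translation entry created
        return True

    def inbound(self, remote, port, inside):
        """A packet from remote:port arrives for the flow mapped to `inside`."""
        if (inside, remote, port) in self.flows:
            return True  # reply to a connection an inside host started
        return self._deny("DENY-IN", remote, port, inside)

def scenario(gw):
    pc, web, stranger = "192.168.1.10", "198.51.100.5", "203.0.113.9"
    return {
        "unsolicited_in": gw.inbound(stranger, 25, pc),  # nothing mapped yet
        "web_out": gw.outbound(pc, web, 443),
        "web_reply": gw.inbound(web, 443, pc),
        # An infected workstation mailing out directly on port 25:
        "worm_out": gw.outbound(pc, stranger, 25),
        "worm_reply": gw.inbound(stranger, 25, pc),
    }

if __name__ == "__main__":
    for name, gw in (("NAT only", Gateway()),
                     ("NAT + egress policy", Gateway(frozenset({53, 80, 443})))):
        print(name, scenario(gw), gw.log)
```

Both gateways drop the unsolicited inbound packet, but only the layered one stops the infected workstation's outbound mail and leaves a record of it.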