I work with a lot of different vendors firewalls and IMO PAT is a security feature (to a degree). like many other security features its not perfect by itself, but when combined with other features its creates a full firewall.
technically PAT alone would be an aspect of stateful inspection/translation, which is a first generation firewall. as you already stated though, you have no idea whats in the incoming packets above layer 4, so thats the risk. of course if you had a static translation or regular NAT, thats a whole different story. scott ""Doug S"" wrote in message news:[EMAIL PROTECTED] > On my home network, I rely almost exclusively on NAT overload for security. > Even though I know it's not a security measure, I've yet to hear anyone with > a good explanation of why it's not enough, at least for a home network. I > know there's a bunch of really bright people here, so if anyone would point > out the flaws in my reasoning, I'd love to hear it. > > Below are some exerpts from an email converstation with a friend that > explain how I think about it: > > --------------------------------------------------------------- > > I mostly rely on NAT overload for security. The only traffic that will be > allowed in is traffic for which a translation has been created. Since these > translations are only created by outbound traffic, no one from the outside > can initiate a connection unless they bypass NAT by using the actual private > ip addresses configured on the workstation. To do that, they'de have to > have no routers between them and my router (meaning my ATT segment only) as > any other router would drop packets for these addresses. To protect against > that, I deny traffic for the ip's configured behind the router. > > access-list 151 deny any 192.168.0.0 0.0.0.255 > access-list 151 permit any any > (this whole acl could just as well be: > access-list 165 permit any host (outside int IP address) > > access-list 50 permit 192.168.0.0 0.0.0.255 > > Int e0 > ip address 192.168.0.1 255.255.255.0 > ip nat inside > > Int e1 > ip address dhcp > ip nat outside > ip access-group 51 in > > ip nat inside source list 50 int e1 overload > > ---------------------------------------------------------------- > > Even though NAT isn't a security feature, I think overload works pretty well > for security because no traffic will be allowed in unless an inside host has > created a NAT entry by originating the flow. All legitimate flows on a home > network are going to be created by CLIENT processes running on the machine, > so what do I care if someone tries to connect to that port. What I mean is: > > 1) I go to surf the web at 200.200.200.200, my workstation uses tcp port > 1456 to connect to tcp port 80 > > 2a) tcp port 1456 is taking in traffic only for web browser, which is a > client application that's only going to display what's sent back to my > browser. > > 2b) as this traffic passes through the router a NAT entry is created: > INSIDE LOCAL INSIDE GLOBAL OUSIDE GLOBAL > 192.168.0.100:1456 12.228.99.129:1456 200.200.200.200:80 > > 3) A 'hole' has been created that now allows traffic to my workstation. > > 4) A really good hacker wants to exploit this hole. To do this, s/he's > going to have to do a few tricky things: > > First, since this translation is only going allow traffic only from > 200.200.200.200:80 to be sent to 192.168.0.100:1456, s/he's going to have to > figure out how to spoof that address/port pair AND get the return traffic > back to his machine (if he wants any return traffic there might be) > > Second, since it's only my web browser, and not some service that's running > on port 1456, the only traffic that could possibly even be interpreted on > that port would be html. And since that port is maintaining the tcp stream > info from the original connection (seq #'s ack's) s/he's going to have to > accurately spoof that too. If all this is sucessful, I guess there is > malicious html code that s/he could run, but wouldn't it have been easier > for the hacker just to put it up on a website and let me click on it myself? > > To me it seems like NAT overload on home computers meets the security idea > of making it more difficult than what it's worth for the hacker. There is > no way I would ever rely on this on a production network with services > available, themselves initiating connections. I'd really like to hear a > security expert's views about these ideas, but so far, no one I've talked to > has explained to me a way that a hacker could get past NAT overload. > > The only two ways I can think of are > 1)bypass NAT by using the actual configured ip's of the workstations inside > > 2)Get you to install software on you're machine that will both create a nat > translation to the outside and let them connect back through that > translation to a SERVICE that's listening on that port. If they are able to > do that, even CBAC isn't going to stop them anyhow. > > Access lists trying to protect home workstations that are being NAT'ed seem > for the most part redundant to me. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66095&t=66015 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]