As I understand it, one way would be spoofing. Submit the packets to the NAT
device, but make it think they came from the "protected" network.
Additionally, let's say you open port 80 for NAT. Now let's assume that some
hacker has an exploit they can launch on port 80. With a filtering firewall,
or an application firewall, it can do a better job of examining the packets
and making sure they really are what's expected (HTTP instead of the
exploit). NAT will just hand the exploit off to the machine, compromising
security.
Finally, NAT devices do nothing I am aware of to counter DDoS attacks. Take
the NAT device down, and you have taken the resources down. Firewalls can
better respond to DDoS attacks, allowing legit traffic to continue to be
processed. Also, a DDoS attack could take the NAT device down, allowing
unintentional (hack) traffic through. Most firewalls are designed, if
compromised, to compromise in a shutdown state. IOW, better to allow no
access to the resources, as opposed to unsecured access. NAT devices can't
do this that I am aware of.
At least, these are what I understand as some fundamental differences. :)
HTH
Wes Noonan
[EMAIL PROTECTED]
(281) 208-8993
-----Original Message-----
From: Don Tuer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 12, 2000 14:36
To: '[EMAIL PROTECTED]'
Subject: RE: LinkSys 4-Port Router
Hello:
One question that I've had for some time is why isn't a NAT only
solution sufficient security? I'm running a NAT with no filters on outbound
or inbound connections but using a private IP address (10.x.x.x) on the
inside. Source routing is turned off so how would a hacker exploit my NAT?
Any responses greatly appreciated.
Thanks
Don
-----Original Message-----
From: Lance Ecklesdafer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 12, 2000 2:05 PM
To: David Shackelford
Cc: [EMAIL PROTECTED]
Subject: Re: LinkSys 4-Port Router
I have downloaded the information from Linksys. Thanks for the response. I
realize that this is not a high-end device by any means and that I would
need to spend a great deal more money to obtain a level of protection
available in that price range. I normally do set up filters to prevent
traceroute and UDP and TCP scans and I agree it is how you administer the
device. The device has to have the capability in order to administer it
though. I get outbound web access now using Wingate on my Windows NT box.
For anything mission critical, I would host on a server provided by a web
hosting service with high bandwidth, redundancy and managed services that I
would not have to worry about configuring. A DSL service is not a place to
host any service where these characteristics are required. I think for my
home network this device would be good as long as I supplemented it with a
good software based firewall as you suggest.
Thanks again,
Lance
----- Original Message -----
From: "David Shackelford" <[EMAIL PROTECTED]>
To: "'Lance Ecklesdafer'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 1:32 PM
Subject: RE: LinkSys 4-Port Router
> Download the documentation at Linksys. It's configured via a web-interface,
> and is a NAT-supporting packet filter with some (I believe) basic VPN
> support. It also supports PPPOE, which is used by many broadband service
> providers lately. Remember though, you are looking at a device for under
> $200; you can't expect all the features of a $10000 system. As far as your
> traceroute and other questions? Well, it blocks both incoming and outgoing
> as specified by the bloke administering it. Do _you_ set up filters to
> prevent scans and traceroute mappings? This device is good basic security
> for a site that primarily needs outbound web access. It would be silly to
> host something mission critical behind this device without further
> precautions. It would be great, however, for my own private projects, and
> for many SOHO's.
>
> Dave Shackelford
>
> > -----Original Message-----
> > From: Lance Ecklesdafer [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 12, 2000 10:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: LinkSys 4-Port Router
> >
> >
> > Hello all,
> >
> > I have been reading about this Linksys product that provides limited
> > firewall functionality and routing for a four-node private network. I am
> > not sure if this product can offer good security for a casual home
> > network. I have not seen a detailed specifications list or documentation
> > for this product. The only thing I know about this product is that it
> > uses NAT which does not make it a firewall. What kind of interface is
> > there for configuring this device? Does this device support VPN
> > connections through a Checkpoint or other IPSEC firewall? I am thinking
> > that you would also need to load software based protection on the
> > internal workstations to provide for a better level of security. How is
> > this product at resisting SYN floods, UDP and TCP scans and traceroute
> > mapping of the internal private network? Does anyone have any feedback
> > here?
> >
> > TIA,
> >
> > Lance
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>
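
Added example (not part of the original thread, and not code from Linksys or any poster): a simplified Python model of the differences discussed above, comparing a port-forwarding NAT with the same NAT placed behind source, content and fail-closed checks. The 10.0.0.0/8 range comes from the thread; the forwarded host, the sample packets and all function names are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # private range from the thread
PORT_FORWARDS = {80: "10.0.0.5"}                  # constructed: web server behind NAT
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")

@dataclass
class Packet:
    iface: str      # "wan" or "lan": the interface the packet arrived on
    src: str
    dport: int
    payload: bytes = b""

def nat_only(pkt: Packet) -> str:
    """Plain port-forwarding NAT: looks at the destination port, nothing else."""
    target = PORT_FORWARDS.get(pkt.dport)
    return f"forward:{target}" if target else "drop:no-mapping"

def nat_with_filter(pkt: Packet, healthy: bool = True) -> str:
    """Same NAT table, with the checks a filtering firewall adds in front."""
    if not healthy:
        return "drop:fail-closed"            # broken filter means no access
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop:malformed"
    if pkt.iface == "wan" and src in INSIDE_NET:
        return "drop:spoofed-inside-source"  # inside address seen on outside link
    if pkt.dport == 80 and pkt.dport in PORT_FORWARDS:
        if not REQUEST_LINE.match(pkt.payload):
            return "drop:not-http"           # port is open, content is not HTTP
    return nat_only(pkt)

# Constructed sample traffic, all arriving on the outside interface.
SAMPLES = {
    "web request": Packet("wan", "198.51.100.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
    "inside source on wan": Packet("wan", "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n"),
    "non-HTTP bytes on 80": Packet("wan", "198.51.100.7", 80, b"\x00\x01\x02\x03"),
    "unmapped port": Packet("wan", "198.51.100.7", 23),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} nat_only={nat_only(pkt):18} filtered={nat_with_filter(pkt)}")
```

The NAT-only path forwards every packet addressed to port 80 regardless of claimed source or content, while the filtered path rejects the inside-source and non-HTTP samples and refuses all traffic when marked unhealthy.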