Historians believe that, on Fri 08 Jun 2007, Andrew Suffield said:
> The methods used to penetrate a firewall are the same regardless of
> whether or not it performs NAT, and so are the effects. Even if a
> method existed to defeat the filtering part without defeating the NAT
> part, nobody would bother using it (and I'm not aware of any such
> method existing).

When I say "bypass", I wasn't being that specific. I was just saying that 
there are ways to avoid the firewall by using some other path.

One way to "bypass" a firewall is using an alternate gateway.
In many compromised clients I've been called to help, I've found that the 
point of penetration was not the main router/firewall, but:

- an old dial-up connection (a hidden modem rack that no one knew was still 
active - and, yes, they are still very common in Brazil)

- some "smart" executive that thought it would be nice to avoid the firewall 
restrictions and subscribe to a DSL line connected to his own corporate 
desktop (another common and sad behavior in Brazilian corporations)

- "work at home" employees with poorly configured VPNs (the majority of 
Brazilian businesses lack good IT personnel because they want to pay peanuts)

BUT (as you will say next) all of them were directly connected to the internal 
nets, so NAT was not a big problem to the invader. The internal nets, in all 
cases, were also poorly protected, designed and deployed, so they were an enjoyable 
playground to even the less skilled kiddie.

So, you're right. In any way (with or without NAT) the attacker would gain 
access to the whole subnet in those examples.

This doesn't mean that NAT is a bad thing. 
If, for instance, a software failure, bug or operator mistake happens and the 
firewall rules are shut off, NAT would still be a temporary security layer.

ALSO, real IPs cost money. Even with IPv6, they will still cost money - maybe 
less money, but money indeed. RFC1918 addresses are for free.

-- 
Henrique Cesar Ulbrich
[EMAIL PROTECTED]
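The alternate-gateway problem described in the post above (a forgotten modem, a DSL line on a desktop) is something a defender can check for from the host side. The following is an added example, not part of the original message and not Shorewall's own code: it parses routing-table text in the style of Linux `ip -4 route show` output and flags default routes or extra on-link networks that do not go through the approved corporate gateway. The approved gateway address (`10.0.0.1`), the interface names and the sample routing table are constructed assumptions.

```python
"""Audit a host's routing table for alternate default gateways.

Added example, not from the original mailing-list post. It parses text in the
format of `ip -4 route show` (Linux iproute2) and reports routes that bypass
the approved corporate gateway. A hidden modem typically appears as a default
route via ppp0; a DSL modem plugged into a desktop appears as a second NIC
with its own on-link subnet and, often, a preferred default route.
All addresses, interface names and the sample table are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPROVED_GATEWAY = "10.0.0.1"   # assumed corporate firewall/router
APPROVED_IFACE = "eth0"         # assumed interface facing that router

# Constructed sample output in the style of `ip -4 route show`.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0 proto static metric 100
default via 200.0.113.1 dev ppp0 proto static metric 50
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.57
192.168.15.0/24 dev eth1 proto kernel scope link src 192.168.15.2
"""


@dataclass
class Route:
    dst: str                 # "default" or a prefix such as 10.0.0.0/24
    gateway: Optional[str]   # next hop, None for on-link routes
    dev: str                 # outgoing interface
    metric: Optional[int]    # None means the kernel default of 0


# dst [via GW] dev IFACE [... metric N]; other attributes are ignored.
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)"
    r"(?:.*? metric (?P<metric>\d+))?"
)


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route`-style lines; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        metric = int(m["metric"]) if m["metric"] else None
        routes.append(Route(m["dst"], m["via"], m["dev"], metric))
    return routes


def find_alternate_gateways(
    routes: List[Route],
    approved_gateway: str = APPROVED_GATEWAY,
    approved_iface: str = APPROVED_IFACE,
) -> List[Tuple[str, Route]]:
    """Return (finding, route) pairs for anything that leaves the approved path."""
    findings = []
    for r in routes:
        if r.dst == "default":
            if r.gateway != approved_gateway or r.dev != approved_iface:
                findings.append(("alternate default route", r))
        elif r.dev != approved_iface:
            # A second interface with its own subnet: a DSL modem or a
            # second LAN that the firewall never sees.
            findings.append(("extra on-link network", r))
    return findings


def preferred_default(routes: List[Route]) -> Optional[Route]:
    """The default route the kernel will actually use: lowest metric wins,
    and a missing metric counts as 0 (highest priority)."""
    defaults = [r for r in routes if r.dst == "default"]
    if not defaults:
        return None
    return min(defaults, key=lambda r: r.metric if r.metric is not None else 0)


if __name__ == "__main__":
    parsed = parse_routes(SAMPLE_ROUTES)
    for kind, route in find_alternate_gateways(parsed):
        print(f"{kind}: {route.dst} via {route.gateway} dev {route.dev}")
    winner = preferred_default(parsed)
    if winner and winner.dev != APPROVED_IFACE:
        print(f"WARNING: traffic leaves via {winner.dev}, not {APPROVED_IFACE}")
```

In the constructed sample the ppp0 default route has the lower metric, so the host would send Internet-bound traffic through the modem even though the approved route via eth0 is still present; that is why the check looks at the winning route and not only at whether the corporate gateway is configured. In practice the script would be fed the real output of `ip -4 route show` from each workstation.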

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users