On 6 Sep 99, at 23:58, K Kent wrote:

> We have our office network which has private IP addresses.
> We do NAT at the router level and have a whole range of access lists for
> security.
> 
> I want to know if this is enough for securing our network.
> Or do we need a firewall.

NAT only gives you a false sense of security: hiding your internal 
address space from the outside. But your internal network is still 
connected directly without using a DMZ for your mail, web or FTP 
servers.
You will have more security if your router supports packet filtering 
(every router does) and you block any access from the outside to the 
inside. Also block packets with source IP addresses from your private 
network range.

> Also what are the possible attacks which might happen if we leave it like
> this, compared to when we put up an application level firewall.
> 

Blind spoofing attacks, man-in-the-middle attacks, UDP storms, 
fragmentation attacks, ...
This list is long. Have a look at the FAQ...

Good starting points are
http://www.8lgm.org
http://www.enteract.com/~lspitz/pubs.html
http://www.rootshell.org
http://www.waterw.com/~manowar/vendor.html
http://www.cs.purdue.edu/coast/firewalls

and many more on the link pages...

The answer is always a mixture of well-known techniques:

- screening routers or better Firewall boxes with dynamic stateful packet 
inspection
- application level gateways for http, ftp, telnet...
- NAT or NAPT on separate boxes (or the Firewall box)

Never rely on one countermeasure alone...



Kind Regards / Mit freundlichen Gruessen,

--
Frank M. Heinzius               MMS Communication AG
mailto:[EMAIL PROTECTED]             Eiffestrasse 598
http://www.mms.de               20537 Hamburg, Germany
Phone: +49 40 211105-40         Fax: +49 40 210 32 210
-- spam forbidden --            -- PGP key available --
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

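Added example, not part of the original message: a Python model of the outside-interface filtering the reply describes (drop packets with private source addresses, block connections initiated from outside) and of what stateful inspection adds on top of a screening router. The Packet model, class names and documentation-range addresses are constructed for illustration, and the RFC 1918 ranges are assumed for "your private network range".

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the RFC 1918 ranges stand in for "your private network range".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    """Constructed model of a TCP header as seen on the outside interface."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

class ScreeningRouter:
    """Stateless packet filter: judges each inbound packet on its own."""
    def inbound(self, p):
        # A private source address can never legitimately arrive from outside.
        if any(ipaddress.ip_address(p.src) in net for net in PRIVATE_NETS):
            return "drop: private source address"
        if "ACK" not in p.flags:       # connection attempt from the outside
            return "drop: connection initiated from outside"
        return "pass"

class StatefulFilter(ScreeningRouter):
    """Same rules, plus a table of connections opened from the inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p):
        verdict = super().inbound(p)
        if verdict == "pass" and (p.dst, p.dport, p.src, p.sport) not in self.flows:
            return "drop: no matching outbound connection"
        return verdict

def demo():
    # Constructed sample packets; 192.0.2.10 is the inside host's outside address.
    stateless, stateful = ScreeningRouter(), StatefulFilter()
    stateful.outbound(Packet("192.0.2.10", 40000, "198.51.100.7", 80, frozenset({"SYN"})))
    samples = [
        ("reply",     Packet("198.51.100.7", 80, "192.0.2.10", 40000, frozenset({"SYN", "ACK"}))),
        ("private",   Packet("10.1.2.3", 80, "192.0.2.10", 40000, frozenset({"ACK"}))),
        ("new",       Packet("203.0.113.5", 1234, "192.0.2.10", 25, frozenset({"SYN"}))),
        ("stray_ack", Packet("203.0.113.5", 80, "192.0.2.10", 40001, frozenset({"ACK"}))),
    ]
    return {name: (stateless.inbound(p), stateful.inbound(p)) for name, p in samples}
```

demo() returns a (stateless, stateful) verdict pair per sample; the two filters differ only on the "stray_ack" packet, which belongs to no connection opened from the inside.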