> -----Original Message-----
> From: Kelly, Patrick [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 09, 2001 6:40 AM
> To: '[EMAIL PROTECTED]'
> Subject: Placement of NAT in relation to firewall logs
>
> I have seen the scenario where clients insist on doing NAT at the perimeter
> router. This leads to the firewall being configured with private IP
> addresses on both its 'external' and 'internal' interfaces.
That's possibly sub-optimal, but not hideous. It will cause problems if you
want to do IPSec VPN stuff in the future, though.
> The end result is no way to log or monitor from the firewall any access
> attempts from public IP address sources.
I don't understand why.
> The client insists that this is due to the fact that no one can get through
> the NAT of the router.
Sadly, I don't know of any routers that filter inbound packets for the
private IP range that they are protecting. If the attacker can somehow get a
packet for your private network routed as far as your NAT router it will
probably go straight through, unless there are also filters on the
router.[1]
> I think all that has happened is the masquerading of intrusion attempts from
> the NAT of the router. Anyone have any comments regarding the placement of
> the NAT at the router on security vs. logging? Any fresh viewpoints would be
> welcome.
There should be no impact on logging or security. I think you will find that
lots of spoofed stuff gets dropped at the router, which may cut down on the
volume of your logs, but all the serious attacks should still get picked up.
> Patrick Kelly
> CMS Information Services, Inc.
[1] We had a thread about this a couple of months ago, in which I said "Any
NAT implementation that is not brain dead should block any packets that are
not addressed to a valid NAT translation". I still believe this, but I had
some Cisco gear on the bench recently and noticed that it met my "brain
dead" criteria. D'oh.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
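To make Ben's two points concrete, here is a small model (added here, not part of the original thread or any vendor's code) of inbound handling at a NAT router. The "lax" router forwards anything already addressed into the private range, which is the "brain dead" behaviour in footnote [1]; the "strict" router forwards only packets matching a valid translation. It also shows why the firewall behind the router still sees public source addresses: destination NAT rewrites only the destination. All addresses, ports and the translation table are constructed for illustration.

```python
"""Inbound NAT handling: lax (forwards untranslated packets aimed at the
inside) versus strict (drops anything without a valid translation)."""
import ipaddress
from dataclasses import dataclass, field

PRIVATE_NET = ipaddress.ip_network("10.1.0.0/16")   # constructed inside range
PUBLIC_ADDR = ipaddress.ip_address("203.0.113.10")  # constructed router public address


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class NatRouter:
    strict: bool
    # translation table: (public address, port) -> private destination host
    translations: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def inbound(self, pkt: Packet):
        dst = ipaddress.ip_address(pkt.dst)
        key = (dst, pkt.dport)
        if key in self.translations:
            # DNAT rewrites only the destination; the public source address is
            # preserved, so a firewall behind the router still logs who sent it.
            inner = Packet(pkt.src, self.translations[key], pkt.dport)
            self.log.append(f"translate {pkt.src} -> {inner.dst}:{pkt.dport}")
            return inner
        if dst in PRIVATE_NET and not self.strict:
            # lax router: a packet already addressed to an inside host passes
            # straight through, which is the behaviour described in [1]
            self.log.append(f"forward {pkt.src} -> {pkt.dst}:{pkt.dport} (untranslated)")
            return pkt
        self.log.append(f"drop {pkt.src} -> {pkt.dst}:{pkt.dport} (no valid translation)")
        return None


def demo():
    """Run one probe aimed directly at an inside host and one normal web
    request through both router variants; returns the three forwarded packets."""
    table = {(PUBLIC_ADDR, 80): "10.1.0.5"}
    lax = NatRouter(strict=False, translations=dict(table))
    strict = NatRouter(strict=True, translations=dict(table))
    probe = Packet("198.51.100.7", "10.1.0.5", 22)      # addressed to the inside directly
    web = Packet("198.51.100.7", str(PUBLIC_ADDR), 80)  # legitimate translated traffic
    return lax.inbound(probe), strict.inbound(probe), strict.inbound(web)
```

Run `demo()`: the lax router passes the probe untouched, the strict router drops it, and the translated web request still carries the public source address when it reaches the firewall.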