Preventing incoming connections will do a lot to improve your security,
but by no means is it a total security solution.  An attacker could use
a web scripting vulnerability or email trojan to fool your internal
machine into establishing a connection with him.  There are other ways
through, but I'm no security expert.  We need to take a multi-layered
approach to network security.  There's always a way in; we just need to
make it so hard that it's not worth the attacker's time.

-----Original Message-----
From: Dee Harrod <[EMAIL PROTECTED]> 
Sent: Tuesday, November 27, 2001 3:14 PM
To: SecurityBasics <[EMAIL PROTECTED]>
Subject: NAT/PAT (Hide NAT) Vulnerabilities?


This strikes me as somewhat of a bonehead question, 
but it's something that's bothered me for a while: 
Let's say I have DSL at home. Let's also say that I 
have a single public IP address, but my internal LAN 
uses private addressing. The DSL router performs some 
sort of NAT or PAT (probably PAT here). All my 
internal machines can reach the Internet through the 
DSL router, but when they come out, the source address 
is changed to the public address. The ports are 
managed by the router, so that it knows who's talking 
to whom, and can thus properly direct returning 
traffic. 
Since someone from the outside accessing the router 
itself would be a bad idea, say I'm blocking that. 
Let's say it's managed by http, and I have a filter 
rule that prohibits anything but my private network 
from reaching port 80. 
Now, for all intents and purposes, how vulnerable is 
my internal network? 
You can't start a connection with an internal system 
because you can't reach its IP address. Even if you 
did manage to hijack a session, of how much value 
would it really be? 
So it seems to me that if you use NAT/PAT, you don't 
need a real firewall unless you're actually permitting 
some kind of traffic to connect to something from the 
outside. 
Is that right? 
   Dee 
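
Added example, not part of either message: a toy PAT table in Python that models the translation described in the question and the outbound-connection gap raised in the reply. The class name, the addresses and the strict peer-matching rule are assumptions made for illustration.

```python
# Added example: toy model of a PAT (hide NAT) table. Names and addresses are
# constructed; strict peer matching is assumed and not every router does it.
from itertools import count


class PatRouter:
    def __init__(self, public_ip, mgmt_port=80):
        self.public_ip = public_ip
        self.mgmt_port = mgmt_port        # HTTP management, filtered from WAN
        self._ports = count(40000)        # next free public source port
        self._table = {}                  # public port -> outbound flow

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN host opens a connection; return the rewritten source endpoint."""
        port = next(self._ports)
        self._table[port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, port)

    def inbound(self, src_ip, src_port, dst_port):
        """WAN packet to the public IP; return the LAN endpoint or None (drop)."""
        if dst_port == self.mgmt_port:
            return None                   # filter rule: no management from WAN
        flow = self._table.get(dst_port)
        if flow is None:
            return None                   # no mapping: unsolicited, dropped
        lan_ip, lan_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None                   # not the peer the LAN host chose
        return (lan_ip, lan_port)


def demo():
    r, out = PatRouter("203.0.113.10"), {}
    # 1. Outside host probes the public address: no mapping, so dropped.
    out["unsolicited"] = r.inbound("198.51.100.7", 5555, 445)
    out["wan_mgmt"] = r.inbound("198.51.100.7", 5555, 80)
    # 2. LAN host browses a normal site; the reply is translated back.
    _, p = r.outbound("192.168.1.20", 51000, "192.0.2.80", 80)
    out["reply"] = r.inbound("192.0.2.80", 80, p)
    # 3. LAN host is fooled into connecting out: return traffic is passed.
    _, q = r.outbound("192.168.1.20", 51001, "198.51.100.7", 443)
    out["fooled"] = r.inbound("198.51.100.7", 443, q)
    # 4. A different outside host aiming at the mapped port is still dropped.
    out["third_party"] = r.inbound("198.51.100.99", 443, q)
    return out


if __name__ == "__main__":
    print(demo())
```

Cases 2 and 3 are indistinguishable to the translation table, which is why outbound filtering and host-level controls are needed alongside it.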
