[Dshield] NAT: Secure?

Pablo Morales Pablo at condumex.com
Wed Aug 27 19:07:20 GMT 2003


Port filtering won't really help them because the spyware can communicate using port 80. Even a "real firewall" won't be able to find this sort of problem (unless you use some other software for web traffic control). The firewall is only intended to protect you from network-based attacks. Antivirus software should protect you from HTML/email-based attacks due to the changing nature of the threat. In any case there are people that don't mind that someone is monitoring their browsing patterns. And some may even like that they get ads that are customized for them =).

-----Original Message-----
From: Alan Frayer [mailto:afrayer at frayernet.com]
Sent: Wednesday, August 27, 2003 11:06 AM
To: General DShield Discussion List
Subject: RE: [Dshield] NAT: Secure?


But Pablo, let's say someone browses from within their NAT-protected
network to a website that distributes spyware. The request for the web
page goes out through the NAT, and the return data, including the
spyware, comes back through the NAT. Now the spyware starts sending its
garbage through the NAT, and the NAT doesn't know better than to let all
of this happen. A more flexible firewall might be able to catch and
block the traffic. So aren't these NAT-only firewalls missing the mark?

On Wed, 2003-08-27 at 11:34, Pablo Morales wrote:
> If you needed to access the internet without exposing any services to the world. I know of at least one "real firewall" that will use NAT alone to defend your network. A "NAT firewall" is the firewall to use for networks without open services. Anything above that is overkill IMHO.
> 
> Pablo
> 
> -----Original Message-----
> From: Keith Bergen [mailto:keith at keithbergen.com]
> Sent: Wednesday, August 27, 2003 9:35 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] NAT: Secure?
> 
> 
> Just to start off, a "NAT Firewall" is not a firewall. It is, 
> however, a fairly good way for people to add some protection 
> to their home network.
> 
> 
> Basically, NAT is designed to allow multiple computers behind 
> a single point to access the Internet etc. The outside world 
> only "sees" the router, so it wouldn't see your valuable data 
> on your home PC.
> 
> When a request for a port comes to the NAT router, let's say 
> port 135, the NAT router either knows to forward it, or 
> doesn't. If you haven't told it how to forward 135, it just 
> goes away.
> 
> Hope this simple explanation from an even simpler individual 
> helps.
> 
> I've logged all the connections that my router has "turned
> away" since April.
> http://keithbergen.dyndns.org/cgi-bin/rlac.pl
> 
> Keith.
> 
> 
> ---- Original message ----
> >Date: 27 Aug 2003 08:49:49 -0400
> >From: Alan Frayer <afrayer at frayernet.com>  
> >Subject: [Dshield] NAT: Secure?  
> >To: list at dshield.org
> >
> >Please pardon the basic question, but I'm filling holes in my
> >understanding of firewalls, and figure this is a good place to do so.
> >
> >How secure is NAT? One sees advertised dozens of inexpensive broadband
> >routers with simple NAT firewalls (which isn't really a firewall, I
> >know; the firewall is a side effect of the purpose of NAT), and I wonder
> >if the public isn't being taken by depending on these devices.
> >
> >________________________________________________________________________
> >Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
> >Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
> >If you would like to discuss an opportunity with me, please e-mail.
> >
> >
> >_______________________________________________
> >list mailing list
> >list at dshield.org
> >To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 

________________________________________________________________________
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
If you would like to discuss an opportunity with me, please e-mail.
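
Added example (not part of the original thread): a small Python model of the NAT behaviour the posters describe, showing that an unsolicited inbound probe to port 135 is dropped while any connection opened from inside, whether a browser or spyware talking to port 80, gets a mapping and its replies are delivered. The class, the addresses (documentation ranges) and the per-connection filtering rule are assumptions made for illustration; real routers differ in how strictly they match replies.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"  # constructed address for the router's outside interface


@dataclass
class NatRouter:
    # Static port forwards the owner configured: public port -> (inside ip, port)
    forwards: dict = field(default_factory=dict)
    # Dynamic mappings: (public port, remote ip, remote port) -> (inside ip, port)
    table: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)  # the "turned away" log
    next_port: int = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Any inside host may open a connection; NAT only records and rewrites it."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (PUBLIC_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the inside (ip, port) the packet reaches, or None if dropped."""
        hit = self.table.get((dst_port, src_ip, src_port))
        if hit:
            return hit                        # reply to a connection opened from inside
        if dst_port in self.forwards:
            return self.forwards[dst_port]    # owner told the router how to forward it
        self.dropped.append((src_ip, src_port, dst_port))
        return None                           # no mapping, no forward: it just goes away


def demo():
    nat, out = NatRouter(), {}
    # Unsolicited probe from outside to port 135: nothing inside asked for it.
    out["probe_135"] = nat.inbound("198.51.100.7", 4444, 135)
    # Browser on an inside PC fetches a page; the reply matches the mapping.
    _, port, _, _ = nat.outbound("192.168.1.10", 1025, "192.0.2.80", 80)
    out["web_reply"] = nat.inbound("192.0.2.80", 80, port)
    # Spyware on the same PC connects out to port 80: NAT treats it identically.
    _, port, _, _ = nat.outbound("192.168.1.10", 1026, "192.0.2.99", 80)
    out["spyware_reply"] = nat.inbound("192.0.2.99", 80, port)
    out["dropped"] = list(nat.dropped)
    return out


if __name__ == "__main__":
    print(demo())
```

Only the inbound probe appears in the drop log; telling the spyware connection apart from the browser's needs inspection of the web traffic itself, which this model, like a NAT-only device, does not do.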

