[Dshield] [DShield] Architecture approach

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Sat Aug 13 16:24:08 GMT 2005


On Sat, 13 Aug 2005 12:41:09 +0200, Håkon Alstadheim said:

> knowing the IP of my border router will not help an attacker. The way I 
> see it NAT makes it easier to secure a network, because anything inside 
> that you want to expose has to be EXPLICITLY enabled.

As others have said, that's a function of a firewall, not of a NAT.

And remember - it only adds one layer of security.  If an attacker can
find another way to get something past the firewall, things usually
go downhill very quickly.  It only takes one vulnerable copy(*) of IE or
Outlook behind the firewall to make an outbound connection and pull the
rest of the exploit in.

(*) OK, so a vulnerable Evolution or Pine or Elm or Firefox or Thunderbird
would be equally an issue, except that vulnerable copies of those are much
harder to find.....