Nat - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: Nat

  1. #11
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    For a home user something like the Linksys BEFSR41 in it's default configuration is ample sufficient protection from malicious ingress for a low cost and a simple installation.
    Yep, and to go a step farther, this particular device has a configuration screen where it will interoperate with Zone Alarm or BlackIce. I use this model along with one of the previous personal firewalls. Top that with the logviewer proggie that Linksys provides from their FTP site and you have a nice little setup for a home network.

    One interesting thing about this model is that a few firmware revs back, it had a stateful packet inspection option that mysteriously vanished at around the same time a newer model of the router came out. Hmmmm. LOL

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #12
    Junior Member
    Join Date
    Apr 2003
    Posts
    18
    I expect the Linksys line to undergo some changes as they are now owned by Cisco.
    http://newsroom.cisco.com/dlls/hd_032003.html Most SOHO firewalls do considerably more than just NAT, most have packet filtering ability and some limited statefull inspection. As has been said more than once in this thread for home use where you are doing nothing more than protecting your connection to the Internet most SOHO firewall/routers will work. I wouldn't put up my own web or mail server behind one without getting a real statefull firewall. Oh and never forget up-to-date virus protection.

  3. #13
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    A NAT box will certainly provide security provided:

    1. You do not open (forward) any ports on the NAT box
    2. The NAT box itself does not offer any services on its public interface
    3. There aren't any bugs in the implementation of the NAT box itself (never assume this!). Keep it up to date.

    However, it won't protect you against:

    - Any content-based attacks (mal-ware, viruses)
    - Trojans on machines inside the NAT. They can establish connections with attackers on the outside by using an internally initiated connection
    - Attackers inside the NAT'd network

    For that, you need to have a virus scanner and safe computing practice.

    A *correctly* configured NAT box, with virus scanners and safe computing practice makes for a formidable defence, however, any two on their own would not be sufficient.

  4. #14
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    My other buddy who is a net admin himself was telling me it was secure enough that you dont need to even run a firewall?
    Ja, he coud be right. My first impression was that he was FOS, but you didn't post the model. It might be a secure one. I am liking that LinkSys model everyone is talking about. I have a NAT, PAT actually, that is pretty secure. But wouldn't you feel better with a Linux box in there as well?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #15
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Slarty perfectly explains the reasonning behind my answer...


    Invictus, please explain why you say that PAT provides more protection than NAT?! They don't even have the same functionnality...

    Also, keep in mind that statefull inspection (of packets) isn't a magic thing: all it does is keep track of established connection states. The advantage is that it makes it harder to "slip in" odd or invalid packets that don't belong to an establised connection. However, if you are doing NAT, you are in fact already keeping states on outgoing connections with the translation table. So incoming packets that do not belong to an established connection will be blocked/dropped just as they would with a statefull firewall. (For example, OpenBSD's fireall, (pf), uses the same "table" (a BTree I believe, actually) to keep states AND for NAT.)
    So assuming you don't expect incoming (legit) connections and don't need complex outgoing filtering, NAT and SPF do basically the same thing...


    But wouldn't you feel better with a Linux box in there as well?
    No: Assuming the user is a newbie to networking, security and computing in general (an appropriate assumption I'd say when you're asked a question like this), I would advise against having him/her setup a *nix firewall. Linux boxes comes with TONES of services enabled, needs considerable efforts (to newbies at least) to secure and then to learn iptables/ipchains and set it up. And then in the end, even a default block in, nat out all provides little more security than does a default install (meaning pretty much plug and play) of home router...


    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #16
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    ammo,

    first let me qualify my previous response by stating that I was referring to NAT as a 1-to-1 static translation and PAT as a many-to-1 translation.

    to answer your question, NAT itself does not keep connection info in a state table as you stated. A static NAT simply translates an RFC 1918 IP address to a public IP address so it is routeable across the internet. This also means that a 1-to-1 translation could work in reverse. So a host on the Internet could send data to a private host by using the NATed address instead of the private IP. Even if there is no connection established.

    When doing a static 1-to-1 NAT NO level of security is provided unless there is also a firewall in place.

    refer to the following link:
    http://computer.howstuffworks.com/nat3.htm

    "In specific circumstances, Static NAT, also called inbound mapping, allows external devices to initiate connections to computers on the stub domain. For instance, if you wish to go from an inside global address to a specific inside local address that is assigned to your Web server, Static NAT would enable the connection."

  7. #17
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Ok, granted, if you refere only to static nat (in openbsd's pf they call in "binat") you are indeed exposing the whole host... This feature is called the "dmz" or "mapping" in many home routers.
    In this way, I'd agree that PAT is better than NAT, but only if referring to inbound packet "redirection".

    However, NAT, the usual "dynamic" "internet sharing" (one-way) NAT (which we were talking about), DOES use a translation (state) table. It HAS to, since it must know to which established outgoing connection an incoming packet belongs to (if any).


    Ammo
    Credit travels up, blame travels down -- The Boss

  8. #18
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    LOL Ammo,

    My big grin after the firewall comment was meant to induce humor and at the very least, perhaps get him to ask the question...."hmm what is linux, should I try it?" If someone is concerned enough and knowlegable enough to wonder about NAT and it's level of protection and sophistication, perhaps Linux would also peak an interest. I do have to admit though, setting up Red Hat 9 in a firewall configuration is much easier these days. You just click the "HIGH" or "Medium" setting and a couple of Radial Buttons for protocols you want to allow on either the inside and outside interface and it starts blocking all inbound connections or outbound connections. Sure it gets much more complicated, but that's not a bad firewall to start out with.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  9. #19
    Junior Member
    Join Date
    Jun 2003
    Posts
    1
    You should get a firewall if you habe a NAT router. IT'S NOT SECURE TO OPERATE WITHOUT THE FIREWALL...

  10. #20
    Senior Member
    Join Date
    Mar 2002
    Posts
    425
    Uninstalled, did you even bother to read the rest of this thread? Or did you just jump right in with that mindless comment because you've read that firewalls are a good idea?

    As several others said before, NAT provides adequate protection for most home users. Sure, we all know that defense in depth is a good idea when you're serious about security, but a large portion of the internet wouldn't have the slightest clue what to do with a firewall. For those people, basic NAT is usually enough to protect them from the big bad internet.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides