Date: Wed, 29 Mar 2000 11:48:54 -0800
From: "Brian O'Shea" <boshea@ricochet.net>
To: Randy Bush <randy@psg.com>
Cc: "Brian O'Shea" <boshea@ricochet.net>, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329114854.F330@beastie.localdomain>
In-Reply-To: <E12aIaA-0001yj-00@roam.psg.com>; from Randy Bush on Wed, Mar 29, 2000 at 11:02:26PM +0930
References: <20000328113534.W330@beastie.localdomain> <Pine.BSF.4.05.10003281436440.3162-100000@kronos.networkrichmond.com> <E12a411-0001UE-00@roam.psg.com> <20000328145615.B330@beastie.localdomain> <E12aIaA-0001yj-00@roam.psg.com>
On Wed, Mar 29, 2000 at 11:02:26PM +0930, Randy Bush wrote:
> >>> NAT will effectively protect the boxes on your network.
> >> how? firewalls protect. nat merely translates addresses.
> > Correct. And since there is no way for machines outside of my local
> > network to know what internal addresses are being translated by my
> > router, there is no way to address them from outside.
>
> nats kindly create and generate the mappings for the attacker.

Excellent! Now, that's the kind of information I was asking for in my
original post. Could you elaborate on the security risks? How would an
attacker find out my internal network address (other than by reading
this e-mail message), and how would they address an IP packet to one of
them from outside of my network?

> > Even if these addresses are known, there is no route to them from the
> > internet;
>
> there are routes to the addresses to which nat translates them.

So how would an attacker address one of my internal machines from another
machine outside of my network? My network address on the internal net is
10.0.0.0/24 and I have one public IP address (provided by my ISP). I was
under the impression that the upstream router would drop all packets
destined for one of the RFC1918 networks.

> > they are reserved for use by private networks:
> > <http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1918.txt>
>
> wow! what an exciting rfc! </sarcasm>

It wasn't meant to be entertaining! :) I just wanted to provide some
background, to differentiate it from other possible NAT configurations.
I am fairly new at this, so I am just providing as much information in
my questions as possible.

> i am sitting next to three rather renowned security folk at the iesg/iab
> breakfast here at the adelaide ietf. quote one whose book you probably read
> "NATs per se provide little security. They can, however, be used as one
> component of a firewall, which does provide some security."

<NotSarcasm> Well, tell him or her thank you for me the next time you
have breakfast together! </NotSarcasm>

> randy

-brian
--
Brian O'Shea
boshea@ricochet.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000329114854.F330>
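The point Randy is making (the NAT "creates the mappings for the attacker") and the breakfast quote ("NATs per se provide little security ... one component of a firewall") can be shown with a small model of NAT state. The following is an added example, not code from this thread, from natd or from ipfw. It assumes the 10.0.0.0/24 inside net from Brian's message, a single public address 203.0.113.1, and two attacker hosts 198.51.100.7 and 198.51.100.8 (all chosen from the RFC 5737 documentation ranges); the two filtering policies are named after RFC 4787 ("endpoint-independent" is the classic full-cone NAT, "address-and-port-dependent" is what a stateful firewall rule such as keep-state enforces). The attacker never needs to route a packet to 10.0.0.5 at all: once the inside host opens a session to a server the attacker observes, the public (address, port) the NAT handed out is enough, unless the NAT also filters on the peer.

```python
"""Toy model of NAT mapping and inbound filtering.  Added illustration,
not code from the FreeBSD list, natd or ipfw.  Addresses are assumed
(RFC 5737 documentation ranges) except 10.0.0.0/24 from the message."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

INSIDE_NET = "10.0.0."            # 10.0.0.0/24 from the message
PUBLIC_IP = "203.0.113.1"         # assumed: the single public address
ATTACKER_SERVER = "198.51.100.7"  # assumed: a server the inside host talks to
ATTACKER_OTHER = "198.51.100.8"   # assumed: a second attacker-controlled host


class Nat:
    """Port-translating NAT with a selectable inbound filtering policy."""

    def __init__(self, filtering):
        assert filtering in ("endpoint-independent", "address-and-port-dependent")
        self.filtering = filtering
        self.next_port = 50000
        self.mappings = {}  # (inside_ip, inside_port) -> public_port
        self.peers = {}     # public_port -> {(outside_ip, outside_port), ...}

    def outbound(self, pkt):
        """Inside -> outside: create (or reuse) a mapping and rewrite the source."""
        key = (pkt.src, pkt.sport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        public_port = self.mappings[key]
        self.peers.setdefault(public_port, set()).add((pkt.dst, pkt.dport))
        return pkt._replace(src=PUBLIC_IP, sport=public_port)

    def inbound(self, pkt):
        """Outside -> inside: return the translated packet, or None if dropped."""
        if pkt.dst != PUBLIC_IP:
            # Addressed to something other than our public address (e.g. a
            # 10.0.0.x address directly): nothing here translates it, so it is
            # dropped whether or not the upstream router would have carried it.
            return None
        for (inside_ip, inside_port), public_port in self.mappings.items():
            if public_port == pkt.dport:
                break
        else:
            return None  # no mapping for this port: nothing is behind it
        if (self.filtering == "address-and-port-dependent"
                and (pkt.src, pkt.sport) not in self.peers[public_port]):
            return None  # only the peer the inside host contacted may answer
        return pkt._replace(dst=inside_ip, dport=inside_port)


def open_session(nat):
    """Inside host 10.0.0.5 talks to the attacker-observed server, which
    therefore learns the public (ip, port) the NAT handed out."""
    inside = Packet(INSIDE_NET + "5", 40000, ATTACKER_SERVER, 80)
    return nat.outbound(inside)


def legitimate_reply(filtering):
    """The server answers from the address/port it was contacted on."""
    nat = Nat(filtering)
    seen = open_session(nat)
    reply = Packet(ATTACKER_SERVER, 80, seen.src, seen.sport)
    return nat.inbound(reply)


def attacker_reuses_mapping(filtering):
    """A different attacker host sends to the public port it learned about."""
    nat = Nat(filtering)
    seen = open_session(nat)
    probe = Packet(ATTACKER_OTHER, 31337, seen.src, seen.sport)
    return nat.inbound(probe)


def attacker_targets_private_address(filtering):
    """A packet addressed straight to 10.0.0.5: no mapping applies."""
    nat = Nat(filtering)
    open_session(nat)
    probe = Packet(ATTACKER_OTHER, 31337, INSIDE_NET + "5", 40000)
    return nat.inbound(probe)


if __name__ == "__main__":
    for policy in ("endpoint-independent", "address-and-port-dependent"):
        print(policy)
        print("  legitimate reply     :", legitimate_reply(policy))
        print("  attacker via mapping :", attacker_reuses_mapping(policy))
        print("  attacker to 10.0.0.5 :", attacker_targets_private_address(policy))
```

Run as-is: under endpoint-independent filtering the probe from 198.51.100.8 is translated to 10.0.0.5:40000 even though the attacker never addressed 10.0.0.5, which is the mapping the NAT "created for the attacker"; under address-and-port-dependent filtering the same probe is dropped while the real server's reply still passes. The private-address probe is dropped in both cases, but only because no mapping exists for it, not because of anything the NAT does for security.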