>
> > Please correct me if I'm wrong here but I was under the impression that
> > the 192.168.x.x addresses were 'non-routable' or whatever the term is.
> > Under what circumstances can an external intruder gain access to my
> > internal 192.168.x.x machines?
>
> Source routed packets.
>
Which can and should be turned off in the router and/or IP Masq box,
which should also do such obvious things as filter out packets to the
inside addresses claiming to be from the inside... etc... this is basic
stuff that you should do with EVERY firewalled environment IMHO. NAT with
some decent filters is IMNSHO just above straight filters and straight
through proxies in the security sense. Really the next level is to have
a proxy that understands the protocol and can interpret the data stream
for "bad things" (i.e.: the fwtk patches to gw-http that can filter based
on tags and disallow ActiveX, Java, etc..). If you think a stand-alone
straight through proxy is more secure than a good filter set on a newer
router OS, you've been drinking the vendor Kool-Aid. Again, a proxy that
understands the application data stream can be more secure.
<soapbox>
This goes back to some earlier statements that other people have alluded to,
and that is the case of "Good Enough Security". If you have a billion dollars
you are trying to protect, you'd better nail things down pretty damn tight.
On the other hand, if you are trying to protect a 1K/mo charity you'd scale
things back a bit. You can't just say "This is THE solution", you have to
look at the situation, analyze it, and THEN you can say "this is good enough
security, here". Appropriate solutions for appropriate problems. I think too
many people here get caught up in finding the 100% secure solution; this may
or may not be practical in all environments (both from an economic and
usability standpoint).
</soapbox>
That said, NAT can be an important part of an overall security scheme
and may/should be coupled with other security measures including router
filters, and perhaps some appropriate proxies. It is not THE solution,
nothing is THE solution, they are all pieces and parts that need to be
used appropriately.
----------------------------------------------------------------------------
Ryan Mooney          Phone (602)265-9188          PCSLink
ryan@pcslink.com     Fax   (602)265-9357          Internet Services
The world needs more bitter, twisted souls. It would be a much better place.
-----------------------------------------------------------------------------
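The two filter rules the reply above lists (drop source-routed packets; drop packets on the outside interface that carry inside 192.168.x.x-style addresses, whether as a spoofed source or as a direct destination) as an added, constructed example. This is not code from the poster, IP Masq or fwtk; the interface names, the sample packets and the `Packet` record are assumptions made up for the illustration.

```python
"""Toy inbound-packet policy check for the anti-spoofing rules discussed
in the post.  Constructed example: the interface names and the sample
packets below are made up; nothing here talks to a real kernel."""
import ipaddress
from dataclasses import dataclass

# Private address space that should never appear on the outside interface.
INSIDE_NETS = [ipaddress.ip_network("192.168.0.0/16"),
               ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("172.16.0.0/12")]
EXTERNAL_IF = "eth0"   # assumed name of the interface facing the Internet


@dataclass
class Packet:
    iface: str                   # interface the packet arrived on
    src: str                     # source IP address as a string
    dst: str                     # destination IP address as a string
    source_routed: bool = False  # LSRR/SSRR IP option present


def is_inside(addr: str) -> bool:
    """True if addr falls inside one of the private (inside) networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def decide(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one inbound packet."""
    if pkt.source_routed:
        return "DROP", "source-routed packet"
    if pkt.iface == EXTERNAL_IF:
        if is_inside(pkt.src):
            return "DROP", "outside packet claims an inside source (spoofed)"
        if is_inside(pkt.dst):
            return "DROP", "outside packet addressed directly to an inside host"
    return "ACCEPT", "passed basic filters"


# Constructed sample traffic: documentation-range public addresses only.
SAMPLE = [
    Packet("eth0", "203.0.113.7", "198.51.100.1"),                      # normal
    Packet("eth0", "192.168.1.5", "198.51.100.1"),                      # spoofed src
    Packet("eth0", "203.0.113.7", "192.168.1.5"),                       # inside dst
    Packet("eth0", "203.0.113.7", "198.51.100.1", source_routed=True),  # LSRR
    Packet("eth1", "192.168.1.5", "203.0.113.7"),                       # inside -> out
]


def run(packets=SAMPLE) -> list:
    """Apply the policy to each packet and return the list of verdicts."""
    return [decide(p)[0] for p in packets]
```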