
List:       inet-access
Subject:    RE: NAT alone vs. Firewall
From:       "Brent Wiese" <brently () bjwcs ! com>
Date:       2001-06-28 2:55:43

Let them use NAT, but encourage them to get an IDS box, or offer to build
them one using snort or the like.

Shouldn't be hard to convince them that shelling out $5k to watch the wire
for intrusion attempts is a whole lot less than even a few hours downtime
repairing a hacked machine.

You didn't mention if they do any port forwarding or static mappings... both
can be just as dangerous as sitting the box on the public wire.

Offer to build them an access list that logs portscans and such to prove the
point. Remind them if someone does manage to hack a machine on the inside,
then NAT really doesn't offer any protection since they can use something
like netcat to make the internal machine connect to theirs, bypassing the
"safety" of NAT. With the plethora of holes in IIS, it's trivial to hack a
webserver behind NAT if port 80 is forwarded, then use netcat to happily
hack away at the rest of the network.

Best sales tactic - tell them to buy a copy of BlackICE and watch it for a
couple weeks. Bound to be something captured.

Cheers,
Brent



> -----Original Message-----
> From: owner-list@inet-access.net [mailto:owner-list@inet-access.net]On
> Behalf Of Shane Hickey
> Sent: Wednesday, June 27, 2001 3:02 PM
> To: list@inet-access.net
> Subject: Re: NAT alone vs. Firewall
>
>
> On Wednesday 27 June 2001 15:49, you spoke thusly:
> > If by NAT, you mean something like the < $100-200 ethernet-ethernet
> > broadband firewall boxes available from dozens of vendors, then...
>
> Hmm.. I should have explained more.  The customer is currently
> using Cisco
> 3600s and using the NAT on the router.  I'm trying to talk them into some
> sort of IOS Firewall, or PIX or other Firewall or at least reflexive
> access-lists.  Basically, I'm looking for whitepapers talking about TCP
> hijacking and other things that NAT alone can't protect you from.
>
> Thanks,
>
> Shane
> -
> Recent archives of the list can be found at:
> http://mix.twistedpair.ca/pipermail/inet-access/
> Send 'unsubscribe' in the body to 'list-request@inet-access.net' to leave.
> Eat sushi frequently.   inet@inet-access.net is the human contact address.
>

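An added configuration example (mine, not anything posted in this thread or taken from Cisco documentation) for the 3600-with-NAT setup Shane describes: reflexive access lists so only replies to sessions the inside opened get back in, a logged deny that makes port scans visible, and an egress rule that stops a forwarded web server from initiating its own outbound connections (the netcat call-back Brent describes). All addresses, interface names, ACL names and the syslog host are assumed.

```cisco
! Constructed addressing: outside 203.0.113.1/24, inside 192.168.1.0/24,
! web server 192.168.1.10 published as 203.0.113.10:80 (all assumed).
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group FROM-LAN in
!
interface Serial0/0
 description public wire
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Overload NAT for the LAN plus the single static port forward for the web server.
ip access-list standard LAN
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN interface Serial0/0 overload
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
!
! Egress, checked on the inside interface before NAT (so private addresses apply):
! the web server may only answer connections already made to it; anything it
! tries to start on its own is dropped and logged. The rest of the LAN is free.
ip access-list extended FROM-LAN
 permit tcp host 192.168.1.10 eq www any established
 deny   ip host 192.168.1.10 any log
 permit ip 192.168.1.0 0.0.0.255 any
!
! Outbound on the public side: record every session the inside starts.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any reflect ICMP-SESSIONS timeout 30
!
! Inbound: only the forwarded port and replies to sessions the inside opened.
! Everything else is denied and logged; a scan shows up in syslog as one source
! hitting many ports on the deny line.
ip access-list extended INBOUND
 permit tcp any host 203.0.113.10 eq www
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 deny   ip any any log
!
logging buffered 64000 informational
logging trap informational
logging host 192.168.1.20
```

Note that port 80 on the web server is still exposed, exactly as Brent says; the ACLs only contain what a compromise of that host can do and make the attempts visible.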
