Home network behind NAT and firewall?

That is what I was saying.

O.K. Well, maybe we should better stop as I think we both understand what it's all about. In my argument I separated between NAT, routers and firewalls. NAT does not keep traffic inside the network, it is the router running. Any router does. Even a normal switch should do that nowadays as it only forwards the traffic to the intended ports. A firewall or better a packet filter in your up-link does the filtering if you want to be sure. NAT deals with a completely different aspect.

Anyway, I agree with you that in general a NAT device is extremely helpful for the fully ignorant user.

My problem with your arguments is that you never properly define what you mean with. NAT, router, firewall, packet-filters are different concepts. You seem to imply a certain set of functionality that you see in devices you use. NAT does not have anything to do with packet filters. But I suppose most available Linksys, Netgear, etc. consumer network routers do have packet filters and NAT.

Again, it is not silly. You consider someone who is ignorant and won't get anything right. If you use a proper firewall and set it up properly it does the full job and more and 100% reliable and secure instead of maybe even 99% secure. You find this setup in many companies and universities and it works perfectly fine.

I challenge you: none of these compromises would have been avoided with NAT. If the compromise was related to a misconfiguration in the firewall then this would have happened as well on a NAT router. If the company wanted to make a service available and opened an incoming port, they would have done it on a NAT router, too. Their compromise is never the reason of their computer having a public or private IP address. The traffic was intended to come in, with firewall or NAT router. Unintended traffic won't come in with a firewall. It can - maybe only under statistically circumstances - come in with a NAT router.

I can show you firewall logs with exactly the same contents. Where is the difference? (BTW, my Linksys does not log it...)

Yes, they use private address schemes for places that they want completely separated from the rest of the network. Traffic of these networks won't leave the network. That's impossible then. If you need connectivity outside you use fully filtering proxies for specific purposes.

If you put in your NAT device you open the door to the outside. The reason why most companies use private addresses is because public addresses are expensive. They buy the number of addresses they need and not a complete class A network to give all their devices an IP address.

Either way, all computers in your network have IP addresses and can communicate with the outside and in-coming communication is only allowed where you configure it.

Maybe we are talking about different things. But to me it seems as if you are comparing a private network behind a NAT router with a directly connected network without router/firewall in between. I never did this comparison.

All public servers of all companies are generally in public IP space. They are, however, behind a firewall that is configured only to let traffic for these servers in.

Put in a firewall. For the time being, use the built-in software firewall.

Gerald

Reply to
Gerald Vogt

You do not define the terms, i.e. the concepts, but you give examples and explain what those examples do. I think here lies our misunderstanding. You explain all real things that I know very well for years. For example you define NAT basically as Linksys or other "simple NAT router". Apart from the fact that even those "simple NAT routers" have huge differences in functionalities they provide, the concept of NAT is not defined by some products available that may use it. The same way you mix the concept of a firewall with NAT and proxies services as they may appear together in real devices.

If you do not understand the concepts and are able to differentiate and in particular see the various concepts separated from each other, you are not able to fully grasp the meaning of it because you only consider for example a Linksys BEF as a NAT router when it is actually a combination of various concepts.

A proper security design (which certainly requires several steps before you sit down and think about the security concepts you want to apply) when you apply these concepts properly to your scenario you achieve the best possible security. For example, to separate two networks and allow only specific traffic in between you require a packet filter. Your example "NAT device" does packet filtering, too. It drops in-coming packets if it does not know what to do with it. If it finds a use it forwards the packet. The important thing is to understand the concepts.

The step after that is to do the implementation of your security design by looking for suitable solutions that provide the necessary means to do what you want it to do.

Even if it often seems simpler just to say "like a Linksys", in particular in the "NAT router" area the collection of many different concepts in a single device plus a marketing department that just uses terms as they sell not whether they actually apply, often result in big confusion. And I think that is very unfortunate but there is little you can do about it. But as someone who designs security systems you have to know and differentiate between concept and actual devices. If you only think about some 10 different devices and how to plug them together to make your system secure, then your design is flawed from the very beginning.

So, to come back to the issue of private vs. public IP addresses. Neither one is more or less secure per se. In both cases you apply packet filters that filter traffic between "inside" and "outside". Private IPs require additional mapping of connections between internal and external IPs. The only time it makes a difference is when you don't put in a NAT for your private IPs but a normal router at the edge of your network which just drops private IP traffic. But in that case your computers with private IPs cannot access anything outside your network because of their un-routable private IPs. But we were not considering this case...

Gerald

Reply to
Gerald Vogt

Sure you do, you run the risk of having something improperly configured and fully exposing your network. I joined a company years ago, they were an engineering firm, they kept losing jobs to other firms. Their network was based on Windows 2000 workstations and Novell servers. All machines had a public IP and they figured since everything was based on Novell that they were safe - WRONG. As it turns out, many people would copy files from the servers to their local workstations and then use them locally. Since everyone had to use a common password it didn't take long before the competition and other people were able to find the exposed computers on the internet, download the files from the workstations, and do with them what they wanted. It took me months to make them understand that their methods were flawed, they just didn't want to believe that they were wrong.

I have never seen a mapping problem with NAT devices, in fact, since we do NAT for all of our clients' networks I can honestly say that it works beautifully.

The weakness is in assuming that having a packet filter always properly configured. When I setup a company with a private address space behind 12 PUBLIC IP's, they only map the first 11 IP's to public servers if needed, and then it's not all ports, just the specific ports that are necessary - in many cases it only takes 2 or 3 IP to setup mail, ftp, web, demo space, and VPN. I would rather only map a few ports from a few IP to public servers than to create rules to filter 200 public IP to 200 internal computers based on what those systems need.

You are right, IPv6 is supposed to eliminate needing NAT and private address spaces, but I don't really think it will happen. I can't see any reason to expose every network device to the public IP system, it's just not going to be secure by default.

I agree, most home users have 1 IP and most only have 1 computer, in a case of 1:1 they still should be using a NAT device to block unsolicited inbound because they don't have any other valid means to get the system online and protected (in general, for the common home user).

Businesses are in the same boat, even if they can get 1000 IP, there is no valid reason to assign a public IP to each internal machine. Sure, it's done at some educational institutions, I even know one Edu Hospital where EVERY computer has a public IP, but that doesn't make them secure by default - just one screw-up and it's fully exposed. At least with a NAT solution and private addresses in your basic setup it would mean that nothing inbound would work. As an example, my Firebox II or III units, when I set them up before I create the service mappings, they have X public IP and the LAN port has at least one private subnet (we usually run several subnets). When I add an SMTP rule there is no default way for a public IP to map to the internal (private) smtp server, I specifically have to add a NAT mapping for it to work. If I were using drop-in mode (no NAT) it would have worked by default. The difference is that a misconfigured firewall, or an unfinished configuration, will not expose internal services until it's properly set up.

I hope the above makes sense.

Reply to
Leythos

There is no reason not to either. Just by having an IP address you do not "expose" anything vulnerable to the internet. I know you doubt that but tell me something where the kind of IP address actually makes a difference. You have a packet filter in between. Not more or less will get through whether you use NAT or not. As mentioned before I see certain potential for weaknesses in NAT due to the mapping required for it which never can be completely 100% correct and secure.

In addition, it still seems to me as if many people envision the future of the internet in a way that basically anything and any electrical appliance gets an IP address so that you can check your stove and turn on the washer. IPv6 does have the address range to do that.

I never said anything against that. Most home users have 1 IP address and need NAT. I also think home users should not offer services/servers to the internet unless they really understand what they are doing. Businesses need proper firewalls and administrators who know something about security.

Gerald

Reply to
Gerald Vogt

You are comparing completely different things. Having a public IP address does not mean that you do not have a firewall in place that you have to configure properly. A NAT would not help here either because this, too, you have to configure properly. If you don't put in a firewall, it is your own fault. But we were not talking about that.

That is the problem: you don't notice when it is not working. Maybe you click on a web page and your answer is not coming. You press reload and it opens a new connection and it works fine. The problem is not obvious. If it works 99% of the time you will hardly notice the 1% in particular in interaction with the internet where things often do not work properly. There is the potential...

That is correct for NAT routers and firewall routers.

Sorry. But what is so hard about a rule "DENY ALL" and then configure specific "ALLOW"s? You do exactly the same with private or public IP addresses. You configure which ports you actually want to let through. You don't configure 200 rules, you configure _exactly_ the same except you do not have to provide the explicit mapping of the incoming connection to servers because that is obviously not required. There is absolutely no difference here. It seems as if you never actually configured a firewall if you think that for 200 public IPs you have to write rules for each and every one. You can do that if you like specific rules for what computer may do in out-bound direction but even then you create proper classes and assign computers to classes. In the in-bound direction you have the same: if you want a mail server accessible you have to open the port. On NAT you have to tell the private IP address of the server. With a public IP address you open the smtp port on the IP address of the mail server.

This is always the problem. Misconfiguration is no different with NAT or without. If people put in a DMZ in your NAT to play internet games, it is misconfiguration exposing the whole machine. Even worse, if your router does not assign fixed IP addresses but always uses DHCP (like my linksys) it may even be if you turn off your computer in the evening and in the morning your wife turns on hers she may end up on the DMZ IP address... There are always tons of possible misconfigurations. It is useless to argue about where could be worse misconfigurations. This would require proper research about classes of misconfigurations and their impacts, etc.

But for normal proper configuration there is no difference: you block everything in-bound and then allow specific ports/port-forwardings.

Gerald

Reply to
Gerald Vogt
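The comparison argued over in this thread (default deny plus specific allows, with or without NAT, and the earlier SMTP case where the NAT mapping has not been added yet), as an added sketch that is not code from any poster. The `Edge` class, `compare()`, the unchanged source port under NAT and all addresses (constructed from documentation ranges) are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Edge:
    """Toy stateful edge device: default-deny inbound, explicit allows, optional NAT."""
    allow_in: set                               # {(dst_ip, dst_port)} opened by the admin
    nat_wan: str = None                         # None = routed mode, inside hosts have public IPs
    dnat: dict = field(default_factory=dict)    # {(wan_ip, port): private_ip}
    flows: set = field(default_factory=set)     # connection-tracking table

    def outbound(self, src, sport, dst, dport):
        # With NAT the remote side sees the WAN address (port kept as-is for simplicity).
        seen_src = self.nat_wan or src
        self.flows.add((dst, dport, seen_src, sport))

    def inbound(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.flows:
            return "ACCEPT (reply to tracked flow)"
        if (dst, dport) not in self.allow_in:
            return "DROP (default deny)"
        if self.nat_wan is None:
            return f"ACCEPT -> {dst}"
        target = self.dnat.get((dst, dport))
        return f"ACCEPT -> {target}" if target else "DROP (allowed, but no NAT mapping)"

# Constructed addresses from documentation ranges.
MAIL_PUB, WAN, MAIL_PRIV = "203.0.113.25", "203.0.113.1", "192.168.1.25"
REMOTE = "198.51.100.7"

def build(finished=True):
    # finished=False models an allow rule added before the NAT mapping exists.
    routed = Edge(allow_in={(MAIL_PUB, 25)})
    nat = Edge(allow_in={(WAN, 25)}, nat_wan=WAN,
               dnat={(WAN, 25): MAIL_PRIV} if finished else {})
    return routed, nat

def compare(finished=True):
    """Return {traffic: (routed verdict, NAT verdict)} for three inbound packets."""
    routed, nat = build(finished)
    routed.outbound("203.0.113.40", 50000, REMOTE, 443)
    nat.outbound("192.168.1.40", 50000, REMOTE, 443)
    return {
        "unsolicited tcp/445": (routed.inbound(REMOTE, 40000, "203.0.113.40", 445),
                                nat.inbound(REMOTE, 40000, WAN, 445)),
        "smtp tcp/25": (routed.inbound(REMOTE, 40001, MAIL_PUB, 25),
                        nat.inbound(REMOTE, 40001, WAN, 25)),
        "reply from tcp/443": (routed.inbound(REMOTE, 443, "203.0.113.40", 50000),
                               nat.inbound(REMOTE, 443, WAN, 50000)),
    }

if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(label, verdicts)
```

With a finished configuration the two modes give the same verdicts; `compare(finished=False)` shows the one point where they diverge, the SMTP allow rule that has no NAT mapping behind it.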

Software firewalls cause more problems for internal LAN traffic than it's worth. Dig up an old PC, stick two NICs in it, install any variety of Linux-based firewalls (IPCOP, ClarkConnect, etc.), and be done about it. Or you can go out and buy a cheapo Netgear or Linksys firewall for about $100. Oh, and disable NAT in the cable modem, because now you will have a real firewall doing just that.

Reply to
ellis

If you are behind a firewall already, you can disable the XP firewall. If you want the redundancy, which is not a bad option and is definitely more secure, you can read the Microsoft White Paper on ports to allow open. This can be done with a GPO in a domain scenario. This article will tell you all relevant ports to allow:

formatting link

Reply to
TechnoPimp

OH, if you have NO firewall, disregard all this. As soon as you read this, step away from the keyboard, go to Best Buy and pick up some sort of NAT device like a linksys, netgear, or dlink... You can't open any ports if you are depending on the software firewall to protect your machine. On a cable network especially, that's PC suicide!

Reply to
TechnoPimp
