NAT is not a mechanism for securing a network.. but.. HELP!

So, since you've not really listed the company, only mentioned that you know a company where everyone needs access, then you say that you are not sure, but you're not aware.... It really sounds like you don't have a clue about the business needs of all the employees concerning Internet access.

Yea, I've read that before, someone knows someone that wrote the book on security and they know more than anyone else and no one else could understand any other parts of security better than they do.....

If your guru is permitting full, unrestricted access to the net, without any filtering, then they don't really understand security and they also don't understand the business needs.

How would you know - how do you have any idea that his methods work - since you state that you are unaware of the business needs, then you really don't know.

What's hilarious is that you think that all companies should provide unrestricted internet access to all employees.

Reply to
Leythos

When I took over the department the first thing I did was start looking at security - they had a no-policy policy in place before I joined. The idea was that anyone could access anything on the Net at any time.

They had suspected they had productivity problems, had problems with viruses and compromised machines, had issues with groups of people emailing jokes and explicit pictures back and forth, etc... You know, a generally uncontrolled environment with immature people.

When I got there I installed a new firewall in drop-in mode so that no one was any wiser, monitoring all traffic and seeing exactly how bad the issue was.

After 30 days we implemented a new security model and put an end to all of the BS and playing. Funny thing was that the worst abusers were also the least productive in all areas. Once we took away access to sites that didn't meet our business needs, productivity increased almost 130% that first month....

It's amazing what people will do when they think they are owed access and when they think no-one is watching.

Reply to
Leythos


Actually, it's on-topic as NAT and what people do at work are often related directly to security.

People implementing a NAT-only solution, without a real firewall, are not secure - as many people have pointed out, tunneling and such.

A firewall using NAT does not necessarily permit tunneling once you set up the firewall to protect properly.

Reply to
Leythos

Funny, using SOAP won't allow you to use your workstation to tunnel to the SMTP server and then have the SMTP server tunnel outside for you, and then bring the traffic back in to you. Since the IP of the specific SMTP server is all that's permitted outbound and since the firewall blocks anything that isn't a proper SMTP message type......

Please provide a link that shows how a generic user at a workstation in the LAN will be able to tunnel through an SMTP server that they don't have permission/access to configure, where the outbound from that specific IP of the server is the only outbound SMTP permitted in the firewall.

Reply to
Leythos
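The rule set argued over in the posts above (workstations may only talk SMTP to the internal relay, only the relay may open SMTP to the Internet, everything else is denied) is easy to state but worth seeing as an explicit policy. The following is an added example written for this page, not code from any poster or vendor; the 10.0.0.0/24 LAN, the relay at 10.0.0.25, the 203.0.113.10 outside host and the packet cases are all constructed. It contrasts a default-deny egress filter with a plain NAT router that forwards any outbound flow, and adds the kind of command-verb allowlist an SMTP-aware firewall applies. Note what the verb check does and does not do: it constrains which SMTP commands cross the boundary, not what is carried inside the DATA payload.

```python
# Added example (not from the thread): a toy egress-policy evaluator for the
# rule set described above, where only the internal SMTP relay may open
# outbound SMTP and workstations may only submit mail to that relay.
# All addresses and hosts below are assumptions chosen for the illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")        # assumed internal network
SMTP_RELAY = ip_address("10.0.0.25")   # assumed internal mail relay
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(addr: str) -> bool:
    return ip_address(addr) in LAN


# Ordered rules: first match wins; anything unmatched hits the default DROP.
# (description, predicate, verdict)
EGRESS_RULES = [
    ("workstations may submit mail to the internal relay",
     lambda p: in_lan(p.src) and ip_address(p.dst) == SMTP_RELAY and p.dport == SMTP,
     "ACCEPT"),
    ("only the relay may speak SMTP to the Internet",
     lambda p: ip_address(p.src) == SMTP_RELAY and not in_lan(p.dst) and p.dport == SMTP,
     "ACCEPT"),
]


def firewall_verdict(p: Packet) -> tuple[str, str]:
    """Verdict of the filtering firewall: explicit allows, default deny."""
    for desc, match, verdict in EGRESS_RULES:
        if match(p):
            return verdict, desc
    return "DROP", "default deny"


def nat_only_verdict(p: Packet) -> tuple[str, str]:
    """A plain NAT router translates and forwards any outbound flow from the LAN."""
    if in_lan(p.src):
        return "ACCEPT", "NAT: any LAN host may reach any outside host"
    return "DROP", "not from LAN"


# Verb allowlist for the SMTP command channel. This constrains which commands
# cross the firewall, not what is carried inside the DATA payload.
SMTP_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
                 "NOOP", "QUIT", "STARTTLS", "AUTH"}


def smtp_command_allowed(line: str) -> bool:
    verb = line.strip().split(" ", 1)[0].upper()
    return verb in SMTP_COMMANDS


# Constructed traffic: a workstation, the relay, and an outside mail server.
CASES = [
    ("workstation -> relay:25", Packet("10.0.0.42", "10.0.0.25", 25)),
    ("workstation -> outside:25", Packet("10.0.0.42", "203.0.113.10", 25)),
    ("relay -> outside:25", Packet("10.0.0.25", "203.0.113.10", 25)),
    ("workstation -> outside:443", Packet("10.0.0.42", "203.0.113.10", 443)),
    ("relay -> outside:443", Packet("10.0.0.25", "203.0.113.10", 443)),
]


def compare_policies() -> dict[str, tuple[str, str]]:
    """Map each case to (firewall verdict, NAT-only verdict)."""
    return {name: (firewall_verdict(p)[0], nat_only_verdict(p)[0]) for name, p in CASES}


if __name__ == "__main__":
    for name, (fw, nat) in compare_policies().items():
        print(f"{name:28s} firewall={fw:6s} nat-only={nat}")
    for line in ("EHLO ws42.example.internal", "GET / HTTP/1.1"):
        print(f"{line!r}: {'pass' if smtp_command_allowed(line) else 'block'}")
```

The second case is the one the thread turns on: a workstation opening port 25 directly to an outside host is dropped by the filter but sails through a NAT-only device. The last case shows the other half of least privilege, that the relay is allowed SMTP and nothing else.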

And most firewalls allow you to block by "category", which means as long as the web site for the company is properly set up with its proper meta tags for content type, it would be approved, where other sites, without the meta tags, could be rejected. Any Fortune 500 company should have properly configured meta tags for their web site.

Come on, you're really reaching on this one - you've still not shown any reason for "unrestricted and unlimited access to the Internet for all employees".

Reply to
Leythos

I have encountered a NAT device which does not block inbound packets. The Siemens SpeedStream 4100 ADSL modem I just connected to my LAN.

Reply to
NormanM

I'll try if I can, but the only outside network I have access to right now is my ISP's and I think they do ingress/egress filtering so I may not be able to. However, you and a couple other people have said this is true and it sounds reasonable to me... I was not aware that this was the case.

"NAT-specific"?

I always thought a firewall was anything that enforced a security policy between two networks. So the issue is what security policy is appropriate, and what hardware/software most reliably and cost effectively implements that policy, not the name a vendor decided to give a box. I have always been a little annoyed by the term "real firewall" for that reason.

Interesting, thanks!

Reply to
Stuart McGraw

Yea, DSL modems from ISPs are a mix of anything goes. I installed an SBC DSL modem for a client that provided a single private IP via DHCP and all public traffic was routed inbound to that IP.

NAT is still a good option, but not when everything is forwarded inbound to the LAN side. DSL modems are not what any of us generally talk about; when we talk about NAT and routers, we generally mean the D-Link, Netgear, Linksys....

You've just documented the best reason why you should have your own appliance after the ISP's hardware.

Reply to
Leythos
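The two modem reports above (NormanM's SpeedStream and the SBC unit that routed all public traffic to one private IP) are a good place to make explicit what a NAT router actually does with an inbound packet. The following is an added example for this page, not code from either poster or from any vendor: a toy NAT table in which unsolicited inbound packets are dropped only because no translation state explains them, with two assumed knobs, `forward_all_to` (the "send everything to this host" behaviour of those modems) and `endpoint_independent` (the full-cone style mapping many consumer devices use, where any outside host may hit a mapped port). The 192.168.1.0/24 LAN, the 198.51.100.7 public address and the flows are constructed.

```python
# Added example (not from the thread): a toy NAT table that shows why a NAT
# router drops unsolicited inbound packets only as a side effect of having no
# translation state for them, and what changes when the device is configured,
# like the modems described above, to forward everything inbound to one LAN
# host. Addresses, ports and the two constructor knobs are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")   # assumed private range
WAN_IP = "198.51.100.7"              # assumed public address of the router


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, forward_all_to: Optional[str] = None,
                 endpoint_independent: bool = False):
        # public port -> (lan ip, lan port, remote ip, remote port)
        self.table: dict[int, tuple[str, int, str, int]] = {}
        self.next_port = 40000
        self.forward_all_to = forward_all_to              # DMZ-style "hand it all to this host"
        self.endpoint_independent = endpoint_independent  # accept any sender on a mapped port

    def outbound(self, f: Flow) -> Optional[Flow]:
        """LAN -> WAN: create (or reuse) a mapping and rewrite the source."""
        if ip_address(f.src) not in LAN:
            return None
        key = (f.src, f.sport, f.dst, f.dport)
        for pub_port, entry in self.table.items():
            if entry == key:
                return Flow(WAN_IP, pub_port, f.dst, f.dport)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = key
        return Flow(WAN_IP, pub_port, f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """WAN -> LAN: deliver only what the table (or the forward-all knob) explains."""
        if f.dst != WAN_IP:
            return None
        entry = self.table.get(f.dport)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            if self.endpoint_independent or (remote_ip, remote_port) == (f.src, f.sport):
                return Flow(f.src, f.sport, lan_ip, lan_port)
        if self.forward_all_to is not None:
            # No translation state, but the device is told to hand everything to one host.
            return Flow(f.src, f.sport, self.forward_all_to, f.dport)
        return None   # no state, no forwarding rule: the packet has nowhere to go


def scenario(router: NatRouter) -> dict[str, Optional[Flow]]:
    """Drive one router through the three inbound cases the thread argues about."""
    out = router.outbound(Flow("192.168.1.10", 51000, "203.0.113.10", 80))
    reply = router.inbound(Flow("203.0.113.10", 80, WAN_IP, out.sport))      # the real answer
    spoof = router.inbound(Flow("203.0.113.99", 80, WAN_IP, out.sport))      # other host, same port
    probe = router.inbound(Flow("203.0.113.99", 4444, WAN_IP, 445))          # unsolicited SMB probe
    return {"reply": reply, "wrong_sender": spoof, "unsolicited": probe}


if __name__ == "__main__":
    for label, router in (("strict", NatRouter()),
                          ("full-cone", NatRouter(endpoint_independent=True)),
                          ("forward-all", NatRouter(forward_all_to="192.168.1.10"))):
        print(label, scenario(router))
```

With the strict table only the genuine reply reaches the LAN host. With endpoint-independent mapping any outside host can reach the mapped port while the mapping lives, which is the usual gap behind "NAT is not a firewall". With `forward_all_to` set, the unsolicited probe to port 445 is delivered straight to the LAN host, which is exactly what the two modems above were doing and why an appliance of your own behind the ISP's box is the recommended fix.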

"Stuart McGraw" wrote in news: snipped-for-privacy@corp.supernews.com:

I never said it was. It was just my experience with the situation.

I don't know what Linksys is using; why not ask Linksys/Cisco about it. All I know is that the Linksys router I was using at the time, a simple NAT router device with no firewalling software and using limited NAT, couldn't pass one of the ping tests, and the machines behind the NAT router with no firewalling software to speak of responded to one of the tests when they should not have done so. So I configured BlackIce on the machines so that they would not respond. If you want to put something else into what I said, that's on you.....

Until it's proven otherwise, I am going to go with it based on what I know and have been taught by others in this NG.

All that's saying is that I know that you're there. What else are you trying to make out of it?

It's acceptable to me because the cost is the cost no matter how one looks at it. The cost may be more in some cases and less in other cases. However one looks at it, it is a debit on the books.

I think that this is much ado about *nothing*. The fact remains that the NAT router or any device or software that provides remote administration has the possibility of being exploited if not protected properly; those are the facts. So what that they threw it in; it's not a big deal to me.

I suggest that you continue to search for the answers. WG is not the only vendor out there providing information about FW(s) and Google is not the only search engine. You can try Dogpile.com which is supposed to be for the more technical minded I hear. May I also suggest that you start searching for hacking tools or information too?

Good luck in your quest

Duane :)

Reply to
Duane Arnold

I never heard of any time accounting application that was WEB based that was used over the Internet. Companies generally have such Web based applications/solutions as a secured Intranet application, NOT an Internet application, which is behind the company's FW. So of course, company employees are going to have access through a browser to such an application as a company Intranet business solution. If the company had that set up any other way, that was a very questionable setup to say the least about it. And if some employee needed to access that Web based solution outside of the company's Intranet domain over the Internet, they would need or be given a VPN solution and allowed access to the WEB based company Intranet business solution.

Duane :)

Reply to
Duane Arnold

Weren't you talking about setting up simple NAT routers to block outbound traffic (i.e. Filtered Private Port range on Linksys) as well?

Reply to
CyberDroog

I disagree, but only because of semantics. Firewall or Firewalling is also a concept and a process.

Reply to
CyberDroog

At my last full-time admin job, I used to keep QuoteTracker running all day long. I was rarely actually trading though. Just keeping tabs on my alerts.

But that's okay, because I was the network admin. It's good to be the king.

I put an end to one guy doing that by stopping by his office unannounced and asking him if Kathy responded yet and told him what "r****ng" is.

I really hate the idea of getting people in trouble, unless I don't care for them personally. A simple whispered heads-up can often do the trick.

Reply to
CyberDroog

Why people fail to change the admin password on their routers is beyond me.

Reply to
CyberDroog

And they face legal problems if they don't address the issue with some standards. I've seen quite a few companies who actually put wording in their internet use policies to the effect that "a little" personal use is tolerable.

That will be a real pain for them if they ever end up in court. If someone is fired for personal use of the internet and they can show that the company knows other employees engage in personal use, the company is going to have a problem.

Reply to
CyberDroog

Threads drift... Besides, the necessity of prohibiting unrestricted access to the net is a security issue.

Reply to
CyberDroog

CyberDroog wrote in news: snipped-for-privacy@news.easynews.com:

That's because it's not in the manual when they set up/configured the device that it could be a possible exploit. That information has to be sought out and implemented.

Duane :)

Reply to
Duane Arnold

You seem to be a little trapped in all or nothing thinking about this. But if you like...

Your system is absolutely insecure. I can break into your house and literally take your whole PC. Why don't you get a *real* firewall? ;)

Reply to
CyberDroog

Basically you don't have a clue - if you followed what I wrote, the exploit doesn't come from OUTSIDE the router; it happens due to a user INSIDE the firewall running script code on HIS computer INSIDE the network (behind the router) that the User Chooses To Run, and then it hacks the router from inside the network. So, just like anything you download from the web, once you run it, it's local and has all your permissions - even to access the router if you've not changed the default password.

I can't believe you know so little about exploits Floyd, but I expect if you get out of Mayberry you will learn a little.

Reply to
Leythos

That's so much BS. Any company that requires local employees to access the public internet to file a time-sheet is doing it completely wrong. There is no reason that anyone in AT&T would have to leave the AT&T network to access company resources.

Even if they hosted the time-sheet system at MCI, they could easily set up a white-list for the server AT&T needs.

So, again, you've not shown any reason for it to be open.... Keep trying.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.