From: Lionel Bouton (Lionel.Bouton inet6.fr)
Date: Fri Jan 11 2002 - 11:38:09 CST

TWyrick paulo.com wrote:
>I was following a message thread on the "Slashdot" web-site on Wednesday
>(discussion about the Smoothwall PC firewall product based on Linux), and
>one reader made a comment that surprised me.
>
>He claimed that firewalls using NAT are inherently insecure, because someone
>with enough technical know-how can "trick" it into passing packets back and
>forth bi-directionally, thereby making it "transparent" and letting the
>hacker through to any system behind it.
>
>He then went on to reference a book called "Building Internet Firewalls,
>2nd. Edition", claiming all the info you needed to do this is contained in
>it.
>
>Can anyone confirm/deny the validity of this claim?
>If true, it seems like a software driver could be developed that acts as an
>extra network layer (rather like PPPoE software for Windows works now) which
>would do all of this complex packet modification - and allow any average
>user to tunnel right through NAT firewalls.
>
There are tricks that can occur *after* a connection is established. But
these involve IP theft, or flaws in the NAT implementation, not in the
very NAT concept.
Usually the flaws are in connection tracking (needed for FTP, RealAudio,
IRC DCC and the like), probably because it's the most complex code.
NAT is *not* the solution to all your problems (serious security should
not be based on firewalls only), but the concept is simple and *clean*.
I consider the best firewall filtering technology to be connection
tracking (stateful firewalls). The concept is simple too: the more the
firewall knows about current connections, the fewer unwanted packets it is
likely to miss and let pass.
NAT+connection tracking is a good combination for a wide range of
filtering needs.
LB.
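The behaviour Lionel describes, as an added toy model that is not part of the original post and not code from any real firewall: a NAT with a connection-tracking table only passes inbound packets that match a flow an inside host already opened, so an unsolicited packet is dropped; a packet forged to match an established flow's addresses and ports (the "IP theft" case) is passed, because this simplified tracker, unlike real implementations, checks no TCP sequence window; and an FTP PORT helper is where the complexity lives, since it must parse the payload, rewrite it and open exactly one expected inbound flow. All addresses, ports and packets are constructed sample data, and the class and method names are assumptions of this example.

```python
"""Toy NAT + connection-tracking simulator (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# flow key as seen on the wire: (proto, src ip, src port, dst ip, dst port)
FlowKey = Tuple[str, str, int, str, int]


def _key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


@dataclass
class NatFirewall:
    public_ip: str
    internal_prefix: str                    # toy "is this host inside?" test
    next_nat_port: int = 40000
    out_map: Dict[FlowKey, int] = field(default_factory=dict)                 # internal flow -> NAT port
    in_map: Dict[FlowKey, Tuple[str, int]] = field(default_factory=dict)      # reply flow -> (inside ip, port)
    expected: Dict[FlowKey, Tuple[str, int]] = field(default_factory=dict)    # pinholes opened by helpers

    def _alloc_port(self) -> int:
        port, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
        return port

    def outbound(self, p: Packet) -> Packet:
        """Inside -> Internet: record state, rewrite the source, run protocol helpers."""
        assert p.src.startswith(self.internal_prefix), "not an internal host"
        k = _key(p)
        if k not in self.out_map:
            nat_port = self._alloc_port()
            self.out_map[k] = nat_port
            # the reply will arrive from (dst, dport) addressed to (public_ip, nat_port)
            self.in_map[(p.proto, p.dst, p.dport, self.public_ip, nat_port)] = (p.src, p.sport)
        payload = self._ftp_helper(p)       # may rewrite the PORT command
        return Packet(p.proto, self.public_ip, self.out_map[k], p.dst, p.dport, payload)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> inside: pass only what matches tracked state; everything else is dropped."""
        k = _key(p)
        if k in self.expected:              # a helper-opened pinhole becomes a tracked flow on first use
            self.in_map[k] = self.expected.pop(k)
        if k not in self.in_map:
            return None                     # unsolicited: dropped
        iip, iport = self.in_map[k]
        return Packet(p.proto, p.src, p.sport, iip, iport, p.payload)

    def _ftp_helper(self, p: Packet) -> bytes:
        """Active-mode FTP: the client sends 'PORT a,b,c,d,p1,p2' and the server connects
        back from port 20 to that address. The helper rewrites the address to the public IP
        plus a fresh NAT port and expects exactly that one inbound connection."""
        if p.proto != "tcp" or p.dport != 21 or not p.payload.startswith(b"PORT "):
            return p.payload
        fields = p.payload[5:].strip().split(b",")
        if len(fields) != 6:
            return p.payload                # malformed: leave it alone, open nothing
        try:
            nums = [int(x) for x in fields]
        except ValueError:
            return p.payload
        # only open a pinhole to the host that actually sent the command
        if ".".join(map(str, nums[:4])) != p.src:
            return p.payload
        client_port = nums[4] * 256 + nums[5]
        data_port = self._alloc_port()
        self.expected[("tcp", p.dst, 20, self.public_ip, data_port)] = (p.src, client_port)
        pub = self.public_ip.replace(".", ",").encode()
        return b"PORT %s,%d,%d\r\n" % (pub, data_port // 256, data_port % 256)


def demo() -> dict:
    """Walk one web flow, one stray packet, one forged packet and one FTP data connection."""
    fw = NatFirewall(public_ip="203.0.113.1", internal_prefix="10.0.0.")
    client = "10.0.0.5"
    out = fw.outbound(Packet("tcp", client, 50000, "198.51.100.10", 80))
    reply = fw.inbound(Packet("tcp", "198.51.100.10", 80, out.src, out.sport, b"HTTP/1.0 200 OK"))
    stray = fw.inbound(Packet("tcp", "198.51.100.99", 80, out.src, out.sport))
    forged = fw.inbound(Packet("tcp", "198.51.100.10", 80, out.src, out.sport, b"injected"))
    ftp = fw.outbound(Packet("tcp", client, 50001, "198.51.100.20", 21, b"PORT 10,0,0,5,196,0\r\n"))
    data = fw.inbound(Packet("tcp", "198.51.100.20", 20, "203.0.113.1", 40002))
    return {"out": out, "reply": reply, "stray": stray, "forged": forged, "ftp": ftp, "data": data}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The forged packet passing is the point of the post: once a flow exists, the filter can only compare addresses and ports, so a sender who knows or spoofs them gets through; real connection trackers narrow this with TCP sequence-window checks, which the toy omits. The helper shows the other point: it parses untrusted payload and turns it into a pinhole, which is why that code needs the most care.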