I have an issue with customers who think themselves safe connecting to the internet using DSL and PAT techniques without any firewall.
ISPs keep telling their customers that a PAT device IS or acts as a firewall.
It seems a common issue that people think this way.
Is there a way to prove them wrong, or are they right after all? It seems quite difficult to direct packets to inside addresses without a prior mapping.
Direct connections from the outside to an inside host therefore seem difficult, because one could never tell where the packets would go when sent to the PAT device using unknown ports. Inspecting outgoing traffic first is not easy to do for everyone, or is it?
By the way, DSL is evolving and people migrate to it using the cheapest way, so they add this DSL/PAT device to their LAN, frequently opening up ports mapped to inside hosts. This has become quite common in the Netherlands now.
Does someone know about the real security flaws and the risks? Of course, if this point is proved then firewall sales could go up even more.
If you know of another person(s) I should talk to, please advise.
About mapping. Since there is no mapping from outside to inside, it's absolutely impossible to get in. This is true up until an internal user begins to surf. At this time, translations are made and all traffic can come in, in respect to the translation built. One vulnerability is that a web server voluntarily accessed by an internal user can easily try to hack the user's PC with known vulnerabilities; don't forget translation is done. With a stateful inspection device, like PIX, a web server cannot send anything.
To comment on your comments:
1- PAT isn't compatible...
Oh well... Due to the shortage of IP addresses we use PAT with PIX also.
Nothing to say
2- You cannot have Internet...
That's true. But in this case a PIX sells easily.
3- You have no security against Trojan
As you can see, no firewall means living dangerously
4- You cannot filter email
You tell me you can with PIX? Tell me how to use/activate these features on our PIXes.
PIX cannot do that alone. PIX can redirect traffic to a server which will do that. But PIX can filter Java & ActiveX; it's on/off filtering, not really intelligent. You can also redirect web traffic to a server, like Websense, for this too.
5- You cannot detect attack...
I am familiar with syslog (yuk). What is IDS and how can we use it?
IDS stands for Intrusion Detection System. Cisco has some products with full-featured IDS for network scanning or host scanning. PIX has a limited subset of IDS. See the "ip audit" command:
What do you mean exactly? SMTP protocol filtering the PIX does?
I'm talking about Microsoft's Instant Messaging, Yahoo Messaging, ICQ and so on. A good defense must block that.
By default, PIX lets all traffic pass through if initiated from inside, with NAT or PAT. It's not a secure configuration. You must apply some access-lists to the inside interface and all DMZ interfaces too to secure your network.
A small company can choose to have a NAT/PAT device instead of a PIX, and install a personal firewall on each host. This is a good configuration but has some maintenance issues.
Thanks for your info! About the inside-out protection, could you mention anything in particular? Do you use an all-but-a-few blockage, or do you only block particular services/ports? How would one protect against new/unknown harmful applications without having to alter the access-list each time?
Would you have some config to show us here to be used as "good security practice"?
When going over sample configs and manuals, one seldom sees this kind of protection.
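Added example (not posted by anyone in this thread): a PIX 6.x configuration fragment that puts the default-permissive PAT setup described above next to the "all but a few" inside access-list the last question asks for. Interface names, the addresses (203.0.113.0/29 outside, 192.168.1.0/24 inside) and the single internal host 192.168.1.10 acting as mail relay, DNS forwarder and syslog server are assumptions chosen for illustration.

```cisco
: --- Before: the default the reply above warns about ---
: PAT for the whole inside network and no access-list on the inside interface,
: so any inside host may open any outbound port (web, SMTP, messaging, IRC,
: a Trojan's call-home ...) and the PIX only blocks what the outside initiates.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

: --- After: same PAT, plus a deny-by-default policy applied to the inside ---
: Masks are real subnet masks (PIX 6.x syntax, not IOS wildcards).
: 192.168.1.10 is the assumed mail relay / DNS forwarder; workstations get web only.
access-list inside_out remark Workstations: HTTP and HTTPS only
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out remark Only the mail relay may speak SMTP to the Internet
access-list inside_out permit tcp host 192.168.1.10 any eq smtp
access-list inside_out remark Only the DNS forwarder may query outside resolvers
access-list inside_out permit udp host 192.168.1.10 any eq domain
access-list inside_out remark Anything else leaving the inside is dropped (syslog 106023)
access-list inside_out deny ip any any
access-group inside_out in interface inside

: Coarse content controls and the PIX's built-in signature set ("ip audit"),
: both mentioned above; neither is a full IDS, but they cost nothing extra.
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ip audit name outside_attack attack action alarm drop
ip audit interface outside outside_attack

: Ship the denies and audit alarms to the assumed inside syslog host.
logging on
logging trap informational
logging host inside 192.168.1.10
```

The explicit `deny ip any any` at the end is what answers the "new/unknown application" question: a protocol that was not permitted when the list was written is blocked without anyone editing the access-list, and the denied attempts show up in the syslog (line 106023) so a Trojan's first call-home is also the first detection. The price is that every legitimate new service has to be added deliberately, which is the maintenance cost the thread compares against per-host personal firewalls. Note that this only governs what the inside may start; the PAT/stateful part of the PIX still decides which returning packets belong to an existing connection.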