Cisco Support Community

swb
New Member

IP PAT security issues using no firewall

Hi,

I have an issue with customers who think themselves safe connecting to the internet using DSL and PAT techniques without any firewall.

ISPs keep telling their customers that a PAT device IS or acts as a firewall.

It seems a common issue that people think this way.

Is there a way to prove them wrong, or are they right after all? It seems quite difficult to direct packets to inside addresses without a prior mapping.

Direct connections from the outside to an inside host therefore seem difficult, because one could never tell where the packets would go when they are sent to the PAT device on unknown ports. Inspecting outgoing traffic first is not easy for everyone to do, or is it?

By the way, DSL is evolving and people migrate to it using the cheapest way, so they add this DSL/PAT device to their LAN, frequently opening up ports mapped to inside hosts. This has become quite common in the Netherlands now.

Does someone know about the real security flaws and the risks? Of course, if this point is proved then firewall sales could go up even more.

If you know of another person or persons I should talk to, please advise.

Kind regards,

Paul Kroeb

4 REPLIES
New Member

Re: IP PAT security issues using no firewall

Hi Paul,

You're right about mapping: if there isn't any map, it's impossible to come in. But the problem isn't there. It's elsewhere:

1- PAT isn't compatible with some applications, i.e. NetMeeting

2- You cannot have an Internet server (mail, DNS or Web) hosted at your customer site.

3- You have no security against Trojans coming from email to internal users

4- You cannot filter email

5- You cannot detect attacks, like the PIX's IDS feature

6- Your customer will be vulnerable to any messaging services and their flaws

7- And so on...

Benoit

swb
New Member

Re: IP PAT security issues using no firewall

First: if there IS a PAT (UDP) mapping, can we use that one to go in?

Is it true that no mapping means no vulnerability for SURE??

And:

1- PAT isn't compatible...

Oh well... Due to the shortage of IP addresses we use PAT with PIX also.

2- You cannot have Internet...

That's true. But in this case a PIX sells easily.

3- You have no security against Trojan

4- You cannot filter email

You tell me you can with PIX? Tell me how to use/activate these features on our PIXes.

5- You cannot detect attack...

I am familiar with syslog (yuk); what is IDS and how can we use it?

6- Your customer will be vulnerable to any

What do you mean exactly? SMTP protocol filtering the PIX does?

These are interesting issues.

Benoit, are you from cisco? ;)

New Member

Re: IP PAT security issues using no firewall

Hi Paul,

No, I'm not from Cisco.

About mapping: since there is no mapping from outside to inside, it's absolutely impossible to get in. This is true until an internal user begins to surf. At that time, translations are made and all traffic can come in, according to the translations built. One vulnerability is that a web server voluntarily accessed by an internal user can easily try to hack the user's PC with known vulnerabilities; don't forget the translation is done. With a stateful inspection device, like PIX, a web server cannot send anything.

To comment on your comments:

1- PAT isn't compatible...

Oh well... Due to the shortage of IP addresses we use PAT with PIX also.

Nothing to say

2- You cannot have Internet...

That's true. But in this case a PIX sells easily.

That's right

3- You have no security against Trojan

As you can see, no firewall means living dangerously

4- You cannot filter email

You tell me you can with PIX? Tell me how to use/activate these features on our PIXes.

PIX cannot do that alone. PIX can redirect traffic to a server that will do that. But PIX can filter Java & ActiveX; it's an on/off filtering, not really intelligent. You can also redirect Web traffic to a server, like Websense, for this too.

5- You cannot detect attack...

I am familiar with syslog (yuk); what is IDS and how can we use it?

IDS stands for Intrusion Detection System. Cisco has some products with full-featured IDS for network scanning or host scanning. PIX has a limited subset of IDS. See the "IP audit" command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/gl.htm#36470

6- Your customer will be vulnerable to any

What do you mean exactly? SMTP protocol filtering the PIX does?

I'm talking about Microsoft's Instant Messaging, Yahoo Messaging, ICQ and so on. A good defense must block that.

By default, PIX lets all traffic pass through if initiated from inside, with NAT or PAT. It's not a secure configuration. You must apply some access-lists to the inside interface and all DMZ interfaces too to secure your network.

A small company can choose to have a NAT/PAT device instead of PIX, and install a Personal Firewall on each host. This is a good configuration but has some maintenance issues.

Ben

swb
New Member

Re: IP PAT security issues using no firewall

Hi Ben,

Thanks for your info! About the inside-out protection, could you mention anything in particular? Do you use an all-but-a-few blockage, or do you only block particular services/ports? How would one protect against new/unknown harmful applications, without having to alter the access-list each time?

Would you have some config to show us here to be used as "good security practice"?

When going over sample configs and manuals one seldom sees this kind of protection.

Kind regards, Paul.
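A toy model of the two points raised in this thread, added here as an illustration and not taken from the thread or from any Cisco product: Ben's distinction between a plain translation table (once an inside host has opened a mapping, anything arriving on that outside port is forwarded) and stateful inspection (inbound traffic must belong to the session the inside host opened), and the default-deny egress allow-list on the inside interface that Paul asks about. Addresses, port numbers and the allow-list are constructed, and real PAT implementations differ in how strictly they match inbound packets, so the plain-PAT class shows the most permissive case.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"  # constructed outside address of the PAT device

@dataclass(frozen=True)
class Pkt:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags, e.g. "S" for a new SYN; empty for UDP

class PatRouter:
    """Plain PAT: an inside host's first outbound packet creates a translation;
    any inbound packet whose outside port has a translation is forwarded."""
    def __init__(self):
        self.by_ext = {}   # ext_port -> (proto, inside_ip, inside_port)
        self.by_int = {}   # (proto, inside_ip, inside_port) -> ext_port
        self.next_port = 10000
    def outbound(self, p):
        key = (p.proto, p.src, p.sport)
        if key not in self.by_int:
            self.by_int[key] = self.next_port
            self.by_ext[self.next_port] = key
            self.next_port += 1
        return True            # everything initiated from inside is allowed out
    def inbound(self, p):
        return p.dst == PUBLIC_IP and p.dport in self.by_ext

class StatefulFirewall(PatRouter):
    """Same PAT, plus a default-deny egress allow-list on the inside interface and a
    session check: inbound must match the remote endpoint and may not open new TCP."""
    EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}   # constructed policy
    def __init__(self):
        super().__init__()
        self.sessions = set()   # (proto, ext_port, remote_ip, remote_port)
    def outbound(self, p):
        if (p.proto, p.dport) not in self.EGRESS_ALLOW:
            return False        # e.g. a messenger client is blocked at the inside interface
        super().outbound(p)
        self.sessions.add((p.proto, self.by_int[(p.proto, p.src, p.sport)], p.dst, p.dport))
        return True
    def inbound(self, p):
        if not super().inbound(p):
            return False        # no translation: nothing gets in, same as plain PAT
        if (p.proto, p.dport, p.src, p.sport) not in self.sessions:
            return False        # translation exists, but not the peer the user talked to
        return not (p.proto == "tcp" and p.flags == "S")   # outside may not open connections
```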
