I have an issue with customers who think themselves safe connecting to the Internet using DSL and PAT techniques without any firewall.
ISPs keep telling their customers that a PAT device IS, or acts as, a firewall.
It seems a common issue that people think this way.
Is there a way to prove them wrong, or are they right after all? It seems quite difficult to direct packets to inside addresses without a prior mapping.
Direct connections from the outside to inside hosts therefore seem difficult, because one could never tell where the packets would go when sent to the PAT device using unknown ports. Inspecting outgoing traffic first is not easy to do for everyone, or is it?
By the way, DSL is evolving and people migrate to it the cheapest way, so they add this DSL/PAT device to their LAN, frequently opening up ports mapped to inside hosts. This has become quite common in the Netherlands now.
Does someone know about the real security flaws and the risks? Of course, if this point is proved, then firewall sales could go up even more.
If you know of another person(s) I should talk to, please advise.
OK, let's say you find the port on which the PAT device is expecting an answer from the peer. Will sending a packet to that port be of any use? I assume the PAT logic will check the remote peer address (the source address in the incoming packet). If it does not match, it will probably be denied. And then there is no way of connecting to a specific port, let's say 139 for instance, if the client did not initiate a packet from that service, or not?
What kind of attacks should be feared?
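The translation-table behaviour both posts reason about (a packet to a port with no mapping has nowhere to go; a port learned from an outbound flow may or may not be usable by a third party depending on whether the device checks the peer address), as an added example that is not part of the original thread. It models a hypothetical PAT device in Python with the four NAT behaviours classified in RFC 3489 (full cone, address restricted cone, port restricted cone, symmetric), plus a statically forwarded port of the kind the first post mentions. The addresses, port numbers, the 300-second idle timeout and the forwarded port 8080 are all constructed for the demonstration and do not describe any particular product.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Mapping:
    inside: Tuple[str, int]          # private address/port behind the PAT device
    peers: Set[Tuple[str, int]]      # remote (ip, port) pairs the inside host has sent to
    last_seen: float                 # for idle-timeout expiry


# NAT behaviours as classified in RFC 3489
POLICIES = ("full_cone", "address_restricted", "port_restricted", "symmetric")


class PatDevice:
    """Minimal model of a PAT translation table (hypothetical device, not a vendor's)."""

    def __init__(self, public_ip: str, policy: str = "port_restricted", timeout: float = 300.0):
        assert policy in POLICIES
        self.public_ip, self.policy, self.timeout = public_ip, policy, timeout
        self.table: Dict[Tuple[str, int], Mapping] = {}           # (proto, ext_port) -> Mapping
        self.by_inside: Dict[tuple, int] = {}                      # allocation key -> ext_port
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}  # statically "opened" ports
        self._next_port = 40000

    def add_forward(self, proto: str, ext_port: int, inside_ip: str, inside_port: int) -> None:
        self.forwards[(proto, ext_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        # a symmetric NAT allocates a separate external port per destination;
        # the cone variants reuse one external port for every destination
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if self.policy == "symmetric":
            key += (pkt.dst_ip, pkt.dst_port)
        ext_port = self.by_inside.setdefault(key, self._next_port)
        if ext_port == self._next_port:
            self._next_port += 1
        m = self.table.get((pkt.proto, ext_port))
        if m is None:
            m = Mapping(inside=(pkt.src_ip, pkt.src_port), peers=set(), last_seen=now)
            self.table[(pkt.proto, ext_port)] = m
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        m.last_seen = now
        return replace(pkt, src_ip=self.public_ip, src_port=ext_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Return the translated packet delivered inside, or None if the device drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        # a statically forwarded port is reachable from anywhere; no state is consulted
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return replace(pkt, dst_ip=fwd[0], dst_port=fwd[1])
        m = self.table.get((pkt.proto, pkt.dst_port))
        if m is None or now - m.last_seen > self.timeout:
            self.table.pop((pkt.proto, pkt.dst_port), None)   # no (live) mapping: nowhere to go
            return None
        # the peer check: note the device can only compare the source address it is
        # given, so a forged source that matches the peer passes exactly like the peer
        if self.policy == "address_restricted" and pkt.src_ip not in {ip for ip, _ in m.peers}:
            return None
        if self.policy in ("port_restricted", "symmetric") and (pkt.src_ip, pkt.src_port) not in m.peers:
            return None
        m.last_seen = now
        return replace(pkt, dst_ip=m.inside[0], dst_port=m.inside[1])


def run_scenario(policy: str) -> Dict[str, object]:
    """Replay one constructed exchange; each value is where the packet landed (None = dropped)."""
    nat = PatDevice("203.0.113.1", policy=policy)
    nat.add_forward("tcp", 8080, "192.168.1.20", 80)   # the customer "opened" a port for an inside server
    web = ("198.51.100.7", 80)                          # constructed remote peer
    pub = "203.0.113.1"
    ext = nat.outbound(Packet("192.168.1.10", 51000, *web), now=0.0).src_port

    def land(pkt: Packet, now: float):
        r = nat.inbound(pkt, now)
        return None if r is None else (r.dst_ip, r.dst_port)

    return {
        "external_port": ext,
        "peer_reply": land(Packet(*web, pub, ext), 1.0),
        "attacker_to_mapped_port": land(Packet("192.0.2.99", 4444, pub, ext), 2.0),
        "attacker_to_139": land(Packet("192.0.2.99", 4444, pub, 139), 2.0),
        "attacker_to_forwarded_8080": land(Packet("192.0.2.99", 4444, pub, 8080), 2.0),
        "attacker_spoofing_peer": land(Packet(*web, pub, ext), 2.0),
        "peer_after_timeout": land(Packet(*web, pub, ext), 400.0),
    }


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, run_scenario(policy))
```

Running it shows the answer to the follow-up question depends on the device: a full-cone PAT delivers the third party's packet to the inside host once it has found the external port, while the address-restricted, port-restricted and symmetric variants drop it. All four drop a packet to port 139 that nothing inside initiated, all four deliver a packet whose source is forged to look like the peer (the table holds nothing that could authenticate it, although for TCP the forger still has no sequence numbers to work with), and all four deliver anything at all to the statically forwarded port, which is the configuration the first post describes as common.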
All our customers have servers. These servers will always get mail on the internet periodically.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...