Cisco Support Community
Community Member

IP PAT security issues using no firewall


I have an issue with customers who think themselves safe connecting to the internet using DSL and PAT techniques without any firewall.

ISPs keep telling their customers that a PAT device IS or acts as a firewall.

It seems a common issue that people think this way.

Is there a way to prove them wrong, or are they right after all? It seems quite difficult to direct packets to inside addresses without a prior mapping.

Direct connections from the outside to inside hosts seem therefore difficult because one could never tell where the packets would go when sent to the PAT device using unknown ports. Inspecting outgoing traffic first is not easy to do for everyone, or is it?

By the way, DSL is evolving and people migrate to it using the cheapest way, so they add this DSL/PAT device to their LAN, frequently opening ports up mapped to inside hosts. This has become quite common in the Netherlands now.

Does someone know about the real security flaws and the risks? Of course if this point is proved then firewall sales could go up even more.

If you know of another person(s) I should talk to, please advise.

Kind regards,

Paul Kroeb

Cisco Employee

Re: IP PAT security issues using no firewall

With a port scanner you can easily find out an open port and then execute an attack on it.

However, if your customer only has clients behind the PAT device and no server, I don't see the need for a firewall.

Community Member

Re: IP PAT security issues using no firewall

OK, let's say you find the port on which the PAT device is expecting an answer from the peer. Will sending a packet to that port be of any use? I assume the PAT logic will check the remote peer address (the source address in the incoming packet). If it does not match, it will probably be denied. And then there is no way of connecting to a specific port, let's say 139 for instance, if the client did not initiate a packet from that service, or not?

What kind of attacks should be feared?

All our customers have servers. These servers will always get mail on the internet periodically.
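The mapping behaviour discussed in this thread, as an added example that is not part of any post and not any vendor's implementation: a toy PAT table in Python showing which inbound packets reach an inside host. All addresses and ports are constructed, and the `strict` flag models the assumption raised above that the device also checks the remote peer; with it off, the device filters on the public port only.

```python
from dataclasses import dataclass, field

@dataclass
class PatDevice:
    strict: bool = True      # True: inbound source must equal the recorded peer
    next_port: int = 40000   # next public port to hand out (constructed value)
    dynamic: dict = field(default_factory=dict)  # public port -> (inside, peer)
    static: dict = field(default_factory=dict)   # public port -> inside (port forward)

    def outbound(self, inside, peer):
        """An inside host opens a flow; allocate a public port and record the mapping."""
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (inside, peer)
        return port

    def forward(self, public_port, inside):
        """Administrator opens a port and maps it to an inside host."""
        self.static[public_port] = inside

    def inbound(self, source, public_port):
        """Return the inside (ip, port) that receives the packet, or None if dropped."""
        if public_port in self.static:
            return self.static[public_port]      # forwarded for any source, unfiltered
        entry = self.dynamic.get(public_port)
        if entry is None:
            return None                          # no mapping: nowhere to send it
        inside, peer = entry
        if self.strict and source != peer:
            return None                          # mapping exists, wrong remote peer
        return inside

def demo(strict):
    """Run the thread's scenarios against one device; all values are constructed."""
    pat = PatDevice(strict=strict)
    client, mail = ("10.0.0.5", 51000), ("10.0.0.10", 25)
    peer, stranger = ("198.51.100.7", 80), ("192.0.2.99", 4444)
    port = pat.outbound(client, peer)   # client browses to peer
    pat.forward(25, mail)               # port opened for the inside mail server
    return {
        "reply_from_peer": pat.inbound(peer, port),
        "stranger_to_mapped_port": pat.inbound(stranger, port),
        "stranger_to_139": pat.inbound(stranger, 139),
        "stranger_to_forwarded_25": pat.inbound(stranger, 25),
    }

if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "port-only", demo(mode))
```

In both modes the unmapped port 139 is dropped and the forwarded port 25 is delivered to the mail server from any source, so an opened port gets no protection from the PAT table itself.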

