[CLUE-Tech] How good is NAT security?
Mark Cuny
clue at stardyne.org
Fri Aug 10 13:34:13 MDT 2001
On Fri, 10 Aug 2001, David Anselmi wrote:
> When I got DSL, I was worried that having my computer on line whenever
> it was on made me extra vulnerable to Internet attacks.
>
> It seems though, that since my DSL modem is doing NAT, and I'm not
> forwarding any ports from outside to inside, that I should be pretty
> secure - even without a firewall.
>
> The only thing visible from the outside, seems to me, should be the
> modem itself (which I've set up a filter to block traffic from the wan0
> interface), and maybe some ports that I've gone out on and are in the
> NAT table.
>
> So I feel pretty good about not running a firewall (at least until I
> want to open up port forwarding to allow access to a server).
>
> Am I really naive, or is this pretty close? I don't dispute that an
> extra layer would be nice (especially since I'd like more visibility
> into what's coming and going).
>
> I also don't dispute that the modem could be hacked to open everything
> up. Has anyone heard of such an exploit?
>
> Dave
>
There are other exploits that you haven't thought of: The Linux kernel
and the programs used to open up ports (i.e. inetd or xinetd). These
programs are not free of bugs; therefore, they are potential security
risks that you are allowing anyone from the outside to have access to.
Using a firewall gives you an added level of protection (yes, I know
that iptables and ipchains have had security holes). It also gives
you the ability to log any attempts to crack your system.
- Mark
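
An added example, not part of either post: a toy model of the NAT table Dave describes, showing which inbound packets get through and keeping the kind of drop log Mark mentions. The class and function names are hypothetical, the addresses are constructed from documentation ranges, and whether a given modem filters by sender (strict) or only by mapped port is an assumption that varies by device.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy port-translating NAT (hypothetical model, not any real device).
    strict=True: a mapped port only accepts the remote endpoint it was opened to.
    strict=False: a mapped port accepts packets from any sender."""
    strict: bool = True
    next_port: int = 40000
    table: dict = field(default_factory=dict)    # wan_port -> (lan_ip, lan_port, remote)
    dropped: list = field(default_factory=list)  # log of refused inbound packets

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """An inside host opens a connection; the NAT allocates a WAN port for it."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return wan_port

    def inbound(self, src_ip, src_port, wan_port):
        """Return the inside (ip, port) the packet is forwarded to, or None if dropped."""
        entry = self.table.get(wan_port)
        if entry is None:
            self.dropped.append((src_ip, src_port, wan_port, "no mapping"))
            return None
        lan_ip, lan_port, remote = entry
        if self.strict and remote != (src_ip, src_port):
            self.dropped.append((src_ip, src_port, wan_port, "unexpected sender"))
            return None
        return (lan_ip, lan_port)

def demo(strict):
    """Constructed traffic: one outbound web request, then three inbound packets."""
    nat = Nat(strict=strict)
    port = nat.outbound("192.168.1.2", 51000, "198.51.100.5", 80)
    results = {
        "reply": nat.inbound("198.51.100.5", 80, port),          # answer to our request
        "unsolicited": nat.inbound("192.0.2.77", 4444, 22),      # probe of an unmapped port
        "third_party": nat.inbound("192.0.2.77", 4444, port),    # stranger hits a mapped port
    }
    return results, nat.dropped

if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose", demo(mode))
```

In the loose mode the third-party packet reaches the inside host, which is the "ports that I've gone out on" exposure from the original question; the `dropped` list stands in for the logging a firewall would add.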