A Broadband and ADSL forum. BroadbanterBanter


uk.comp.home-networking (UK home networking) (uk.comp.home-networking) Discussion of all aspects of computer networking in the home, regardless of the platforms, software, topologies and protocols used. Examples of topics include recommendations for hardware or suppliers (e.g. NICs and cabling), protocols, servers, and specific network software. Advertising is not allowed.

NAT Security



 
 
  #1  
Old June 9th 05, 09:27 AM posted to uk.comp.home-networking
Geoff Lane

I appreciate that NAT is not an actual firewall but is supposedly very
secure.

If you operate a server (or DMZ) behind a NAT router I assume someone
with a port scanner would get the address of your router and the open
machine. Would this not give them an opening into the local network.

Geoff Lane

  #2  
Old June 9th 05, 09:55 AM posted to uk.comp.home-networking
Dean Jarratt

Geoff Lane wrote:

> I appreciate that NAT is not an actual firewall but is supposedly very
> secure.
>
> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router and the open
> machine. Would this not give them an opening into the local network.


Doesn't necessarily have to be a DMZ. Port forwarding will work in most
cases.

'Hackers' may be able to access your local network through the server,
depending on how much security the server has, and depending on what ports
you 'open up'.

My advice is simply open the ports you want the outside world to have
access to, and make sure applications attached to those ports are secured.

It's sometimes a nice idea to open up an FTP port to a machine with an FTP
server hosting no files and see who logs onto your FTP server without
authorization.
  #3  
Old June 9th 05, 09:58 AM posted to uk.comp.home-networking
Phil Thompson

On Thu, 09 Jun 2005 09:27:33 +0100, Geoff Lane wrote:

> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router and the open
> machine. Would this not give them an opening into the local network.


It would give them access to the open ports. So if you have a web
server you port forward only port 80 and they can't use the other
ports to exploit holes in Windows.

If you have a DMZ the point is that anything on that part is open to
the outside so you don't put vulnerable stuff on a DMZ. Think of it as
having two locked rooms and you open the door to the DMZ but keep the
LAN room firmly locked.

Phil
--
spamcop.net address commissioned 18/06/04
Come on down !
  #4  
Old June 9th 05, 10:37 AM posted to uk.comp.home-networking
Adam Piggott


Geoff Lane wrote:

> I appreciate that NAT is not an actual firewall but is supposedly very
> secure.

Indeed. Unsolicited traffic, or that to a port which is not forwarded, is
rejected.

> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router

They have to have the address of the router to scan it. :-)

> and the open machine.

I'm not 100% sure if they can decode the packets sent by the router to get
the IP address of the internal machine. Either way, IMO knowing an address
of an internal machine is mostly trivial.

> Would this not give them an opening into the local network.


Yes, which is what you want, assuming you're running a server on the local
network.
As long as the listening program on the server is configured securely etc.
you should have no problem. You could also leave the server program off
when not needed, depending on what it's for.

Also the firewall on the NAT device can be used to only allow specific IP
addresses/ranges to connect to the port, again, if it fits the intended
users of the service.

HTH!

--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
  #5  
Old June 9th 05, 11:08 AM posted to uk.comp.home-networking
poster

On 09 Jun 2005 09:27, Geoff Lane wrote:

> I appreciate that NAT is not an actual firewall but is supposedly very
> secure.
>
> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router and the open
> machine. Would this not give them an opening into the local network.


Possibly, but you then have a firewall on the server handling whatever

In my case, when using a PC on my LAN for e-mail, it was set to accept only
from certain specific IP addresses (mail going to various domains on a few
hosting services would forward to a mail address where the domain had its
MX record pointing to my ADSL connection... someone sending direct will
be blocked by the firewall and only mail via those hosting services was
accepted). Clearly it depends what you are using the machine for - mail
is one of the worst examples as you'd normally want to make it accept any
incoming traffic, however for SSH / VNC you may want to allow access only
to a small number of remote IP addresses, so the fact a port is 'open' is
still not much good from other IP addresses... Peter M.
--

E-mail + files - 30 day free trial - http://web.vfm-deals.com/runbox/
Can be added as an MX record, so your domain mail gets stored safely,
with IMAP / POP / SMTP (not locked to port 25) facilities.

USENET news service ? http://tinyurl.com/3rjw4 (plans from under US$5)
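The filtering behaviour Phil, Adam and Peter M. describe above, as an added example that is not from the thread: a toy model of a NAT router that drops unsolicited inbound packets, passes replies to connections the LAN itself opened, and applies an optional source allow-list to each forwarded port. The hosts, ports and forward table are constructed for illustration, not taken from any poster's setup.

```python
# Added example (not from the thread): a minimal model of inbound handling on
# a home NAT router, for reasoning about what a remote port scan can reach.
# All addresses, ports and rules below are constructed for illustration.
from ipaddress import ip_address, ip_network

# Port-forward table: external port -> (internal host, allowed source networks).
# An empty allow-list means "anyone", i.e. a plain port forward.
FORWARDS = {
    80: ("192.168.1.10", []),                  # public web server
    22: ("192.168.1.10", ["203.0.113.0/24"]),  # SSH only from one remote range
}

# Connection tracking: (remote ip, remote port, external port) of flows the LAN
# opened itself; replies to these are the only unforwarded inbound traffic
# that is let through.
outbound_flows = set()


def record_outbound(remote_ip, remote_port, ext_port):
    """Note that a LAN host opened a connection, so its replies are expected."""
    outbound_flows.add((remote_ip, remote_port, ext_port))


def decide_inbound(src_ip, src_port, dst_port):
    """Return ('accept', target) or ('drop', reason) for one inbound packet."""
    # 1. Reply to a connection the LAN initiated: translated back as normal.
    if (src_ip, src_port, dst_port) in outbound_flows:
        return ("accept", "established")
    # 2. Nothing forwarded on this port: unsolicited traffic is dropped, so
    #    other services on the same server are not reachable from outside.
    if dst_port not in FORWARDS:
        return ("drop", "unsolicited, no forward")
    host, allowed = FORWARDS[dst_port]
    # 3. Forwarded but restricted to specific source ranges (the IP filter
    #    Adam and Peter M. mention): anyone else is dropped.
    if allowed and not any(ip_address(src_ip) in ip_network(n) for n in allowed):
        return ("drop", "source not in allow-list")
    return ("accept", host)


def ports_visible_to(src_ip, ports):
    """Defender's view: which of `ports` a scanner at src_ip would find open."""
    return [p for p in ports if decide_inbound(src_ip, 50000, p)[0] == "accept"]


if __name__ == "__main__":
    print(ports_visible_to("198.51.100.7", [22, 80, 445, 3389]))  # [80]
    print(ports_visible_to("203.0.113.5", [22, 80, 445, 3389]))   # [22, 80]
```

Only the forwarded port is exposed to an arbitrary scanner, and a source-restricted forward is invisible to addresses outside its allow-list; the rest of the server's ports stay closed from outside regardless of what is listening on the LAN.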
  #6  
Old June 9th 05, 02:23 PM posted to uk.comp.home-networking
Paul D.Smith

"Geoff Lane" wrote in message ...

> I appreciate that NAT is not an actual firewall but is supposedly very
> secure.
>
> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router and the open
> machine. Would this not give them an opening into the local network.
>
> Geoff Lane


Any server with an open port is potentially vulnerable and could compromise
your network. If you want to be very safe/paranoid, you can do the
following...

Modem --- NAT/firewall #1 --- Server
|
+--------- firewall #2 -------- Your LAN

Now you explicitly connect to your server as if it's as untrusted as the
rest of the Internet. Assuming you have the firewalls all on, you've
created a DMZ where your server is (a little bit) vulnerable but your own
LAN should be less so.

Paul DS.


  #7  
Old June 9th 05, 06:09 PM posted to uk.comp.home-networking
Geoff Lane

On Thu, 9 Jun 2005 08:55:09 +0000 (UTC), Dean Jarratt wrote:

>> I appreciate that NAT is not an actual firewall but is supposedly very
>> secure.
>>
>> If you operate a server (or DMZ) behind a NAT router I assume someone
>> with a port scanner would get the address of your router and the open
>> machine. Would this not give them an opening into the local network.
>
> It's sometimes a nice idea to open up an FTP port to a machine with an FTP
> server hosting no files and see who logs onto your FTP server without
> authorization.


That's quite a good idea, I'll give that a try when I set up my
network properly, at the moment only one of two laptops connect as and
when required but I intend to connect an older desktop machine as a
file server.

Geoff Lane


  #8  
Old June 9th 05, 06:16 PM posted to uk.comp.home-networking
Geoff Lane

On Thu, 09 Jun 2005 09:58:45 +0100, Phil Thompson wrote:

>> If you operate a server (or DMZ) behind a NAT router I assume someone
>> with a port scanner would get the address of your router and the open
>> machine. Would this not give them an opening into the local network.
>
> It would give them access to the open ports. So if you have a web
> server you port forward only port 80 and they can't use the other
> ports to exploit holes in Windows.


I'm not paranoid (I hope) but if I understand potential openings I can
be sensible regarding securing files and safeguarding against viruses
etc.

> If you have a DMZ the point is that anything on that part is open to
> the outside so you don't put vulnerable stuff on a DMZ. Think of it as
> having two locked rooms and you open the door to the DMZ but keep the
> LAN room firmly locked.


I think I understand, for the secure part of the network I suppose I
could set up the IP filter to only allow connection from the local
network.

Geoff Lane

  #9  
Old June 9th 05, 06:22 PM posted to uk.comp.home-networking
Geoff Lane

On Thu, 09 Jun 2005 10:37:11 +0100, Adam Piggott wrote:

>> If you operate a server (or DMZ) behind a NAT router I assume someone
>> with a port scanner would get the address of your router
>
> They have to have the address of the router to scan it. :-)


I think I typed it the wrong way round :-)) but are there not
programs used by the 'crackers' that port scan masses of IP addresses.

> I'm not 100% sure if they can decode the packets sent by the router to get
> the IP address of the internal machine. Either way, IMO knowing an address
> of an internal machine is mostly trivial.


It's just when you read that some US Government computer has been
hacked it would appear nothing is really secure.

> Also the firewall on the NAT device can be used to only allow specific IP
> addresses/ranges to connect to the port, again, if it fits the intended
> users of the service.


At the moment I have no specific IP rules set up on my Draytek 2600;
the router and my software FW ZoneAlarm seem to keep me quite secure.

Geoff Lane

  #10  
Old June 9th 05, 06:29 PM posted to uk.comp.home-networking
Geoff Lane

On Thu, 9 Jun 2005 14:23:25 +0100, "Paul D.Smith" wrote:

> Any server with an open port is potentially vulnerable and could compromise
> your network. If you want to be very safe/paranoid, you can do the
> following...
>
> Modem --- NAT/firewall #1 --- Server
> |
> +--------- firewall #2 -------- Your LAN
>
> Now you explicitly connect to your server as if it's as untrusted as the
> rest of the Internet. Assuming you have the firewalls all on, you've
> created a DMZ where your server is (a little bit) vulnerable but your own
> LAN should be less so.


I'm not sure if I follow this one, your route to server via FW#1
appears to go through the NAT but FW#2 direct to the modem

The FWs you refer to, are they software FWs or hardware.

Geoff Lane

 



