[TriLUG] OT: Router vs Firewall, Was: OT: strange happenings - self booting server?

Ryan Leathers ryan.leathers at globalknowledge.com
Fri Apr 14 12:13:58 EDT 2006


Brian,

NAT does not give you stateful inspection.  Imagine the example of shell
shoveling.  Through some exploit, an outbound connection is made from
your network, through the NAT, to some destination.  Said exploit
permits a shell to be tossed at the destination so the remote attacker
now has an interactive connection right through your NAT.  (People
sometimes use netcat to do this, thwarting the office security policy.)
Obviously, preventing the exploit in the first place is desirable, but
if you are using a stateful firewall there is an excellent chance you'll
be protected from this kind of exploit.

Ryan

On Fri, 2006-04-14 at 10:48 -0400, Brian Henning wrote:
> Okay, since there's still a lot I have to learn, I'll ask the question:
> 
> What do you gain from having a firewall behind a NAT router with no port 
> forwards?  Speaking only in terms of inbound protection, of course. 
> Obviously a firewall can filter traffic in both directions.  Can one not 
> depend on a forwardless NAT router to simply drop all incoming 
> connection attempts?  Are there packets, or methods of connecting, that 
> can somehow sneak through such a NAT setup and reach machines on the inside?
> 
> In all the networks I administer, firewall + router is the standard 
> operating procedure, so I'm just interested in more of the reasons why 
> it's a good idea (that is, I don't need any convincing to start doing it).
> 
> As always, both lengthy explanations and links to reading material are 
> appreciated equally. :-)
> 
> Cheers,
> ~B
> 
> P.S. A linux box with iptables configured on the "reject everything but 
> _____" principle counts as "good," right? :-)
> 
> 
> 
> Cristobal Palmer wrote:
> > So the backstory is that we (Brian + Cerient) ate lunch, and I told
> > Brian about this... *ahem* ...friend of mine who insisted to me that a
> > router is always a firewall. When I say insisted, I mean he followed
> > me after I'd gotten up and left the room. I mean he emailed me the
> > next morning to follow up on his insistence.
> > 
> > I... uhh... have some weird friends. Seriously though, get a good
> > firewall everybody. The internets are dangerous.
> > 
> > Vice-chair-ily yours,
> > CMP
> > 
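The distinction Ryan draws above (a forwardless NAT drops unsolicited inbound packets, yet happily tracks and forwards any outbound connection an exploited host opens, which is exactly what a shovelled shell relies on) is easy to see in a small model. The following is an added illustration, not code from the thread or from any of its participants: a toy connection tracker shared by two policies, a NAT-only policy and a stateful firewall with an egress allowlist. The addresses, the port allowlist (53, 80, 443) and the five-packet trace are all constructed for the example.

```python
"""Toy model: NAT-only router vs. stateful firewall with egress policy.

Added example with constructed data.  Both policies use the same connection
tracker; they differ only in how they treat an outbound packet that opens a
NEW connection.  Real conntrack (netfilter) also tracks protocol, TCP flags
and timeouts; this model keeps just enough to show the point in the thread.
"""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."            # constructed RFC 1918 LAN prefix
# Constructed egress allowlist: destination ports inside hosts may connect to.
EGRESS_ALLOWED_PORTS = {53, 80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


class ConnTracker:
    """Remembers the 4-tuples of connections the inside has opened."""

    def __init__(self) -> None:
        self.table = set()

    def state(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.table or rev in self.table else "NEW"

    def record(self, p: Packet) -> None:
        self.table.add((p.src, p.sport, p.dst, p.dport))


def nat_only(tracker: ConnTracker, p: Packet) -> str:
    """NAT router with no port forwards.

    Any outbound NEW connection gets a translation entry and is forwarded;
    inbound packets are accepted only when they match a tracked connection.
    """
    if tracker.state(p) == "ESTABLISHED":
        return "ACCEPT"
    if _is_inside(p.src) and not _is_inside(p.dst):
        tracker.record(p)                 # NAT creates the mapping, no questions asked
        return "ACCEPT"
    return "DROP"                         # unsolicited inbound: no mapping exists


def stateful_firewall(tracker: ConnTracker, p: Packet) -> str:
    """Same connection tracking, plus a policy on outbound NEW connections."""
    if tracker.state(p) == "ESTABLISHED":
        return "ACCEPT"
    if _is_inside(p.src) and not _is_inside(p.dst):
        if p.dport in EGRESS_ALLOWED_PORTS:
            tracker.record(p)
            return "ACCEPT"
        return "DROP"                     # inside host opening an unexpected connection
    return "DROP"


# Constructed trace (not captured traffic):
TRACE = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 443),    # 1: user browses to a web site
    Packet("203.0.113.5", 443, "192.168.1.10", 50000),    # 2: the web site's reply
    Packet("198.51.100.7", 40000, "192.168.1.10", 22),    # 3: unsolicited inbound to SSH
    Packet("192.168.1.20", 50001, "198.51.100.7", 4444),  # 4: exploited host shovels a shell out
    Packet("198.51.100.7", 4444, "192.168.1.20", 50001),  # 5: remote end talks back on that shell
]


def run_trace(policy) -> list:
    """Run the constructed trace through one policy with a fresh tracker."""
    tracker = ConnTracker()
    return [policy(tracker, p) for p in TRACE]


if __name__ == "__main__":
    for name, policy in (("NAT only", nat_only), ("stateful firewall", stateful_firewall)):
        print(f"{name:18}", run_trace(policy))
```

Both policies drop packet 3, which answers the narrow question about inbound protection: a forwardless NAT does reject unsolicited connection attempts. They part ways at packets 4 and 5. The NAT-only router records the outbound connection and then passes the remote end's traffic straight back in as ESTABLISHED; the firewall's egress policy never lets the connection start. The caveat a practitioner should keep in mind is that this protection is only as good as the egress policy: an outbound shell aimed at port 443 would pass the allowlist above, which is why egress rules are usually narrowed further (for example to a proxy or resolver the site actually runs) and why outbound connection logs from unexpected hosts are worth watching.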
