DSL connection - How secure is NAT?

 
 
Scooter
      03-05-2005
I have a 1721 with a second Ethernet NIC. The WIN-ENET1 card is
connected to the DSL modem and doing PPPoE. The IOS that is on it is:
c1700-k9o3sy7-mz.122-11.T10.bin. It's been a while since we have used
the router, so I don't remember what's included in the feature set.

I'm using NAT to get out through the dynamically assigned address.

How secure is this setup? If I have 3 PCs behind the NATed external
Address can someone connect to that outside address and get access to
the internal Machines?

What should I do to prevent this?

Thanks,
Scott<-

 
 
 
 
 
Peter
      03-05-2005
Hi Scooter,

> I'm using NAT to get out through the dynamically assigned address.
>
> How secure is this setup?


That begs the question, how much "security" do you want? I will
assume a standard home user level of security requirements, no
business needs.

The "default" configuration for using NAT on Cisco devices only allows
INBOUND traffic to pass that has been REQUESTED by something from the
"inside". No unsolicited traffic can pass inbound through the default
Cisco NAT, so all devices behind the Cisco device doing the NAT are
fairly "safe" from unsolicited traffic.

However remember that the device doing NAT still has a public side
that may need further "protection"; it's up to the operator of that
device to determine what else they may need to do.

> If I have 3 PCs behind the NATed external
> Address can someone connect to that outside address and get access to
> the internal Machines?


Not unless you specifically allow something through the NAT device.

> What should I do to prevent this?


As far as NAT goes, whatever is behind a basic NAT setup should be
reasonably safe, PROVIDED you do not have anything configured to allow
something through.

Cheers..............pk.
 
 
 
 
 
Scooby
      03-05-2005
"Peter" wrote:
> Hi Scooter,
>
> > I'm using NAT to get out through the dynamically assigned address.
> >
> > How secure is this setup?
>
> That begs the question, how much "security" do you want? I will
> assume a standard home user level of security requirements, no
> business needs.
>
> The "default" configuration for using NAT on Cisco devices only allows
> INBOUND traffic to pass that has been REQUESTED by something from the
> "inside". No unsolicited traffic can pass inbound through the default
> Cisco NAT, so all devices behind the Cisco device doing the NAT are
> fairly "safe" from unsolicited traffic.
>
> However remember that the device doing NAT still has a public side
> that may need further "protection"; it's up to the operator of that
> device to determine what else they may need to do.
>


Actually, the default as you described is for PAT. However, if the user has
a pool of addresses that are assigned and the address will use all ports,
then the devices are left wide open.

> > If I have 3 PCs behind the NATed external
> > Address can someone connect to that outside address and get access to
> > the internal Machines?

>
> Not unless you specifically allow something through the NAT device.
>


Yes... NAT simply is an address translation. Once the translation is
set up, all traffic will pass.

> > What should I do to prevent this?

>
> As far as NAT goes, whatever is behind a basic NAT setup should be
> reasonably safe, PROVIDED you do not have anything configured to allow
> something through.
>
> Cheers..............pk.


I would at a minimum add an access list and use the keyword 'established'.
However, that has its own problems. If you have the license, use CBAC.

Hope that helps,

Jim
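
One way to write the two options Jim names (an access list with `established`, or CBAC) on a PPPoE/PAT setup like the one in the first post. This is an added example, not configuration posted by anyone in the thread; the interface names (`Dialer1`, `FastEthernet0`), the inside network 192.168.1.0/24, the ACL numbers and the inspection name `OUTBOUND` are assumptions.

```cisco
! Assumed: Dialer1 = PPPoE outside interface, FastEthernet0 = inside LAN,
! 192.168.1.0/24 = inside network.
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
! PAT (overload): all inside hosts share the dialer's dynamic address.
! Inbound packets are translated only when they match an existing
! port-level translation entry.
ip nat inside source list 1 interface Dialer1 overload
!
! Option A (minimum): stateless ACL using 'established'.
! 'established' matches TCP segments with ACK or RST set. It keeps no
! session state and does not apply to UDP or ICMP, so UDP replies such
! as DNS need their own permit line, which is broader than the replies
! actually expected.
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 deny   ip any any log
!
! Option B (firewall feature set): CBAC.
! Sessions opened from the inside are inspected on the way out, and only
! their return traffic is admitted through temporary openings in the
! inbound ACL. Everything else hits the deny and is logged.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
access-list 102 deny   ip any any log
!
interface FastEthernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
 ! Option B applied here. For Option A, apply 101 instead and omit
 ! the 'ip inspect' line.
 ip access-group 102 in
 ip inspect OUTBOUND out
```

After applying, `show ip nat translations`, `show ip inspect sessions` and `show access-lists` show the translation entries, the inspected sessions and the deny hit counts.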


 
 
mega
      03-05-2005
Scooby wrote:

> I would at a minimum add an access list and use the keyword
> 'established'.
> However, that has its own problems. If you have the license, use CBAC.


Yes. Without that, anybody knowing the local inside address of a NATted host
can at least ping it, at worst don't know. Surely you can discover what's
behind a NAT if admin isn't protecting it with access list or other.
 
 
Walter Roberson
      03-05-2005
Scooter wrote:
:I'm using NAT to get out through the dynamically assigned address.

:How secure is this setup?

Not very. See a discussion of the issue I wrote up a while ago,
http://groups.google.ca/groups?selm=...c.umanitoba.ca

If you want some real harsh (but theoretically correct) criticism of
NAT, then look for postings by Melinda Shore.
--
Are we *there* yet??
 
 
Scooter
      03-13-2005
So I just picked up a PIX 501 10 User on eBay for $307. I'm guessing
that should pretty much eliminate my security issues. (-; Of course
I'll need to configure it right! (-;

Has the same IOS as my PIX 515 at the office, so it should be okay.

Thank you all for the replies!

 