DSL connection - How secure is NAT?

Discussion in 'Cisco' started by Scooter, Mar 5, 2005.

  1. Scooter

    Scooter Guest

    I have a 1721 with a second Ethernet NIC. The WIN-ENET1 card is
    connected to the DSL modem and doing PPPoE. The IOS that is on it is:
    c1700-k9o3sy7-mz.122-11.T10.bin. It's been a while since we have used
    the router, so I don't remember what's included in the feature set.

    I'm using NAT to get out through the dynamically assigned address.

    How secure is this setup? If I have 3 PCs behind the NATed external
    Address can someone connect to that outside address and get access to
    the internal Machines?

    What should I do to prevent this?

    Thanks,
    Scott<-
    Scooter, Mar 5, 2005
    #1

  2. Peter

    Peter Guest

    Hi Scooter,

    > I'm using NAT to get out through the dynamically assigned address.
    >
    > How secure is this setup?


    That begs the question, how much "security" do you want? I will
    assume a standard home user level of security requirements, no
    business needs.

    The "default" configuration for using NAT on Cisco devices only allows
    INBOUND traffic to pass that has been REQUESTED by something from the
    "inside". No unsolicited traffic can pass inbound through the default
    Cisco NAT, so all devices behind the Cisco device doing the NAT are
    fairly "safe" from unsolicited traffic.

    However remember that the device doing NAT still has a public side
    that may need further "protection"; it's up to the operator of that
    device to determine what else they may need to do.

    > If I have 3 PCs behind the NATed external
    > Address can someone connect to that outside address and get access to
    > the internal Machines?


    Not unless you specifically allow something through the NAT device.

    > What should I do to prevent this?


    As far as NAT goes, whatever is behind a basic NAT setup should be
    reasonably safe, PROVIDED you do not have anything configured to allow
    something through.

    Cheers..............pk.
    Peter, Mar 5, 2005
    #2

  3. Scooby

    Scooby Guest

    "Peter" <> wrote in message
    news:42294493$...
    > Hi Scooter,
    >
    > > I'm using NAT to get out through the dynamically assigned address.
    > >
    > > How secure is this setup?

    >
    > That begs the question, how much "security" do you want? I will
    > assume a standard home user level of security requirements, no
    > business needs.
    >
    > The "default" configuration for using NAT on Cisco devices only allows
    > INBOUND traffic to pass that has been REQUESTED by something from the
    > "inside". No unsolicited traffic can pass inbound through the default
    > Cisco NAT, so all devices behind the Cisco device doing the NAT are
    > fairly "safe" from unsolicited traffic.
    >
    > However remember that the device doing NAT still has a public side
    > that may need further "protection"; it's up to the operator of that
    > device to determine what else they may need to do.
    >


    Actually, the default as you described is for PAT. However, if the user has
    a pool of addresses that are assigned and the address will use all ports,
    then the devices are left wide open.

    > > If I have 3 PCs behind the NATed external
    > > Address can someone connect to that outside address and get access to
    > > the internal Machines?

    >
    > Not unless you specifically allow something through the NAT device.
    >


    Yes... NAT simply is an address translation. Once the translation is
    set up, all traffic will pass.

    > > What should I do to prevent this?

    >
    > As far as NAT goes, whatever is behind a basic NAT setup should be
    > reasonably safe, PROVIDED you do not have anything configured to allow
    > something through.
    >
    > Cheers..............pk.


    I would at a minimum add an access list and use the keyword 'established'.
    However, that has its own problems. If you have the license, use CBAC.

    Hope that helps,

    Jim
    Scooby, Mar 5, 2005
    #3
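
The distinction drawn in posts #2 and #3, as an added example that is not part of the thread: a simplified Python model (not IOS's actual lookup logic) of how overload PAT, an address-only pool translation, an `established` ACL and a stateful inspector such as CBAC each treat inbound packets. All addresses, ports and table contents are constructed.

```python
from collections import namedtuple

# proto, (src ip, port), (dst ip, port), set of TCP flags
Pkt = namedtuple("Pkt", "proto src dst flags")

PUBLIC = "198.51.100.10"             # constructed outside address
INSIDE_PC = ("192.168.1.10", 3345)   # constructed inside host and source port
WEB = ("203.0.113.80", 80)           # server the inside PC connected to
STRANGER = ("192.0.2.66", 40000)     # host nobody inside has contacted

# State left behind by one outbound TCP connection INSIDE_PC -> WEB.
# Assumption of this model: the PAT entry is keyed on the remote endpoint too.
pat_table = {("tcp", (PUBLIC, 1024), WEB): INSIDE_PC}   # port-level entry
pool_table = {PUBLIC: INSIDE_PC[0]}                     # address-only entry
sessions = {("tcp", WEB, (PUBLIC, 1024))}               # stateful session list

def pat_inbound(p):
    """PAT: forward only if a port-level entry matches, else drop (None)."""
    return pat_table.get((p.proto, p.dst, p.src))

def pool_inbound(p):
    """One-to-one translation: every port on a mapped address is forwarded."""
    inside_ip = pool_table.get(p.dst[0])
    return (inside_ip, p.dst[1]) if inside_ip else None

def acl_established(p):
    """'established' keeps no state: TCP only, passes if ACK or RST is set."""
    return p.proto == "tcp" and bool({"ACK", "RST"} & p.flags)

def stateful(p):
    """Stateful inspection: pass only replies to sessions opened from inside."""
    return (p.proto, p.src, p.dst) in sessions

reply = Pkt("tcp", WEB, (PUBLIC, 1024), frozenset({"ACK"}))
syn = Pkt("tcp", STRANGER, (PUBLIC, 445), frozenset({"SYN"}))
bare_ack = Pkt("tcp", STRANGER, (PUBLIC, 445), frozenset({"ACK"}))

def verdicts(p):
    """True means the mechanism lets the inbound packet through."""
    return {"pat": pat_inbound(p) is not None,
            "pool": pool_inbound(p) is not None,
            "established": acl_established(p),
            "stateful": stateful(p)}

if __name__ == "__main__":
    for name, p in [("reply", reply), ("syn", syn), ("bare_ack", bare_ack)]:
        print(f"{name:9}", verdicts(p))
```

In this model the address-only translation forwards all three packets, and the `established` check passes the unsolicited packet with ACK set because it looks at flag bits rather than at who opened the connection; only the port-level PAT entry and the stateful session list drop both unsolicited packets.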
  4. mega

    mega Guest

    Scooby wrote:

    > I would at a minimum add an access list and use the keyword
    > 'established'.
    > However, that has its own problems. If you have the license, use CBAC.


    Yes. Without that, anybody knowing the local inside address of a NATted host
    can at least ping it; at worst, don't know. Surely you can discover what's
    behind a NAT if the admin isn't protecting it with an access list or other.
    mega, Mar 5, 2005
    #4
  5. In article <>,
    Scooter <> wrote:
    :I'm using NAT to get out through the dynamically assigned address.

    :How secure is this setup?

    Not very. See a discussion of the issue I wrote up a while ago,
    http://groups.google.ca/groups?selm=bqigs8$pbq$

    If you want some real harsh (but theoretically correct) criticism of
    NAT, then look for postings by Melinda Shore.
    --
    Are we *there* yet??
    Walter Roberson, Mar 5, 2005
    #5
  6. Scooter

    Scooter Guest

    So I just picked up a PIX 501 10 User on eBay for $307. I'm guessing
    that should pretty much eliminate my security issues. (-; Of course
    I'll need to configure it right! (-;

    Has the same IOS as my PIX 515 at the office, so it should be okay.

    Thank you all for the replies!
    Scooter, Mar 13, 2005
    #6