Firewall-1

Re: [FW-1] IS hiding behind NAT always necessary

Subject: Re: [FW-1] IS hiding behind NAT always necessary
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 26 Apr 2005 20:24:23 -0400
It sounds like you're using public IPs internally. That reveals a lot of
information as to your internal network naming scheme and available subnets,
etc. It may also expose your internal DNS servers, revealing more information.
A misconfiguration on the firewall could potentially expose the internal
hosts directly.

Is the proxy server just hiding their web browsing connections, or is it
hiding ICMP, FTP, telnet, etc. as well?

What add-on services are you talking about that require new connections
inbound (an example, please)? It's far more common to use a private IP range
internally.

NATing a whole subnet does nothing more than tell the world what the
external IP is for your firewall, which could be figured out in about ten
minutes anyway.

If your firewall external interface is on a different subnet than your
internal hosts, you would be far more secure to hide NAT on the firewall and
then add ACLs on the router between your firewall and your ISP to drop the
routes for your internal subnets. That's what I do. Even if a firewall
misconfiguration (or failure) exposes the internal hosts, the ACLs on the
router keep malicious traffic from getting to them. This technique also
drops your log size a lot. I went from 1.5 million to 2.0 million lines of
logs a day to about 350,000 a day now because the router drops all of that
scanning traffic before it ever hits the firewall.

FWIW,

Ray
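
A check for the router-ACL half of the design described in this reply, added here as an example (it is not from the post, nor Check Point's or any vendor's code): it parses a constructed IOS-style inbound ACL and reports any internal prefix that a permit entry could reach before a deny covering the whole prefix. The ACL text, the internal prefixes and the firewall hide address are all made-up documentation addresses; one internal prefix is deliberately left uncovered so the check has something to find.

```python
import ipaddress

# Constructed IOS-style ACL for the ISP-facing interface, inbound; first match wins.
ROUTER_ACL = """\
deny ip any 203.0.113.0 0.0.0.255
permit ip any host 198.51.100.2
permit tcp any 192.0.2.0 0.0.0.255 eq 443
deny ip any any
"""
# Constructed internal (public-IP) prefixes; the second one is deliberately not denied.
INTERNAL_SUBNETS = ["203.0.113.0/24", "192.0.2.0/24"]


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> ip_network; invert explicitly so 0.0.0.0 means /32, not /0."""
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_endpoint(tokens):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return [(action, protocol, dst_network), ...] in ACL order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        _, rest = parse_endpoint(tokens[2:])     # source field: only its width matters here
        dst, _ = parse_endpoint(rest)            # port options after the destination are ignored
        entries.append((tokens[0], tokens[1], dst))
    return entries


def unprotected_subnets(acl_text, internal):
    """Internal prefixes a permit entry can reach before a deny that covers the whole prefix."""
    gaps = []
    for net in map(ipaddress.ip_network, internal):
        for action, proto, dst in parse_acl(acl_text):
            if not dst.overlaps(net):
                continue
            if action == "deny" and net.subnet_of(dst):
                break                            # denied in full before any permit: protected
            gaps.append((str(net), f"{action} {proto} {dst}"))
            break
    return gaps
```

Any prefix the function returns is one the router would still forward to the firewall, so a firewall misconfiguration or failure there would expose the hosts directly.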

From: Ian Harris <harrisi AT TOOWOOMBA.QLD.GOV DOT AU>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] IS hiding behind NAT always necessary
Date: Tue, 26 Apr 2005 10:01:53 +1000

At our org., most of our users' IPs are not hiding behind a NAT, but will use
the proxy server's address. Nowadays though, there seem to be more add-on
services that require ports that open separate TCP connections back to the
originating host.

This then requires the originating host to be NAT'ed for the service to
work.
My question is whether NAT'ing a whole subnet is a done thing nowadays, and
does it increase the security risk?

Does anyone have any thoughts on this?

cheers

Ian

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
