Quote:
Originally posted by ratbastid
That's not entirely true. There IS no route to internal machines from outside, except for explicitly forwarded ports. NAT allows internal machines to connect out transparently by proxy, but there's no way for Code Red or anything else to make its way to a machine on the internal network.
The reason you'd want to do it with a little router rather than a whole machine running a firewall is because there's nothing to hack in a little router. If I can crack a firewall box, I'm in the internal network. I can't crack a little home router because there's not really any OS there to crack. I mean, there's an embedded OS there, but I couldn't pull a shell on it. What answers on the IP that my cable service assigns is a router that doesn't respond on any port (except for a couple I've explicitly forwarded).
None of my internal machines have firewalls of any kind, and I've never been touched by Code Red, Messenger pop-ups, or anything else like that.
You don't need to get a shell to bypass a firewall. Assuming there are no bugs in their network stack, and no forwarded ports, though, it'll be very difficult to break through. It's a bad assumption to make that no non-routable packets will hit the external interface of a NAT router, by the way.
For this reason and others, NAT has nothing to do with security. A firewall, on the other hand, does.
It just so happens that every consumer "router" device has firewall functionality.
I know most of you are probably going to dismiss my points, but I thought it deserved mentioning anyway.
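The distinction the reply draws, NAT rewriting addresses versus a filter deciding what may cross the WAN interface, shown as an added nftables ruleset for a Linux box used as a home gateway (this is not from the thread); the interface names wan0 and lan0, the 192.168.1.0/24 LAN and the single forwarded host are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: Linux home gateway. Interface names and addresses are assumed.
flush ruleset

# NAT alone: rewrites the source address of outbound packets so internal hosts
# can reach the Internet. Nothing here rejects anything. With IP forwarding on
# and no filter table, a packet arriving on wan0 addressed to 192.168.1.10
# would simply be forwarded, which is why NAT by itself is not a firewall.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The one explicit port forward (assumed host), as the quoted post describes.
        iifname "wan0" tcp dport 2222 dnat to 192.168.1.10:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

# The firewall: stateful filtering is what actually blocks unsolicited inbound
# traffic. Default policy is drop on both the forward and input paths.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Private-range sources do show up on the external interface; drop them
        # there rather than forwarding them toward the LAN.
        iifname "wan0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        # LAN hosts may open new connections outward.
        iifname "lan0" oifname "wan0" accept
        # Only the explicitly forwarded service may be reached from outside.
        iifname "wan0" oifname "lan0" ip daddr 192.168.1.10 tcp dport 22 ct state new accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" accept
        # No rule accepts new connections on wan0: the router answers on nothing.
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; removing the filter table while leaving the nat table in place is exactly the "NAT but no firewall" configuration the reply warns about.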