Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: NAT external/Public IP

from [Security Incidents] Network Security [Permanent Link]
Subject: RE: NAT external/Public IP
Date: Tue, 30 Oct 2007 21:44:53 +0200 
Why not Security by Design plus Security by Obscurity?

If the additional obscurity does not compromise the design, in any way,
then we may in-fact end up with better security. Many real-world
projects include elements of both strategies.

Do you claim that you can make a host "secure"? I do NOT believe that
this is possible. Why not use every available technique to help secure,
obscure and minimise your network presence?

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: 30 October 2007 07:04 PM
To: security-basics@securityfocus.com
Subject: Re: NAT external/Public IP

On 2007-10-30 Grant Donald wrote:

With PAT private IP addresses are hidden from the outside world. This
basically makes the job of hacking into a system more difficult,
because the original host's IP address and source port is unknown. 


This is mere obscurity. It doesn't make a host any more or less secure
than it already is. Like I said before: either a host is secure, then it
doesn't matter if an attacker knows the address, or it isn't secure,
then you're "security" is based on the hope that an attacker won't
discover the host.


Depending on firewall capabilities (or lack of capabilities) ports may
need to be opened inbound for certain applications to work (e.g..
ident & pptp). A horizontal scan of such a network could produce a
wealth of knowledge, if that network does not support port address
translation.


Ummm... wot? Why would you want to allow any inbound connections into
your LAN? And how would an attacker be able to scan your network from
the outside? For some obscure reason you seem to assume that using
public IP addresses in your LAN means that the firewall at the perimeter
magically allows access from WAN to LAN. This assumption is wrong.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

DISCLAIMER: This email and any files transmitted with it are confidential to 
DataCash Group plc and its group companies. It is intended only for the person 
to whom it is addressed. If you have received this email in error, please 
forward it to info@datacash.com with the subject line "Received in Error".  If 
you are not the intended recipient you must not use, disclose, copy, print, 
distribute or rely on this email or any of its transmitted files.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: NAT external/Public IP, Ansgar -59cobalt- Wiechers
Next by Date:  Finding out IP address of external interface of web proxy, Dev Null
Previous by Thread:  Re: NAT external/Public IP, Ansgar -59cobalt- Wiechers
Next by Thread:  Re: NAT external/Public IP, crazy frog crazy frog
Indexes:  [Date] [Thread] [Top] [All Lists]