Archived from groups: comp.security.firewalls
"Smax" <smax371@hotmail.com> wrote in
news:KNJOe.27469$HM1.791654@twister1.libero.it:
> Hi all!
> First of all I have to say "sorry" for my English.. that sometimes is
> not very good.. (I write from Italy..)
> A question:
> I often have to speak with some clients about security (I'm not a
> specialist..) ...yesterday a person told me that an ADSL router with
> NAT to separate his private network from the public network is a "good"
> solution for his security... I know.. that this is a "wrong sentence"
> ... but... how can I demonstrate the opposite? How can I bypass a
> router? It is possible.... I suppose... any suggestions??
> thanks
>
> smax371@hotmail.com
>
All you have to do is write a listening server program and install it on
the computer behind the router. Then you write a client program and
install it on a remote/Internet computer and have the server program send
outbound traffic to the remote IP, making contact with the remote client
program. The NAT router (most NAT routers for home usage) is not going to
be able to stop the contact or traffic by setting rules to stop the
traffic.
Most NAT routers stop unsolicited inbound traffic by not forwarding the
traffic to the LAN behind the router. Yes, a NAT router has two
interfaces: the WAN/Internet network interface, the network the NAT router
is protecting from, and the LAN interface, the network it's protecting.
A device such as a NAT router that is also running network FW software
would be able to stop inbound and outbound traffic by setting filtering
rules to stop the traffic by port, protocol, IP or packet attribute/
state.
As an example, you could install Gibson's *Leaktest* program on a machine
and allow it to phone home and see if the NAT router can stop the traffic
inbound or outbound by setting filtering rules to stop the outbound from
the LAN/IP/machine behind the router to the remote/Internet/IP or stop
inbound from the remote/Internet/IP.
The NAT router separates two networks, usually the Internet and the LAN
behind the router, and NAT provides a limited means of protecting the LAN
by not forwarding unsolicited inbound requests. But NAT is not FW software
where one can set filtering rules to control traffic. Also, most NAT
routers for home usage don't provide traffic logging, so one could see if
dubious inbound or outbound traffic to a remote IP was even happening.
So if malware was to be installed on a machine behind the NAT router and
started phoning home, most NAT routers are not going to be able to stop
the malware, and Leaktest will show you that. A router running network FW
software would be able to stop the traffic.
However, a NAT router is a good first line of defense for the home user.
Duane
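The point Duane makes (NAT forwards any LAN-originated flow and only drops unsolicited inbound packets, while a router running firewall software can also apply egress rules and keep a log) can be shown with a small model of the two devices. This is an added example, not code from the thread or from Leaktest; the addresses, ports and the "phone home" flow are constructed, and the `NatRouter`, `FirewallRouter` and `Rule` classes are hypothetical simplifications (one translation table, first-matching-rule egress policy with default drop) rather than any real router's implementation.

```python
"""Toy model of NAT versus NAT plus stateful egress filtering (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Plain NAT: translate every LAN-originated flow, forward inbound packets
    only when they match an existing translation. No policy, no logging."""

    def __init__(self, wan_ip: str = "203.0.113.5"):  # constructed TEST-NET-3 address
        self.wan_ip = wan_ip
        self.flows = {}    # (lan_ip, lan_port, remote_ip, remote_port, proto) -> wan_port
        self.reverse = {}  # (wan_port, remote_ip, remote_port, proto) -> LAN 5-tuple
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        # NAT never asks whether the flow should be allowed to leave; it just maps it.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = key
            self.next_port += 1
        return Packet(self.wan_ip, self.flows[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Only replies to an existing translation are forwarded; everything else is dropped.
        key = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if key is None:
            return None
        lan_ip, lan_port, _, _, _ = key
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.dst_ip is None or self.dst_ip == pkt.dst_ip))


class FirewallRouter(NatRouter):
    """NAT plus egress rules and a decision log. First matching rule wins;
    a packet matching no rule is dropped."""

    def __init__(self, egress_rules, **kw):
        super().__init__(**kw)
        self.egress_rules = list(egress_rules)
        self.log = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        flow = f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}"
        for rule in self.egress_rules:
            if rule.matches(pkt):
                self.log.append(f"OUT {rule.action.upper()} {flow}")
                return super().outbound(pkt) if rule.action == "allow" else None
        self.log.append(f"OUT DROP(default) {flow}")
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        fwd = super().inbound(pkt)  # state check inherited from NAT
        self.log.append(f"IN {'ALLOW' if fwd else 'DROP'} {pkt.src_ip}:{pkt.src_port} "
                        f"-> {pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}")
        return fwd


def demo():
    """Run three constructed traffic cases through both devices and report the outcome."""
    browse = Packet("192.168.1.10", 51000, "198.51.100.20", 443)       # ordinary HTTPS
    phone_home = Packet("192.168.1.10", 51001, "198.51.100.99", 4444)  # LAN host calling out on an odd port
    unsolicited = Packet("198.51.100.99", 5555, "203.0.113.5", 22)     # inbound nobody asked for

    nat = NatRouter()
    fw = FirewallRouter([Rule("allow", "tcp", 80), Rule("allow", "tcp", 443), Rule("allow", "udp", 53)])
    results = {}
    for name, dev in (("nat", nat), ("fw", fw)):
        out = dev.outbound(browse)
        reply = Packet(browse.dst_ip, browse.dst_port, dev.wan_ip, out.src_port)
        results[name] = {
            "browse_out": out is not None,
            "browse_reply_in": dev.inbound(reply) is not None,
            "unsolicited_in": dev.inbound(unsolicited) is not None,
            "phone_home_out": dev.outbound(phone_home) is not None,
        }
    results["fw_log"] = fw.log
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both devices pass the web session and its reply and drop the unsolicited inbound packet, which is the protection a NAT router gives. Only the firewall variant stops the outbound flow to port 4444, and only it leaves a log line showing that the attempt happened; the plain NAT device maps the flow silently, which is what Leaktest demonstrates on a real router.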