Firewall question

Posted on 2011-04-28
Last Modified: 2012-06-27
My buddy was supporting a small business network (tree care company).  The software application that had been sold to them under the guise of client-server software was actually a desktop application database kept on a shared folder on the server.  The application was having performance issues and lockups, so my friend was in the process of reconfiguring the network when he got audited.  As part of the reconfiguration, filtering on the SonicWall firewall was turned off.  However, the firewall was still in place and NAT'd (private IP on the LAN port / public IP on the WAN port).  The auditor, who is related to the software vendor, presented the 'finding' (of temporarily turning off the outbound internet traffic filtering) as a 'dire' security threat that is going to bring down this 20-user network / risk the business.  Unfortunately the owner bought it and my buddy is being relieved of his responsibilities.  The application response has improved (possibly after a software patch/upgrade by the software vendor, who was onsite with the auditor) and everything is now blamed on the firewall configuration.  The public WAN IP is not used for email/web/ftp services, where the IP reputation would be at stake if a rogue machine inside the network acted up.

The question is:
(1) Can someone on the public / WAN side (internet) easily traverse the NAT'd firewall and access/control a PC inside the network and put the business at risk in this situation?


Question by:patp22
    LVL 10

    Expert Comment

    I'm not terribly familiar with SonicWall firewalls so I'm not sure what the 'filtering' setting does, but answering as for a general firewall, it is not 'easy'.  NAT is certainly not the best security measure, but it is very good at hiding private IP identities from the world.  Most breaches are due to holes or ports being left open in a firewall configuration and a hacker finding them with a port scan.

    As long as access-lists are configured very tightly to only allow the absolutely necessary traffic to flow through the firewall, breaches are unlikely.  Certainly NAT wouldn't be considered a security hole.
    LVL 31

    Expert Comment

    Can it be done?  Yes, absolutely anything can be done with enough time, skill, money, and desire.  Like gbakies suggests though, it would not be ultra easy; then again, it would not be ultra hard, either.  Turning off filtering on your firewall is just a bad idea.

    Unless your friend has a vested interest, though, my advice to him would be to walk away and not worry about it.  I took "relieved of his responsibilities" as being fired.  If that is not the case, then the next step would be to do some research about firewalls and security and present a well-documented "case" for putting firewall filtering back in place.

    LVL 70

    Accepted Solution

    Outbound filtering only?

    Source NAT, which I assume is many-to-one (lots of internal clients, one external IP), is really not very easy to exploit from outside (not impossible, far from it, but not easy). You can't simply make up an attack from outside and start probing ports; you'd have to hijack an existing outbound session (stored in the session table on the firewall).

    All outbound filtering does is limit the number of things an outbound request can connect to. A very good thing, but likely to destroy a business if it's not in place? I doubt it.

    I can't help but think the auditor is scaremongering. But I don't know the business or the traffic profiles; maybe opening up outbound access really does constitute a significant threat.

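To make the accepted solution's two points concrete (unsolicited inbound packets have no session-table entry to match, and outbound filtering only narrows what an inside host may connect to), here is a toy model of a many-to-one source NAT with a stateful session table. This is an added example and is not code from the thread or from any SonicWall product; the addresses (a 192.168.1.0/24 LAN, public IP 203.0.113.10, external hosts in 198.51.100.0/24), the translated-port range, the allowed-port set and the single port forward are all constructed for illustration.

```python
"""Toy stateful source-NAT model (added example, not from the original thread).

Addresses and ports below are constructed: the LAN is 192.168.1.0/24, the
firewall's public IP is 203.0.113.10, and 198.51.100.x are external hosts.
The model shows why an unsolicited WAN packet is dropped (no session entry),
why a reply to an existing outbound flow is translated back to the client,
and that the one real inbound exposure is an explicit port forward.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed WAN address of the firewall


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class SourceNAT:
    """Many-to-one NAT: every LAN client shares PUBLIC_IP and each outbound
    flow gets its own translated source port, recorded in the session table."""
    # None means no outbound filtering (the state described in the question)
    allowed_outbound_ports: Optional[Set[int]] = None
    # explicit inbound port forwards: (proto, public_port) -> (lan_ip, lan_port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000
    # session table: (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    sessions: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN. Returns the translated packet, or None if the outbound
        filter blocks the destination port."""
        if self.allowed_outbound_ports is not None and pkt.dst_port not in self.allowed_outbound_ports:
            return None
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Forwarded only if it hits an explicit port forward or
        matches an existing session from the same remote endpoint; everything
        else is dropped. (Real NATs differ in how strictly they check the
        remote endpoint; this toy is deliberately strict.)"""
        fwd = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        entry = self.sessions.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        lan_ip, lan_port, remote_ip, remote_port = entry
        if pkt.src_ip != remote_ip or pkt.src_port != remote_port:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo() -> dict:
    """Walk through the cases discussed in the thread and return the outcomes."""
    results = {}
    # Firewall as described: no outbound filtering, one inbound service forwarded
    # (hypothetical: public 3389 -> a LAN host; 3389 is the conventional RDP port).
    nat = SourceNAT(port_forwards={("tcp", 3389): ("192.168.1.5", 3389)})

    # 1. LAN client opens HTTPS to an external host; source is rewritten.
    out = nat.outbound(Packet("192.168.1.20", 51515, "198.51.100.5", 443))
    results["translated_src"] = (out.src_ip, out.src_port)

    # 2. The reply to that flow matches the session entry and reaches the client.
    reply = nat.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out.src_port))
    results["reply_delivered_to"] = (reply.dst_ip, reply.dst_port)

    # 3. An unsolicited packet to the public IP has no session: dropped.
    results["unsolicited_forwarded"] = nat.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 8080)) is not None

    # 4. A different remote host aiming at the live translated port: dropped.
    results["wrong_peer_forwarded"] = nat.inbound(Packet("198.51.100.99", 443, PUBLIC_IP, out.src_port)) is not None

    # 5. The forwarded service is the real inbound exposure regardless of NAT.
    fwd = nat.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 3389))
    results["forwarded_service_reached"] = (fwd.dst_ip, fwd.dst_port)

    # 6. Outbound filtering: only narrows what the inside may reach.
    strict = SourceNAT(allowed_outbound_ports={53, 80, 443})
    results["port6667_allowed_when_filtered"] = strict.outbound(Packet("192.168.1.21", 51516, "198.51.100.5", 6667)) is not None
    results["https_allowed_when_filtered"] = strict.outbound(Packet("192.168.1.21", 51517, "198.51.100.5", 443)) is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Cases 3 and 4 are the thread's "you can't just start probing ports from outside" point; case 5 shows that the open Terminal Services forward mentioned later in the thread is the surface that actually deserves the audit's attention; case 6 is all outbound filtering does, which is why its temporary absence is a hardening gap rather than an inbound hole.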

    Author Comment

    Thanks gbakies/DrUltima

    Yes, only outbound filtering was turned off.
    The SonicWall TZ 210 had all inbound ports closed except for Terminal Services.  The application running on the terminal services is a Tree Care Order Entry program.  Total users: 15.  No financial / personal social security / health or other privacy-sensitive data is being stored.  The static IP address is also unpublished and does not show as belonging to the company.

    I do think that the auditor was scaremongering.
