Which security experts?? I would like names so I never
make the mistake of consulting with them.
--- "Steve Riley (MCS)" <[EMAIL PROTECTED]>
wrote:
> Some "security experts" claim that NAT could be used as a firewall (or
> let's say, some means of hiding the internal network). I have a question
> about that. The assumption is that no packets could be sent directly
> from the Internet to clients behind NAT. However, imagine this scenario
> and tell me whether it's feasible.
> 
> - ClientA (IP 10.10.10.10) sends a request to ServerA (100.100.100.100).
> Ports are TCP/2000 and TCP/80 respectively.
> 
> - NATA (assuming that it's ClientA's edge router) changes the IP from
> 10.10.10.10 to 200.200.200.200 and the source port from TCP/2000 to
> TCP/5000. Of course, it recomputes the TCP checksum and all the other
> headers, registers this in its connection table, and routes the packet
> to ServerA.
> 
> - ClientB sniffs the channel and finds out that NATA is sending traffic
> to ServerA on port TCP/80 with a source port of TCP/5000.
> 
> - ClientB inspects the payload, looks at the HTTP headers, and finds
> that the sender is using BrowserX, which has a flaw that could allow
> malicious code to crash the machine.
> 
> - ClientB sends a packet (note: no address crafting, yet) that contains
> the malicious code to NATA with source port TCP/80 and dest port
> TCP/5000.
> 
> - ClientB waits for a while, sniffs the channel, and finds out that NATA
> is still routing traffic sent to ServerA on port TCP/80 and source port
> TCP/5000. However, ClientB wants to make sure that this is not for
> another client, and inspects the TCP headers going to ServerA, and finds
> out that there was no TCP SYN after he sent his malicious packet
> containing that hostile code. Therefore, ClientA didn't crash and the
> NAT protected it.
> 
> - ClientB concludes that NATA was smart enough to include the
> destination address in the connection table, and it was not routing
> inside according to port translation alone.
> 
> - ClientB spoofs ServerA's IP, and this time sends his same packet
> containing the hostile code, using ServerA's address as the source.
> 
> - ClientB is still monitoring the channel, but now there's no more
> traffic from NATA to ServerA on TCP/5000 and TCP/80. He feels joy, as he
> hacked ClientA, supposedly protected by a NAT machine and a non-routable
> address.
> 
> My question is, could this scenario happen in the real world? Sure seems
> plausible to me.
> 
> ___________________________________________________________
> Steve Riley
> Microsoft Telecommunications Consulting in Denver, Colorado
> [EMAIL PROTECTED]             +1 303 521-4129 (mobile)
> [EMAIL PROTECTED] (MSN Messenger)
> www.microsoft.com/ISN/tech_columnists.asp#2
> Applying computer technology is simply finding the right wrench to pound
> in the correct screw.
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
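The quoted scenario turns on one question: what does NATA's connection table actually key on when it decides whether an inbound packet belongs to an existing session? The toy model below is an added example, written for this thread and not code from either poster. It uses the hosts, addresses and ports from Steve's message (ClientB's own address 150.150.150.150 and the payload are constructed) and lets you switch the NAT between three matching policies: external port only, the full tuple that Steve's NATA uses, and a stateful variant that also checks that the TCP sequence number falls inside the window it learned from ServerA's real reply. The last mode is the practitioner's takeaway: a source-address match is not a session match, and a middlebox that tracks TCP state rejects a spoofed segment whose sequence number does not line up. It is a mitigation, not a cure; if ClientB can observe both directions of the channel, as the message assumes, sequence tracking alone does not help, which is why the real fix is patching BrowserX and running a stateful firewall rather than trusting NAT to be one.

```python
"""Toy model of a port-translating NAT (NAPT) connection table.

Reproduces the scenario in the quoted message under three inbound-matching
policies. All traffic below is constructed for the example, not captured."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0           # TCP sequence number of this segment
    payload: bytes = b""


@dataclass
class Mapping:
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int
    expect_seq: Optional[int] = None   # next seq expected from the remote side
    window: int = 65535                # acceptance window for inbound seq


class Napt:
    """mode selects how an inbound packet is matched against the table:
    'port'     : external port only (what ClientB's first packet relied on)
    'tuple'    : external port + remote IP + remote port (Steve's NATA)
    'stateful' : the tuple, plus an in-window TCP sequence number check"""

    def __init__(self, external_ip: str, mode: str = "tuple"):
        assert mode in ("port", "tuple", "stateful")
        self.external_ip = external_ip
        self.mode = mode
        self.table: dict[int, Mapping] = {}   # external port -> Mapping
        self.next_port = 5000                  # first translated port, as in the message

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record the session."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = Mapping(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.seq, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the inside host, or None if dropped."""
        m = self.table.get(pkt.dst_port)
        if m is None or pkt.dst_ip != self.external_ip:
            return None
        if self.mode != "port" and (pkt.src_ip, pkt.src_port) != (m.remote_ip, m.remote_port):
            return None                         # address/port do not match the session
        if self.mode == "stateful":
            if m.expect_seq is not None and not (m.expect_seq <= pkt.seq < m.expect_seq + m.window):
                return None                     # right tuple, wrong place in the stream
            # a SYN/ACK consumes one sequence number, data consumes its length
            m.expect_seq = pkt.seq + max(len(pkt.payload), 1)
        return Packet(pkt.src_ip, pkt.src_port, m.inside_ip, m.inside_port, pkt.seq, pkt.payload)


def run_scenario(mode: str) -> dict:
    """Replay the message's steps against a NAT using the given policy."""
    client_a, server_a = "10.10.10.10", "100.100.100.100"
    client_b = "150.150.150.150"               # constructed; not given in the message
    nat = Napt("200.200.200.200", mode)
    # ClientA:2000 -> ServerA:80; NATA rewrites the source to 200.200.200.200:5000
    out = nat.outbound(Packet(client_a, 2000, server_a, 80, seq=1000))
    # ServerA's genuine SYN/ACK; in stateful mode the NAT learns its sequence number
    nat.inbound(Packet(server_a, 80, out.src_ip, out.src_port, seq=777_000_000))
    hostile = b"<constructed payload>"
    # Step 1: ClientB's own address, src port 80, dst port 5000 (no spoofing yet)
    direct = nat.inbound(Packet(client_b, 80, out.src_ip, out.src_port, seq=1, payload=hostile))
    # Step 2: same packet with ServerA's address as the source; seq is a guess
    spoofed = nat.inbound(Packet(server_a, 80, out.src_ip, out.src_port, seq=1, payload=hostile))
    return {"direct_reaches_clientA": direct is not None,
            "spoofed_reaches_clientA": spoofed is not None}


if __name__ == "__main__":
    for mode in ("port", "tuple", "stateful"):
        print(mode, run_scenario(mode))
```

Running it shows the three outcomes side by side: the port-only NAT forwards ClientB's unspoofed packet straight to ClientA; the tuple-keyed NAT drops that one but forwards the spoofed copy exactly as the message describes; the stateful NAT drops both because a guessed sequence number is outside the window it learned from ServerA.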
