Some "security experts" claim that NAT could be used as a firewall (or
let's say, some means of hiding the internal network). I have a question
about that. The assumption is that no packets could be sent directly
from the Internet to clients behind NAT. However, imagine this scenario
and tell me whether it's feasible.
- ClientA (IP 10.10.10.10) sends a request to ServerA (100.100.100.100).
Ports are TCP/2000 and TCP/80 respectively.
- NATA (assuming that it's ClientA's edge router) changes the IP from
10.10.10.10 to 200.200.200.200 and the source port from TCP/2000 to
TCP/5000. Of course, it recomputes the TCP checksum and all the other
headers, registers this in its connection table, and routes the packet
to ServerA.
- ClientB sniffs the channel and finds out that NATA is sending traffic
to ServerA on port TCP/80 with a source port of TCP/5000.
- ClientB inspects the payload, looks at the HTTP headers, and finds
that the sender is using BrowserX which has a flaw that could allow a
malicious code to crash the machine.
- ClientB sends a packet (note: no address crafting, yet) that contains
the malicious code to NATA with source port TCP/80 and dest port
TCP/5000.
- ClientB waits for a while, sniffs the channel, and finds out that NATA
is still routing traffic sent to ServerA on port TCP/80 and source port
TCP/5000. However, ClientB wants to make sure that this is not for
another client, and inspects the TCP headers going to ServerA, and finds
out that there was no TCP SYN after he sent his malicious packet
containing that hostile code. Therefore, ClientA didn't crash and the
NAT protected it.
- ClientB concludes that NATA was smart enough to include the
destination address in the connection table, and it was not routing
inside according to port translation alone.
- ClientB spoofs ServerA's IP, and this time sends his same packet
containing the hostile code, using ServerA's address as the source.
- ClientB is still monitoring the channel, but now there's no more
traffic from NATA to ServerA on TCP/5000 and TCP/80. He feels joy, as he
hacked ClientA, supposedly protected by a NAT machine and a non-routable
address.
My question is, could this scenario happen in the real world? Sure seems
plausible to me.
___________________________________________________________
Steve Riley
Microsoft Telecommunications Consulting in Denver, Colorado
[EMAIL PROTECTED] +1 303 521-4129 (mobile)
[EMAIL PROTECTED] (MSN Messenger)
www.microsoft.com/ISN/tech_columnists.asp#2
Applying computer technology is simply finding the right wrench to pound
in the correct screw.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
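The following is an added example, not part of the post above and not code from any product it mentions. It is a toy simulation of the scenario in the post, written to show exactly what a NAT's connection table does and does not check on the way back in. The addresses 10.10.10.10, 100.100.100.100 and 200.200.200.200 and the ports TCP/2000, TCP/80 and TCP/5000 are the post's own hypothetical values; ClientB's address (150.150.150.150), the packet layout, the two NAT classes and the stand-in "hostile" payload are assumptions made for this illustration only.

```python
"""Toy NAT connection-table simulation (added example; values from the post,
everything else assumed). Two NAT models are compared:

  PortOnlyNAT  - inbound lookup keys on the translated destination port alone
                 (the behaviour ClientB first assumed in the post).
  FiveTupleNAT - the binding also records which remote (ip, port) the inside
                 host talked to, and an inbound packet must match that too.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class Binding:
    """One row of the NAT's connection table, keyed by translated port."""
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int


class PortOnlyNAT:
    def __init__(self, public_ip: str, first_port: int = 5000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[int, Binding] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: reuse an existing binding or allocate a new
        public port, record it, and rewrite the source address/port."""
        for port, b in self.table.items():
            if (b.inside_ip, b.inside_port, b.remote_ip, b.remote_port) == (
                    pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)
        port = self.next_port
        self.next_port += 1
        self.table[port] = Binding(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def _remote_matches(self, pkt: Packet, b: Binding) -> bool:
        return True  # port-only NAT: never looks at who the packet is from

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: only packets that hit an existing binding are
        rewritten and forwarded; everything else is dropped (returns None)."""
        b = self.table.get(pkt.dst_port)
        if b is None or pkt.dst_ip != self.public_ip or not self._remote_matches(pkt, b):
            return None
        return Packet(pkt.src_ip, pkt.src_port, b.inside_ip, b.inside_port, pkt.payload)


class FiveTupleNAT(PortOnlyNAT):
    def _remote_matches(self, pkt: Packet, b: Binding) -> bool:
        # The packet must come from the remote endpoint the inside host spoke to.
        return (pkt.src_ip, pkt.src_port) == (b.remote_ip, b.remote_port)


CLIENT_A = "10.10.10.10"          # from the post
SERVER_A = "100.100.100.100"      # from the post
NAT_A = "200.200.200.200"         # from the post
CLIENT_B = "150.150.150.150"      # assumed; the post gives ClientB no address
HOSTILE = b"<stand-in for the BrowserX-crashing payload>"  # constructed


def run_scenario(nat_cls) -> Tuple[bool, bool]:
    """Replay the post's steps against one NAT model. Returns whether
    (ClientB's unspoofed packet, ClientB's ServerA-spoofed packet) reached
    ClientA at 10.10.10.10:2000."""
    nat = nat_cls(NAT_A)
    # ClientA:2000 -> ServerA:80; NATA rewrites the source to 200.200.200.200:5000
    nat.outbound(Packet(CLIENT_A, 2000, SERVER_A, 80, b"GET / HTTP/1.0"))
    # First attempt: ClientB's own source address, ports copied from the sniffed flow
    unspoofed = nat.inbound(Packet(CLIENT_B, 80, NAT_A, 5000, HOSTILE))
    # Second attempt: same packet with ServerA's address as the source
    spoofed = nat.inbound(Packet(SERVER_A, 80, NAT_A, 5000, HOSTILE))

    def reached(p: Optional[Packet]) -> bool:
        return p is not None and (p.dst_ip, p.dst_port) == (CLIENT_A, 2000)

    return reached(unspoofed), reached(spoofed)


if __name__ == "__main__":
    print("port-only NAT :", run_scenario(PortOnlyNAT))   # (True, True)
    print("5-tuple NAT   :", run_scenario(FiveTupleNAT))  # (False, True)
```

The simulation models only the NAT table lookup. It shows that keying on the translated port alone lets the first, unspoofed packet straight through, while a binding that records the remote endpoint drops it and forces the attacker to forge ServerA's address, as in the post. On a real TCP connection the forged segment additionally has to carry sequence and acknowledgement numbers inside the connection's current window before ClientA's stack will accept it, which is the same information an attacker who can sniff the flow already has.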