> -----Original Message-----
> From: Steve Riley (MCS) [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 31, 2001 5:44 AM
> To: [EMAIL PROTECTED]
> Subject: Penetrating a NAT
>
>
> Some "security experts" claim that NAT could be used as a firewall (or
> let's say, some means of hiding the internal network).
I've asserted that a few times in the past. There is an issue with most NAT
implementations, though, that they will happily pass packets that are
correctly addressed to the internal (hidden) network, provided an attacker
can get such packets routed to the outside.
>>[Michael Batchelder]
>>No security expert I know would assert such a thing. If they did, I'd
>>give their title an instant expertectomy.
D'oh. Guess I was never an expert, then.
Once again (for like the MILLIONTH time) I invite anyone to explain the
additional security that filters provide over dynamic (many to one) NAT
where there are no static NAT mappings or PAT mappings. I get to posit that
the NAT implementation does not allow packets from the outside for the
private inside range (unlike Cisco NAT ;).
My claim remains that NAT can provide about as much protection as a dumb
stateful packet filter.
> I have a question about that. The assumption is that no packets could be
> sent directly from the Internet to clients behind NAT.
Not quite. The assumption is actually that no _session_ is possible. This is
especially true for TCP. For UDP a "session" hijack, DNS spoofing attack etc
is possible, but there's no security delta - it's just as easy through a "Mr
Bulletproof Brand" firewall.
> However, imagine this scenario and tell me whether it's feasible.
Completely.
[...]
> - ClientB spoofs ServerA's IP, and this time sends his same packet
> containing the hostile code, using ServerA's address as the source.
The point is that you can't do this blind unless you know the expected
sequence numbers. If you have enough control over the channel that you can
find the correct port at the NAT end, though, you can pull the expected seq.
out of the packet.
[...]
> My question is, could this scenario happen in the real world?
Yes, if the channel is being sniffed. Probably not, blind, modulo sequence
number stuff. As many other astute people pointed out, this is no nicer /
nastier because of the involvement of NAT.
[...]
>_________________________________________________________
> Steve Riley
> Microsoft Telecommunications Consulting in Denver, Colorado
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
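An added illustration, not code from the thread or from either correspondent: a toy model in Python of a dynamic (many-to-one) NAT translation table, showing the two behaviours the thread contrasts. In the strict mode, an inbound packet is forwarded only if it matches a translation created by outbound traffic, which is the "dumb stateful packet filter" level of protection Ben argues for. In the permissive mode, the implementation also forwards packets that arrive from outside already addressed to the private range, which is the weakness he mentions. The `Packet` and `DynamicNAT` names, the 10.0.0.0/8 inside range, the 203.0.113.1 outside address and all ports are constructed for the example.

```python
"""Toy many-to-one NAT: which inbound packets reach the inside network?

Constructed illustration; it models translation-table lookups only and
does not model TCP state (sequence numbers), which is the other half of
the argument in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import itertools

PRIVATE_NET = ip_network("10.0.0.0/8")   # constructed inside (hidden) range
PUBLIC_IP = "203.0.113.1"                # constructed NAT outside address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNAT:
    """Symmetric many-to-one NAT with no static or PAT mappings."""

    def __init__(self, route_private_inbound: bool = False):
        # outbound flow -> allocated public port, and the reverse map
        self.out_table = {}   # (in_ip, in_port, peer_ip, peer_port) -> pub_port
        self.in_table = {}    # pub_port -> (in_ip, in_port, peer_ip, peer_port)
        self.ports = itertools.count(40000)
        # True emulates the weak implementation the thread describes: a
        # packet from outside already addressed to an inside host is routed.
        self.route_private_inbound = route_private_inbound

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            pub_port = next(self.ports)
            self.out_table[key] = pub_port
            self.in_table[pub_port] = key
        return Packet(PUBLIC_IP, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Return the packet delivered inside, or None if the NAT drops it."""
        entry = self.in_table.get(pkt.dst_port)
        if pkt.dst_ip == PUBLIC_IP and entry is not None:
            in_ip, in_port, peer_ip, peer_port = entry
            # Only the peer the inside host spoke to may use this mapping.
            # The NAT cannot tell a spoofed source address from the real
            # peer; that is why the thread falls back on TCP sequence numbers.
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
            return None
        if self.route_private_inbound and ip_address(pkt.dst_ip) in PRIVATE_NET:
            return pkt   # forwarded untouched: the "hidden" network is reachable
        return None      # no translation exists: unsolicited packet dropped


def simulate() -> dict:
    """Run both NAT variants against the same constructed packets."""
    strict, leaky = DynamicNAT(), DynamicNAT(route_private_inbound=True)
    request = Packet("10.1.2.3", 51000, "198.51.100.7", 80)
    translated = strict.outbound(request)
    reply = Packet("198.51.100.7", 80, PUBLIC_IP, translated.src_port)
    stranger = Packet("198.51.100.9", 80, PUBLIC_IP, translated.src_port)
    direct = Packet("198.51.100.9", 80, "10.1.2.3", 51000)
    return {
        "translated_src": (translated.src_ip, translated.src_port),
        "reply_delivered": strict.inbound(reply),
        "stranger_delivered": strict.inbound(stranger),
        "strict_direct_delivered": strict.inbound(direct),
        "leaky_direct_delivered": leaky.inbound(direct),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The strict variant drops both the unsolicited packet from an unknown peer and the packet addressed straight to 10.1.2.3, so an outsider cannot open a session inward without a mapping; the leaky variant delivers the directly addressed packet as soon as someone can get it routed to the outside interface. Neither variant says anything about what happens once a packet does match, which is the sequence-number point made in the thread.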