RE: NAT firewalls possibly insecure by nature?

From: Matt.Carpenter@alticor.com
To: <fostware@iinet.net.au>
Date: Mon, 14 Jan 2002 10:28:22 -0500


That's not my understanding of passive ftp.

                                                                                                                   
From: "Craig Foster" <fostware@iinet.net.au>
To: "'Focus-Ms@Securityfocus. Com'" <focus-ms@securityfocus.com>
Subject: RE: NAT firewalls possibly insecure by nature?
Date: 01/12/2002 12:36 AM
Please respond to fostware

The main problem you have is once a machine has made a connection out,
there are mechanisms to send information back along that connection. A
case in point is passive ftp, which opens a connection, and then requests
data to be sent back along that same connection.

Trojans are going to be your main worry here, as they are very often
designed to make a connection out. Obviously AntiVirus software makes a
difference here.

The other option here is assessing your company needs, and blocking all
traffic in & out, but making mail (pop3 & smtp) port forwarded to the mail
server, and have transparent web (& ftp) proxying enabled. This means only
web and mail are transferred, and if someone *really* wants another
program connecting to the network you know about it, and can open that
port only for NAT.

This is a common setup within companies but it does require, amongst other
things, management support, needs assessment, and a legal
clause/explanation in your company policy manual.

Regards,

Craig Foster

> -----Original Message-----
> From: TWyrick@paulo.com [mailto:TWyrick@paulo.com]
> Sent: Friday, 11 January 2002 11:38 PM
> To: focus-ms@securityfocus.com
> Subject: NAT firewalls possibly insecure by nature?
>
>
> I was following a message thread on the "Slashdot" web-site on Wednesday
> (discussion about the Smoothwall PC firewall product based on Linux), and
> one reader made a comment that surprised me.
>
> He claimed that firewalls using NAT are inherently insecure, because someone
> with enough technical know-how can "trick" it into passing packets back and
> forth bi-directionally, thereby making it "transparent" and letting the
> hacker through to any system behind it.
>
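The thread argues about what a NAT firewall lets back in: replies on connections an inside host opened, the passive-FTP data channel, a trojan's outbound connection, and an admin-configured port forward for mail. The following is an added example, not code from any poster or from Smoothwall: a toy port-restricted NAT table plus a parser for the FTP `227 Entering Passive Mode` reply (RFC 959), run through those four scenarios. All addresses, ports and the 227 reply are constructed for the example; `Nat`, `parse_pasv` and `walk_through` are names chosen here.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Toy port-restricted NAT: an inbound packet is delivered only if it is
    the reply to a flow an internal host opened, or hits a static forward."""
    public_ip: str
    next_port: int = 40000
    # (proto, public port) -> (internal ip, internal port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    # (proto, public port) -> (internal ip, internal port); configured by the admin
    forwards: dict = field(default_factory=dict)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """An internal host opens a connection out: allocate a public port and
        record the flow so that replies can be mapped back. Returns that port."""
        for (p, pub_port), entry in self.table.items():
            if p == proto and entry == (src_ip, src_port, dst_ip, dst_port):
                return pub_port  # existing mapping
        pub_port = self.next_port
        self.next_port += 1
        self.table[(proto, pub_port)] = (src_ip, src_port, dst_ip, dst_port)
        return pub_port

    def inbound(self, proto, src_ip, src_port, dst_port):
        """A packet arrives at the public address. Returns the (internal ip,
        port) it is delivered to, or None if the firewall drops it."""
        entry = self.table.get((proto, dst_port))
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]                             # reply on a flow we opened
        return self.forwards.get((proto, dst_port))      # static forward, else None


# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Extract the address and port the server tells the client to connect to."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def walk_through():
    """Run the scenarios the thread argues about; returns their outcomes."""
    nat = Nat("203.0.113.1")                       # constructed public address
    client, server, outside = "10.0.0.5", "198.51.100.7", "192.0.2.9"
    out = {}

    # 1. Passive FTP. Control connection: client -> server:21 through the NAT.
    ctl = nat.outbound("tcp", client, 50001, server, 21)
    out["control_reply"] = nat.inbound("tcp", server, 21, ctl)

    # The server answers PASV on the control channel (constructed reply).
    data_ip, data_port = parse_pasv("227 Entering Passive Mode (198,51,100,7,195,80)")
    out["pasv_target"] = (data_ip, data_port)
    # The data channel is a second connection the client opens outward, so it
    # gets its own mapping like any other outbound flow; nothing new is opened
    # from the outside.
    data = nat.outbound("tcp", client, 50002, data_ip, data_port)
    out["data_reply"] = nat.inbound("tcp", data_ip, data_port, data)

    # 2. A host outside sends to the public address with no mapping: dropped.
    out["unsolicited"] = nat.inbound("tcp", outside, 4444, 445)
    # Same when it uses the FTP server's address but a port nobody opened.
    out["wrong_port"] = nat.inbound("tcp", server, 21, 40999)

    # 3. A trojan inside connects out; whatever it connected to can now answer,
    # because the inside host opened the flow (the thread's "main worry").
    troj = nat.outbound("tcp", "10.0.0.7", 50100, outside, 6667)
    out["trojan_reply"] = nat.inbound("tcp", outside, 6667, troj)

    # 4. An admin forwards smtp to the mail server: reachable from anywhere,
    # but only on that port and only because it was configured.
    nat.forwards[("tcp", 25)] = ("10.0.0.10", 25)
    out["smtp_forward"] = nat.inbound("tcp", outside, 5555, 25)
    return out


if __name__ == "__main__":
    for name, result in walk_through().items():
        print("%-14s %s" % (name, result))
```

The model deliberately checks the remote address and port as well as the mapped public port, as a port-restricted NAT does; a full-cone NAT would accept the `wrong_port`-style packet from any source once a mapping exists for that port, which is the kind of behaviour the Slashdot claim seems to have in mind, and is why a stateful firewall in front of (or built into) the NAT matters.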


