Re: NAT Secure?
From: the Pull (iuoi@iou.com) Date: 09/24/02
- Next message: : "Re: How safe is KaZaa ??"
- Previous message: the Pull: "Re: ZoneAlarm backdoor / GRC.com?"
- In reply to: Berk S. Daemon: "Re: NAT Secure?"
- Next in thread: ThePsyko: "Re: NAT Secure?"
From: the Pull <iuoi@iou.com> Date: Tue, 24 Sep 2002 05:27:43 GMT
"Berk S. Daemon" wrote:
>
> > cait wrote:
> > >
> > > How secure is NAT? It appears that when setting up the local IPs, most
> > > people follow the convention of 10.0.0.1, 10.0.0.2, 10.0.0.3, etc... Are
> > > these IPs not accessible by outsiders, because they're reserved and not
> > > unique? These IPs are only recognizable within a LAN. Is that what makes
> > > NAT secure from internet attack?
>
> NAT itself is not a firewall. It may 'complement' a firewall (packet filter,
> application level proxy, etc.) but it in and of itself is not a means of
> securing your network(s) properly. Security through obscurity is not a good
> idea!
>
> > Nothing is secure. Anyone telling you you can be 100 percent secure
> > is usually ignorant, sometimes lying. Look at the biggest virii in
> > the past few years. They get in through your browser. They get out
> > through your mail client. Firewalls don't stop that. They never will.
> >
> > Also, while hackers tend to like trojans which are servers, server trojans
> > offer no real advantage over simply sending data out. If you can
> > get out, so can they.
> >
> > >
> > > I guess I'm trying to understand how TCP/IP works. How does the router stop
> > > the internet TCP/IP traffic from going into subnets (10.0.0.x) within a LAN?
> >
> > 10.x.x.x <--- not accessible from the internet
>
> Technically, it's a non 'internet' routable address. Read RFC1918 for more
> details.
Technically "not an internet routable address" and not accessible from
the internet mean exactly the same thing.
> Ever hear of spoofing or source routing? >=) Then you would know
> that NAT routers can be bypassed in many ways. I always recommend filtering
> source routing, spoofing, RFC1918 nets coming in from the outside, and
> going out from the inside.
I have written spoofers. You spoof an address, you have a one
way connection. If you can bypass the system via spoofing from
inbound traffic in this manner, your system is ancient and has
some serious problems.
>
> 10.x.x.x/8, 172.16-31.x.x/12 & 192.168.x.x/24 are RFC1918 compliant
> addresses. There are other reserved ones too, in various other RFCs.
...
So is 127.0.0.1, but I would not bring these up because if you
don't know this you don't use computers.
>
> > So, you can't have a trojan server on there. Your services which listen
> > on ports can not be broken into because they are blocked by the
> > firewall. So, the only means of attack are such applications as browsers,
> > email, news, IM clients. Not web servers, not netbios, etc.
>
> Of course they can! Most 'newer' or smarter trojans now initiate a tunnel from
> the inside out... Hence, an easy return path...
Actually, getting around NATs is a real sonofabitch, and I have
been working on that for years since I have worked at a p2p company. Not
that there are not methods, there are, as you say. These methods have
been around for a few years. Some of them are employed in some IM
and p2p apps. They work okay, not great, but okay, under certain
circumstances.
There may be a few implementations of this, I believe I recall one
or two trojans made in the past two years which implement these
techniques. But, this is not including the massive number of keyloggers
and spyware that can send information out. In fact, because you
can send information out from a natted system... there really is
little or no need for an application to act as a server at all.
And, then again, you can have trojans that work quite simply merely
by registering themselves as a high privilege ActiveX or Java applet...
whereby merely sending commands may be done secretly through email
or web links. But, again, you have information going out, you really
don't need to interact with the thing.
>
> Like you said: "Nothing is secure. Anyone telling you you can be 100 percent
> secure is usually ignorant, sometimes lying."
> Might want to think again about what you just wrote above, where you
> mention that the services can't be broken into because they're behind a NAT
> router. I'd have to give that a 101% wrong. Port redirection/port mapping,
> spoofing, etc.
I wasn't assuming someone was employing a firewall which would be
fooled by spoofing.
Port redirection/port mapping... I have written these as well, and
I am not sure where you are going with that. If you are talking about
mapping a port through a proxy, through acceptable ports... then you
are talking about the firewall already being breached... and that doesn't
have to do with scanning the listening services behind the firewall.
>
> > A lot of attacks do involve attackers merely scanning for open
> > holes. Scanning does not work when you have a firewall (though the
> > firewall itself could have such holes).
>
> Scanning does work when you have a firewall, just depends how you have it
> configured.
If you have a deeply fucked up firewall, which has a hole to allow
spoofing, then yes, scanning would work. I am unaware of any firewall
configuration which would allow this.
> Plus, if you're running say a web server on port 80 and someone
> scans that ip, what do you think will come up from the scan? Port 80 of
> course! Now, depending on that web server, it could be exploitable,
> including the NAT Router/Firewall itself on top of that.
... if you serve port 80 through the firewall, then yes, it can
be scanned, of course.
>
> Just my $0.02.
--Sweeper - the file scanner http://members.cox.net/osioniusx
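
Added example, not part of the original message: a toy model of a port-translating NAT with the WAN-side source filtering recommended in the quoted text, showing why unsolicited inbound packets find no path to 10.x hosts while any flow opened from inside gets a return path. The `NatRouter` class, the documentation-range addresses and the strict address-and-port matching rule are assumptions made for illustration; real devices differ in how tightly they match inbound packets.

```python
import ipaddress

# Sources that must never arrive on the WAN side: the RFC 1918 private
# blocks plus loopback (the ranges named in the thread).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


class NatRouter:
    """Hypothetical port-translating NAT with a WAN anti-spoofing filter."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (lan_ip, lan_port, dst_ip, dst_port) -> public port
        self.in_map = {}   # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """A LAN host opens a flow: create or reuse a mapping, return the new source."""
        key = (lan_ip, lan_port, dst_ip, dst_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, dst_ip, dst_port)] = (lan_ip, lan_port)
            self.next_port += 1
        return self.public_ip, self.out_map[key]

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives on the WAN interface addressed to the public IP."""
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in BOGON_SOURCES):
            return ("drop", "spoofed/bogon source on WAN")
        target = self.in_map.get((dst_port, src_ip, src_port))
        if target is None:
            return ("drop", "no mapping (unsolicited)")
        return ("forward", target)


def demo():
    """Constructed traffic: one outbound flow, then four inbound packets."""
    r = NatRouter("203.0.113.5")
    pub = r.outbound("10.0.0.2", 51000, "198.51.100.7", 80)
    return [
        pub,
        r.inbound("198.51.100.7", 80, pub[1]),    # reply on the existing flow
        r.inbound("198.51.100.9", 4444, pub[1]),  # other remote, mapped port
        r.inbound("198.51.100.9", 4444, 139),     # probe of an unmapped port
        r.inbound("10.0.0.2", 51000, pub[1]),     # RFC 1918 source seen on WAN
    ]
```

Note that `outbound()` never refuses anything: the model only constrains what comes in, which is the thread's point about software that simply sends data out.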