Re: good article on NAT router security
From: John D Loop (jdloop_at_remove.bellsouth.net)
Date: 06/19/04
- Next message: Duane Arnold: "Re: good article on NAT router security"
- Previous message: Michael A. Covington: "Opinions: To NAT or not to NAT?"
- In reply to: steve h.: "good article on NAT router security"
- Next in thread: shopping.nowthor.com: "Re: good article on NAT router security"
- Reply:(deleted message) shopping.nowthor.com: "Re: good article on NAT router security"
- Reply: Duane Arnold: "Re: good article on NAT router security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 19 Jun 2004 15:44:42 -0400
"steve h." <steve2470nonsense@nonsensemailblocks.com> wrote in message
news:1AYAc.134474$Ol3.61090@twister.tampabay.rr.com...
> Busting the NAT Myth
> By Sig Fidyke, Senior Product Manager, and Scott Pinzon, LiveSecurity
> Lead Editor, WatchGuard Technologies, Inc.
>
> Have you ever settled down to dinner, only to be interrupted by
> unsolicited telemarketing phone calls? It makes you glad that at work,
> your business has a main number other than your desk phone. If necessary,
> you can tell the company receptionist, "Unless my boss or my spouse
> calls, don't forward any calls to me." Then if telemarketers call the
> main number, looking for you, the receptionist terminates their call
> without bothering you. In fact, if you wanted, you could keep your desk
> phone number completely private so that no one knew it except fellow
> employees and close family members.
>
> However, if you achieved that ideal, would you then say, "My private
> phone number makes me safe in all regards. Now we can fire the company's
> security guards and leave the doors unlocked"? Foolish, right? Yet for
> some reason, many people follow that very logic when concluding that a
> NAT device is a firewall. This article debunks the myth that a NAT device
> is "good enough" security, and explains why you're better off using a
> real firewall to protect your network.
>
> NAT Attacks
> Network Address Translation, or NAT, works roughly like the receptionist
> in our opening illustration. It hides your private, or unregistered,
> network addresses from the public. When packets leave your network,
> heading for the wild Internet, a NAT device replaces all private IP
> source addresses with one public address (usually its own). Since the NAT
> box advertises its own address to the world as the source address, all
> replies from the wild Internet return to the NAT device, analogous to the
> way phone calls to everyone at your company might first come to a main
> phone number. And just as the receptionist answering the main number can
> redirect incoming phone calls to the desired individual, NAT checks an
> internal table to redirect replies to the appropriate computer inside the
> network. If an attacker initiates a connection to your network through
> some oddball port, like 31337, the NAT box would check its table and
> think, "Gee, no one inside this network requested information on port
> 31337. Now I don't know who to send this packet to." Typically, it then
> drops the packet. So, in this sense, NAT-only devices do provide a
> modicum of security. (The rest of this article assumes you understand
> basic NAT, so if the concept is new to you, before continuing you might
> want to read "Using Network Address Translation" and "How and When to Use
> 1:1 NAT.")
>
> Since NAT is designed to do the best it can to allow traffic in, any
> security benefits it provides are mere side-effects. Hackers have
> developed attacks specifically for NAT devices, such as the following.
>
> Exploiting open ports. For port-based NAT, once a NAT device opens a port
> by putting it in the NAT table, all traffic destined to that port is
> allowed through to the local computer identified in the table. NAT
> substitutes unusual ports for well-known ports, but usually derives its
> substitute port numbers from a standard range. Hackers can persistently
> keep guessing at which ports NAT has opened until they get through. Since
> they use automated programs to do this, the hacker doesn't have to be
> overly persistent or lucky -- he just tries a lot of addresses until
> something breaks.
>
> Taking the DMZ server. Some NAT devices can be configured so that packets
> not matching anything in the NAT table are sent to a specified computer,
> rather than discarded. This gives the administrator a chance to ensure
> that good traffic is not lost, and to allow a program to work that won't
> work through NAT. But it's horrible from a security perspective. It means
> the NAT device sends everything through. Once a hacker gets control of
> the one computer where everything goes, he can easily access any other
> computer on the same network.
>
> Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone
> with sufficient technical knowledge, using hacking tools freely available
> on the Internet, can put another user's IP address in the "From" (source)
> field of packets. Since NAT relies on analyzing addresses, false
> addresses compromise NAT devices easily.
>
> Default remote access. Many NAT devices leave a port open to the public
> Internet, to allow remote administration. The port is protected by a
> password. Hackers circulate lists of open ports and the default passwords
> set by the manufacturer of each NAT device. If you haven't changed the
> default password protecting your NAT device, knowledgeable attackers can
> log themselves in and reconfigure your device. Then they have
> administrative privileges, and you don't.
>
> NAT devices were not designed to be true security devices, so they have a
> weak security stance. For example, a hacker can send an "anybody there?"
> message, called a ping, to millions of addresses. Firewalls recognize
> ping and hide themselves. NAT devices respond, letting the hacker know
> he's found a live connection. NAT devices don't do any egress filtering,
> either. So clearly, a NAT device is not a full security solution.
>
> Firewall Advantages
> Don't get us wrong. We like NAT. We think NAT is both cool and necessary.
> Our point is that a real firewall offers additional, significant security
> improvements on top of NAT. Here are a few.
>
> Authenticating connections. A NAT device checks only the source IP
> address, destination IP address, and related port numbers to decide if
> traffic is valid. A real firewall goes further. In addition to IP address
> and port information, the firewall also checks, for example, the sequence
> number of the packet for duplicates or out-of-bound values (hackers try
> to recycle an existing packet header with different data inside). Other
> firewall verification steps include user authentication, packet content
> inspection (e.g., does this HTTP packet really contain HTTP
> information?), and checking the IPs against black-listed sites.
>
> Controlling outbound traffic. Any defense offered by a NAT device deals
> only with inbound connections. Firewalls offer egress filtering -- the
> ability to close outgoing connections. Many Trojans are programmed to
> infect a machine, then "phone home" to their creator, using an obscure
> outbound port; egress filtering can stop this. Similarly, when worms
> infect a machine and seek to spread, egress filtering can prevent your
> network from becoming the worm's next launching pad.
>
> Securely handling special cases. True firewalls are aware of, and
> support, numerous applications that require special handling. Some NAT
> and low-cost "firewall-like" routers basically have to be shut off to
> allow, say, NetMeeting or audio/video streaming to function. Real
> firewalls handle them securely and without special user requirements. The
> firewall first identifies the packets as coming from a special
> application. It then rewrites and re-routes the packets compatibly with
> both the application and NAT.
>
> Robust processing power. Inexpensive NAT devices typically don't include
> the powerful processors required for "deep packet inspection." Even
> "firewall-like" routers will typically degrade significantly in
> performance if called upon to inspect each packet. Only devices designed
> to be a true firewall contain the muscle needed to combine security and
> performance.
>
> The list of firewall advantages goes on, including detailed logging that
> recognizes and records attacks; centralized management; and, in more
> expensive firewalls, advanced networking features (such as VLAN support
> and Quality of Service), the ability to set different policies for
> multiple networks, time-based policies, and more.
>
> Conclusion
> We hope you now understand the difference between a good-as-far-as-it-
> goes NAT box and the multi-faceted, layered security a firewall can
> offer. Though NAT can provide the equivalent of an "unlisted number" for
> clients on your network, that falls short of complete security. If you're
> serious about protecting your remote users and your network, deploy real
> firewalls -- preferably firewalls certified by a neutral third party,
> such as ICSA labs. The recent Sasser worm spread wildly even though it
> was helpless against firewalls -- which demonstrates afresh that your
> network security is only as good as your remote user security. ##
>
> <snip>
>
> --
> Air America Radio Orlando Petition
> http://www.geocities.com/steve2470/Air_America_Orlando.html
> Thanks for reading !
You have fallen prey to the propaganda of the people selling thousand dollar
firewalls.....
Of course a NAT device will never do the complex checking that a firewall
can do.
NAT devices can be stealth just like firewalls can be. Some NAT boxes are
much more than simple port blockers. You can't simply malign all
NAT/routers.
If you run a business, you need a heavy duty firewall.
If you are a home subscriber, have a good NAT/router that is stealthed
[doesn't respond to pings, or any TCP connection attempt], have a dynamic
IP, and practice safe computing, you are in pretty good shape.
If you are a spy, or a terrorist, or a criminal, the FBI can probably get
past your NAT if they can ID you. Let's hope that they do.
John
--
Check my web site for tips on ensuring safe computing in wired and wireless
home networking environments! www.pccitizen.com
You spend your whole life figuring out what you should have done with it, let
alone what it was all about. And then your children get to do it all over again.
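The quoted article describes three behaviours in prose: a port-based NAT table that forwards anything arriving on an opened public port, a "DMZ host" setting that redirects unmatched inbound packets instead of dropping them, and the egress filtering a NAT-only box lacks. The toy model below is an added illustration of those mechanics; it is not code from the article, from WatchGuard or from any poster in this thread. Addresses are taken from the RFC 5737 documentation ranges, the sequential port allocation, the egress allow-list and the class names are all assumptions, and the NatBox class deliberately follows the article's simplified picture (any source may use an opened mapping), which not every real NAT implementation matches.

```python
"""Toy model of a port-translating NAT box beside a stateful firewall that
adds the peer check and egress filter the article argues for.

Constructed example: every address, port and rule here is made up for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatBox:
    """Port-based NAT: one public IP, a table keyed by public port only."""
    public_ip: str
    dmz_host: Optional[str] = None   # 'default server' for unmatched inbound traffic
    next_port: int = 1024            # sequential allocation: trivially guessable
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Allocate a public port, record the mapping, rewrite the source."""
        port = self.next_port
        self.next_port += 1
        # remember the inside host AND the remote peer it was talking to
        self.table[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Plain NAT: anything arriving on an opened port goes to the mapped host."""
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            in_ip, in_port, _, _ = entry
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        if self.dmz_host is not None:        # DMZ setting: unmatched traffic forwarded
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None                          # no entry, no DMZ host: dropped


@dataclass
class StatefulFirewall(NatBox):
    """Same NAT, plus: inbound must come from the recorded peer; egress allow-list."""
    egress_allow: frozenset = frozenset({53, 80, 443})   # assumed policy

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_port not in self.egress_allow:
            return None                      # egress filter: 'phone home' blocked
        return super().outbound(pkt)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                      # no DMZ fallback on the firewall
        in_ip, in_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None                      # opened port but wrong peer: dropped
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def probe_opened_ports(box: NatBox, attacker_ip: str, lo: int, hi: int) -> list:
    """Attacker guesses public ports lo..hi-1; returns inside hosts that got a packet."""
    hits = []
    for port in range(lo, hi):
        fwd = box.inbound(Packet(attacker_ip, 40000, box.public_ip, port))
        if fwd is not None:
            hits.append((port, fwd.dst_ip, fwd.dst_port))
    return hits


def demo() -> dict:
    """Run the same traffic through a NAT-only box and the stateful firewall."""
    inside = Packet("192.168.1.10", 51000, "198.51.100.7", 80)   # LAN host browses
    nat = NatBox("203.0.113.1")
    fw = StatefulFirewall("203.0.113.1")
    nat.outbound(inside)
    fw.outbound(inside)
    # legitimate reply from the web server: both devices deliver it inside
    reply = Packet("198.51.100.7", 80, "203.0.113.1", 1024)
    results = {
        "nat_reply": nat.inbound(reply),
        "fw_reply": fw.inbound(reply),
        # scanner guessing through the (sequential) public port range
        "nat_scan_hits": probe_opened_ports(nat, "192.0.2.66", 1024, 1034),
        "fw_scan_hits": probe_opened_ports(fw, "192.0.2.66", 1024, 1034),
        # Trojan on the LAN host phoning home on an odd outbound port
        "nat_phone_home": nat.outbound(Packet("192.168.1.10", 51001, "192.0.2.66", 31337)),
        "fw_phone_home": fw.outbound(Packet("192.168.1.10", 51001, "192.0.2.66", 31337)),
    }
    # the 'DMZ host' setting: unmatched inbound probes are no longer dropped
    dmz = NatBox("203.0.113.1", dmz_host="192.168.1.50")
    results["dmz_hits"] = probe_opened_ports(dmz, "192.0.2.66", 31337, 31340)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the article's points side by side: the scanner's probe on port 1024 reaches the inside host through the NAT-only box but is dropped by the firewall because the source is not the recorded peer, the 31337 phone-home leaves through the NAT box but not the firewall, and every probe against the DMZ-configured box lands on the DMZ host.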