Re: NAT is not a mechanism for securing a network.. but.. HELP!

From: Duane Arnold (notme_at_notme.com)
Date: 08/24/05 

Date: Wed, 24 Aug 2005 07:02:43 GMT

"Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote in
news:11go2gq2n2d2h42@corp.supernews.com:

>
> "Duane Arnold" <Notme@Notme.com> wrote in message
> news:7QMOe.302032$xm3.164076@attbi_s21...
>>
>> "Nicky" <hackeras@gmail.com> wrote in message
>> news:1124832068.019507.164860@g44g2000cwa.googlegroups.com...
>> > But how is this possible?!?! :-)
>> >
>> > I mean if you have set up NO port redirection on your router how
>> > can any probe of any kind manage to pass through the router?!?
>> >
>> > And also you said that on the host that SQL server was running all
>> > ports were closed as well!
>>
>> Well the firmware for the 11S4 router has no FW like software like
>> SPI so it wasn't and is not doing packet inspection. The packets
>> could be spoofed and bogus packets slipped in I guess. I read an
>> article Watchguard put out awhile back about how NAT routers can be
>> attacked. You should be able to find such information on with Google.
>> The machine that is running SQL Server is up 24/7 365 and what
>> altered me to the situation was BlackIce at the time when I was using
>> BI with it set properly out of its auto settings to supplement the
>> NAT router when Linksys removed SPI from the firmware for all
>> BEFW11S4 version routers.
>>
>> Duane :)
>
> I just came across this thread but I've been interested in learning
> more about the security (or lack thereof) of NAT for a long time.
>
> I found (I think) the Watchguard paper mentioned above
> (https://www.watchguard.com/docs/whitepaper/RealFirewall_wp.pdf)
> It is the expected collection of FUD, bogus statistics, illogical and
> unsupported conclusions, irrelevant scare stories, and strawman
> arguments that one would expect (they do after all want you to buy
> one of their firewalls).

The link above is NOT the article I was talking about which came as an
email to me when I subscribed to WG's customer support.

Not to be smart here, but you're some kind of expert? I would like to see
you counter those claims with some facts even in the above link instead of
coming up with this, that and the other as to what you think WG or any
other FW appliance solution vendor is suppose to be up to with some kind of
scare tactics, FUD or whatever else. :)

 
>
> But there was one claim that sounded like a serious problem for NAT
> devices if true... They said:
> "[There are hacker tools for...] Exploiting open ports. Once a NAT
> device opens a port by putting it in the NAT table, all traffic
> destined to that port is allowed through to the local computer
> identified in the table. Hackers use automated programs to guess which
> ports NAT has opened, and they keep trying until they get through."
>
> Can anybody point me to some reliable documentation on this?

And that's most likely what happened to my setup using SQL Server as each
time the attack happened behind the Linksys NAT router with no SPI, I had
left the machine a Windows NT based O/S using a NG reader on an open NG
article with port 119 open. The machine went into a lockout mode with port
119 open for long periods of time hours and hours before I came back to the
machine. Under those circumstances did BlackIce ever sound off about probes
reaching the machine and altered and *blocked* them on the SQL Server port
being probed.

I left BI on the machine for a long time period behind the WG for the above
conditions to see what would happen and BI never altered. So, I removed BI
from the computer. However, I get lots of unsolicited inbound traffic that
is being blocked by the WG every time I leave any machine on my network in
the above state, even my laptop has SQL Server running and BlackIce is
still on that machine and active for its mobile ability in connecting to
networks other than my own and BI has not sounded off, which probes for SQL
Server reached that machine too. I am sure nothing is going to come through
like it did with the Linksys.

Duane :)
    

Relevant Pages

  • RE: cant access others computer anymore
    ... Lots of Access Point has Router function and may have build-in NAT support. ... only HTTP package from port 80) ... | When implementing a wireless solution you usually buy an ADSL ...
    (microsoft.public.windowsxp.general)
  • Re: Stateful Packet Inspection Firewall
    ... you need a router with NAT to establish multiple machines to use one public ... An SPI firewall will help to keep out hackers/crackers and you will ... not application based but port based. ...
    (comp.security.firewalls)
  • Re: How did they get past my NAT?
    ... network), I get no response, because there is no "Default host" set up ... behind my NAT, and no port forwarding for that port - if an explicit ... as I understand?), and not forwarded on the router, so there should be ...
    (comp.security.firewalls)
  • Re: Port Filtering - Got it & Follow-up
    ... The key is that basic NAT built into a c/d router will stop ... Since your router does have port filters however, ... You can add additional packet filters to keep someone from using ...
    (comp.security.firewalls)
  • Re: NAT vs Firewall
    ... SPI will help in logging, email alerts and stopping hacker attempts. ... Your NAT router might do this already as it may have other coding to see spoof, ... Firewall Type ...
    (comp.security.firewalls)