Re: NAT is not a mechanism for securing a network.. but.. HELP!

From: Stuart McGraw (smcg4191zz_at_friizz.RimoovAllZZs.com)
Date: 08/24/05


Date: Wed, 24 Aug 2005 13:26:31 -0600


"Duane Arnold" <notme@notme.com> wrote in message news:Xns96BC14CD7E264notmenotmecom@63.240.76.16...
> "Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote in
> news:11go2gq2n2d2h42@corp.supernews.com:
>
> > "Duane Arnold" <Notme@Notme.com> wrote in message
> > news:7QMOe.302032$xm3.164076@attbi_s21...
> >>
> >> "Nicky" <hackeras@gmail.com> wrote in message
> >> news:1124832068.019507.164860@g44g2000cwa.googlegroups.com...
> >> > But how is this possible?!?! :-)
> >> >
> >> > I mean if you have set up NO port redirection on your router how
> >> > can any probe of any kind manage to pass through the router?!?
> >> >
> >> > And also you said that on the host that SQL server was running all
> >> > ports were closed as well!
> >>
> >> Well the firmware for the 11S4 router has no FW-like software like
> >> SPI so it wasn't and is not doing packet inspection. The packets
> >> could be spoofed and bogus packets slipped in I guess. I read an
> >> article Watchguard put out awhile back about how NAT routers can be
> >> attacked. You should be able to find such information with Google.
> >> The machine that is running SQL Server is up 24/7 365 and what
> >> alerted me to the situation was BlackIce at the time when I was using
> >> BI with it set properly out of its auto settings to supplement the
> >> NAT router when Linksys removed SPI from the firmware for all
> >> BEFW11S4 version routers.
> >>
> >> Duane :)
> >
> > I just came across this thread but I've been interested in learning
> > more about the security (or lack thereof) of NAT for a long time.
> >
> > I found (I think) the Watchguard paper mentioned above
> > (https://www.watchguard.com/docs/whitepaper/RealFirewall_wp.pdf)
> > It is the expected collection of FUD, bogus statistics, illogical and
> > unsupported conclusions, irrelevant scare stories, and strawman
> > arguments that one would expect (they do after all want you to buy
> > one of their firewalls).
>
> The link above is NOT the article I was talking about which came as an
> email to me when I subscribed to WG's customer support.
>
> Not to be smart here, but you're some kind of expert? I would like to see
> you counter those claims with some facts even in the above link instead of
> coming up with this, that and the other as to what you think WG or any
> other FW appliance solution vendor is supposed to be up to with some kind of
> scare tactics, FUD or whatever else. :)
>
> > But there was one claim that sounded like a serious problem for NAT
> > devices if true... They said:
> > "[There are hacker tools for...] Exploiting open ports. Once a NAT
> > device opens a port by putting it in the NAT table, all traffic
> > destined to that port is allowed through to the local computer
> > identified in the table. Hackers use automated programs to guess which
> > ports NAT has opened, and they keep trying until they get through."
> >
> > Can anybody point me to some reliable documentation on this?
>
> And that's most likely what happened to my setup using SQL Server as each
> time the attack happened behind the Linksys NAT router with no SPI, I had
> left the machine, a Windows NT based O/S, using a NG reader on an open NG
> article with port 119 open. The machine went into a lockout mode with port
> 119 open for long periods of time, hours and hours, before I came back to the
> machine. Under those circumstances BlackIce did sound off about probes
> reaching the machine, and alerted on and *blocked* them on the SQL Server port
> being probed.
>
> I left BI on the machine for a long time period behind the WG for the above
> conditions to see what would happen and BI never alerted. So, I removed BI
> from the computer. However, I get lots of unsolicited inbound traffic that
> is being blocked by the WG every time I leave any machine on my network in
> the above state, even my laptop has SQL Server running and BlackIce is
> still on that machine and active for its mobile ability in connecting to
> networks other than my own and BI has not sounded off, which probes for SQL
> Server reached that machine too. I am sure nothing is going to come through
> like it did with the Linksys.
>
> Duane :)

Duane,

First, thanks for your response, it was interesting and helpful. But I think
I would still like to find something more concrete, like actual exploit code,
an analysis of such code, or an analysis (at the packet level) of an actual
attack.

Nope, I am definitely not an expert -- I am just looking for some reliable
info. For years I have heard people claim that NAT could be circumvented
but I have yet to see any real proof of this (although I have not spent much
time looking.)

If you ever come across the paper you read, I would love to get a pointer
to it.

As for the Watchguard white paper, my point was that it is a marketing paper,
not an objective, factual, neutral report on the differences between NAT routers
and "real firewalls" [sic] and as such, may be a source for questions to look into,
but not of answers.

Since you asked for some specific criticisms...
They debunk the myth that a NAT router provides as strong security as a
"real firewall". Maybe some people claim that. I wouldn't, and don't know anyone
who would. What I have heard is the claim that NAT security is "good enough"
in some environments so I think WG's "myth" is a strawman argument.

They mention pings and then say "NAT devices, however, respond, letting
the hacker know he's found a live connection and an easy way in to the
network." Exactly how does a ping response indicate an ***easy*** (my emphasis)
way into the network?

They say "Clearly the cost to protect against the probability of attack is far
less than the cost of clean up", based on an estimate that 40% of small
businesses each year have intrusions and another estimate that the average
cost per intrusion is $150K. But even if one takes the provided numbers at
face value, the latter figure is (AFAICT) for ***all*** businesses (large and small).
I would guess that intrusion incidents in large companies are much more expensive
than in small companies, so the conclusion is not at all that "clear" to me.

They say:
"Interestingly, hackers have developed attacks specifically for NAT devices,
including:" and go on to say that one of these is trying the manufacturer's
default password on a network accessible admin port. This is "NAT-specific"?
And although a design that permits use without forcing a password change
from the default value is not very good, it is a trivial problem to deal with
(change the damn password!) and hardly a reason not to buy a device, let
alone a whole class of devices.

This is just a small sample of what I was talking about; it would take a
day or more to go through the whole paper and pick out all the instances
of slanted presentation.

Lest I be misunderstood, I am not saying that NAT is as secure as a good,
well-configured firewall, that WG products are bad, that firewalls are useless,
or even that that particular white paper is exceptionally bad. All I am saying
is that it is a typical marketing whitepaper, designed to sell the company's
products and does not present a fair picture of the security differences
between NAT routers and firewalls.
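The paragraph quoted from the WatchGuard paper ("once a NAT device opens a port by putting it in the NAT table, all traffic destined to that port is allowed through") is true of one kind of NAT and not of others. As an added illustration, not part of the thread or of the WatchGuard paper, the following Python model shows a NAT translation table under the three filtering behaviours defined in RFC 4787 (endpoint-independent, address-dependent, address-and-port-dependent). An internal host makes one outbound exchange; the model then asks whether the peer's reply, a packet from the same peer on a different port, and a packet from an unrelated sender aimed at the mapped external port are forwarded inward. The addresses are RFC 5737 documentation ranges, the mapping is assumed to be endpoint-independent for all three cases, and the class and function names are my own.

```python
"""
Toy model of a NAT translation table, illustrating the claim quoted in the
thread. Constructed example; not code from any router or vendor document.
Terminology for the filtering behaviours follows RFC 4787, section 5.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# RFC 4787 filtering behaviours (names are the RFC's; constants are mine)
ENDPOINT_INDEPENDENT = "endpoint-independent"          # any sender reaches the mapped port
ADDRESS_DEPENDENT = "address-dependent"                # only remote IPs already contacted
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"  # only exact remote IP:port contacted


class Nat:
    """Hypothetical NAT with endpoint-independent mapping and selectable filtering."""

    def __init__(self, external_ip: str, filtering: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.filtering = filtering
        self.next_port = first_port
        # external port -> (internal ip, internal port, remote (ip, port) pairs contacted)
        self.table: Dict[int, Tuple[str, int, Set[Tuple[str, int]]]] = {}
        # (internal ip, internal port) -> external port, so one mapping is reused
        self.by_internal: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an outbound packet, creating the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port)
        ext_port = self.by_internal.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.by_internal[key] = ext_port
            self.table[ext_port] = (pkt.src_ip, pkt.src_port, set())
        # Record which remote endpoint this mapping has talked to; the
        # restricted filtering modes consult this set on the way back in.
        self.table[ext_port][2].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet if the device forwards it, else None."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping for this external port: dropped
        int_ip, int_port, peers = entry
        if self.filtering == ENDPOINT_INDEPENDENT:
            allowed = True  # the behaviour the quoted paragraph describes
        elif self.filtering == ADDRESS_DEPENDENT:
            allowed = any(ip == pkt.src_ip for ip, _ in peers)
        else:
            allowed = (pkt.src_ip, pkt.src_port) in peers
        if not allowed:
            return None
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def scenario(filtering: str) -> Dict[str, bool]:
    """One outbound exchange from an internal host, then four inbound packets.

    Returns, per probe, whether the NAT forwarded it to the internal host.
    """
    nat = Nat("203.0.113.5", filtering)
    ext = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 53))
    mapped = ext.src_port
    probes = {
        "reply_from_peer": Packet("198.51.100.20", 53, "203.0.113.5", mapped),
        "same_host_other_port": Packet("198.51.100.20", 5353, "203.0.113.5", mapped),
        "unrelated_sender": Packet("192.0.2.77", 31337, "203.0.113.5", mapped),
        "unmapped_port": Packet("192.0.2.77", 31337, "203.0.113.5", mapped + 1),
    }
    return {name: nat.inbound(p) is not None for name, p in probes.items()}


if __name__ == "__main__":
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT, ADDRESS_PORT_DEPENDENT):
        print(mode, scenario(mode))
```

Under endpoint-independent filtering the unrelated sender's packet to the mapped port is forwarded, which is the behaviour the paper warns about; under address-and-port-dependent filtering only the peer's own reply gets through, and the unrelated probe is dropped with no packet-level evidence reaching the inside host. Which behaviour a given consumer router implements is not something its marketing tells you; it can be determined empirically from the outside of one's own device, and it is exactly the property a stateful (SPI) device is supposed to pin down regardless of how the NAT table is built.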


