Re: NAT is not a mechanism for securing a network.. but.. HELP!
From: Duane Arnold (notme_at_notme.com)
Date: 08/24/05
- Next message: GuitarMan: "Re: Earn 12% daily of your investment!!!"
- Previous message: Moe Trin: "Re: Is There a Virus that Breaks DNS?"
- In reply to: Stuart McGraw: "Re: NAT is not a mechanism for securing a network.. but.. HELP!"
- Next in thread: Stuart McGraw: "Re: NAT is not a mechanism for securing a network.. but.. HELP!"
- Reply: Stuart McGraw: "Re: NAT is not a mechanism for securing a network.. but.. HELP!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 24 Aug 2005 20:33:54 GMT
"Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote in
news:11gpifl69u6r6b1@corp.supernews.com:
> "Duane Arnold" <notme@notme.com> wrote in message
> news:Xns96BC14CD7E264notmenotmecom@63.240.76.16...
>> "Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote in
>> news:11go2gq2n2d2h42@corp.supernews.com:
>>
>> > "Duane Arnold" <Notme@Notme.com> wrote in message
>> > news:7QMOe.302032$xm3.164076@attbi_s21...
>> >>
>> >> "Nicky" <hackeras@gmail.com> wrote in message
>> >> news:1124832068.019507.164860@g44g2000cwa.googlegroups.com...
>> >> > But how is this possible?!?! :-)
>> >> >
>> >> > I mean if you have set up NO port redirection on your router how
>> >> > can any probe of any kind manage to pass through the router?!?
>> >> >
>> >> > And also you said that on the host that SQL server was running
>> >> > all ports were closed as well!
>> >>
>> >> Well the firmware for the 11S4 router has no FW like software like
>> >> SPI so it wasn't and is not doing packet inspection. The packets
>> >> could be spoofed and bogus packets slipped in I guess. I read an
>> >> article Watchguard put out awhile back about how NAT routers can
>> >> be attacked. You should be able to find such information on with
>> >> Google. The machine that is running SQL Server is up 24/7 365 and
>> >> what alerted me to the situation was BlackIce at the time when I
>> >> was using BI with it set properly out of its auto settings to
>> >> supplement the NAT router when Linksys removed SPI from the
>> >> firmware for all BEFW11S4 version routers.
>> >>
>> >> Duane :)
>> >
>> > I just came across this thread but I've been interested in learning
>> > more about the security (or lack thereof) of NAT for a long time.
>> >
>> > I found (I think) the Watchguard paper mentioned above
>> > (https://www.watchguard.com/docs/whitepaper/RealFirewall_wp.pdf)
>> > It is the expected collection of FUD, bogus statistics, illogical
>> > and unsupported conclusions, irrelevant scare stories, and strawman
>> > arguments that one would expect (they do after all want you to buy
>> > one of their firewalls).
>>
>> The link above is NOT the article I was talking about which came as
>> an email to me when I subscribed to WG's customer support.
>>
>> Not to be smart here, but you're some kind of expert? I would like
>> to see you counter those claims with some facts even in the above
>> link instead of coming up with this, that and the other as to what
>> you think WG or any other FW appliance solution vendor is suppose to
>> be up to with some kind of scare tactics, FUD or whatever else. :)
>>
>> > But there was one claim that sounded like a serious problem for NAT
>> > devices if true... They said:
>> > "[There are hacker tools for...] Exploiting open ports. Once a NAT
>> > device opens a port by putting it in the NAT table, all traffic
>> > destined to that port is allowed through to the local computer
>> > identified in the table. Hackers use automated programs to guess
>> > which ports NAT has opened, and they keep trying until they get
>> > through."
>> >
>> > Can anybody point me to some reliable documentation on this?
>>
>> And that's most likely what happened to my setup using SQL Server as
>> each time the attack happened behind the Linksys NAT router with no
>> SPI, I had left the machine a Windows NT based O/S using a NG reader
>> on an open NG article with port 119 open. The machine went into a
>> lockout mode with port 119 open for long periods of time hours and
>> hours before I came back to the machine. Under those circumstances
>> did BlackIce ever sound off about probes reaching the machine and
>> alerted and *blocked* them on the SQL Server port being probed.
>>
>> I left BI on the machine for a long time period behind the WG for the
>> above conditions to see what would happen and BI never alerted. So, I
>> removed BI from the computer. However, I get lots of unsolicited
>> inbound traffic that is being blocked by the WG every time I leave
>> any machine on my network in the above state, even my laptop has SQL
>> Server running and BlackIce is still on that machine and active for
>> its mobile ability in connecting to networks other than my own and BI
>> has not sounded off, which probes for SQL Server reached that machine
>> too. I am sure nothing is going to come through like it did with the
>> Linksys.
>>
>> Duane :)
>
> Duane,
>
> First, thanks for your response, it was interesting and helpful. But
> I think I would still like to find something more concrete, like
> actual exploit code, an analysis of such code, or an analysis (at the
> packet level) of an actual attack.
>
> Nope, I am definitely not an expert -- I am just looking for some
> reliable info. For years I have heard people claim that NAT could be
> circumvented but I have yet to see any real proof of this (although I
> have not spent much time looking.)
>
> If you ever come across the paper you read, I would love to get a
> pointer to it.
>
> As for the Watchguard white paper, my point was that it is a
> marketing paper, not an objective, factual, neutral, report on the
> differences between NAT routers and "real firewalls" [sic] and as
> such, may be a source for questions to look into, but not of answers.
>
> Since you asked for some specific criticisms...
> They debunk the myth that a NAT router provides as strong security as
> a "real firewall". Maybe some people claim that. I wouldn't, and
> don't know anyone who would. What I have heard is the claim that NAT
> security is "good enough" in some environments so I think WG's "myth"
> is a strawman argument.
>
> They mention pings and then say "NAT devices, however, respond,
> letting the hacker know he's found a live connection and an easy way
> in to the network." Exactly how does a ping response indicate an
> ***easy*** (my emphasis) way into the network?
Well I can say this, I went to a site that did ping testing with the
Linksys NAT router at the time and the machines behind the router
responded to the ping test. I had to go to the BlackIce firewall.ini file
on the machine and set an ICMP rule in the file to get the machines to
not respond and pass the tests.
As opposed to using the WG I now use, and I can check on the rule *Do
not respond to the Ping requests received on the External Network*.
I see the WG responding to them in the WatchGuard syslog by using
Wallwatcher by passing the inbound request as indicated by a red "P" in
the logs but no machine behind the router is responding with outbound
when it happens. This happens in the syslog on a routine basis.
Not once did the Linksys NAT router in its syslog using Wallwatcher
indicate any ping attempts. Nor did BI show in its logs that it was not
responding, but BI did allow me to pass the above ping test and I'll
assume that BI was doing its job at the time.
>
> They say "Clearly the cost to protect against the probability of
> attack is far less than the cost of clean up", based on an estimate
> that 40% of small businesses each year have intrusions and another
> estimate that the average cost per intrusion is $150K. But even if
> one takes the provided numbers at face value, the latter figure is
> (AFAICT) for ***all*** businesses (large and small). I would guess
> that intrusion incidents in large companies are much more expensive
> than in small companies, so the conclusion is not at all that "clear"
> to me.
Whatever the cost is, it's a cost and a hassle any way one looks at it.
>
> They say:
> "Interestingly, hackers have developed attacks specifically for NAT
> devices, including:" and go on to say that one of these is trying the
> manufacturer's default password on a network accessible admin port.
> This is "NAT-specific"? And although a design that permits use
> without forcing a password change from the default value is not very
> good, it is a trivial problem to deal with (change the damn password!)
> and hardly a reason not to buy a device, let alone a whole class of
> devices.
NAT routers do have remote admin capabilities and if it is not protected
properly, and most don't apparently, particularly in a small business or
home LAN situation, the network can be compromised.
>
> This is just a small sample of what I was talking about, it would take
> a day or more to go through the whole paper, and pick out all the
> incidences of slanted presentation.
I see those as facts. And you're going to have to come up with some kind
of solid evidence to prove otherwise. And again, that was not the white
paper or article I got from WG that I have mentioned and the paper was
not trying to sell anything or slant presentation as you put it.
>
> Lest I be misunderstood, I am not saying that NAT is as secure as a
> good well configured firewall, that WG products are bad, that
> firewalls are useless, or even that particular white paper is
> exceptionally bad. All I am saying is that it is a typical marketing
> whitepaper, designed to sell the company's products and does not
> present a fair picture of the security differences between NAT routers
> and firewalls.
>
My WG uses NAT too because it must map external IP traffic to internal
LAN IP(s) and is mapping technology. NAT by itself is a very limited
means of protection from the Internet. I myself would use a NAT router
backed by a personal FW solution in the home. I would never use a NAT
router that just had NAT to protect a business situation, which is what
that Linksys router turned out to be once SPI was removed -- a simple NAT
router device. None of the cheap D-link, Belkin, Netgear, Linksys or
otherwise low-end models would I use to protect a business. But that's
just me.
Duane :)
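The quoted Watchguard claim ("once a NAT device opens a port by putting it in the NAT table, all traffic destined to that port is allowed through") is easiest to reason about with a small model of the translation table. The following is an added example written for this thread, not code from either poster or from any vendor: a toy NAT with one public address, where mappings are created only by outbound traffic, run under two policies named after the RFC 3489 classification (a "full cone" NAT forwards anything arriving at a mapped external port; a "port restricted cone" NAT forwards only packets from the peer the internal host originally contacted). The internal host, the news server it reads from on port 119, the probing host, and all ports are constructed sample values.

```python
# Added example (not from the thread): a toy NAT translation table showing
# what an outbound-created mapping does and does not let in.
# Policy names follow RFC 3489; all addresses and ports are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    internal_ip: str
    internal_port: int
    peer_ip: str       # remote host the internal client first talked to
    peer_port: int


class Nat:
    """Minimal NAT box: one public address, mappings created by outbound traffic only."""

    def __init__(self, public_ip: str, policy: str) -> None:
        if policy not in ("full_cone", "port_restricted"):
            raise ValueError("unknown policy: %r" % policy)
        self.public_ip = public_ip
        self.policy = policy
        self.table: Dict[int, Mapping] = {}   # external port -> mapping
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> int:
        """Translate an internal->Internet packet; return the external port it leaves on."""
        for ext_port, m in self.table.items():
            if (m.internal_ip, m.internal_port) == (pkt.src_ip, pkt.src_port):
                return ext_port                # reuse the existing entry
        ext_port = self._next_port
        self._next_port += 1
        self.table[ext_port] = Mapping(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return ext_port

    def inbound(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Return (internal_ip, internal_port) if the packet is forwarded, None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        m = self.table.get(pkt.dst_port)
        if m is None:
            return None                        # no table entry behind this port
        if self.policy == "port_restricted" and \
                (pkt.src_ip, pkt.src_port) != (m.peer_ip, m.peer_port):
            return None                        # entry exists, but sender is not the original peer
        return (m.internal_ip, m.internal_port)


def run_scenario(policy: str) -> Dict[str, Optional[Tuple[str, int]]]:
    """An internal host reads news (port 119) through the NAT; then three inbound packets arrive."""
    nat = Nat("198.51.100.1", policy)          # constructed public address
    client, news_server, prober = "192.168.1.10", "203.0.113.20", "203.0.113.99"
    ext_port = nat.outbound(Packet(client, 3021, news_server, 119))
    return {
        # the legitimate reply from the news server
        "reply_from_peer": nat.inbound(Packet(news_server, 119, nat.public_ip, ext_port)),
        # an unrelated host that guessed the mapped external port
        "probe_mapped_port": nat.inbound(Packet(prober, 1434, nat.public_ip, ext_port)),
        # the same host probing a port with no table entry
        "probe_other_port": nat.inbound(Packet(prober, 1434, nat.public_ip, ext_port + 1)),
    }


if __name__ == "__main__":
    for policy in ("full_cone", "port_restricted"):
        print(policy, run_scenario(policy))
```

Under the full-cone policy the guessed port is delivered, which is the behaviour the white paper describes, but it is delivered only to the internal host and port already in the table (the news reader's socket here), not to an arbitrary service on the LAN. Under the port-restricted policy the same probe is dropped because the sender is not the peer that the mapping was created for; that source check is the stateful part that a NAT-only device lacks and that the thread refers to as SPI. Ping handling is not modelled.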