Re: NAT is not a mechanism for securing a network.. but.. HELP!

From: Stuart McGraw (smcg4191zz_at_friizz.RimoovAllZZs.com)
Date: 08/25/05


Date: Thu, 25 Aug 2005 12:11:38 -0600


"Volker Birk" <bumens@dingens.org> wrote in message news:430d5bf7@news.uni-ulm.de...
> Stuart McGraw <smcg4191zz@friizz.rimoovallzzs.com> wrote:
> > Nope, I am definitely not an expert -- I am just looking for some reliable
> > info. For years I have heard people claim that NAT could be circumvented
> > but I have yet to see any real proof of this (although I have not spent much
> > time looking.)
>
> Just try it yourself. Take a simple masquerading device, send from outside
> a spoofed packet, which seems to come from inside, and sniff inside, if the
> packet is routed. There is enough spoofing software in the wild, so you
> can hack this simple task with BSD sockets yourself, or you could use
> ready-made software to generate the packets.

I'll try if I can, but the only outside network I have access to right now
is my ISP's and I think they do ingress/egress filtering so I may not be able
to. However you and a couple other people have said this is true and
it sounds reasonable to me... I was not aware that this was the case.

> > They debunk the myth that a NAT router provides as strong security as a
> > "real firewall". Maybe some people claim that. I wouldn't, and don't know anyone
> > who would.
>
> Together with clever filtering, a NAT router can provide good security
> against such attacks.
>
> > They mention pings and then say "NAT devices, however, respond, letting
> > the hacker know he's found a live connection and an easy way in to the
> > network." Exactly how does a ping response indicate an ***easy*** (my emphasis)
> > way into the network?
>
> It doesn't. This is only nonsense. People, who are blocking ICMP echo,
> don't understand the TCP/IP network protocol family. That's all.
>
> Those people usually think that you could "stealth" your computer by doing
> this, making it "invisible" in the Internet.
>
> This is monkey business. The reason is, that they did not understand TCP
> nor IP or ICMP, because:
>
> If there is really no computer at a specific IP address, you're getting
> a packet back!
>
> Why?
>
> The router before the non-existing PC then is sending an ICMP packet,
> either which means "no computer here", or which means "the complete
> network is not here, so there cannot be a computer" (ICMP destination
> unreachable message with code 0 or 1, see RFC 792, STD 0005).
>
> So getting no information back is a sure sign, that there _is_ a computer
> on the other side, and it's running braindead "security" software like
> Zonealarm ;-)
>
>
> > "Interestingly, hackers have developed attacks specifically for NAT devices,
> > including:" and go on to say that one of these is trying the manufacturer's
> > default password on a network accessible admin port. This is "NAT-specific"?
>
> Of course not.
>
> > Lest I be misunderstood, I am not saying that NAT is as secure as a good
> > well configured firewall, that WG products are bad, that firewalls are useless,
> > or even that particular white paper is exceptionally bad. All I am saying
> > is that it is a typical marketing whitepaper, designed to sell the company's
> > products and does not present a fair picture of the security differences
> > between NAT routers and firewalls.
>
> Firewall is a term, most people use other than it was intended.

I always thought a firewall was anything that enforced a security policy
between two networks. So the issue is what security policy is appropriate,
and what hardware/software most reliably and cost effectively implements
that policy, not the name a vendor decided to give a box. I have always
been a little annoyed by the term "real firewall" for that reason.

> "Personal Firewalls" like Zonelabs or Symantec are selling, are anything
> else, but not Firewalls.
>
> Usually, they're host based port filters, badly implemented compared to
> i.e. the Windows-Firewall (which is also not a firewall, but a simple
> host based packet filter, but which is OK in the way, that it works good),
> combined with a lot of bells and whistles, to make users feel a false
> sense of security. The rest of the features of the "Personal Firewalls"
> have a placebo effect, one can say.
>
> So it is with the "stealth" feature. And it's not the worst thing -
> some features of the "Personal Firewalls" are even worse, they're making
> the PC more insecure and not more secure, they should protect.
>
> Those features are for example windows opened from system services or
> even the possibility to filter out your secrets like a PIN for your
> banking account from every network traffic.
>
> The latter for example is so dangerous, that it is like publicizing your
> PIN to everybody, who has a webserver you're looking at pages from.
>
> Why?
>
> Send inside HTML all numbers between 0000 and 9999 (hey, these are only
> 10.000 numbers, no problem) to the Browser of the user as content i.e.
> inside invisible form fields. The one number, which is missing, when the
> user sends back the form, is the PIN. ;-)
>
> People, who are selling _this_ to you as a security feature (like
> Symantec or Zonelabs and so on) have understood really _nothing_
> about security.
>
> They're just the same people, who're making your PC "invisible" in the
> Internet, because they're filtering ICMP echo ;-)
>
> Yours,
> VB.
> --
> "It cannot be that the frustrated in Rome determine what happens in
> German bedrooms."
> Harald Schmidt on "World Youth Day"

Interesting, thanks!
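
Added example, not part of the original post: a small Python model of the point discussed in the thread above, that a masquerading device only rewrites addresses and still routes a packet arriving on its outside interface unless a filter drops it. The prefixes, addresses, `Packet` and `Gateway` are constructed for illustration, and port-preserving NAT is assumed.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")    # constructed inside prefix
WAN_IP = ipaddress.ip_address("203.0.113.10")   # constructed outside address

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

class Gateway:
    """Toy model of a masquerading router (hypothetical, port-preserving NAT)."""

    def __init__(self, antispoof=False, stateful=False):
        self.antispoof = antispoof   # drop inside source addresses seen on WAN
        self.stateful = stateful     # drop WAN->LAN traffic with no known flow
        self.flows = set()           # (inside ip, inside port, remote ip, remote port)

    def handle(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if p.iface == "lan":
            # Outbound: remember the flow; the source is rewritten to WAN_IP.
            self.flows.add((src, p.sport, dst, p.dport))
            return "forward: masqueraded"
        if self.antispoof and src in LAN:
            return "drop: inside source on outside interface"
        if dst == WAN_IP:
            # Only replies to a recorded flow are translated back inside.
            for inside, iport, remote, rport in self.flows:
                if (remote, rport, iport) == (src, p.sport, p.dport):
                    return f"forward: reply to {inside}"
            return "drop: no NAT mapping"
        if dst in LAN:
            # NAT has nothing to say here; plain routing decides.
            if self.stateful:
                return "drop: unsolicited"
            return "forward: routed unfiltered"
        return "drop: not routable here"

if __name__ == "__main__":
    spoofed = Packet("wan", "192.168.1.50", "192.168.1.20", 1234, 80)
    for name, gw in [("NAT only", Gateway()),
                     ("NAT + filtering", Gateway(antispoof=True, stateful=True))]:
        print(f"{name:16} {gw.handle(spoofed)}")
```

The anti-spoofing check alone does not cover a packet with an honest outside source addressed directly to an inside host; in this model that case is dropped only when the stateful rule is also enabled.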


