NAT is not a mechanism for securing a network.. but.. HELP!

Guest
Archived from groups: comp.security.firewalls

Hi all!
First of all I have to say "sorry" for my English, which sometimes is not
very good (I write from Italy).
A question:
I often have to speak with some clients about security (I'm not a
specialist). Yesterday a person told me that an ADSL router with NAT
to separate his private network from the public network is a "good" solution for
his security. I know that this is a "wrong sentence" :) but how can
I demonstrate the opposite? How can I bypass a router? It is possible, I
suppose. Any suggestions??
thanks

smax371@hotmail.com
 

Nicky

But how is this possible?!?! :)

I mean if you have set up NO port redirection on your router how can
any probe of any kind manage to pass through the router?!?

And also you said that on the host that SQL server was running all
ports were closed as well!
 

Nicky

Well yes, but I was asking how the probe could manage to be
inserted into the LAN through the router, considering that the probe
attack was the one that initiated the connection to the router and not
coming back as a reply to a previous internal infected host request.

Of course what you describe is true and it works no matter if the router
is port forwarding or not.
 

Nicky

So if the malware uses some kind of stealth technique it would bypass the
router's restriction.

But tell us more please about the tunneling that cannot be stopped.
How does the tunneling scenario work?
 

Nicky

speeder wrote:

> OTOH, crashing a router is a much "simpler" thing to do depending on
> the router and your resources. And who can guarantee that a crashed
> router will continue to block outside connections? Doubtful but
> possible.


And how can a router be crashed? In what way?
Even if it gets amounts of packets trying to break in it would simply
reject them and only allow those set up in port redirection.
 

Nicky

Volker Birk wrote:

> Most NAT implementations have some weaknesses. First, usually a packet,
> which has a source address, which seems to come from inside the network,
> is accepted and routed inside.

What do you mean by that?
If a packet has a source address it must have come from a host inside the
network.
How otherwise? If it came from outside then it wouldn't have a source
address of type 10.0.0.x

> NAT routers with sensible filtering usually provide a high level of
> security. The security then comes from filtering, not from NAT. This
> is not a design flaw:
>
> Masquerading with NAT never was meant to provide security - it was
> developed in the times, where people were getting short of IP addresses,
> to provide a solution for having more devices than "real" addresses
> in the Internet.

Yes, very true, but by its nature it provides as a side effect some means
of security since it hides all hosts on the LAN behind 1 single public
IP address :)
 
Guest

In article <KNJOe.27469$HM1.791654@twister1.libero.it>, smax371
@hotmail.com says...
> Hi all!
> First of all I have to say "sorry" for my English, which sometimes is not
> very good (I write from Italy).
> A question:
> I often have to speak with some clients about security (I'm not a
> specialist). Yesterday a person told me that an ADSL router with NAT
> to separate his private network from the public network is a "good" solution for
> his security. I know that this is a "wrong sentence" :) but how can
> I demonstrate the opposite? How can I bypass a router? It is possible, I
> suppose. Any suggestions??
> thanks

NAT is only a simple means of blocking unsolicited inbound connections.
That means that there is no outbound limitation.

NAT is good for protecting home users' networks from uninvited inbound
connections, which is a reasonable thing for home users.

--

spam999free@rrohio.com
remove 999 in order to email me
 

Speeder

On Tue, 23 Aug 2005 18:20:26 GMT, "Smax" <smax371@hotmail.com> wrote:

> Hi all!
> First of all I have to say "sorry" for my English, which sometimes is not
> very good (I write from Italy).
> A question:
> I often have to speak with some clients about security (I'm not a
> specialist). Yesterday a person told me that an ADSL router with NAT
> to separate his private network from the public network is a "good" solution for
> his security. I know that this is a "wrong sentence" :) but how can
> I demonstrate the opposite? How can I bypass a router? It is possible, I
> suppose. Any suggestions??
> thanks

The reason why a NAT router is not a "good" solution has nothing to do
with the possibility of bypassing it. It is not a "good" solution
because there are *many* attacks that originate from action inside the
internal network. Executing a virus/trojan application, allowing
websites to install/run applications, entering information in
webforms, running unsecured wireless setups, .... The list goes on and
on and a NAT router will do nothing against those.

Bypassing a router, in the sense of making it transparent so you can
freely connect to services on the LAN side, by solely manipulating
packets and flags is not an easy task. You'd have more chances trying
to access its remote configuration feature (*if* you were lucky it's
enabled) and brute force the password with a dictionary attack of some
kind (double lucky!). That's the only feasible scenario I can think of
but very unlikely, even for home users.

OTOH, crashing a router is a much "simpler" thing to do depending on
the router and your resources. And who can guarantee that a crashed
router will continue to block outside connections? Doubtful but
possible.
 
Guest

"Smax" <smax371@hotmail.com> wrote in
news:KNJOe.27469$HM1.791654@twister1.libero.it:

> Hi all!
> First of all I have to say "sorry" for my English, which sometimes is
> not very good (I write from Italy).
> A question:
> I often have to speak with some clients about security (I'm not a
> specialist). Yesterday a person told me that an ADSL router with
> NAT to separate his private network from the public network is a "good"
> solution for his security. I know that this is a "wrong sentence"
> :) but how can I demonstrate the opposite? How can I bypass a
> router? It is possible, I suppose. Any suggestions??
> thanks
>
> smax371@hotmail.com

All you have to do is write a listening server program and
install it on the computer behind the router. Then you write a client
program and install it on a remote/Internet computer and have the server
program send outbound traffic to the remote IP making contact with the
remote client program. The NAT router (most NAT routers for home usage)
is not going to be able to stop the contact or traffic by setting rules
to stop the traffic.

Most NAT routers stop unsolicited inbound traffic by not forwarding the
traffic to the LAN behind the router. Yes, a NAT router has two
interfaces the WAN/Internet network interface the NAT router is
protecting from and LAN interface the network it's protecting.

A device such as a NAT router that is also running network FW software
would be able to stop inbound and outbound traffic by setting filtering
rules to stop the traffic by port, protocol, IP or packet attribute/
state.

As an example, you could install Gibson's *Leaktest* program on a machine
and allow it to phone home and see if the NAT router can stop the traffic
inbound or outbound by setting filtering rules to stop the outbound from
the LAN/IP/machine behind the router to the remote/Internet/IP or stop
inbound from the remote/Internet/IP.

The NAT router separates two networks, usually the Internet and the LAN
behind the router, and NAT provides a limited means of protecting the LAN
by not forwarding unsolicited inbound requests. But NAT is not FW software
where one can set filtering rules to control traffic. Also, most NAT
routers for home usage don't provide traffic logging so one could see if
dubious inbound or outbound traffic to a remote IP was even happening.

So if malware was to be installed on a machine behind the NAT router and
started phoning home, most NAT routers are not going to be able to stop the
malware and Leaktest will show you that. A router running network FW
software would be able to stop the traffic.

However, a NAT router is a good first line of defense for the home user.

Duane :)
 
Guest

CyberDroog <CyberDroog@ClockworkOrange.com> wrote in
news:jlumg11fep6415tlo5t74a841vmcodjme1@news.easynews.com:

>
> All you have to do is write and install a program *behind* the router?
> That isn't exactly a straight-forward answer to the question of how to
> *by-pass* a router.

Is it or is it not a way of bypassing the protection of the router?

You got a better way of directly attacking a NAT router, then let's see. :)

Duane :)
 
Guest

Oh, I am sure there are other ways of attacking a NAT router. I am not up
to speed on that as I am not one who would do such a thing in the first
place. I can certainly verify that they can be attacked. At least my old
Linksys NAT router was attacked as probes came through it at SQL Server
running on the machine with all ports closed by default and no port
forwarding or anything on the router, like a hot knife through butter.


Duane :)
 
Guest

"Nicky" <hackeras@gmail.com> wrote in message
news:1124832068.019507.164860@g44g2000cwa.googlegroups.com...
> But how is this possible?!?! :)
>
> I mean if you have set up NO port redirection on your router how can
> any probe of any kind manage to pass through the router?!?
>
> And also you said that on the host that SQL server was running all
> ports were closed as well!

Well the firmware for the 11S4 router has no FW-like software such as SPI so it
wasn't and is not doing packet inspection. The packets could be spoofed and
bogus packets slipped in I guess. I read an article Watchguard put out
awhile back about how NAT routers can be attacked. You should be able to
find such information with Google. The machine that is running SQL Server
is up 24/7 365 and what alerted me to the situation was BlackIce at the
time when I was using BI with it set properly out of its auto settings to
supplement the NAT router when Linksys removed SPI from the firmware for all
BEFW11S4 version routers.

Duane :)
 
Guest

In article <1124832068.019507.164860@g44g2000cwa.googlegroups.com>,
hackeras@gmail.com says...
> But how is this possible?!?! :)
>
> I mean if you have set up NO port redirection on your router how can
> any probe of any kind manage to pass through the router?!?
>
> And also you said that on the host that SQL server was running all
> ports were closed as well!

All it takes is the host (inside the network) to contact the hacker site
for instructions, and you are done.

So, what we mean is that your machine is compromised with something that
phones-home for instructions - your NAT router, which allows ALL
outbound does not stop the virus/worm since it's already inside your
network - it calls home to get more things/instructions and starts
spreading out over ports 135~139 & 445 since your NAT router doesn't
block those outbound either (by default).

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <1124836347.367236.287320@o13g2000cwo.googlegroups.com>,
hackeras@gmail.com says...
> Well yes, but I was asking how the probe could manage to be
> inserted into the LAN through the router, considering that the probe
> attack was the one that initiated the connection to the router and not
> coming back as a reply to a previous internal infected host request.
>
> Of course what you describe is true and it works no matter if the router
> is port forwarding or not.

No, it doesn't always work - as a simple rule, when I set up NAT routers,
the cheap ones that pretend to be firewalls, I block outbound to
destination ports 135 through 139, 445, 1433, 1434.

While this helps the chatter, it can also keep some viruses from
spreading outside your network to the Internet.

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <1124838075.026460.272410@f14g2000cwb.googlegroups.com>,
hackeras@gmail.com says...
> And how can a router be crashed? In what way?
> Even if it gets amounts of packets trying to break in it would simply
> reject them and only allow those set up in port redirection.

You might want to search Google for that one - it isn't so much that it
can be done, it's what state the forwarding/routing is left in when it
does fault.

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

Smax <smax371@hotmail.com> wrote:
> I often have to speak with some clients about security (I'm not a
> specialist). Yesterday a person told me that an ADSL router with NAT
> to separate his private network from the public network is a "good" solution for
> his security. I know that this is a "wrong sentence" :) but how can
> I demonstrate the opposite? How can I bypass a router? It is possible, I
> suppose. Any suggestions??

Most NAT implementations have some weaknesses. First, usually a packet
which has a source address which seems to come from inside the network
is accepted and routed inside.

This is why one wants to filter such packets on NAT boxes.

Additionally, usually NAT implementations have some state machines or
even heuristics for tracking protocols which are not just simply NATable.
Frequent examples for this are FTP, connectionless or encrypted protocols.

(to clarify: I mean masquerading with NAT here)

This often results in attack vectors: how to fake a connection which
does not exist, and how to insert packets which are accepted and
routed inside.

NAT routers with sensible filtering usually provide a high level of
security. The security then comes from filtering, not from NAT. This
is not a design flaw:

Masquerading with NAT never was meant to provide security - it was
developed in the times, where people were getting short of IP addresses,
to provide a solution for having more devices than "real" addresses
in the Internet.

Yours,
VB.
--
"It cannot be that the frustrated men in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
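The two filtering points made in this thread, Volker's (a masquerading box that trusts an inside-looking source address on the WAN side) and Leythos's (blocking outbound to destination ports 135-139, 445, 1433 and 1434, which is also what stops Duane's phone-home test), as an added example written for this page and not code from any router or from anyone in the thread. The LAN prefix 10.0.0.0/24 and the packet layout are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the filtering a masquerading NAT box needs on top of
# NAT itself. Not code from any router or from anyone in the thread.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_NET = ip_network("10.0.0.0/24")  # assumed: the LAN behind the router
# Destination ports Leythos blocks outbound on cheap NAT routers.
BLOCKED_EGRESS_PORTS = set(range(135, 140)) | {445, 1433, 1434}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def plain_nat(pkt):
    """Volker's weakness: masquerading alone trusts an inside-looking source,
    so a WAN packet claiming 10.0.0.x gets routed inside."""
    if ip_address(pkt.src) in LAN_NET:
        return "route-inside"
    return "nat-table-lookup"   # only replies to tracked flows get through


def ingress_check(pkt):
    """Anti-spoofing: a packet on the WAN side must not carry a private source."""
    if pkt.iface == "wan" and any(ip_address(pkt.src) in n for n in PRIVATE_NETS):
        return "drop:spoofed-private-source"
    return "pass"


def egress_check(pkt):
    """Outbound: the source must really be on the LAN, and the Windows/SQL
    ports the thread lists must not be reachable on the Internet."""
    if pkt.iface != "lan":
        return "pass"
    if ip_address(pkt.src) not in LAN_NET:
        return "drop:egress-spoof"
    if pkt.proto in ("tcp", "udp") and pkt.dport in BLOCKED_EGRESS_PORTS:
        return "drop:egress-port-%d" % pkt.dport
    return "pass"


def filter_packet(pkt):
    """Run the filter chain; the first non-pass verdict wins, like a rule list."""
    for check in (ingress_check, egress_check):
        verdict = check(pkt)
        if verdict != "pass":
            return verdict
    return "pass"


if __name__ == "__main__":
    spoofed = Packet("wan", "10.0.0.7", "10.0.0.5", 1433)   # constructed sample
    worm = Packet("lan", "10.0.0.5", "203.0.113.9", 445)    # constructed sample
    print("plain NAT:", plain_nat(spoofed), "| filtered:", filter_packet(spoofed))
    print("phone-home to 445:", filter_packet(worm))
```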
 
Guest

On Tue, 23 Aug 2005 23:08:03 +0200, Volker Birk wrote:

Volker, have you considered writing one of those "NAT for Dummies" kind of
books? This has been the clearest and simplest explanation of how NAT
routers function that I have seen anywhere.
 
Guest

In article <1124838620.861297.91990@g44g2000cwa.googlegroups.com>,
hackeras@gmail.com says...
> Yes, very true, but by its nature it provides as a side effect some means
> of security since it hides all hosts on the LAN behind 1 single public
> IP address :)

You mistakenly believe that security is somehow related to a normal
network function of routing. In the case of NAT, it could be a 1:1 NAT
which would not provide any protection, a 1:MANY NAT, or a MANY to MANY
NAT.....

NAT is not a security means/method, it's a routing method that appears
to have some partial security benefits.

--

spam999free@rrohio.com
remove 999 in order to email me
 

Nicky

Leythos wrote:

> NAT is not a security means/method, it's a routing method that appears
> to have some partial security benefits.

Well, that's what I said in other words. :)
NAT provides some simple means of security as a *side effect* considering
that its true nature by design was to solve the shortage of IP problem
and not security.
 

Nicky

Volker Birk wrote:
> Nicky <hackeras@gmail.com> wrote:
> > And how can a router be crashed? In what way?
>
> If it does NAT/masquerading, a DoS attack is very easy from inside. Just
> exploit the maximum size of the NAT table by flooding with packets opening
> a huge number of connections.

Yes, but in order to crash it this way you must attack it from the
inside.
But how will you be able to do that from the inside?
You must somehow infect an internal host to do that and that means you
have to pass through the router first somehow.

And also I would like to ask, if a router gets crashed what does that
mean?
That it stops responding and therefore stops blocking unsolicited
inbound connections so one could slip in?
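The NAT-table exhaustion Volker describes, modelled as an added example (not code from the thread or from any router): a toy masquerading table with a fixed maximum size, an infected LAN host opening thousands of flows, and the usual mitigation, a per-inside-host connection cap plus idle timeouts, so one host cannot take the whole LAN offline. Table size, limits and addresses are assumptions.

```python
from collections import defaultdict


class MasqTable:
    """Constructed toy masquerading table: maps an inside flow to a public
    source port. Not a real router implementation; a model of Volker's point
    that the table has a maximum size, and of one common mitigation."""

    def __init__(self, max_entries=1000, per_host_limit=None, idle_timeout=60.0):
        self.max_entries = max_entries
        self.per_host_limit = per_host_limit   # None = no per-host cap (the weak setup)
        self.idle_timeout = idle_timeout
        self.entries = {}                      # flow key -> (public port, last seen)
        self.per_host = defaultdict(int)       # inside ip -> live flow count
        self.next_port = 1024

    def expire(self, now):
        """Drop idle flows; returns how many were removed."""
        dead = [k for k, (_, seen) in self.entries.items() if now - seen > self.idle_timeout]
        for k in dead:
            self.per_host[k[0]] -= 1
            del self.entries[k]
        return len(dead)

    def open_flow(self, inside_ip, inside_port, dst, dport, now=0.0):
        """Allocate a public port for a new outbound flow, or None if refused."""
        key = (inside_ip, inside_port, dst, dport)
        if key in self.entries:                # existing flow: just refresh it
            port, _ = self.entries[key]
            self.entries[key] = (port, now)
            return port
        self.expire(now)
        if self.per_host_limit is not None and self.per_host[inside_ip] >= self.per_host_limit:
            return None          # this host is throttled; the other hosts keep working
        if len(self.entries) >= self.max_entries or self.next_port > 65535:
            return None          # table exhausted: every LAN host loses connectivity
        port, self.next_port = self.next_port, self.next_port + 1
        self.entries[key] = (port, now)
        self.per_host[inside_ip] += 1
        return port


def flood(table, attacker_ip, n, now=0.0):
    """Open n distinct flows from one inside host; returns how many got a mapping."""
    return sum(
        table.open_flow(attacker_ip, 10000 + i, "203.0.113.9", 80, now) is not None
        for i in range(n)
    )


if __name__ == "__main__":
    weak = MasqTable(max_entries=1000)
    print("flood, no per-host limit:", flood(weak, "10.0.0.66", 5000))
    print("legit host after flood:", weak.open_flow("10.0.0.5", 40000, "198.51.100.2", 443, 1.0))
    hardened = MasqTable(max_entries=1000, per_host_limit=200)
    print("flood, per-host limit:", flood(hardened, "10.0.0.66", 5000))
    print("legit host after flood:", hardened.open_flow("10.0.0.5", 40000, "198.51.100.2", 443, 1.0))
```

Whether the flooded router actually crashes, or what state its forwarding is left in, is firmware-specific; the model only shows the table filling and the mitigation keeping other hosts connected.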
 
Guest

Leythos <void@nowhere.lan> wrote:
>Nope, I think you assumed that the internet, from work, should not be
>restricted to anyone?
>
>In reality there are very few businesses that need to provide ANY
>internet access to employees while at work. Even ones that need internet
>access only need limited access in almost every case.

You've stated that several times in various articles. It is a
bogus claim which assumes that every business is the same as
yours apparently is. But other businesses have honest,
intelligent and diligent workers who need to get work done in
the most efficient and effective way possible, which often means
unrestricted access to the Internet.

Despite your bogus claims, before I retired I worked for a
company that believed exactly the opposite of what you say. I
had absolute total access to the Internet, as did virtually
*all* employees. That didn't mean I wasted company time doing
personal business on the Internet. I also had unlimited access
to a telephone with unlimited toll access too. And I had
unlimited access to company mail (USPS) and to a company
vehicle. Typically most employees did, and there were very few
abuses.

That was not a small company, and they actually have a senior
management position in charge of all network security. That
person literally wrote the book on Internet security...

I had always thought he got it pretty much right, yet here you
are saying he was wrong.

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
 
Guest

Nicky <hackeras@gmail.com> wrote:
> So if the malware uses some kind of stealth technique it would bypass the
> router's restriction.
> But tell us more please about the tunneling that cannot be stopped.
> How does the tunneling scenario work?

A classic scenario includes simulating an HTTPS connection, and
tunneling SSH through, and through SSH any other protocols.

http://www.agroman.net/corkscrew/

If HTTPS is not possible, there are several other techniques; among
them the wwwsh, which tunnels a simple remote control through HTTP.
Or you could use just this:

http://www.nocrew.org/software/httptunnel.html

A thing which works, if you have DNS, is DNS tunneling; but it's
very slow and low bandwidth, so one would use that only if there
are no other choices (mostly there are). Try NSTX.

Yours,
VB.
--
"It cannot be that the frustrated men in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

Shawn K. Quinn <skquinn@speakeasy.net> wrote:
> You have to be able to block outbound
> connections to have any notion of security.

This is not reliably possible. There is tunneling.

Yours,
VB.
--
"It cannot be that the frustrated men in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

Renegade <not.v@lid.net> wrote:
> On Tue, 23 Aug 2005 23:08:03 +0200, Volker Birk wrote:
> Volker, have you considered writing one of those "NAT for Dummies" kind of
> books? This has been the clearest and simplest explanation of how NAT
> routers function that I have seen anywhere.

Thanx! :)

Yours,
VB.
--
"It cannot be that the frustrated men in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
 
Guest

Nicky <hackeras@gmail.com> wrote:
> If a packet has a source address it must have come from a host inside the
> network.

No, unfortunately not. The source address can be just a fake.

Yours,
VB.
--
"It cannot be that the frustrated men in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"