nanog mailing list archives

Re: Is NAT can provide some kind of protection?

From: Douglas Otis <dotis () mail-abuse org>
Date: Fri, 14 Jan 2011 18:52:09 -0800

On 1/14/11 4:10 PM, William Herrin wrote:

On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong<owen () delong com>  wrote:

Ah, but, the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing.

As for strictly passive attacks, like the so-called drive by download,
it is not obvious to me that they would operate differently in a NAT
versus non-NAT stateful firewall environment. Please elucidate.

Systems having poor integrity are often _incorrectly_ considered 'safe'behind typical firewalls, but their exposure often includes more thanjust IP address contacted in a URI. Once initiated, often internalhosts remain connected with any IP address on non-symmetric NATs forsome period beyond an initial exchange. A behavior promoted to supportteredo, for example. Don't think no one is using IPv6, even when thereis only IPv4 access.


http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

Explain how [NAT] acts as an enabler.

Consider the impact the typical NAT or "firewall" has on DNS.

Hi Doug,

You'd make the argument that NAT aggravates Kaminsky? If you have
something else in mind, I'll have to ask you to spell it out for me.

Many of these products themselves are insecure due to bugs in theirreference design dutifully replicated by CPE manufactures. Thesedevices often keep no logs, and might even redirect specific DNS querieswhen owned, where a power-cycling removes all evidence. Even Ciscofirewalls were mapping a range of IP addresses, rather than portmapping, and exposed systems unable to endure this type of exposure tothe Internet. While it is possible to have a well implemented NAT,many are unable to support DNS TCP exchanges or handle DNSsec. The samedevices often restrict port ranges, where prior access to an attacker'sauthoritative servers gives significant poisoning clues on subsequentexchanges driven by injected iFrames. A system not safe on theInternet, often is also not safe behind the typical CPE NAT/firewall.


-Doug

Current thread:

Re: Is NAT can provide some kind of protection?, (continued)
- - - Re: Is NAT can provide some kind of protection? Douglas Otis (Jan 14)
    - Re: Is NAT can provide some kind of protection? William Herrin (Jan 14)
    - RE: Is NAT can provide some kind of protection? George Bonser (Jan 14)
    - Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 15)
    - Re: Is NAT can provide some kind of protection? Joel Jaeggli (Jan 15)
    - Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 15)
    - Re: Is NAT can provide some kind of protection? Marshall Eubanks (Jan 15)
    - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 15)
    - Re: Is NAT can provide some kind of protection? Stephen Davis (Jan 15)
    - Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 16)
    - Re: Is NAT can provide some kind of protection? Douglas Otis (Jan 14)
    - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
    - Re: Is NAT can provide some kind of protection? David Barak (Jan 12)
    - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
    - Re: Is NAT can provide some kind of protection? Jack Bates (Jan 13)
    - Re: Is NAT can provide some kind of protection? Dobbins, Roland (Jan 13)
    - Re: Is NAT can provide some kind of protection? Jack Bates (Jan 13)
    - Re: Is NAT can provide some kind of protection? William Herrin (Jan 13)
    - Re: Is NAT can provide some kind of protection? Jack Bates (Jan 13)
    - Re: Is NAT can provide some kind of protection? William Herrin (Jan 13)
    - Re: Is NAT can provide some kind of protection? Lamar Owen (Jan 13)

(Thread continues...)