Tzafrir Cohen wrote:

> On Thu, 8 Aug 2002, Shachar Shemesh wrote:
>
>> C. As a general rule, I wish people would stop looking at NAT as a
>> security device. NAT IS NOT A SECURITY DEVICE!! NAT is just a way to get
>> more IPs in this tough no-ips world of IPv4.
>
> Specifically:
>
> A NAT router has an added-value security feature: it "hides" your internal
> network, and thus makes it much harder to get through it. But...
>
> * If the NAT router is not well made, it may allow "specially-crafted"
>   packets to slip through.
>
> * If the NAT router is not well made, it may allow a remote attacker to
>   completely take over it, and thus expose your whole internal network.
>
> * Even if you cannot initiate a simple incoming connection, there may be
>   other ways to get in, e.g. by sending a message with some JavaScript
>   code to be executed by a mailer that happens to execute it.

That's what most people think, yes. Most people think that putting a NAT device on the entrance to their network is equivalent to placing an "allow all outgoing, drop all incoming" rule in a firewall. That is precisely the conception I am trying to break.

A NAT DEVICE IS AIMED AT CONNECTIVITY! Always keep that in mind. Even if I cannot break into the device itself, and you have not enabled any incoming services, assuming that you are secure is that warm and snuggly feeling security folks like to refer to as a "false sense of security".

Tzafrir has given one good example, in the form of JavaScript. I will give one more example: when you open an FTP connection, the related data connection creates a special case of connection that the NAT device will pass through and translate. By making a client open an FTP connection to my server (a task as simple as sending an HTML mail with an IMG tag pointing to ftp://rough.server.net) and injecting commands for the client to send there (again, a pretty simple task), an attacker can cause the NAT device to open an inbound connection to almost any given port.

Firewalls try to block these attacks (rarely successfully), but do you really expect a NAT device to do as good a job at it? If you answered "no", then ask yourself one more question: if you are going to put a FW anyways, why not let it do the NAT? What's to gain by doing two NATs?

The point I'm trying to make is, devices only doing NAT are good for providing NAT only. A NAT device is not a FW.

Shachar
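The FTP case Shachar describes is exactly the one an application-level gateway (ALG) on a firewall is supposed to police: the client's PORT command names the address and port a data connection should be opened to, and a NAT that translates that command blindly will punch whatever pinhole it names. The following Python is an added example, not code from the mail or from any NAT or firewall product; it models the two sanity checks a defender would want such an ALG to apply before translating a PORT command: the address in the command must match the client that owns the control connection, and the port must not be a privileged one. The client addresses and PORT lines in `SAMPLE_COMMANDS` are constructed for the example, and `alg_should_open_pinhole` and `min_port` are names chosen here, not any product's API.

```python
import re

# Matches the FTP PORT command: "PORT h1,h2,h3,h4,p1,p2"
# where the data port is p1 * 256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Return (ip, port) for a syntactically valid PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    values = [int(x) for x in m.groups()]
    # Every field is a single byte; anything larger is a malformed command.
    if any(v > 255 for v in values):
        return None
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def alg_should_open_pinhole(line, client_ip, min_port=1024):
    """Decide whether a (hypothetical) FTP ALG may translate this PORT command
    and open the inbound pinhole it asks for.

    client_ip is the internal address that owns the FTP control connection.
    Returns (allowed, reason).
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    # A PORT command must only ever point back at the client that issued it;
    # an injected command naming another internal host is the case to refuse.
    if ip != client_ip:
        return False, "PORT address %s does not match control-connection client %s" % (ip, client_ip)
    # Refuse data connections aimed at well-known service ports on the client.
    if port < min_port:
        return False, "PORT port %d is below the allowed minimum %d" % (port, min_port)
    return True, "ok"


# Constructed sample traffic (not from the mail): (client address, PORT line).
SAMPLE_COMMANDS = [
    ("192.168.1.10", "PORT 192,168,1,10,19,136"),  # 19*256+136 = 5000, legitimate
    ("192.168.1.10", "PORT 192,168,1,20,19,136"),  # names a different internal host
    ("192.168.1.10", "PORT 192,168,1,10,0,80"),    # port 80 on the client itself
    ("192.168.1.10", "PORT 192,168,1,10,300,1"),   # octet out of range, malformed
]


def evaluate_samples():
    """Run the ALG decision over the constructed samples; returns the allow flags."""
    return [alg_should_open_pinhole(cmd, client)[0] for client, cmd in SAMPLE_COMMANDS]


if __name__ == "__main__":
    for (client, cmd), allowed in zip(SAMPLE_COMMANDS, evaluate_samples()):
        print("%-30s client=%s -> %s" % (cmd, client, "ALLOW" if allowed else "DROP"))
```

Only the first sample is translated; the other three are the kinds of PORT command a NAT-only box that simply rewrites addresses would happily honour. The checks are deliberately narrow and do not cover the PASV side (a server-supplied 227 reply), which a full ALG would validate in the same spirit.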