On 1/14/11 4:10 PM, William Herrin wrote:
> On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong <o...@delong.com> wrote:
>> Ah, but, the point here is that NAT actually serves as an enabling
>> technology for part of the attack he is describing.
>
> As for strictly passive attacks, like the so-called drive by download,
> it is not obvious to me that they would operate differently in a NAT
> versus non-NAT stateful firewall environment. Please elucidate.
Systems having poor integrity are often _incorrectly_ considered 'safe'
behind typical firewalls, but their exposure often includes more than
just the IP address contacted in a URI. Once initiated, internal
hosts often remain connected with any IP address on non-symmetric NATs for
some period beyond an initial exchange, a behavior promoted to support
Teredo, for example. Don't think no one is using IPv6, even when there
is only IPv4 access.
http://www.symantec.com/avcenter/reference/Teredo_Security.pdf
>>> Explain how [NAT] acts as an enabler.
>
>> Consider the impact the typical NAT or "firewall" has on DNS.
>
> Hi Doug,
>
> You'd make the argument that NAT aggravates Kaminsky? If you have
> something else in mind, I'll have to ask you to spell it out for me.
Many of these products themselves are insecure due to bugs in their
reference design dutifully replicated by CPE manufacturers. These
devices often keep no logs, and might even redirect specific DNS queries
when owned, where a power-cycle removes all evidence. Even Cisco
firewalls were mapping a range of IP addresses, rather than port
mapping, and exposed systems unable to endure this type of exposure to
the Internet. While it is possible to have a well-implemented NAT,
many are unable to support DNS TCP exchanges or handle DNSSEC. The same
devices often restrict port ranges, where prior access to an attacker's
authoritative servers gives significant poisoning clues on subsequent
exchanges driven by injected iFrames. A system not safe on the
Internet is often also not safe behind the typical CPE NAT/firewall.
-Doug
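The port-range point Doug makes above (a NAT that rewrites DNS source ports into a narrow range, observed by an attacker at his own authoritative server, then exploited in a Kaminsky-style race) as a toy simulation. This is an added example, not code from the thread or from any NAT vendor; the 16-bit TXID, the resolver's 1024-65535 ephemeral port range, the NAT's sequential allocation policy, and the class and parameter names are all my assumptions.

```python
# Added example (not from the thread): model of how a NAT that rewrites
# DNS source ports into a narrow, sequentially allocated range shrinks the
# search space an off-path attacker must cover in a Kaminsky-style race.
# Assumed, not taken from the thread: 16-bit TXID, resolver ports uniform
# over 1024-65535, and the NAT policy encoded in PortRestrictingNat.
import math
import random

TXID_SPACE = 1 << 16                              # 16-bit DNS transaction ID
RESOLVER_PORT_LO, RESOLVER_PORT_HI = 1024, 65535  # resolver ephemeral range


class Resolver:
    """Resolver that randomises both source port and TXID on every query."""
    def __init__(self, rng):
        self.rng = rng

    def query(self):
        port = self.rng.randint(RESOLVER_PORT_LO, RESOLVER_PORT_HI)
        txid = self.rng.randrange(TXID_SPACE)
        return port, txid


class PortRestrictingNat:
    """CPE NAT that ignores the inside source port and hands out outside
    ports sequentially from a fixed range (the behaviour complained about
    above).  The TXID is passed through untouched."""
    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
        self.next_port = lo

    def translate(self, port, txid):
        outside = self.next_port
        self.next_port = self.lo if outside == self.hi else outside + 1
        return outside, txid


class OffPathAttacker:
    """Attacker who watches queries arrive at his own authoritative server,
    infers the outside port range, then floods forged answers across it."""
    def __init__(self, rng):
        self.rng = rng
        self.seen_ports = set()

    def observe(self, port):
        self.seen_ports.add(port)

    def port_range(self):
        return min(self.seen_ports), max(self.seen_ports)

    def search_space(self):
        lo, hi = self.port_range()
        return (hi - lo + 1) * TXID_SPACE

    def race(self, target, budget):
        """Enumerate (port, txid) pairs from a random starting point; the
        race is won if the victim's real pair is hit within `budget` forged
        packets, i.e. before the genuine answer arrives."""
        lo, hi = self.port_range()
        port, txid = target
        if not lo <= port <= hi:          # guessed range misses the real port
            return False
        space = self.search_space()
        target_index = (port - lo) * TXID_SPACE + txid
        start = self.rng.randrange(space)
        return (target_index - start) % space < budget


def expected_packets_for_half_chance(space):
    """Forged packets needed for a 50% chance of winning a single race."""
    return math.ceil(math.log(2) * space)


def run(nat=None, observed_queries=64, trials=200, budget=1_000_000, seed=7):
    """Return (attacker's inferred search space, fraction of races won)."""
    rng = random.Random(seed)
    resolver, attacker = Resolver(rng), OffPathAttacker(rng)
    # Phase 1: the resolver looks up names in the attacker's zone (e.g. via
    # injected iframes); the attacker records the ports the queries arrive on.
    for _ in range(observed_queries):
        port, txid = resolver.query()
        if nat is not None:
            port, txid = nat.translate(port, txid)
        attacker.observe(port)
    # Phase 2: races against the resolver's queries for the victim zone.
    wins = 0
    for _ in range(trials):
        pair = resolver.query()
        if nat is not None:
            pair = nat.translate(*pair)
        wins += attacker.race(pair, budget)
    return attacker.search_space(), wins / trials


if __name__ == "__main__":
    for label, nat in (("no NAT", None), ("64-port NAT", PortRestrictingNat(4096, 4159))):
        space, rate = run(nat)
        print(f"{label}: search space {space:,}, "
              f"{expected_packets_for_half_chance(space):,} packets for 50%, "
              f"won {rate:.1%} of races")
```

The model deliberately covers only the one behaviour described: a NAT that discards the resolver's port randomisation and allocates from a small contiguous range. A NAT that preserves the inside port, or that picks outside ports at random across the whole ephemeral range, leaves the search space essentially unchanged, and the model ignores DNSSEC and DNS over TCP entirely, which is the other half of Doug's complaint.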