NAT is not a mechanism for securing a network.. but.. HELP!

But how is this possible?!?! :-)

I mean if you have set up NO port redirection on your router how can any probe of any kind manage to pass through the router?!?

And also you said that on the host that SQL server was running all ports were closed as well!

Reply to
Nicky

Well yes, but I was talking about how the probe could manage to be inserted into the LAN through the router, considering that the probe attack was the one that initiated the connection to the router and was not coming back as a reply to a previous request from an internal infected host.

Of course what you describe is true and it works no matter if the router is port forwarding or not.

Reply to
Nicky

So if the malware used some kind of stealth techniques it would bypass the router's restriction.

But please tell us more about the tunneling that cannot be stopped. How does the tunneling scenario work?

Reply to
Nicky

And how can a router be crashed? In what way? Even if it gets amounts of packets trying to break in, it would simply reject them and only allow those set up in port redirection.

Reply to
Nicky

What do you mean by that? If a packet has a source address it must have come from a host inside the network. How otherwise? If it came from outside then it wouldn't have a source address of type 10.0.0.x

Yes, very true, but by its nature it provides as a side effect some means of security, since it hides all hosts on the LAN behind 1 single public IP address :-)

Reply to
Nicky

begin quotation from Duane Arnold in message posted at 2005-08-23T19:09

It is certainly part of a solution, but by itself, is not a complete solution to any security problem. Depending on the configuration of the next hop router of one's Internet connection and the NAT router itself, it may not even stop inbound connections completely if it's poorly designed.

[...]

Unless you are talking appliance-type routers bought off the shelf, most operating system components or user-space NAT routers also have the ability to add deny rules for certain types of outbound traffic. OpenBSD, for example, doesn't even forward packets by default, so is perfect for protecting a setup that only needs Web access (just install Squid or a similar HTTP proxy from the ports tree, edit the config, and you're done).

It should be noted that nothing is a substitute for safe computing practices and real computer literacy knowledge (not just how to move a mouse and click on things).

Reply to
Shawn K. Quinn

begin quotation from Duane Arnold in message posted at 2005-08-23T22:12

It really surprises me that the people that make these devices even dare to call them "firewalls". You have to be able to block outbound connections to have any notion of security.

Some will, especially after their off-the-shelf device either quits working or gets owned (and I think at least one such device has been exploited). And these are exactly the same people that need something high-security to make up for the near-complete disregard for security from Microsoft. (Windows 95 was designed with no regard for security at all, and it had dialup Internet capability built in! What were they thinking, if anything?) People aren't interested in running the most secure OS on the planet on their firewall/router? Maybe they should be.

Most people were never taught, and never bothered learning on their own, what is meant by "safe computing practices", unfortunately, and there are many people who could be blamed for it:

  1. Computer manufacturers

It really does not take much to make a small booklet or even a section of the printed owner's manual to describe safe computing practices. That is, if the computer manufacturer cares about the customer, and not just the amount of cash coming from the customer.

  2. Internet service providers

Before Windows was Internet capable, there was *THE* Internet worm. One. Singular. Now, you tell people about "*the* Internet worm", emphasized as such, and you'll get a blank stare, followed by "Which one? Zotob? Nimda? Code Red? Sasser? [insert names of any of the other major Microsoft Windows worms that I've left out]"

Somewhere in there, Internet service providers could have taken the initiative in educating people about safe computing as it relates to Internet use.

  3. Schools and employers

I don't think I was ever really taught much about safe computing practices in any of the computer courses I took in middle school, high school, and college. Same for most employers: they assume employees either already know this stuff or will learn it quickly.

To those who wonder what the heck I mean by safe computing practices: mainly it's two principles:

A. Never run a program unless you know what it is supposed to do and where it came from (this includes word processor and spreadsheet macros, Java applets, Javascript scripts, Flash movies, and Mozilla browser extensions).

B. If in doubt about a program, don't run it, or run it in a protected environment where it can do minimal to no damage (this usually means a standalone computer with either no network connection or at least no direct connection to the Internet proper).

There are others, but they are usually in some way related to these two, which are really common sense anyway (unfortunately, it seems to be less common than it should be).

Reply to
Shawn K. Quinn

Hi all! First of all I have to say "sorry" for my English... which sometimes is not very good... (I write from Italy...) A question: I often have to speak with some clients about security (I'm not a specialist...)... Yesterday a person told me that an ADSL router with NAT to separate his private network from the public network is a "good" solution for his security... I know that this is a "wrong sentence" :-)... but... how can I demonstrate the opposite? How can I bypass a router? Is it possible?... I suppose... Any suggestions?? Thanks


Reply to
Smax

NAT is only a simple means of blocking unsolicited inbound connections. That means that there is no outbound limitation.

NAT is good for protecting home users' networks from uninvited inbound connections, which is a reasonable thing for home users.

Reply to
Leythos

The reason why a NAT router is not a "good" solution has nothing to do with the possibility of bypassing it. It is not a "good" solution because there are *many* attacks that originate from action inside the internal network. Executing a virus/trojan application, allowing websites to install/run applications, entering information in webforms, running unsecured wireless setups, .... The list goes on and on and a NAT router will do nothing against those.

Bypassing a router, in the sense of making it transparent so you can freely connect to services on the LAN side, by solely manipulating packets and flags is not an easy task. You'd have more chances trying to access its remote configuration feature (*if* you were lucky and it's enabled) and brute force the password with a dictionary attack of some kind (double lucky!). That's the only feasible scenario I can think of, but very unlikely, even for home users.

OTOH, crashing a router is a much "simpler" thing to do depending on the router and your resources. And who can guarantee that a crashed router will continue to block outside connections? Doubtful but possible.

Reply to
speeder

"Smax" wrote in news:KNJOe.27469$ snipped-for-privacy@twister1.libero.it:

All you have to do is write a listening server program and install it on the computer behind the router. Then you write a client program and install it on a remote/Internet computer and have the server program send outbound traffic to the remote IP, making contact with the remote client program. The NAT router (most NAT routers for home usage) is not going to be able to stop the contact or traffic by setting rules to stop the traffic.

Most NAT routers stop unsolicited inbound traffic by not forwarding the traffic to the LAN behind the router. Yes, a NAT router has two interfaces: the WAN/Internet network interface, the network the NAT router is protecting from, and the LAN interface, the network it's protecting.

A device such as a NAT router that is also running network FW software would be able to stop inbound and outbound traffic by setting filtering rules to stop the traffic by port, protocol, IP or packet attribute/ state.

As an example, you could install Gibson's *Leaktest* program on a machine and allow it to phone home and see if the NAT router can stop the traffic inbound or outbound by setting filtering rules to stop the outbound from the LAN/IP/machine behind the router to the remote/Internet/IP or stop inbound from the remote/Internet/IP.

The NAT router separates two networks, usually the Internet and the LAN behind the router, and NAT provides a limited means of protecting the LAN by not forwarding unsolicited inbound requests. But NAT is not FW software where one can set filtering rules to control traffic. Also, most NAT routers for home usage don't provide traffic logging, so one could not see if dubious inbound or outbound traffic to a remote IP was even happening.

So if malware were to be installed on a machine behind the NAT router and started phoning home, most NAT routers are not going to be able to stop the malware, and Leaktest will show you that. A router running network FW software would be able to stop the traffic.

However, a NAT router is a good first line of defense for the home user.

Duane :)

Reply to
Duane Arnold

All you have to do is write and install a program *behind* the router? That isn't exactly a straight-forward answer to the question of how to *by-pass* a router.

That's like suggesting that any door lock can easily be by-passed simply by entering the room and unlocking it from the other side. Hello, it's locked to begin with... ;)

Sure, people willfully double-click on all sorts of programs that set up hosts on their system. But that isn't the attacker by-passing the router per se. That's akin to knocking on the door, saying "Candy-gram!", and waiting for the moron to unlock the door himself.

Reply to
CyberDroog

CyberDroog wrote in news: snipped-for-privacy@news.easynews.com:

Is it or is it not a way of bypassing the protection of the router?

You got a better way of directly attacking a NAT router, then let's see. :)

Duane :)

Reply to
Duane Arnold

Oh, I am sure there are other ways of attacking a NAT router. I am not up to speed on that, as I am not one who would do such a thing in the first place. I can certainly verify that they can be attacked. At least my old Linksys NAT router was attacked, as probes came through it at SQL Server running on the machine with all ports closed by default, with no port forwarding or anything on the router, like a hot knife through butter.

Duane :)

Reply to
Duane Arnold

Well, the firmware for the 11S4 router has no FW-like software like SPI, so it wasn't and is not doing packet inspection. The packets could be spoofed and bogus packets slipped in, I guess. I read an article Watchguard put out a while back about how NAT routers can be attacked. You should be able to find such information with Google. The machine that is running SQL Server is up 24/7 365, and what alerted me to the situation was BlackIce at the time, when I was using BI with it set properly out of its auto settings to supplement the NAT router after Linksys removed SPI from the firmware for all BEFW11S4 version routers.

Duane :)

Reply to
Duane Arnold

All it takes is the host (inside the network) to contact the hacker site for instructions, and you are done.

So, what we mean is that your machine is compromised with something that phones home for instructions. Your NAT router, which allows ALL outbound, does not stop the virus/worm since it's already inside your network; it calls home to get more things/instructions and starts spreading out over ports 135~139 & 445, since your NAT router doesn't block those outbound either (by default).

Reply to
Leythos

"Shawn K. Quinn" wrote in news: snipped-for-privacy@xevious.platypuslabs.org:

Well, that's what I am talking about off the shelf devices that most home users are going to buy. Some routers may have some ability to set some filtering rules to stop outbound. But there are routers that don't have the ability.

I agree but someone using an ADSL router and Windows O/S(s) behind the NAT router is not going to be concerned or interested in an OpenBSD solution.

I agree but most home users don't have it.

Duane :)

Reply to
Duane Arnold

Volker, have you considered writing one of those "NAT for Dummies" kind of books? This has been the clearest and simplest explanation of how NAT routers function that I have seen anywhere.

Reply to
Renegade

No, it doesn't always work. As a simple rule, when I set up NAT routers, the cheap ones that pretend to be firewalls, I block outbound to destination ports 135 through 139, 445, 1433, 1434.

While this helps the chatter, it can also keep some viruses from spreading outside your network to the Internet.

Reply to
Leythos
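As an added example (not code from any poster in this thread), a small Python checker that applies the outbound destination-port blocklist Leythos describes to new-connection records, and reports which flows a plain home NAT router (unsolicited inbound dropped, all outbound forwarded) would have passed but an egress filter would have stopped. The record format and the sample records are constructed for the example; LAN membership is decided by the RFC 1918 ranges.

```python
import ipaddress

# Destination ports Leythos blocks outbound on cheap NAT routers:
# NetBIOS/RPC 135-139, SMB 445, MS SQL Server 1433/1434.
BLOCKED_DST_PORTS = set(range(135, 140)) | {445, 1433, 1434}

# RFC 1918 ranges: anything here is a host on the LAN side of the router.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def parse_record(line: str) -> dict:
    """Parse one constructed new-connection record (format assumed here):
    '<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port)}

def classify(rec: dict, egress_filter: bool) -> str:
    """What the router does with a new connection attempt. Without
    egress_filter it behaves like a plain home NAT box: unsolicited
    inbound is dropped, every outbound flow is forwarded."""
    src_lan, dst_lan = is_lan(rec["src_ip"]), is_lan(rec["dst_ip"])
    if not src_lan and dst_lan:
        return "drop:unsolicited-inbound"
    if src_lan and not dst_lan:
        if egress_filter and rec["dst_port"] in BLOCKED_DST_PORTS:
            return "drop:egress-filter"
        return "forward"
    return "local"  # LAN-to-LAN traffic never reaches the router

def audit(lines) -> list:
    """Outbound flows a plain NAT router forwards but the egress filter drops."""
    return [line for line in lines
            if classify(parse_record(line), False) == "forward"
            and classify(parse_record(line), True) != "forward"]

SAMPLE_LOG = [  # constructed records using documentation-range public addresses
    "tcp 10.0.0.5:49211 -> 192.0.2.10:80",       # web browsing: forwarded either way
    "tcp 10.0.0.5:49212 -> 203.0.113.9:445",     # SMB out to the Internet: worm spread
    "tcp 10.0.0.7:49300 -> 203.0.113.9:1433",    # SQL Server port outbound
    "tcp 198.51.100.4:3301 -> 10.0.0.7:1433",    # unsolicited inbound probe: NAT drops
    "tcp 10.0.0.5:49400 -> 10.0.0.7:445",        # LAN-to-LAN: router never sees it
]
```

Running `audit(SAMPLE_LOG)` returns the SMB and SQL records, the two flows a plain NAT router passes but the blocklist stops.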

You might want to search Google for that one. It isn't so much that it can be done, it's what state the forwarding/routing is left in when it does fault.

Reply to
Leythos
