NAT is not a mechanism for securing a network.. but.. HELP!

Most NAT implementations have some weaknesses. First, usually a packet which has a source address that seems to come from inside the network is accepted and routed inside.

This is why one wants to filter such packets on NAT boxes.

Additionally, NAT implementations usually have some state machines or even heuristics for tracking protocols which are not simply NATable. Frequent examples of this are FTP, connectionless or encrypted protocols.

(To clarify: I mean masquerading with NAT here.)

This often results in attack vectors: how to fake a connection which does not exist, and how to insert packets which are accepted and routed inside.

NAT routers with sensible filtering usually provide a high level of security. The security then comes from filtering, not from NAT. This is not a design flaw:

Masquerading with NAT was never meant to provide security. It was developed at a time when people were getting short of IP addresses, to provide a solution for having more devices than "real" addresses on the Internet.

Yours, VB.

Reply to
Volker Birk

"Shawn K. Quinn" wrote in news: snipped-for-privacy@xevious.platypuslabs.org:

I agree with all of the above.

Hey, why don't the manufacturers of wireless devices such as wireless AP NAT routers, standalone WAPs, etc. at least include a booklet with the devices about wireless security? Is it asking too much of them? In the meantime, they fly off the shelf like popcorn and people are being hacked to death, because they don't know about it.

Duane :)

Reply to
Duane Arnold

Only if the malware is dumb or wants to be controllable. Tunneling cannot be stopped.

Yours, VB.

Reply to
Volker Birk

You mistakenly believe that security is somehow related to a normal network function of routing. In the case of NAT, it could be a 1:1 NAT, which would not provide any protection, a 1:MANY NAT, or a MANY to MANY NAT...

NAT is not a security means/method, it's a routing method that appears to have some partial security benefits.

Reply to
Leythos

I just came across this thread but I've been interested in learning more about the security (or lack thereof) of NAT for a long time.

I found (I think) the Watchguard paper mentioned above:

formatting link

It is the expected collection of FUD, bogus statistics, illogical and unsupported conclusions, irrelevant scare stories, and strawman arguments that one would expect (they do, after all, want you to buy one of their firewalls).

But there was one claim that sounded like a serious problem for NAT devices if true... They said: "[There are hacker tools for...] Exploiting open ports. Once a NAT device opens a port by putting it in the NAT table, all traffic destined to that port is allowed through to the local computer identified in the table. Hackers use automated programs to guess which ports NAT has opened, and they keep trying until they get through."

Can anybody point me to some reliable documentation on this?

Reply to
Stuart McGraw

Well, that's what I said in other words. :-) NAT provides some simple means of security as a *side effect*, considering that its true nature by design was to solve the IP shortage problem and not security.

Reply to
Nicky

Yes, but in order to crash it this way you must attack it from the inside. But how will you be able to do that from the inside? You must somehow infect an internal host to do that, and that means you have to get past the router first somehow.

And also I would like to ask: if a router gets crashed, what does that mean? That it stops responding and therefore stops blocking unsolicited inbound connections, so one could slip in?

Reply to
Nicky

"Stuart McGraw" wrote in news: snipped-for-privacy@corp.supernews.com:

The link above is NOT the article I was talking about, which came as an email to me when I subscribed to WG's customer support.

Not to be smart here, but are you some kind of expert? I would like to see you counter those claims with some facts, even in the above link, instead of coming up with this, that and the other as to what you think WG or any other FW appliance solution vendor is supposed to be up to with some kind of scare tactics, FUD or whatever else. :)

And that's most likely what happened to my setup using SQL Server: each time the attack happened behind the Linksys NAT router with no SPI, I had left the machine, a Windows NT based O/S using a NG reader on an open NG article, with port 119 open. The machine went into a lockout mode with port 119 open for long periods of time, hours and hours, before I came back to the machine. Under those circumstances BlackIce certainly did sound off about probes reaching the machine, and alerted on and *blocked* them on the SQL Server port being probed.

I left BI on the machine for a long time period behind the WG under the above conditions to see what would happen, and BI never alerted. So I removed BI from the computer. However, I get lots of unsolicited inbound traffic that is being blocked by the WG every time I leave any machine on my network in the above state. Even my laptop has SQL Server running, and BlackIce is still on that machine and active for its mobile ability in connecting to networks other than my own, and BI has not sounded off about probes for SQL Server reaching that machine either. I am sure nothing is going to come through like it did with the Linksys.

Duane :)

Reply to
Duane Arnold

You've stated that several times in various articles. It is a bogus claim which assumes that every business is the same as yours apparently is. But other businesses have honest, intelligent and diligent workers who need to get work done in the most efficient and effective way possible, which often means unrestricted access to the Internet.

Despite your bogus claims, before I retired I worked for a company that believed exactly the opposite of what you say. I had absolute total access to the Internet, as did virtually *all* employees. That didn't mean I wasted company time doing personal business on the Internet. I also had unlimited access to a telephone with unlimited toll access too. And I had unlimited access to company mail (USPS) and to a company vehicle. Typically most employees did, and there were very few abuses.

That was not a small company, and they actually have a senior management position in charge of all network security. That person literally wrote the book on Internet security...

I had always thought he got it pretty much right, yet here you are saying he was wrong.

Reply to
Floyd L. Davidson

There are ways around this. The pf packet filter (part of OpenBSD) allows you to adaptively tune timeouts as capacity nears the maximum. For example:

    set timeout { adaptive.start 6144, adaptive.end 12288 }
    set limit { states 10240, frags 20480, src-nodes 1536 }

Ignore the frags and src-nodes parameters for the moment. As the number of states goes over 6144 (60% of the maximum, 10240), the timeouts will gradually start decreasing for new states, until they reach 1/3 of the original values when the table is chock full. Properly configured, there should be no realistic way to fill up the state table and keep it full.

Reply to
Shawn K. Quinn

A classic scenario includes simulating an HTTPS connection, tunneling SSH through it, and through SSH any other protocol.

formatting link
If HTTPS is not possible, there are several other techniques; among them wwwsh, which tunnels a simple remote control through HTTP. Or you could use just this:

formatting link
A thing which works if you have DNS is DNS tunneling; but it's very slow and low bandwidth, so one would use that only if there are no other choices (usually there are others). Try NSTX.

Yours, VB.

Reply to
Volker Birk

This is not reliably possible. There is tunneling.

Yours, VB.

Reply to
Volker Birk

Thanx! :-)

Yours, VB.

Reply to
Volker Birk

No, unfortunately not. The source address can be just a fake.

Yours, VB.

Reply to
Volker Birk

If it does NAT/masquerading, a DoS attack is very easy from inside. Just exploit the maximum size of the NAT table by flooding with packets opening a huge number of connections.

Yours, VB.

Reply to
Volker Birk
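The state-table exhaustion Volker describes here, and the pf adaptive timeout setting Shawn K. Quinn quoted earlier in the thread, can be put side by side in a small simulation. This is an added example, not code from the thread or from pf. The scaling rule is the one documented in pf.conf(5): once the number of states exceeds adaptive.start, timeouts are multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end. The limit of 10240 states, adaptive.start 6144 and adaptive.end 12288 are the values from the thread; the 60 s base timeout, the flood rates and the one-second time step are assumptions made for the simulation.

```python
"""Simulation of a masquerading NAT's state table under a flood from inside.

Added example; not code from the thread or from pf. Models a host on the
inside opening `rate` new connections per second, with either a fixed
timeout or the pf-style adaptive timeout, and counts how many new
connections the table refuses while it is pinned at its limit.
"""
from collections import deque

LIMIT, ADAPTIVE_START, ADAPTIVE_END = 10240, 6144, 12288  # values from the thread
BASE_TIMEOUT = 60  # assumed base timeout in seconds for one state


def adaptive_factor(states: int, start: int, end: int) -> float:
    """Scaling factor as documented in pf.conf(5); start == 0 disables adaptive timeouts."""
    if start == 0 or states < start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def simulate(rate: int, seconds: int, base: int = BASE_TIMEOUT,
             limit: int = LIMIT, start: int = ADAPTIVE_START,
             end: int = ADAPTIVE_END) -> dict:
    """Run a flood of `rate` new states per second against the table.

    Each second: first expire every state whose age has reached the (scaled)
    timeout, then admit that second's new states up to `limit`. Every state
    that does not fit is counted as refused, which is what a legitimate new
    connection experiences while the table is pinned at the limit.
    """
    table = deque()  # creation time of each live state, oldest first
    refused = 0
    peak = 0
    for now in range(seconds):
        lifetime = base * adaptive_factor(len(table), start, end)
        while table and now - table[0] >= lifetime:
            table.popleft()
        for _ in range(rate):
            if len(table) < limit:
                table.append(now)
            else:
                refused += 1
        peak = max(peak, len(table))
    return {"peak_states": peak, "final_states": len(table), "refused": refused}


def compare(rate: int, seconds: int = 300) -> dict:
    """Same flood with fixed timeouts (start=0) and with the adaptive setting."""
    return {"fixed": simulate(rate, seconds, start=0, end=0),
            "adaptive": simulate(rate, seconds)}


if __name__ == "__main__":
    # With a fixed timeout, any steady flood above limit / base (about 171
    # new states per second here) keeps the table full. With the adaptive
    # setting the timeout at the limit is base / 3, so the flood has to
    # exceed about 3 * limit / base (about 512 per second) to do the same.
    for rate in (300, 600):
        print(f"{rate} new states/s:")
        for mode, result in compare(rate).items():
            print(f"  {mode:8s} {result}")
```

At 300 new states per second the fixed-timeout table fills and stays full, refusing connections every second, while the adaptive table settles around 9000 states and refuses nothing. At 600 per second both fill: the adaptive setting raises the rate an inside host needs to pin the table, it does not remove the attack, which is worth remembering when reading the "no realistic way to fill it up" claim above.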

That's an issue where the NAT box does not have SPI enabled or does not have a working SPI feature.

While you may think that many of those issues brought up about NAT devices are FUD and such, to those of us who follow security and design secure networks for a living, they are not.

Reply to
Leythos
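Two of the points in this thread, Volker Birk's remark that packets with an inside source address must be filtered on the NAT box, and the WatchGuard claim Stuart McGraw quoted (any packet to a port in the NAT table is forwarded) against Leythos' answer that this only holds without SPI, can be shown in one toy model of a masquerading NAT's inbound decision. This is an added example, not code from the thread, from pf, or from any router; the interface names, addresses, ports and the single table entry are constructed for it.

```python
"""Toy model of the inbound decision on a masquerading NAT box.

Added example; not code from the thread or from any product. It models:
  1. ingress filtering: a packet arriving on the external interface with
     a source address from the internal range is spoofed and is dropped
     (that decision is filtering, not NAT);
  2. the NAT table lookup: a port-only lookup forwards anything sent to a
     mapped external port, so an outsider who guesses the port gets in;
     a stateful lookup also requires the remote address and port to match
     the flow that created the mapping, so the same probe is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NETS = [ip_network("192.168.1.0/24")]  # assumed LAN range
PUBLIC_ADDR = "192.0.2.1"                        # assumed public address of the NAT box
EXT_IF, INT_IF = "ext0", "int0"                  # assumed interface names


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatState:
    """One outbound connection recorded by the masquerading NAT."""
    int_host: str    # internal address that opened the connection
    int_port: int
    ext_port: int    # port allocated on PUBLIC_ADDR for this flow
    remote: str      # destination the internal host talked to
    remote_port: int


def is_spoofed(pkt: Packet) -> bool:
    """Ingress check: an internal source address never legitimately arrives on ext0."""
    src = ip_address(pkt.src)
    return pkt.iface == EXT_IF and any(src in net for net in INTERNAL_NETS)


def lookup_port_only(table, pkt: Packet) -> Optional[NatState]:
    """Weak lookup: any packet to a mapped external port matches (the WatchGuard scenario)."""
    return next((s for s in table if s.ext_port == pkt.dport), None)


def lookup_stateful(table, pkt: Packet) -> Optional[NatState]:
    """Stateful lookup: the remote endpoint must be the one the internal host contacted."""
    return next((s for s in table
                 if s.ext_port == pkt.dport
                 and s.remote == pkt.src and s.remote_port == pkt.sport), None)


def decide(table, pkt: Packet, stateful: bool) -> str:
    """Verdict for one packet arriving from the outside, as a short string."""
    if is_spoofed(pkt):
        return "drop: internal source address on external interface"
    if pkt.dst != PUBLIC_ADDR:
        return "drop: not addressed to the public address"
    match = (lookup_stateful if stateful else lookup_port_only)(table, pkt)
    if match is None:
        return "drop: no matching state"
    return f"forward to {match.int_host}:{match.int_port}"


# Constructed table: 192.168.1.10 opened a connection to a web server and
# external port 40001 was allocated for that flow.
TABLE = [NatState("192.168.1.10", 49152, 40001, "203.0.113.5", 80)]

REPLY = Packet(EXT_IF, "203.0.113.5", 80, PUBLIC_ADDR, 40001)     # the server's reply
PROBE = Packet(EXT_IF, "198.51.100.7", 31337, PUBLIC_ADDR, 40001) # outsider guessed the port
SPOOFED = Packet(EXT_IF, "192.168.1.10", 1234, PUBLIC_ADDR, 40001) # claims an inside source


if __name__ == "__main__":
    for name, pkt in [("reply", REPLY), ("probe", PROBE), ("spoofed", SPOOFED)]:
        print(f"{name:8s} port-only: {decide(TABLE, pkt, stateful=False)}")
        print(f"{name:8s} stateful : {decide(TABLE, pkt, stateful=True)}")
```

The legitimate reply is forwarded under both lookups; the guessed-port probe is forwarded only by the port-only lookup and dropped by the stateful one; the spoofed packet is dropped before any NAT lookup happens at all, which is the sense in which the protection comes from filtering rather than from the address translation.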

When you combine it with a proper amount of public outbound access, it means it's very secure.

If you can't get to residential networks, and can't get to anything except approved websites, then you can't tunnel very easily. It also means that you can do DNS, as your internal DNS goes to your internal DNS server and the DNS server is the only one permitted outbound, so that means you can get outbound DNS from your local computer.

Reply to
Leythos

Anyone who has ever had a CEO scribble an address and say "Rush courier this within the next 3 hours or it will cost the company 5 million dollars" and walk into a shareholders meeting for the next 4 hours.

The courier shows up, can't read the address, and the receptionist now needs to verify the address, otherwise the courier won't accept the package.

Is that a 0, a 6 or an 8? Check on Google, find the company, it's an "8" -- Or find a phone number and call their office.

Reply to
DevilsPGD

Nope, I think you assumed that the internet, from work, should not be restricted to anyone?

In reality there are very few businesses that need to provide ANY internet access to employees while at work. Even ones that need internet access only need limited access in almost every case.

I can easily permit all business functions, all company to company partner functions, FTP, SSL, HTTP, VPN, SMTP, etc., all without allowing unrestricted access to the Internet, while still being able to provide FULL BUSINESS RELATED ACCESS to those services.

If you're using the Internet at work for non-company reasons you are stealing time/resources from the company.

Any quality firewall solution would not permit unrestricted outbound access from workstations. There would be an internal DNS and SMTP server, so you don't need to allow those out from workstations; you don't need to allow HTTP outbound in most cases, and you can limit it to the approved HTTP sites for company related business; email goes through the company email server, so there is no outbound SMTP from workstations to the public... Come to think of it, I can't find many business reasons to allow much more than HTTP/HTTPS to approved sites; even FTP would be limited to approved sites.

Reply to
Leythos

So, what's your point?

Just how many Accounts need to access Yahoo or Google?

Just how many machine operators need it?

Just how many receptionists need it?

Just how many anyone really needs to be Surfing during business hours?

What part are you missing about businesses being there for you to WORK, not to search/play/browse the web in your spare/free/working time?

Also, you could easily allow Yahoo and Google and have no threat of someone using a tunnel through those sites to get to their home computers. Just because you allow Yahoo and Google doesn't mean you have to allow access to all the sites in the resulting search or to the links that are not contained within the sites.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.