nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: William Herrin <bill () herrin us>
Date: Fri, 14 Jan 2011 19:10:50 -0500
On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong <owen () delong com> wrote:
> Ah, but, the point here is that NAT actually serves as an enabling
> technology for part of the attack he is describing.

Hi Owen,

Doug's comments on that were pretty abstract, so let me try to ground it a little bit. He basically observed that if I originate a UDP packet from behind a NAT, there's a window of opportunity in which that port is somewhat open through the NAT firewall and could return packets originated by a hacker.

I watch the movies too and I hang in suspense as the protagonist waits for the bad guy to make a network connection and then activates the phlebotinum that backhacks his tubes. And I know there are some real-life examples where giving a hacker a large file to download has kept him connected to a modem long enough to get a phone trace. But I haven't read of a _nonfiction_ example where the dynamic opening in a stateful firewall (NAT or otherwise) has directly provided the needed opening for an _active_ attack by a third party. Can you cite one?

Even if such an attack is practical, I fail to see how a NAT firewall is any more vulnerable to it than a merely stateful firewall. Perhaps you can explain?

As for strictly passive attacks, like the so-called drive-by download, it is not obvious to me that they would operate differently in a NAT versus non-NAT stateful firewall environment. Please elucidate.

On Fri, Jan 14, 2011 at 5:52 PM, Douglas Otis <dotis () mail-abuse org> wrote:
> On 1/14/11 11:49 AM, Jack Bates wrote:
>> Explain how [NAT] acts as an enabler.
>
> Consider the impact the typical NAT or "firewall" has on DNS.

Hi Doug,

You'd make the argument that NAT aggravates Kaminsky? If you have something else in mind, I'll have to ask you to spell it out for me.

Interesting argument. Tough sell. The more hosts behind a NAT, the more likely they're relying on an interior resolver anyway, which aggregates the query source regardless of the presence or absence of NAT. Worst case I can think of is you have a badly implemented NAT which negates the source port randomization. But you have a tougher sell if you want to convince me that NAT firewalls have a higher probability of being badly implemented.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
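The "badly implemented NAT which negates the source port randomization" case Bill mentions is the one concrete place where NAT touches the Kaminsky defence, and it is something you can measure from outside the NAT rather than argue about. The following is an added example written for this archive page, not code posted by Bill, Doug or anyone else in the thread. It models a randomizing resolver behind two constructed NATs (one that preserves the inside port where it can, one that hands out external ports sequentially) and provides an `assess_ports()` check of the kind a test authority or a packet capture on the outside interface would feed; the NAT models, grading thresholds and the `OBSERVED_OUTSIDE` sample are illustrative assumptions, not measurements of any real product.

```python
"""Added example, not code from the NANOG thread or its participants.

The post-Kaminsky defence randomises the resolver's UDP source port on top
of the 16-bit transaction ID, so an off-path forger must guess both.  That
only helps if the port is still random when the query leaves the network.
Two constructed NAT models are applied to a randomising resolver's queries,
and assess_ports() estimates what an outside observer would conclude.
The NAT models, thresholds and sample data are illustrative assumptions.
"""
import math
import random

EPHEMERAL = range(1024, 65536)   # 64512 candidate ports, about 15.98 bits


def randomizing_resolver(n, rng):
    """Inside view: a fresh random source port for every query."""
    return [rng.choice(EPHEMERAL) for _ in range(n)]


def nat_port_preserving(ports, rng):
    """Constructed NAT that keeps the inside port when it is free and
    otherwise picks a random free one; the inside randomisation survives."""
    used, out = set(), []
    for p in ports:
        q = p
        while q in used:
            q = rng.choice(EPHEMERAL)
        used.add(q)
        out.append(q)
    return out


def nat_sequential(ports, start=1024):
    """Constructed badly implemented NAT: one new mapping per query, external
    ports handed out in order.  Whatever the resolver chose, the outside
    sees start, start+1, start+2, ... and the next port is predictable."""
    return [start + i for i in range(len(ports))]


def assess_ports(observed):
    """Rough estimate of the attacker's guess space from the ports seen on
    the outside: 16 bits of transaction ID plus whatever the source port
    still contributes.  Sequential or narrow port usage is counted as
    contributing nothing.  Thresholds are judgement calls, not a standard."""
    if len(observed) < 2:
        raise ValueError("need at least two observed queries")
    deltas = [b - a for a, b in zip(observed, observed[1:])]
    # fraction of consecutive queries whose port moved by a small positive step
    sequential_fraction = sum(1 for d in deltas if 0 < d <= 4) / len(deltas)
    span = max(observed) - min(observed) + 1
    distinct = len(set(observed))
    if sequential_fraction > 0.5 or distinct < 0.5 * len(observed) or span < 1024:
        port_bits, grade = 0.0, "POOR"
    else:
        port_bits = math.log2(span)
        grade = "GOOD" if port_bits >= 14 else "FAIR"
    return {
        "grade": grade,
        "distinct": distinct,
        "span": span,
        "sequential_fraction": sequential_fraction,
        "port_bits": port_bits,
        "guess_space_bits": 16 + port_bits,
    }


def compare_nats(n=1000, seed=1):
    """Push the same randomising resolver's queries through both NAT models."""
    rng = random.Random(seed)
    inside = randomizing_resolver(n, rng)
    return {
        "inside": assess_ports(inside),
        "port_preserving_nat": assess_ports(nat_port_preserving(inside, rng)),
        "sequential_nat": assess_ports(nat_sequential(inside)),
    }


# Constructed sample: eight consecutive queries as seen outside a NAT.
OBSERVED_OUTSIDE = [30001, 30002, 30003, 30004, 30005, 30006, 30007, 30008]

if __name__ == "__main__":
    for name, r in compare_nats().items():
        print(f"{name:20s} grade={r['grade']:4s} span={r['span']:5d} "
              f"seq={r['sequential_fraction']:.2f} guess~2^{r['guess_space_bits']:.1f}")
    print("observed sample:", assess_ports(OBSERVED_OUTSIDE)["grade"])
```

The point the numbers make is Bill's: the port-preserving NAT leaves the guess space near 2^32, the same as no NAT at all, while the sequential one collapses it to the 2^16 transaction-ID space. Whether a given box behaves one way or the other has nothing to do with it being a NAT rather than a plain stateful firewall, and is settled by capturing its outside-facing queries and running a check like this rather than by inspecting the inside resolver.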
Current thread:
- Re: Is NAT can provide some kind of protection?, (continued)
- Re: Is NAT can provide some kind of protection? William Herrin (Jan 12)
- Re: Is NAT can provide some kind of protection? Mark Andrews (Jan 12)
- Re: Is NAT can provide some kind of protection? William Herrin (Jan 13)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 13)
- Re: Is NAT can provide some kind of protection? Douglas Otis (Jan 13)
- Re: Is NAT can provide some kind of protection? Jack Bates (Jan 14)
- Re: Is NAT can provide some kind of protection? William Herrin (Jan 14)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 14)
- Re: Is NAT can provide some kind of protection? Jack Bates (Jan 14)
- Re: Is NAT can provide some kind of protection? Douglas Otis (Jan 14)
- Re: Is NAT can provide some kind of protection? William Herrin (Jan 14)
- RE: Is NAT can provide some kind of protection? George Bonser (Jan 14)
- Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 15)
- Re: Is NAT can provide some kind of protection? Joel Jaeggli (Jan 15)
- Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 15)
- Re: Is NAT can provide some kind of protection? Marshall Eubanks (Jan 15)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 15)
- Re: Is NAT can provide some kind of protection? Stephen Davis (Jan 15)
- Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 16)
- Re: Is NAT can provide some kind of protection? Douglas Otis (Jan 14)
- Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)