Snort mailing list archives
Re: RE: NAT Penetration Techniques
From: "J. Craig Woods" <drjung () sprynet com>
Date: Wed, 06 Mar 2002 14:18:05 -0600
Basil Saragoza wrote:
Would it be correct to say that (theoretically at least) if I see in the Snort LAN sensor attacks on my LAN workstations it mostly means that the 'initiator' is a local workstation and not the external address, because people from outside wouldn't know that the workstation IP is 10.0.0.234? This is the indication that traffic was routed back to that 'initiating' LAN workstation, and not an indication that someone somehow bypasses my NAT on the firewall.
No, that would not be a good assumption to operate on. Theoretically, almost anything is possible when it comes to networking. You must explore the attacks to see if maybe they are false, but it is possible to attack one of your internal machines from an external source.

Remember that your firewall will be doing the translation on the NAT IP back to the local machine IP. Therefore, you could be attacked on a local machine with NAT sending the attack back to the original IP address for the local machine. NAT does *not*, in and of itself, save you from an attack on a local machine.

Remember that IP header flags are set by the originating machine. If I go out to the internet, asking for a connection to some external machine, I am creating a "hole" in the firewall, and it is not necessary for the external machine to "know" my private IP address.

Hope this clarifies (as opposed to obfuscating)...

--
J. Craig Woods
UNIX/NT Network/System Administration
-Art is the illusion of spontaneity-
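To make the translation step in the reply above concrete, here is an added toy model of a port-based NAT table. It is not code from this thread or from Snort; it assumes a documentation-range public address (203.0.113.5) in front of a 10.0.0.0/24 LAN and a Snort sensor that sees packets after the firewall has translated them back. The point it shows: a reply from an external host to a flow the workstation opened arrives on the LAN with source 198.51.100.7 and destination 10.0.0.234, even though the external host only ever saw 203.0.113.5; an inbound packet with no matching flow is dropped. So an alert with an external source and a private destination does not by itself tell you who initiated the flow; the firewall's connection table does.

```python
"""Toy port-based NAT (PAT) model, added as an illustration for the thread.

Assumptions (not from the original post): one public address 203.0.113.5,
a LAN in 10.0.0.0/24, and a LAN-side sensor that sees post-translation packets.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"  # assumed firewall public address (RFC 5737 range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Nat:
    """Outbound flows create table entries; inbound packets are forwarded
    only when they match an existing entry, otherwise they are dropped."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (external_ip, external_port, public_port) -> (internal_ip, internal_port)
        self.table: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN-originated packet's source and remember the mapping."""
        public_port = self._next_port
        self._next_port += 1
        self.table[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an Internet-originated packet back to the LAN host that
        opened the flow; return None (drop) if no flow matches."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key not in self.table:
            return None
        int_ip, int_port = self.table[key]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


def lan_sensor_view(nat: Nat, outbound: Packet, reply_payload: str) -> Optional[Packet]:
    """What a LAN-side sensor sees when an internal host connects out and the
    external peer answers, possibly with content that trips a Snort rule."""
    translated = nat.outbound(outbound)
    reply = Packet(translated.dst_ip, translated.dst_port,
                   translated.src_ip, translated.src_port, reply_payload)
    return nat.inbound(reply)


if __name__ == "__main__":
    nat = Nat()
    # Constructed sample: workstation 10.0.0.234 opens a web connection outward.
    request = Packet("10.0.0.234", 51234, "198.51.100.7", 80, "GET / HTTP/1.0")
    seen = lan_sensor_view(nat, request, "reply that matches a Snort signature")
    print("LAN sensor sees:", seen)  # src 198.51.100.7 -> dst 10.0.0.234:51234
    # Unsolicited packet to the public address: no table entry, dropped.
    print("unsolicited:", nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, 40001)))
    # Packet addressed directly to the private IP: not routable here, dropped.
    print("direct to private IP:", nat.inbound(Packet("198.51.100.7", 80, "10.0.0.234", 51234)))
```

When triaging such an alert, the useful check is therefore the firewall's state or NAT table (or its connection log) for the public port in use at that time, not the private destination address in the Snort alert.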
Current thread:
- NAT penetration techniques Basil Saragoza (Mar 05)
- <Possible follow-ups>
- RE: NAT Penetration Techniques Jeff DuVall (Mar 06)
- Re: RE: NAT Penetration Techniques Basil Saragoza (Mar 06)
- Re: RE: NAT Penetration Techniques J. Craig Woods (Mar 06)
- Re: RE: NAT Penetration Techniques Basil Saragoza (Mar 06)
- Re: RE: NAT Penetration Techniques Jeff DuVall (Mar 06)