nanog mailing list archives
Re: Is NAT can provide some kind of protection?
From: Owen DeLong <owen () delong com>
Date: Fri, 14 Jan 2011 11:43:35 -0800
On Jan 14, 2011, at 6:24 AM, William Herrin wrote:
On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <dotis () mail-abuse org> wrote:
Unfortunately, a large number of web sites have been compromised, where an unseen iFrame might be included in what is normally safe content. A device accessing the Internet through a NAT often creates opportunities for unknown sources to reach the device as well. Once an attacker invokes a response, exposures persist, where more can be discovered. There are also exposures related to malicious scripts enabled by a general desire to show users dancing fruit. Microsoft now offers a toolkit that allows users a means to 'decide' what should be allowed to see fruit dance. Users that assume local networks are safe are often disappointed when someone on their network wants an application to do something that proves unsafe. Methods to penetrate firewalls are often designed into 'fun' applications or poorly considered OS features.
Doug,
Passive attacks. Very effective. Breeze past the firewall like it wasn't there. Hard to target though; work best when you're fishing for whatever you can get instead of trying to crack a particular system. Some success combining them with social engineering.
Grabbing whatever you can get near the thing you're trying to crack is often a good first step. After all, once you pwn a system inside the firewall in the same security zone as your target, it becomes a lot easier to attack your target.
Not terribly relevant to the discussion in this thread. Firewalls mostly block active attacks where a hacker is pushing unsolicited data at a host instead of waiting for the host to request data. Whether or not NAT is involved doesn't really change that larger picture of the general class of attacks firewalls obstruct.
Ah, but, the point here is that NAT actually serves as an enabling technology for part of the attack he is describing. Another example where NAT can and is a security negative. The fact that you refuse to acknowledge these is exactly what you were accusing me of doing in my previous emails.
Owen