Security gain from NAT (was: Re: Cool IPv6 Stuff)
Perry Lorier
perry at coders.net
Tue Jun 5 12:54:28 UTC 2007
> The only ways into these machines would be if the NAT/PAT device were
> misconfigured, another machine on the secure network were compromised, or
> another gateway into the secure network was set up. Guess what? All of these
> things would defeat a stateful inspection firewall as well.
>
I disagree. (All of the below is hypothetical; I haven't tested it, but
I believe it to be true.)

Premise 1: The machines behind the firewall are actually on and
functioning, and presumably may be even being used.

Premise 2: The OSes on the machines will periodically do *some* kind of
traffic. Some common examples might be NTP synchronisation, or DNS
resolving of an update service for antivirus, OS patches, whatever. The
traffic may be provided by the user actually using the machine for
whatever real users actually do.

Premise 3: Many NAPTs are of the "Cone" type. This is desirable for
end users as it allows their applications/devices to use their NAPT
busting technologies (STUN, Teredo etc) without having to configure
static port forwards.

Premise 4: The external port chosen for an outgoing protocol is easily
guessed. Many NAPT boxes will prefer to use the same port as the
original host, or will assign port mappings sequentially. A bit of
research here would go a long way; presumably entire networks are likely
to be using the same NAPTs in an ISP's provided CPE.

Thus, for example, if you are running a single host behind a NAPT box
that is doing regular NTP queries and I can guess the external port on
the NAPT box, which with a bit of research I suspect is trivial, I can
send that port on your external IP a packet and it will be forwarded
back to your machine. This could easily lead to a compromise via a
buffer overflow or other exploit.

This would primarily work for UDP based services that by design tend to
be used over the Internet itself such as DNS, NTP, SIP etc. It seems
unlikely that this would work against TCP based services. Exploits in
ICMP could also be "tunneled" back through a NAPT box in a similar
manner. GRE/IPIP/IPv6/ESP/AH can probably use similar techniques to
infect machines behind a NAPT box (Disclaimer: I don't know those
protocols very well, but on the flipside, I suspect that NAPT boxes
don't know them very well either and do dumb things with them like
forward all GRE packets to the one host inside your network that has
ever spoken GRE).

Just because you've never seen someone exploit through a NAPT box
doesn't mean it won't happen.
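
Added example, not part of the original post: a toy model of the UDP filtering behaviours a NAPT can apply to an existing mapping, showing which inbound packets reach the inside host. The filtering names follow RFC 4787; the class, function names and all addresses (documentation ranges) are constructed for illustration, and the port-preserving mapping is the assumption from Premise 4.

```python
from dataclasses import dataclass, field

MODES = ("endpoint-independent",         # "full cone" filtering
         "address-dependent",            # restricted cone
         "address-and-port-dependent")   # port-restricted / stateful-style

@dataclass
class Napt:
    """Toy UDP NAPT serving a single inside host (no port collisions modelled)."""
    filtering: str
    mappings: dict = field(default_factory=dict)   # ext port -> inside (ip, port)
    contacted: dict = field(default_factory=dict)  # ext port -> {(remote ip, port)}

    def outbound(self, src, dst):
        """Inside host src sends to dst; the mapping preserves the source port."""
        ext_port = src[1]
        self.mappings[ext_port] = src
        self.contacted.setdefault(ext_port, set()).add(dst)
        return ext_port

    def inbound(self, remote, ext_port):
        """Return the inside (ip, port) a packet is forwarded to, or None if dropped."""
        if ext_port not in self.mappings:
            return None  # no mapping at all: every mode drops
        peers = self.contacted[ext_port]
        if self.filtering == "endpoint-independent":
            allowed = True  # any remote may use the mapping
        elif self.filtering == "address-dependent":
            allowed = any(ip == remote[0] for ip, _ in peers)
        else:
            allowed = remote in peers  # exact remote ip and port must match
        return self.mappings[ext_port] if allowed else None

def compare(remote, ext_port=123):
    """Inside host queries an NTP server, then `remote` sends to ext_port."""
    results = {}
    for mode in MODES:
        nat = Napt(mode)
        nat.outbound(("192.168.1.10", 123), ("198.51.100.5", 123))
        results[mode] = nat.inbound(remote, ext_port)
    return results

if __name__ == "__main__":
    for label, remote in (("unrelated host", ("192.0.2.66", 4444)),
                          ("NTP server", ("198.51.100.5", 123))):
        print(label, compare(remote))
```

Only the endpoint-independent mode forwards the unrelated host's packet, so when auditing CPE the filtering behaviour is the property to check, separately from whether address translation is in use.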