Is NAT can provide some kind of protection?

William Herrin bill at herrin.us
Fri Jan 14 14:24:58 UTC 2011


On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <dotis at mail-abuse.org> wrote:
> Unfortunately, a large number of web sites have been compromised, where an
> unseen iFrame might be included in what is normally safe content.  A device
> accessing the Internet through a NAT often creates opportunities for
> unknown sources to reach the device as well.  Once an attacker invokes a
> response, exposures persist, where more can be discovered.  There are also
> exposures related to malicious scripts enabled by a general desire to show
> users dancing fruit.  Microsoft now offers a toolkit that allows users a
> means to 'decide' what should be allowed to see fruit dance.  Users that
> assume local networks are safe are often disappointed when someone on their
> network wants an application to do something that proves unsafe.  Methods to
> penetrate firewalls are often designed into 'fun' applications or poorly
> considered OS features.

Doug,

Passive attacks. Very effective. Breeze past the firewall like it
wasn't there. Hard to target though; work best when you're fishing for
whatever you can get instead of trying to crack a particular system.
Some success combining them with social engineering.

Not terribly relevant to the discussion in this thread. Firewalls
mostly block active attacks where a hacker is pushing unsolicited data
at a host instead of waiting for the host to request data. Whether or
not NAT is involved doesn't really change that larger picture of the
general class of attacks firewalls obstruct.

-Bill


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
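
The distinction drawn in the message above, as an added example that is not part of the original post or the list archive: a toy stateful filter in Python that drops unsolicited inbound packets but accepts the reply to a host-initiated request, with and without NAT. All addresses, ports and names are constructed, and NAT is simplified to source-address rewriting with no port translation.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool          # True when arriving from the Internet side
    payload: str = ""

@dataclass
class StatefulFilter:
    """Toy connection tracker: inbound is allowed only as a reply to a tracked flow."""
    nat: bool = False
    public_ip: str = "203.0.113.1"             # constructed documentation address
    flows: dict = field(default_factory=dict)  # flow as seen outside -> inside host

    def handle(self, p: Packet) -> str:
        if not p.inbound:
            # Outbound: record the flow; with NAT the source address is rewritten.
            seen_src = self.public_ip if self.nat else p.src
            self.flows[(seen_src, p.sport, p.dst, p.dport)] = p.src
            return "ACCEPT"
        # Inbound: accept only if it is the reverse of a recorded outbound flow.
        key = (p.dst, p.dport, p.src, p.sport)
        return "ACCEPT" if key in self.flows else "DROP"

def scenario(nat: bool) -> dict:
    """Run the same three packets through the filter and return each verdict."""
    fw = StatefulFilter(nat=nat)
    host = "192.168.1.10" if nat else "198.51.100.10"
    seen_from_outside = fw.public_ip if nat else host
    results = {}
    # Active attack: data pushed at the host without any prior request.
    results["unsolicited_inbound"] = fw.handle(
        Packet("192.0.2.66", 40000, seen_from_outside, 22, True))
    # The host itself requests a page from a web site that has been compromised.
    results["host_request"] = fw.handle(
        Packet(host, 51000, "192.0.2.80", 80, False))
    # Passive attack: hostile content rides in the reply the host asked for.
    results["reply_with_hidden_iframe"] = fw.handle(
        Packet("192.0.2.80", 80, seen_from_outside, 51000, True, "<iframe hidden>"))
    return results

if __name__ == "__main__":
    for nat in (False, True):
        print("NAT" if nat else "no NAT", scenario(nat))
```

The verdicts are identical in both runs: state tracking, not address translation, is what stops the unsolicited packet, and neither stops content the host requested.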




More information about the NANOG mailing list