Is NAT can provide some kind of protection?
owen at delong.com
Fri Jan 14 13:43:35 CST 2011
On Jan 14, 2011, at 6:24 AM, William Herrin wrote:
> On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <dotis at mail-abuse.org> wrote:
>> Unfortunately, a large number of web sites have been compromised, where an
>> unseen iFrame might be included in what is normally safe content. A device
>> accessing the Internet through a NATs often creates opportunities for
>> unknown sources to reach the device as well. Once an attacker invokes a
>> response, exposures persist, where more can be discovered. There are also
>> exposures related to malicious scripts enabled by a general desire to show
>> users dancing fruit. Microsoft now offers a toolkit that allows users a
>> means to 'decide' what should be allowed to see fruit dance. Users that
>> assume local networks are safe are often disappointed when someone on their
>> network wants an application do something that proves unsafe. Methods to
>> penetrate firewalls are often designed into 'fun' applications or poorly
>> considered OS features.
> Passive attacks. Very effective. Breeze past the firewall like it
> wasn't there. Hard to target though; work best when you're fishing for
> whatever you can get instead of trying to crack a particular system.
> Some success combining them with social engineering.
Grabbing whatever you can get near the thing you're trying to crack
is often a good first step. Afterall, once you pwn a system inside
the firewall in the same security zone as your target, it becomes
a lot easier to attack your target.
> Not terribly relevant to the discussion in this thread. Firewalls
> mostly block active attacks where a hacker is pushing unsolicited data
> at a host instead of waiting for the host to request data. Whether or
> not NAT is involved doesn't really change that larger picture of the
> general class of attacks firewalls obstruct.
Ah, but, the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing. Another example
where NAT can and is a security negative. The fact that you refuse
to acknowledge these is exactly what you were accusing me of
doing in my previous emails.
More information about the NANOG