Is NAT can provide some kind of protection?

William Herrin bill at herrin.us
Sat Jan 15 00:10:50 UTC 2011


On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong <owen at delong.com> wrote:
> Ah, but, the point here is that NAT actually serves as an enabling
> technology for part of the attack he is describing.

Hi Owen,

Doug's comments on that were pretty abstract, so let me try to ground
it a little bit. He basically observed that if I originate a UDP
packet from behind a NAT, there's a window of opportunity in which
that port is somewhat open through the NAT firewall and could return
packets originated by a hacker.

I watch the movies too and I hang in suspense as the protagonist waits
for the bad guy to make a network connection and then activates the
phlebotinum that backhacks his tubes. And I know there are some
real-life examples where giving a hacker a large file to download has
kept him connected to a modem long enough to get a phone trace. But I
haven't read of a _nonfiction_ example where the dynamic opening in a
stateful firewall (NAT or otherwise) has directly provided the needed
opening for an _active_ attack by a third party. Can you cite one?

Even if such an attack is practical, I fail to see how a NAT firewall
is any more vulnerable to it than a merely stateful firewall. Perhaps
you can explain?

As for strictly passive attacks, like the so-called drive by download,
it is not obvious to me that they would operate differently in a NAT
versus non-NAT stateful firewall environment. Please elucidate.


On Fri, Jan 14, 2011 at 5:52 PM, Douglas Otis <dotis at mail-abuse.org> wrote:
> On 1/14/11 11:49 AM, Jack Bates wrote:
>> Explain how [NAT] acts as an enabler.
> Consider the impact the typical NAT or "firewall" has on DNS.

Hi Doug,

You'd make the argument that NAT aggravates Kaminsky? If you have
something else in mind, I'll have to ask you to spell it out for me.

Interesting argument. Tough sell. The more hosts behind a NAT, the
more likely they're relying on an interior resolver anyway which
aggregates the query source regardless of the presence or absence of
NAT. Worst case I can think of is you have a badly implemented NAT
which negates the source port randomization. But you have a tougher
sell if you want to convince me that NAT firewalls have a higher
probability of being badly implemented.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
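The "badly implemented NAT which negates the source port randomization" case above can be made concrete. What follows is an added example, not code from Bill's message or from anyone in the thread: a small Python model in which a Kaminsky-hardened resolver picks random source ports, three NAT behaviours rewrite them, and a check measures what an outside observer (say, an authoritative test server you query) would see. The resolver model, the NAT models and the 16-port detection window are assumptions made for illustration.

```python
import random

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535
SPAN = EPHEMERAL_HIGH - EPHEMERAL_LOW + 1


def resolver_random_ports(n, seed=1):
    """Ports a Kaminsky-hardened resolver picks: uniform over the ephemeral range (constructed)."""
    rng = random.Random(seed)
    return [rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH) for _ in range(n)]


def nat_sequential(inside_ports, first_external=20000):
    """The 'badly implemented NAT' case: the inside port is discarded and external
    ports are handed out in order, so the randomization never leaves the LAN."""
    return [EPHEMERAL_LOW + (first_external - EPHEMERAL_LOW + i) % SPAN
            for i in range(len(inside_ports))]


def nat_random(inside_ports, seed=7):
    """A NAT that allocates external ports at random (assumed model; single host, no collisions)."""
    rng = random.Random(seed)
    return [rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH) for _ in inside_ports]


def sequential_fraction(ports, window=16):
    """Share of consecutive flows whose external port is 1..window above the previous one.
    This is what an external observer can measure without seeing inside the NAT;
    near 1.0 means the source port adds almost no entropy to the 16-bit transaction ID."""
    if len(ports) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ports, ports[1:]) if 0 < (b - a) % 65536 <= window)
    return hits / (len(ports) - 1)


def classify(observed_ports, window=16, threshold=0.5):
    """'sequential' if the NAT has negated the randomization, otherwise 'randomized'."""
    return "sequential" if sequential_fraction(observed_ports, window) >= threshold else "randomized"


if __name__ == "__main__":
    inside = resolver_random_ports(2000)
    for name, nat in (("no NAT", lambda p: p), ("sequential NAT", nat_sequential),
                      ("random NAT", nat_random)):
        outside = nat(inside)
        print(f"{name:15s} seq_fraction={sequential_fraction(outside):.4f} -> {classify(outside)}")
```

The same check applies to real traffic: capture the source ports of your resolver's outbound queries on the WAN side of the NAT and feed them to `sequential_fraction`; a NAT that preserves or randomizes ports scores near zero, one that counts upward scores near one.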