Can NAT provide some kind of protection?

Douglas Otis dotis at mail-abuse.org
Sat Jan 15 02:52:09 UTC 2011


On 1/14/11 4:10 PM, William Herrin wrote:
> On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong<owen at delong.com>  wrote:
>> Ah, but, the point here is that NAT actually serves as an enabling
>> technology for part of the attack he is describing.
> As for strictly passive attacks, like the so-called drive by download,
> it is not obvious to me that they would operate differently in a NAT
> versus non-NAT stateful firewall environment. Please elucidate.
Systems having poor integrity are often _incorrectly_ considered 'safe'
behind typical firewalls, but their exposure often includes more than
just the IP address contacted in a URI.  Once initiated, internal hosts
often remain reachable from any IP address through non-symmetric NATs for
some period beyond the initial exchange, a behavior promoted to support
Teredo, for example.  Don't think no one is using IPv6, even when there
is only IPv4 access.

http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

> Explain how [NAT] acts as an enabler.
>> Consider the impact the typical NAT or "firewall" has on DNS.
> Hi Doug,
>
> You'd make the argument that NAT aggravates Kaminsky? If you have
> something else in mind, I'll have to ask you to spell it out for me.
Many of these products themselves are insecure due to bugs in their
reference design dutifully replicated by CPE manufacturers.  These
devices often keep no logs, and might even redirect specific DNS queries
when owned, where a power-cycle removes all evidence.  Even Cisco
firewalls were mapping a range of IP addresses, rather than port
mapping, and exposed systems unable to endure this type of exposure to
the Internet.  While it is possible to have a well-implemented NAT,
many are unable to support DNS TCP exchanges or handle DNSSEC.  The same
devices often restrict port ranges, where prior access to an attacker's
authoritative servers gives significant poisoning clues on subsequent
exchanges driven by injected iframes.  A system not safe on the
Internet is often also not safe behind the typical CPE NAT/firewall.

-Doug
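Added example, not part of Doug's post and not any vendor's code: a constructed Python model of the restricted-port-range point made above. The victim resolver behind a CPE NAT first queries the attacker's own authoritative server (the "prior access", e.g. driven by an injected iframe), the attacker records the external port the NAT used, and then floods forged answers for the resolver's next query. The model compares a NAT that preserves the resolver's randomised source port, one that rewrites into a restricted range, and one that hands out ports sequentially; how many ports the attacker must cover, and so the odds per forged packet, is decided by the NAT policy. The class and function names, port ranges, attempt counts and the "one query, then the next" scenario are all assumptions of this example.

```python
import random

TXID_SPACE = 1 << 16                       # 16-bit DNS transaction ID
EPHEMERAL_LO, EPHEMERAL_HI = 1024, 65535   # ports a randomising resolver draws from


class ToyNat:
    """Constructed model of a CPE NAT's source-port rewriting (assumed, not a real product).

    policy:
      'preserve'   keep the resolver's randomised source port
      'sequential' hand out external ports lo, lo+1, ... in order
      'random'     draw uniformly from [lo, hi]; a narrow [lo, hi] models a
                   device that restricts the port range it will use
    """

    def __init__(self, policy, rng, lo=EPHEMERAL_LO, hi=EPHEMERAL_HI):
        if policy not in ("preserve", "sequential", "random"):
            raise ValueError(policy)
        self.policy, self.rng, self.lo, self.hi = policy, rng, lo, hi
        self.next_port = lo

    def translate(self, internal_port):
        if self.policy == "preserve":
            return internal_port
        if self.policy == "sequential":
            port = self.next_port
            self.next_port = self.lo if port == self.hi else port + 1
            return port
        return self.rng.randint(self.lo, self.hi)


def candidate_ports(policy, lo, hi, observed):
    """Ports an off-path attacker must try for the resolver's *next* query, given
    the external port seen on a prior query to the attacker's own authoritative
    server.  Assumes no other flow used the NAT in between (see note below)."""
    if policy == "sequential":
        return [lo if observed == hi else observed + 1]
    if policy == "random":
        return range(lo, hi + 1)
    return range(EPHEMERAL_LO, EPHEMERAL_HI + 1)   # preserve: the observation leaks nothing


def per_packet_success(policy, lo=EPHEMERAL_LO, hi=EPHEMERAL_HI):
    """Probability that one forged answer matches both the port and the TXID."""
    n_ports = len(candidate_ports(policy, lo, hi, lo))
    return 1.0 / (n_ports * TXID_SPACE)


def simulate(policy, lo=EPHEMERAL_LO, hi=EPHEMERAL_HI,
             spoofed_per_attempt=4096, attempts=300, seed=1):
    """Fraction of poisoning attempts that succeed in a constructed scenario:
    per attempt the resolver queries the attacker's server, then the target
    name, while the attacker sends spoofed_per_attempt guessed answers."""
    rng = random.Random(seed)
    nat = ToyNat(policy, rng, lo, hi)
    wins = 0
    for _ in range(attempts):
        observed = nat.translate(rng.randint(EPHEMERAL_LO, EPHEMERAL_HI))   # probe query
        real_port = nat.translate(rng.randint(EPHEMERAL_LO, EPHEMERAL_HI))  # target query
        real_txid = rng.randrange(TXID_SPACE)
        cands = candidate_ports(policy, lo, hi, observed)
        for _ in range(spoofed_per_attempt):
            if rng.choice(cands) == real_port and rng.randrange(TXID_SPACE) == real_txid:
                wins += 1
                break
    return wins / attempts


if __name__ == "__main__":
    cases = [("preserve", EPHEMERAL_LO, EPHEMERAL_HI),
             ("random", EPHEMERAL_LO, EPHEMERAL_HI),
             ("random", 1024, 1024 + 63),            # restricted 64-port range
             ("sequential", EPHEMERAL_LO, EPHEMERAL_HI)]
    for policy, lo, hi in cases:
        p = per_packet_success(policy, lo, hi)
        print(f"{policy:10s} ports {lo:5d}-{hi:5d}: 1 in {1 / p:.3g} per forged answer, "
              f"simulated success per attempt {simulate(policy, lo, hi):.1%}")
```

Running it directly prints the per-packet odds and a simulated success rate for each policy. With the sequential allocator the attacker's search collapses to the 16-bit TXID alone, the same situation resolvers were in before source-port randomisation was introduced against the Kaminsky attack, and a 64-port range is only 64 times better than that. The model assumes no other flows touch the NAT between the two queries; on a real network other traffic interleaves, so the attacker guesses a small window of ports rather than exactly one, which changes the constant but not the conclusion.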