List:       security-basics
Subject:    Re: Network Address Translation insecurities
From:       "Chris Berry" <compjma () hotmail ! com>
Date:       2002-09-27 16:49:14

It's still implemented in the TCP/IP stack; unless you have a high-powered 
router like a Cisco and manually disable it, it still works.  While it would 
be helpful if they knew what you had, most will just scan likely address 
blocks and hope for a return.  If you have a firewall, I personally 
recommend what I call a Christmas tree filter.  Drop all packets with any 
TCP/IP option flag set; none of them are used in production environments 
(at least nowhere I've worked at).


>From: Johan De Meersman <johan@ops.skynet.be>
>To: Chris Berry <compjma@hotmail.com>
>Subject: Re: Network Address Translation insecurities
>Date: Fri, 27 Sep 2002 14:46:59 +0200
>
>Chris Berry wrote:
>
>>That is totally incorrect, although it might make it marginally harder for 
>>amateurs, the attacker can bypass NAT by specifying the route for the 
>>packet to take.  This is called source routing, now if you were to drop 
>>source routed packets at the firewall then I'm not sure what they could 
>>do, perhaps someone else could chime in with a comment on that?
>
>Correct me if I'm wrong, but hasn't source routing been obsoleted ages ago? 
>Most current routers should just ignore any source-routed packages. 
>Moreover, source routing would require the attacker to have an intimate 
>knowledge of the NATted network topology.
>
>>
>>
>>>From: "Schuler, Jeff" <Jeff.Schuler@hit.cendant.com>
>>>To: security-basics@securityfocus.com
>>>Subject: Network Address Translation insecurities
>>>Date: Wed, 25 Sep 2002 10:17:04 -0700
>>>
>>>I am looking for information regarding the insecurities and
>>>vulnerabilities that exist in Network Address Translation.  One of our
>>>admins feels that because everything is NAT'd that there is no way anyone
>>>can break into the systems that are NAT'd.  I know that this is not a
>>>completely accurate statement but need to find some research and
>>>documentation regarding this.  All our systems are behind at least one
>>>firewall so please don't advise me to install a firewall as extra security
>>>as they are already there.  I just want to make sure that we are not
>>>overlooking serious vulnerabilities just because the box is behind a NAT.
>>>In order to justify doing vulnerability testing on some of our internal
>>>systems I need to demonstrate the insecurities in NAT.
>>>
>>>Thanks in advance
>>>
>>>Jeff Schuler
>>
>>
>>
>>
>>
>>Chris Berry
>>compjma@hotmail.com
>>Systems Administrator
>>JM Associates
>>
>>"I have found the way, and the way is Perl."
>>
>
>
>
>--
>Public GPG key at blackhole.pca.dfn.de .
>




Chris Berry
compjma@hotmail.com
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."
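
The filter recommended in the message above, as an added example that is not part of the original post: Python that walks the IPv4 header options and returns a drop/accept verdict, either for source-route options only or for any option at all. The function names, the `drop_all_options` switch and the sample headers (documentation addresses, checksum left at zero) are constructed for illustration.

```python
import struct

LSRR, SSRR = 0x83, 0x89   # loose / strict source route option types (RFC 791)
EOL, NOP = 0x00, 0x01     # single-byte end-of-list and padding options

def ipv4_options(packet: bytes) -> list:
    """Return the types of the TLV options in an IPv4 header.
    Raises ValueError if the header or an option is malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i = [], 20                      # options start after the fixed header
    while i < ihl:
        kind = packet[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without a length byte")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        opts.append(kind)
        i += length
    return opts

def verdict(packet: bytes, drop_all_options: bool = True) -> str:
    """'drop' for malformed headers and source-routed packets; with
    drop_all_options, also for any header that carries options (IHL > 5)."""
    try:
        opts = ipv4_options(packet)
    except ValueError:
        return "drop"
    if LSRR in opts or SSRR in opts:
        return "drop"
    has_options = (packet[0] & 0x0F) > 5
    return "drop" if (drop_all_options and has_options) else "accept"

def header(options: bytes = b"") -> bytes:
    """Constructed sample header; options are padded with EOL to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    vihl = 0x40 | (5 + len(options) // 4)
    return struct.pack("!BBHHHBBH4s4s", vihl, 0, 20 + len(options), 0, 0, 64,
                       6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options
```
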

