[prev in list] [next in list] [prev in thread] [next in thread]
List: security-basics
Subject: Re: Network Address Translation insecurities
From: "Chris Berry" <compjma () hotmail ! com>
Date: 2002-09-27 16:49:14
[Download RAW message or body]
Its still implemented in the TCP/IP stack, unless you have a high powered
router like a cisco and manually disable it, it still works. While it would
be helpful it they knew what you had, most will just scan likely address
blocks and hope for a return. If you have a firewall, I personally
recommend what I call a christmas tree filter. Drop all packets with any
TCP/IP option flag set, none of them are used in production environments.
(at least nowhere I've worked at)
>From: Johan De Meersman <johan@ops.skynet.be>
>To: Chris Berry <compjma@hotmail.com>
>Subject: Re: Network Address Translation insecurities
>Date: Fri, 27 Sep 2002 14:46:59 +0200
>
>Chris Berry wrote:
>
>>That is totally incorrect, although it might make it marginally harder for
>>amateurs, the attacker can bypass NAT by specifying the route for the
>>packet to take. This is called source routing, now if you were to drop
>>source routed packets at the firewall then I'm not sure what they could
>>do, perhaps someone else could chime in with a comment on that?
>
>Correct me if I'm wrong, but hasn't source routing been obsoleted ages ago
>? Most current routers should just ignore any source-routed packages.
>Moreover, source routing would require the attacker to have an intimate
>knowledge of the NATted network topology.
>
>>
>>
>>>From: "Schuler, Jeff" <Jeff.Schuler@hit.cendant.com>
>>>To: security-basics@securityfocus.com
>>>Subject: Network Address Translation insecurities
>>>Date: Wed, 25 Sep 2002 10:17:04 -0700
>>>
>>>I am looking for information regarding the insecurities and
>>>vulnerabilities
>>>that exist in Network Address Translation. One of our admins feels that
>>>because everything is NAT'd that there is no way anyone can break into
>>>the
>>>systems that are NAT'd. I know that this is not a completely accurate
>>>statement but need to find some research and documentation regarding
>>>this.
>>>All our systems are behind at least one firewall so please don't advise
>>>me
>>>to install a firewall as extra security as they are already there. I
>>>just
>>>want to make sure that we are not overlooking serious vulnerabilities
>>>just
>>>because the box is behind a NAT. In order to justify doing vulnerability
>>>testing on some of our internal systems I need to demonstrate the
>>>insecurities in NAT.
>>>
>>>Thanks in advance
>>>
>>>Jeff Schuler
>>
>>
>>
>>
>>
>>Chris Berry
>>compjma@hotmail.com
>>Systems Administrator
>>JM Associates
>>
>>"I have found the way, and the way is Perl."
>>
>>
>>_________________________________________________________________
>>Chat with friends online, try MSN Messenger: http://messenger.msn.com
>
>
>
>--
>Public GPG key at blackhole.pca.dfn.de .
>
><< attach3 >>
Chris Berry
compjma@hotmail.com
Systems Administrator
JM Associates
"I have found the way, and the way is Perl."
_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic