[135016] in North American Network Operators' Group


Re: Is NAT can provide some kind of protection?

daemon@ATHENA.MIT.EDU (William Herrin)
Fri Jan 14 09:26:25 2011

In-Reply-To: <4D2FD62F.90305@mail-abuse.org>
From: William Herrin <bill@herrin.us>
Date: Fri, 14 Jan 2011 09:24:58 -0500
To: Douglas Otis <dotis@mail-abuse.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <dotis@mail-abuse.org> wrote:
> Unfortunately, a large number of web sites have been compromised, where an
> unseen iFrame might be included in what is normally safe content. A device
> accessing the Internet through a NAT often creates opportunities for
> unknown sources to reach the device as well. Once an attacker invokes a
> response, exposures persist, where more can be discovered. There are also
> exposures related to malicious scripts enabled by a general desire to show
> users dancing fruit. Microsoft now offers a toolkit that allows users a
> means to 'decide' what should be allowed to see fruit dance. Users that
> assume local networks are safe are often disappointed when someone on their
> network wants an application to do something that proves unsafe. Methods to
> penetrate firewalls are often designed into 'fun' applications or poorly
> considered OS features.

Doug,

Passive attacks. Very effective. Breeze past the firewall like it
wasn't there. Hard to target though; work best when you're fishing for
whatever you can get instead of trying to crack a particular system.
Some success combining them with social engineering.

Not terribly relevant to the discussion in this thread. Firewalls
mostly block active attacks where a hacker is pushing unsolicited data
at a host instead of waiting for the host to request data. Whether or
not NAT is involved doesn't really change that larger picture of the
general class of attacks firewalls obstruct.

-Bill


-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
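
The distinction drawn in the message above, as an added illustration that is not part of the original post: a toy connection-tracking gateway that returns the same verdicts with and without address translation. The class, function names and all addresses (documentation ranges) are constructed for this example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class StatefulGateway:
    """Toy connection-tracking gateway; nat=True also rewrites the inside source."""
    def __init__(self, public_ip, nat):
        self.public_ip, self.nat = public_ip, nat
        self.flows = {}  # (local ip, local port, remote ip, remote port) -> inside (ip, port)
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside host initiates: record the flow, translating the source if NAT is on."""
        if self.nat:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
        else:
            ext = (pkt.src, pkt.sport)
        self.flows[(ext[0], ext[1], pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(ext[0], ext[1], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside packet: deliver only if it matches a flow the inside opened."""
        inside = self.flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "DROP" if inside is None else "DELIVER to %s:%d" % inside

def verdicts(nat):
    """Run one unsolicited inbound packet and one reply through the gateway."""
    host = "10.0.0.5" if nat else "198.51.100.5"  # constructed inside host
    gw = StatefulGateway("198.51.100.1", nat)
    sent = gw.outbound(Packet(host, 51000, "203.0.113.80", 80))
    target = gw.public_ip if nat else host
    return {
        # Active: data pushed at the host without any request from it.
        "unsolicited": gw.inbound(Packet("192.0.2.66", 4444, target, 445)),
        # Passive: the reply to the host's own request, whatever it carries.
        "reply": gw.inbound(Packet(sent.dst, sent.dport, sent.src, sent.sport)),
    }

if __name__ == "__main__":
    for nat in (True, False):
        print("NAT" if nat else "no NAT", verdicts(nat))
```

In both modes the unsolicited packet is dropped and the reply is delivered, so content returned for a request the host made passes either kind of gateway and has to be handled on the host or by content inspection.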

