[135026] in North American Network Operators' Group
Re: Is NAT can provide some kind of protection?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jan 14 14:46:31 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTikhLwwiqRSn48iH=cvj8a+NDc=OXRdOXHRG1hiK@mail.gmail.com>
Date: Fri, 14 Jan 2011 11:43:35 -0800
To: William Herrin <bill@herrin.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 14, 2011, at 6:24 AM, William Herrin wrote:
> On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <dotis@mail-abuse.org> wrote:
>> Unfortunately, a large number of web sites have been compromised, where an
>> unseen iFrame might be included in what is normally safe content. A device
>> accessing the Internet through a NAT often creates opportunities for
>> unknown sources to reach the device as well. Once an attacker invokes a
>> response, exposures persist, where more can be discovered. There are also
>> exposures related to malicious scripts enabled by a general desire to show
>> users dancing fruit. Microsoft now offers a toolkit that allows users a
>> means to 'decide' what should be allowed to see fruit dance. Users that
>> assume local networks are safe are often disappointed when someone on their
>> network wants an application to do something that proves unsafe. Methods to
>> penetrate firewalls are often designed into 'fun' applications or poorly
>> considered OS features.
>
> Doug,
>
> Passive attacks. Very effective. Breeze past the firewall like it
> wasn't there. Hard to target though; work best when you're fishing for
> whatever you can get instead of trying to crack a particular system.
> Some success combining them with social engineering.
>
Grabbing whatever you can get near the thing you're trying to crack
is often a good first step. After all, once you pwn a system inside
the firewall in the same security zone as your target, it becomes
a lot easier to attack your target.
> Not terribly relevant to the discussion in this thread. Firewalls
> mostly block active attacks where a hacker is pushing unsolicited data
> at a host instead of waiting for the host to request data. Whether or
> not NAT is involved doesn't really change that larger picture of the
> general class of attacks firewalls obstruct.
>
Ah, but the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing. Another example
where NAT can be, and is, a security negative. The fact that you refuse
to acknowledge these is exactly what you were accusing me of
doing in my previous emails.
Owen
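To make the mechanism the quoted paragraph describes concrete (an inside host's outbound request, such as a browser fetching a hidden iFrame, creates NAT state that outside hosts may then be able to use), here is an added toy model of a NAT translation table with the three filtering behaviours RFC 4787 names for UDP-style mappings. It is not part of the original thread or of any NANOG poster's text; the `Nat` class, the `hidden_iframe_scenario` function and every address in it are constructed for the example (RFC 5737 documentation ranges). The point it shows is the one Owen makes: a NAT mapping is not a firewall policy, and whether unrelated hosts can reach the inside device through it depends entirely on the filtering mode the device happens to implement.

```python
"""Toy model of NAT mappings and RFC 4787 filtering behaviours (example, not real NAT code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# RFC 4787 filtering behaviours, from most permissive to most restrictive.
ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class Nat:
    """Hypothetical NAT: one public IP, one mapping per inside (ip, port)."""
    public_ip: str
    filtering: str
    next_port: int = 40000
    mappings: Dict[Endpoint, int] = field(default_factory=dict)   # inside -> public port
    peers: Dict[int, Set[Endpoint]] = field(default_factory=dict)  # public port -> contacted peers

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Inside host sends to remote: create the mapping if needed, record the peer."""
        if inside not in self.mappings:
            self.mappings[inside] = self.next_port
            self.peers[self.next_port] = set()
            self.next_port += 1
        port = self.mappings[inside]
        self.peers[port].add(remote)
        return (self.public_ip, port)

    def inbound(self, remote: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Outside host sends to public_ip:dst_port. Return the inside endpoint it
        reaches, or None if the filtering behaviour drops the packet."""
        if dst_port not in self.peers:
            return None  # no mapping at all: nothing to translate to
        known = self.peers[dst_port]
        if self.filtering == ENDPOINT_INDEPENDENT:
            allowed = True                                   # anyone may use the mapping
        elif self.filtering == ADDRESS_DEPENDENT:
            allowed = any(r[0] == remote[0] for r in known)  # same IP, any port
        else:
            allowed = remote in known                        # exact (ip, port) previously contacted
        if not allowed:
            return None
        for inside, port in self.mappings.items():
            if port == dst_port:
                return inside
        return None


def hidden_iframe_scenario(filtering: str) -> Dict[str, bool]:
    """Constructed scenario: a browser behind the NAT fetches an iFrame from an
    outside server, then three outside senders try to reach the browser's port."""
    nat = Nat(public_ip="203.0.113.5", filtering=filtering)
    browser = ("192.168.1.20", 51234)          # inside host (constructed)
    iframe_server = ("198.51.100.7", 80)       # server the iFrame pointed at (constructed)
    same_host_other_port = ("198.51.100.7", 4444)
    unrelated_host = ("192.0.2.99", 4444)

    public = nat.outbound(browser, iframe_server)  # the request that creates the state
    port = public[1]
    return {
        "iframe_server_can_reach": nat.inbound(iframe_server, port) == browser,
        "same_host_other_port_can_reach": nat.inbound(same_host_other_port, port) == browser,
        "unrelated_host_can_reach": nat.inbound(unrelated_host, port) == browser,
    }


if __name__ == "__main__":
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT, ADDRESS_PORT_DEPENDENT):
        print(mode, hidden_iframe_scenario(mode))
```

Running it prints one line per filtering mode. With endpoint-independent filtering every outside host can reach the inside device once the mapping exists; with address-and-port-dependent filtering only the endpoint the browser actually contacted can, which is the behaviour a stateful firewall gives you regardless of whether addresses are translated. The defender's takeaway is that the protection comes from the filtering policy, which should be stated and tested explicitly, not from address translation itself.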