Security Forums

Why isn't NAT sufficient protection for a network?

funkyd
Just Arrived
Joined: 05 Mar 2003
Posts: 0

Posted: Tue Mar 11, 2003 7:09 pm    Post subject: Why isn't NAT sufficient protection for a network?

Having a chat with my sys admin we got round to chatting about how well the network was protected.

'We have a NAT firewall' he proudly stated. 'So what' I replied. His next point was that 'NAT is good enough because there has to be a vulnerability for a hacker to get onto your systems'

Is he right? Can a hacker only get onto the network if there is a vulnerability? Even a DOS works on there being some hole or other that allows the DOS to work in the first place?

I know that NAT is not enough but I'm not knowledgeable enough to say why - so at the moment I look like an idiot.

Can someone realistically get admin passwords from our web servers on our DMZ if we are fully patched up on Win2k and IIS? Ditto our trusted network. Can you plant a trojan on a web server with AV installed? I said a good hacker could disable the AV if he had the admin password and then plant his trojan and have remote access....

If they can - then how? I need to prove to my boss that this guy is wrong - or at least partially wrong to ensure we take security more seriously.
Giro
New Member
Joined: 25 Mar 2004
Posts: 22
Location: England

Posted: Tue Mar 11, 2003 7:15 pm

He is right, I think. Only the gateway would be visible from the net so the only way into the internal network would be to hack that box. And if you disabled the AV and installed a trojan, as soon as it's been re-enabled it would pick up the trojan. Please correct me if I'm wrong.
ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Tue Mar 11, 2003 7:16 pm    Post subject: Re: Why isn't NAT sufficient protection for a network?

funkyd wrote:
Having a chat with my sys admin we got round to chatting about how well the network was protected.

'We have a NAT firewall' he proudly stated. 'So what' I replied. His next point was that 'NAT is good enough because there has to be a vulnerability for a hacker to get onto your systems'


Does NAT do stateful packet inspection? Does this guy know what stateful packet inspection is?

There are vulnerabilities in everything, usually the biggest ones are in the wetware ;)

funkyd wrote:

Is he right? Can a hacker only get onto the network if there is a vulnerability? Even a DOS works on there being some hole or other that allows the DOS to work in the first place?


Yes, but remember protecting the inside is just as important, the majority of compromises come from the inside... if you don't correctly control what is going in and more importantly out, how can you maintain control? NAT has no provisions for such things.

How do you know if someone is profiling you? Data footprinting you? Without a firewall and IDS?

Ask him what hping and firewalker are for? Ask him what TCP/IP sequence prediction is..

Ask him what ARP poisoning is, session spoofing, session hijacking..

funkyd wrote:

I know that NAT is not enough but I'm not knowledgeable enough to say why - so at the moment I look like an idiot.


Hehe, to me he looks like the idiot, not you...

funkyd wrote:

Can someone realistically get admin passwords from our web servers on our DMZ if we are fully patched up on Win2k and IIS?


Realistically it depends how much they want it, nothing is 100% safe remember that.

funkyd wrote:

Ditto our trusted network. Can you plant a trojan on a web server with AV installed?


Yes, if I write a trojan how is your AV engine going to pick it up?

What if I write a Ring 0 or VxD layer trojan that your AV can't even see?

funkyd wrote:

I said a good hacker could disable the AV if he had the admin password and then plant his trojan and have remote access....


You don't need to disable it, just go under it or ignore it :)
TheKingster
Link Spammer
Joined: 03 May 2002
Posts: 0
Location: UK

Posted: Tue Mar 11, 2003 7:18 pm

Well just in my own home I have a NAT enabled router just forwarding the ports I need.

For me I think that's enough as all other ports get rejected.

If I got owned I wouldn't be too fussed as porn is widely available hahaha

If I was in a large company and needed to secure data then I would stick a firewall in too.
funkyd
Just Arrived
Joined: 05 Mar 2003
Posts: 0

Posted: Tue Mar 11, 2003 7:26 pm

Thanks Shaolin - I am going to read up on all those terms you mentioned. Got to be careful that I don't blag it though and can answer any return fire!

I agree that he might be half right but to be so confident and sure is foolhardy in my opinion.

Oh he has never heard of hping or firewalker..... :lol:

Well I reckon I need to get wiser than him on these subjects....

Can anyone recommend a good lab scenario that I could set up at home to test these things?

I have tried to hack an NT box but have no idea what to do beyond the real basics. I am thinking that if I can demonstrate to my boss how a hack can be done then that adds to the points I want to make to him.

Obviously I can't try and hack a real network but perhaps I can try other things - the tutorials on Altavista for example are a bit lame and seem more for the 'home' hacker than a real pro?
myhatisred
Just Arrived
Joined: 11 Jan 2003
Posts: 0

Posted: Tue Mar 11, 2003 7:42 pm

At home I'm running a NAT and only have the ports forwarded for my servers, any other port is just rejected. That provides some security but if there are exploits to the services you have running, you better be careful.
big tom
Forum Fanatic
Joined: 28 May 2002
Posts: 16777215
Location: UK

Posted: Tue Mar 11, 2003 7:57 pm

I hope NAT is about enough for me.
I have all my ports stealthed. You wouldn't even get a reply from a ping.

I will admit to not having AV software installed, however. Most of the things I've tried don't detect viruses that much better than my own common sense :?
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Posted: Tue Mar 11, 2003 11:30 pm

Folks are confusing business v private use even after some earlier explanatory posts.

Take as an example....

Trojaned email comes in to employee X.

Being the average luser he/she opens it and has a compromised system.

Having a simple NAT router the trojan then connects out to the attacker giving them the toe hold in the network they need.

At home what do they get -- root your box, you reformat.

In business they can root the accounts, customer db, payroll, systems. All without requiring a vulnerable service on a public listening port.

You can't afford to take that chance and want to stay employed in ITSec.
Giro
New Member
Joined: 25 Mar 2004
Posts: 22
Location: England

Posted: Wed Mar 12, 2003 12:55 am

b4rtm4n wrote:
Folks are confusing business v private use even after some earlier explanatory posts.

Take as an example....

Trojaned email comes in to employee X.

Being the average luser he/she opens it and has a compromised system.

Having a simple NAT router the trojan then connects out to the attacker giving them the toe hold in the network they need.

At home what do they get -- root your box, you reformat.

In business they can root the accounts, customer db, payroll, systems. All without requiring a vulnerable service on a public listening port.

You can't afford to take that chance and want to stay employed in ITSec.


But don't you need to be able to run the code as the user for rootkits to work? And a business would have AV on all machines.
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Posted: Wed Mar 12, 2003 12:53 pm

Ol Man wrote:
But don't you need to be able to run the code as the user for rootkits to work?


Hadn't got as far as full _rootkits_, when writing I was thinking more subseven/backorifice style trojans.

Ol Man wrote:

And a business would have AV on all machines.


Wouldn't that be nice :)

AV gets installed, never gets updated. Gets switched off. Was never installed at all.
CHeeKY
Just Arrived
Joined: 13 Feb 2003
Posts: 3

Posted: Wed Mar 12, 2003 1:54 pm

Right, send me your IPs. NAT is shite, end of, so easy to hack, IP spoofing away, and IIS and Win2k patched up, hmm.... that may be safe a little bit, but hey, that's still open to attack; it's not just about the programs, it's about what's protecting them.

And hacking your conn ain't the only way to get in, I can do emails that when opened will send back IPs of internal network etc. and then you start to understand TCP sequencing?

Here's your first question for that clever sysop: ask him for a copy of his Security Policies....

Correct, he doesn't have one ...hehehe
Just don't understand how anyone running Windows boxes and IIS with simple NAT installed can claim he is safe. I run multi round robin Checkpoint firewalls with BIDS (behavioural IDS) and I still have seen people get through that...

All comes down to what he is protecting and what people want, so yes to him, he may well be safe, but hey send us the IP or addy and will do some checks, no harm as he claims to be safe...
CHeeKY
Just Arrived
Joined: 13 Feb 2003
Posts: 3

Posted: Wed Mar 12, 2003 3:50 pm

If NAT is so good, folks, explain how the below becomes a competent security policy.


NATs work at Layer 3 (IP layer).

NATs modify the source/destination IP address.

NATs do not modify Layer 4, Layer 5, Layer 6, and Layer 7 addresses embedded within the IP payload.

Many applications embed IP addresses at Layer 4 through Layer 7.

NAT breaks the end-to-end model of IP for routability, encryption, and so on, due to the embedded Layer 4 - Layer 7 IP addresses.

And because of these, I would never advise on just NAT for any connection.
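A toy model of two points made in this thread, b4rtm4n's outbound-connection scenario and the list above about addresses embedded in the payload. It is an added example, not code from any poster; the `Nat` class, the addresses and the FTP-style `PORT` payload are constructed for illustration.

```python
# Toy source-NAT model (added example; names and addresses are constructed).
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"   # documentation-range address, constructed


@dataclass
class Nat:
    table: dict = field(default_factory=dict)  # public port -> (inside ip, port, remote)
    next_port: int = 40000

    def outbound(self, src_ip, src_port, dst, payload):
        """Inside host opens a flow: only the L3/L4 header is rewritten."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst)
        return {"src": (PUBLIC_IP, pub_port), "dst": dst, "payload": payload}

    def inbound(self, src, dst_port, payload):
        """Outside packet: forwarded only if an inside host created the mapping."""
        entry = self.table.get(dst_port)
        if entry is None or entry[2] != src:
            return None                          # unsolicited: dropped
        return {"src": src, "dst": entry[:2], "payload": payload}


def egress_allowed(dst, allowlist):
    """What NAT alone lacks: a policy decision on outbound destinations."""
    return dst in allowlist


def demo():
    nat = Nat()
    remote = ("198.51.100.7", 443)               # constructed outside host
    # 1. Unsolicited inbound: no mapping exists, so it is dropped.
    unsolicited = nat.inbound(remote, 40000, b"hello")
    # 2. An inside workstation connects out; NAT maps it with no policy check,
    #    and the outside host's replies now reach the workstation.
    out = nat.outbound("192.168.1.10", 51515, remote, b"PORT 192,168,1,10,4,1\r\n")
    reply = nat.inbound(remote, out["src"][1], b"reply")
    # 3. The header shows the public address; the payload still names the inside one.
    leaked = b"192,168,1,10" in out["payload"]
    # 4. A firewall egress rule would have refused the flow before NAT mapped it.
    blocked = not egress_allowed(remote, allowlist={("192.0.2.25", 25)})
    return unsolicited, out["src"][0], reply["dst"], leaked, blocked
```

`demo()` returns the five observations in order: the dropped unsolicited packet, the rewritten source address, the inside host that receives the reply, whether the payload still carries the inside address, and whether an egress allowlist would have stopped the flow.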
funkyd
Just Arrived
Joined: 05 Mar 2003
Posts: 0

Posted: Wed Mar 12, 2003 3:56 pm

CHeeKY wrote:


And hacking your conn ain't the only way to get in, I can do emails that when opened will send back IPs of internal network etc. and then you start to understand TCP sequencing?


What is TCP sequencing and why should I worry about it? Point me to a FAQ if it's too long to explain here....cheers
CHeeKY
Just Arrived
Joined: 13 Feb 2003
Posts: 3

Posted: Wed Mar 12, 2003 4:25 pm

Nothing against, but point yourself to a FAQ, all about helping yourself as well :)

Sequencing is all about TCP source address spoofing, making your system believe that the source is one of its own, and through layer 3 this is more achievable through NAT, it's all about handshaking....

All times are GMT + 2 Hours