Security Basics mailing list archives

Re: Network Address Translation insecurities


From: "Frederick Garbrecht" <fgarbrecht () ecogchair org>
Date: Fri, 11 Oct 2002 21:24:00 -0400

Is it possible to do this routing trick under Windows?  Win2K won't let me
add a route if the specified gateway is not on the same network segment as
the host (at least that's what the error message I get says).
Fred
----- Original Message -----
From: "Graham, Randy (RAW) " <grahamrw () y12 doe gov>
To: "Schuler, Jeff" <Jeff.Schuler () hit cendant com>;
<security-basics () securityfocus com>
Sent: Thursday, September 26, 2002 9:34 AM
Subject: RE: Network Address Translation insecurities


I'll answer this by posting a snippet from a post Anders Pettersson made to
this list just over a month ago (08-14-2002 in US date notation):

----
It can not be stressed enough that NAT alone is _no protection at
all_, there must be some filtering or you are running wide open
looking for trouble.

By adding a route to the network you can directly reach the machines
from outside the NAT box, something like[1]

# route add -net 192.168/16 gw 123.123.123.123

would do. Then just ping around to find what hosts are alive...

It is raining on the Internet. Don't leave your house with the windows
open...

[1] Assuming the corporate LAN uses 192.168.0.0--192.168.255.255 as
    their internal addresses and the gateway's external IP is
    123.123.123.123.
----

In other words, NAT gains you pretty much nothing for security.  The
existence of your network behind a NATting device might not be immediately
obvious to someone scanning from the outside, but anyone watching traffic
from your NAT device will be able to figure out pretty easily that there is
a network behind that one IP address, and if they care to probe to see what
is there, the NAT does not do much to protect the network.

Randy Graham


-----Original Message-----
From: Schuler, Jeff [mailto:Jeff.Schuler () hit cendant com]
Sent: Wednesday, September 25, 2002 1:17 PM
To: security-basics () securityfocus com
Subject: Network Address Translation insecurities


I am looking for information regarding the insecurities and vulnerabilities
that exist in Network Address Translation.  One of our admins feels that
because everything is NAT'd that there is no way anyone can break into the
systems that are NAT'd.  I know that this is not a completely accurate
statement but need to find some research and documentation regarding this.
All our systems are behind at least one firewall so please don't advise me
to install a firewall as extra security as they are already there.  I just
want to make sure that we are not overlooking serious vulnerabilities just
because the box is behind a NAT.  In order to justify doing vulnerability
testing on some of our internal systems I need to demonstrate the
insecurities in NAT.

Thanks in advance

Jeff Schuler
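
The thread's point, that address translation without filtering still forwards unsolicited packets, can be checked on a gateway's own rule set. The following is an added example, not code from any poster in this thread: it assumes a Linux gateway configured with iptables and audits an `iptables-save` dump, and the interface names and both sample rule sets are constructed.

```python
import shlex

HANDLED = ("-i", "-m", "--state", "--ctstate")  # matches this audit interprets
def parse_save(text):
    """iptables-save text -> {table: {"policy": {chain: target}, "rules": {chain: [tokens]}}}"""
    tables, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif cur is not None and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif cur is not None and line.startswith("-A "):
            tok = shlex.split(line)
            cur["rules"].setdefault(tok[1], []).append(tok[2:])
    return tables

def opt(rule, name):
    """Value that follows option `name` in a rule's token list, or None."""
    return rule[rule.index(name) + 1] if name in rule[:-1] else None

def nat_out_ifaces(tables):
    """Interfaces the box source-NATs out of, i.e. its external side."""
    rules = tables.get("nat", {}).get("rules", {}).get("POSTROUTING", [])
    return {opt(r, "-o") for r in rules if opt(r, "-j") in ("MASQUERADE", "SNAT")} - {None}

def unsolicited_forward(tables, in_iface):
    """Verdict for a state-NEW packet arriving on in_iface. Conservative: any matching ACCEPT
    is exposure; DROP/REJECT counts only if unconditional. '!' and user chains not modelled."""
    flt = tables.get("filter", {})
    for r in flt.get("rules", {}).get("FORWARD", []):
        states = opt(r, "--state") or opt(r, "--ctstate")
        if opt(r, "-i") not in (None, in_iface) or (states and "NEW" not in states.split(",")):
            continue  # rule is for another interface or only for established flows
        m = r[:r.index("-j")] if "-j" in r else r
        rest = [t for i, t in enumerate(m) if t not in HANDLED and (i == 0 or m[i - 1] not in HANDLED)]
        target = opt(r, "-j")
        if target == "ACCEPT" or (target in ("DROP", "REJECT") and not rest):
            return "ACCEPT" if target == "ACCEPT" else "DROP"
    return "ACCEPT" if flt.get("policy", {}).get("FORWARD", "ACCEPT") == "ACCEPT" else "DROP"

def audit(text):
    tables = parse_save(text)
    return {i: unsolicited_forward(tables, i) for i in sorted(nat_out_ifaces(tables))}

# Constructed sample rule sets (eth0 = external, eth1 = LAN; both names are assumptions).
NAT = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n"
NAT_ONLY = NAT + "*filter\n:FORWARD ACCEPT [0:0]\nCOMMIT\n"
FILTERED = NAT + ("*filter\n:FORWARD DROP [0:0]\n-A FORWARD -i eth1 -o eth0 -j ACCEPT\n"
                  "-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT\nCOMMIT\n")
```

`audit(NAT_ONLY)` reports ACCEPT for the external interface, while `audit(FILTERED)` reports DROP because only replies to connections opened from the LAN are forwarded.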


