In message <1106892739.9371.26.camel@localhost.localdomain>, Kristian
Hermansen <khermansen@ht-technology.com> writes
I have Googled around and asked a highly-respected Professor at my
University whether it is possible to direct packets behind a NAT router
without the internal 192.168.x.x clients first requesting a connection
to the specific host outside. The answer I received is "not possible".
I also asked if this can be thought of as a security feature, to which
the reply was again "yes".
Yes. But see later.
Now, I wouldn't place all my bets on his answer and I am calling on
someone out there to clear up my question. If NAT really does only
allow inbound connections with a preliminary request as he suggests, it
seems that the only way to get an "unauthorized" packet behind the
router is by some flaw in the firmware of the device.
If you are not offering any services to the Internet, yes. If you are,
then you have ports open on the router, redirecting to real machines,
which may be running software which can be exploited. This is how worms
spread. the home user is unlikely to be hit by a worm, unless they are
running a Windows NT-derived operating system, such as XP, without a
firewall and/or NAT device. Commercial installations such as web servers
are the main targets for worms.
How about if the client has requested a connection to Google.com from
behind his Linksys home NAT router: would it be possible for an outside
attacker to spoof packets from Google's IP to get packets into the
network? Or do we need to know the sequence numbers as well? Or is
there an even more devious way to get packets on the inside without a
client's initiative?
Google for "man in the middle" attack.
Has there been any research into this? Are there statistics on worm
propagation and exploited network hosts in relation to those individuals
that did not own routers (and instead connected directly to their
modem)? If *all* home users on the Internet had NAT routers during the
summer of 2003, would we have significantly slowed the spread of
Blaster? I believe these all to be very important questions and the
security aspects of the ability to route packets behind NAT really
interests me...maybe some of you can elaborate :-)
Worms are not usually an issue for home users, except when someone sells
an operating system with ports open to the Internet by default. XP
pre-service pack 2 is such an operating system. Its users were duly
hammered by worms, and would not have been if they used the built-in
firewall, which was not enabled by default. I'm not sure how much a NAT
device would have helped on its own. Modern versions of Windows are
extremely talkative, and it may well have invited the bad guys in of its
own accord. But widespread use of the firewall would have stopped it.
More troublesome for home users are viruses spread by email, which
initiate connections through the firewall, router or other device from
the inside. The security device cannot generally tell whether the user
or a virus has made the request, though third-part 'personal' firewalls,
running on the user's workstation, are becoming quite good at this.
I don't think Internet Explorer currently runs any code in an incoming
email automatically, as it once did, but it's not hard to persuade many
users to click on a button and run the virus themselves. Most viruses
are now also worms, they will attempt to spread both by email and by
direct contact with unprotected machines.
--
Joe
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
