Is NAT can provide some kind of protection?
On Jan 14, 2011, at 6:24 AM, William Herrin wrote:
> On Thu, Jan 13, 2011 at 11:50 PM, Douglas Otis <dotis at mail-abuse.org> wrote:
>> Unfortunately, a large number of web sites have been compromised, where an
>> unseen iFrame might be included in what is normally safe content. A device
>> accessing the Internet through a NAT often creates opportunities for
>> unknown sources to reach the device as well. Once an attacker invokes a
>> response, exposures persist, where more can be discovered. There are also
>> exposures related to malicious scripts enabled by a general desire to show
>> users dancing fruit. Microsoft now offers a toolkit that allows users a
>> means to 'decide' what should be allowed to see fruit dance. Users that
>> assume local networks are safe are often disappointed when someone on their
>> network wants an application to do something that proves unsafe. Methods to
>> penetrate firewalls are often designed into 'fun' applications or poorly
>> considered OS features.
>
> Doug,
>
> Passive attacks. Very effective. Breeze past the firewall like it
> wasn't there. Hard to target though; work best when you're fishing for
> whatever you can get instead of trying to crack a particular system.
> Some success combining them with social engineering.
>
Grabbing whatever you can get near the thing you're trying to crack
is often a good first step. After all, once you pwn a system inside
the firewall in the same security zone as your target, it becomes
a lot easier to attack your target.
> Not terribly relevant to the discussion in this thread. Firewalls
> mostly block active attacks where a hacker is pushing unsolicited data
> at a host instead of waiting for the host to request data. Whether or
> not NAT is involved doesn't really change that larger picture of the
> general class of attacks firewalls obstruct.
>
Ah, but, the point here is that NAT actually serves as an enabling
technology for part of the attack he is describing. Another example
where NAT can and is a security negative. The fact that you refuse
to acknowledge these is exactly what you were accusing me of
doing in my previous emails.
Owen