great article on NAT router security

 
 
steve h.
 
      06-19-2004
<snip>

Busting the NAT Myth
By Sig Fidyke, Senior Product Manager, and Scott Pinzon, LiveSecurity
Lead Editor, WatchGuard Technologies, Inc.

Have you ever settled down to dinner, only to be interrupted by
unsolicited telemarketing phone calls? It makes you glad that at work,
your business has a main number other than your desk phone. If necessary,
you can tell the company receptionist, "Unless my boss or my spouse
calls, don't forward any calls to me." Then if telemarketers call the
main number, looking for you, the receptionist terminates their call
without bothering you. In fact, if you wanted, you could keep your desk
phone number completely private so that no one knew it except fellow
employees and close family members.

However, if you achieved that ideal, would you then say, "My private
phone number makes me safe in all regards. Now we can fire the company's
security guards and leave the doors unlocked"? Foolish, right? Yet for
some reason, many people follow that very logic when concluding that a
NAT device is a firewall. This article debunks the myth that a NAT device
is "good enough" security, and explains why you're better off using a
real firewall to protect your network.

NAT Attacks
Network Address Translation, or NAT, works roughly like the receptionist
in our opening illustration. It hides your private, or unregistered,
network addresses from the public. When packets leave your network,
heading for the wild Internet, a NAT device replaces all private IP
source addresses with one public address (usually its own). Since the NAT
box advertises its own address to the world as the source address, all
replies from the wild Internet return to the NAT device, analogous to the
way phone calls to everyone at your company might first come to a main
phone number. And just as the receptionist answering the main number can
redirect incoming phone calls to the desired individual, NAT checks an
internal table to redirect replies to the appropriate computer inside the
network. If an attacker initiates a connection to your network through
some oddball port, like 31337, the NAT box would check its table and
think, "Gee, no one inside this network requested information on port
31337. Now I don't know who to send this packet to." Typically, it then
drops the packet. So, in this sense, NAT-only devices do provide a
modicum of security. (The rest of this article assumes you understand
basic NAT, so if the concept is new to you, before continuing you might
want to read "Using Network Address Translation" and "How and When to Use
1:1 NAT.")

Since NAT is designed to do the best it can to allow traffic in, any
security benefits it provides are mere side-effects. Hackers have
developed attacks specifically for NAT devices, such as the following.

Exploiting open ports. For port-based NAT, once a NAT device opens a port
by putting it in the NAT table, all traffic destined to that port is
allowed through to the local computer identified in the table. NAT
substitutes unusual ports for well-known ports, but usually derives its
substitute port numbers from a standard range. Hackers can persistently
keep guessing at which ports NAT has opened until they get through. Since
they use automated programs to do this, the hacker doesn't have to be
overly persistent or lucky -- he just tries a lot of addresses until
something breaks.

Taking the DMZ server. Some NAT devices can be configured so that packets
not matching anything in the NAT table are sent to a specified computer,
rather than discarded. This gives the administrator a chance to ensure
that good traffic is not lost, and to allow a program to work that won't
work through NAT. But it's horrible from a security perspective. It means
the NAT device sends everything through. Once a hacker gets control of
the one computer where everything goes, he can easily access any other
computer on the same network.

Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone
with sufficient technical knowledge, using hacking tools freely available
on the Internet, can put another user's IP address in the "From" (source)
field of packets. Since NAT relies on analyzing addresses, false
addresses compromise NAT devices easily.

Default remote access. Many NAT devices leave a port open to the public
Internet, to allow remote administration. The port is protected by a
password. Hackers circulate lists of open ports and the default passwords
set by the manufacturer of each NAT device. If you haven't changed the
default password protecting your NAT device, knowledgeable attackers can
log themselves in and reconfigure your device. Then they have
administrative privileges, and you don't.

NAT devices were not designed to be true security devices, so they have a
weak security stance. For example, a hacker can send an "anybody there?"
message, called a ping, to millions of addresses. Firewalls recognize
ping and hide themselves. NAT devices respond, letting the hacker know
he's found a live connection. NAT devices don't do any egress filtering,
either. So clearly, a NAT device is not a full security solution.

Firewall Advantages
Don't get us wrong. We like NAT. We think NAT is both cool and necessary.
Our point is that a real firewall offers additional, significant security
improvements on top of NAT. Here are a few.

Authenticating connections. A NAT device checks only the source IP
address, destination IP address, and related port numbers to decide if
traffic is valid. A real firewall goes further. In addition to IP address
and port information, the firewall also checks, for example, the sequence
number of the packet for duplicates or out-of-bound values (hackers try
to recycle an existing packet header with different data inside). Other
firewall verification steps include user authentication, packet content
inspection (e.g., does this HTTP packet really contain HTTP
information?), and checking the IPs against black-listed sites.

Controlling outbound traffic. Any defense offered by a NAT device deals
only with inbound connections. Firewalls offer egress filtering -- the
ability to close outgoing connections. Many Trojans are programmed to
infect a machine, then "phone home" to their creator, using an obscure
outbound port; egress filtering can stop this. Similarly, when worms
infect a machine and seek to spread, egress filtering can prevent your
network from becoming the worm's next launching pad.

Securely handling special cases. True firewalls are aware of, and
support, numerous applications that require special handling. Some NAT
and low-cost "firewall-like" routers basically have to be shut off to
allow, say, NetMeeting or audio/video streaming to function. Real
firewalls handle them securely and without special user requirements. The
firewall first identifies the packets as coming from a special
application. It then rewrites and re-routes the packets compatibly with
both the application and NAT.

Robust processing power. Inexpensive NAT devices typically don't include
the powerful processors required for "deep packet inspection." Even
"firewall-like" routers will typically degrade significantly in
performance if called upon to inspect each packet. Only devices designed
to be a true firewall contain the muscle needed to combine security and
performance.

The list of firewall advantages goes on, including detailed logging that
recognizes and records attacks; centralized management; and, in more
expensive firewalls, advanced networking features (such as VLAN support
and Quality of Service), the ability to set different policies for
multiple networks, time-based policies, and more.

Conclusion
We hope you now understand the difference between a good-as-far-as-it-goes
NAT box and the multi-faceted, layered security a firewall can
offer. Though NAT can provide the equivalent of an "unlisted number" for
clients on your network, that falls short of complete security. If you're
serious about protecting your remote users and your network, deploy real
firewalls -- preferably firewalls certified by a neutral third party,
such as ICSA labs. The recent Sasser worm spread wildly even though it
was helpless against firewalls -- which demonstrates afresh that your
network security is only as good as your remote user security. ##

<snip>

--
Air America Radio Orlando Petition
http://www.geocities.com/steve2470/A...a_Orlando.html
Thanks for reading!
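The behaviour the article contrasts (a NAT table created by outbound traffic, the "DMZ server" mode, default remote administration, and the anti-spoofing, peer-restriction and egress checks a real firewall adds) as an added example; this is not part of the original post or of WatchGuard's material. The `NatBox`, `Packet` and `Mapping` names, the port pool and every address are constructed for the illustration (public addresses come from the RFC 5737 documentation ranges), and the NAT-only behaviour is modelled as a simple "any peer may use an open port" table, which is the case the article describes.

```python
"""Toy model of a port-based NAT box, with the extra checks a real firewall
adds.  Constructed illustration, not WatchGuard's or any vendor's code.
All addresses are made up (RFC 5737 documentation ranges for "public" IPs).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.7"              # the NAT box's own WAN address (constructed)
LAN = ip_network("192.168.1.0/24")     # private subnet behind it (constructed)
NAT_PORT_POOL = range(40000, 40010)    # tiny, predictable pool: easy to guess
MGMT_PORT = 80                         # web admin interface of the box


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet arrived on: "lan" or "wan"


@dataclass
class Mapping:
    private_ip: str
    private_port: int
    remote_ip: str  # peer the inside host was talking to when the mapping was made


class NatBox:
    """NAT-only by default; firewall=True turns on the checks a NAT box lacks."""

    def __init__(self, dmz_host=None, remote_mgmt=False, firewall=False,
                 egress_allow=frozenset({53, 80, 443})):
        self.table = {}                 # public port -> Mapping
        self._pool = iter(NAT_PORT_POOL)
        self.dmz_host = dmz_host        # forward unmatched inbound traffic here
        self.remote_mgmt = remote_mgmt  # admin interface reachable from the WAN
        self.firewall = firewall        # anti-spoofing, peer checks, egress filtering
        self.egress_allow = egress_allow

    def handle(self, pkt):
        """Return (verdict, translated packet or None)."""
        return self._outbound(pkt) if pkt.iface == "lan" else self._inbound(pkt)

    def _outbound(self, pkt):
        if self.firewall and pkt.dport not in self.egress_allow:
            return "DROP egress-filtered", None
        # Reuse the mapping for an inside socket we have already seen.
        for pub, m in self.table.items():
            if (m.private_ip, m.private_port) == (pkt.src, pkt.sport):
                break
        else:
            pub = next(self._pool)
            self.table[pub] = Mapping(pkt.src, pkt.sport, pkt.dst)
        return "ALLOW", Packet(PUBLIC_IP, pub, pkt.dst, pkt.dport, "wan")

    def _inbound(self, pkt):
        # A packet arriving on the WAN side can never legitimately carry a LAN source.
        if self.firewall and ip_address(pkt.src) in LAN:
            return "DROP spoofed-source", None
        if pkt.dport == MGMT_PORT:  # the box's own admin interface
            return ("ALLOW management" if self.remote_mgmt else "DROP management-disabled"), None
        m = self.table.get(pkt.dport)
        if m is None:
            if self.dmz_host:       # "DMZ server" mode: nothing is ever discarded
                return "ALLOW dmz", Packet(pkt.src, pkt.sport, self.dmz_host, pkt.dport, "lan")
            return "DROP no-mapping", None
        # NAT-only: any peer may use an open port.  Firewall: only the original peer.
        if self.firewall and pkt.src != m.remote_ip:
            return "DROP unexpected-peer", None
        return "ALLOW", Packet(pkt.src, pkt.sport, m.private_ip, m.private_port, "lan")


def scenario(box):
    """Push one constructed traffic sequence through `box`; return the verdicts."""
    v = {}
    # 1. Inside host opens an HTTP connection: the NAT box creates a mapping.
    v["outbound_http"], out = box.handle(Packet("192.168.1.10", 51000, "198.51.100.5", 80, "lan"))
    pub = out.sport
    # 2. The real peer replies to the mapped public port.
    v["reply"] = box.handle(Packet("198.51.100.5", 80, PUBLIC_IP, pub, "wan"))[0]
    # 3. An unrelated host hits the same open port ("exploiting open ports").
    v["guessed_port"] = box.handle(Packet("192.0.2.66", 4444, PUBLIC_IP, pub, "wan"))[0]
    # 4. Unsolicited packet to a port nobody inside asked for.
    v["unsolicited"] = box.handle(Packet("192.0.2.66", 4444, PUBLIC_IP, 31337, "wan"))[0]
    # 5. Outside packet forging an inside source address ("spoof attacks").
    v["spoofed"] = box.handle(Packet("192.168.1.10", 4444, PUBLIC_IP, pub, "wan"))[0]
    # 6. Outside host reaches for the box's admin interface ("default remote access").
    v["mgmt_from_wan"] = box.handle(Packet("192.0.2.66", 4444, PUBLIC_IP, MGMT_PORT, "wan"))[0]
    # 7. Inside host "phones home" on an obscure outbound port.
    v["phone_home"] = box.handle(Packet("192.168.1.20", 51001, "192.0.2.99", 6667, "lan"))[0]
    return v


if __name__ == "__main__":
    for name, box in [("NAT only", NatBox()),
                      ("NAT + DMZ host + remote admin", NatBox(dmz_host="192.168.1.50", remote_mgmt=True)),
                      ("real firewall", NatBox(firewall=True))]:
        print(name, scenario(box))
```

Running the three configurations side by side shows the article's point in one table: the NAT-only box drops the unsolicited port-31337 packet but lets the guessed open port, the spoofed inside address and the outbound "phone home" through; the DMZ-host setting turns the one drop into a forward; and only the firewall variant refuses the unexpected peer, the spoofed source and the unapproved egress port.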
 
Leythos
 
      06-19-2004
In article <pCYAc.115$o35.114@newsfe5-win>, (E-Mail Removed)ldomain
says...
> Good post.
>
> Regarding the remote login service of many NAT routers, I have set my port 80
> (HTTP) to a non-existent address on my (miniature) network. Is this necessary?
>
> I own a Linksys BEFSR41 router, and find that if I type in my WAN (Internet) IP
> address, I get the login prompt for my router. I'm assuming others would get
> the same.


Make sure you update it to the latest firmware from Linksys and make
sure that you change your default subnet from 192.168.1.x to
192.168.10.x (anything other than 192.168.1 or 192.168.0; 10 and up are
nice numbers).

Make sure that you disable remote management and use a strong password.

> To counter this, I've set port-forwarding for port 80 to an invalid
> address, such as 192.168.1.130. This seems to just hang any requests to port 80
> on my Internet IP address. I can still login to my router of course, so long as
> I do it from an internal address.


Unless you have remote management enabled, you are the only one that can
get to it - you get it because you are accessing it from the LAN side.

> Maybe this is all unnecessary as even if I type my WAN (Internet) address into
> a web browser, and get the login prompt, the router still 'knows' it's a
> request from an internal address, and so allows it ?
>
> I do have remote management disabled.


Have someone you trust from outside your LAN try it and see what you
get.

>
> Regards,
>
> Kleeb.
>


--
(E-Mail Removed)
(Remove 999 to reply to me)
 
Kleeb
 
      06-19-2004
Good post.

Regarding the remote login service of many NAT routers, I have set my port 80
(HTTP) to a non-existent address on my (miniature) network. Is this necessary?

I own a Linksys BEFSR41 router, and find that if I type in my WAN (Internet) IP
address, I get the login prompt for my router. I'm assuming others would get
the same.

To counter this, I've set port-forwarding for port 80 to an invalid
address, such as 192.168.1.130. This seems to just hang any requests to port 80
on my Internet IP address. I can still login to my router of course, so long as
I do it from an internal address.

Maybe this is all unnecessary as even if I type my WAN (Internet) address into
a web browser, and get the login prompt, the router still 'knows' it's a
request from an internal address, and so allows it ?

I do have remote management disabled.

Regards,

Kleeb.
 
Thund3rstruck_n0i
 
      06-19-2004
Leythos spilled my beer when they jumped on the table and proclaimed in
<(E-Mail Removed)>
<Good advice snipped>
> Have someone you trust from outside your LAN try it and see what you
> get.


Kleeb, I highly suggest this. It's the only way to know for sure that you
haven't overlooked something.

NOI

 
Martin
 
      06-19-2004
Leythos wrote:

> In article <pCYAc.115$o35.114@newsfe5-win>, (E-Mail Removed)ldomain
> says...
>
>>Good post.
>>
>>Regarding the remote login service of many NAT routers, I have set my port 80
>>(HTTP) to a non-existent address on my (miniature) network. Is this necessary?
>>
>>I own a Linksys BEFSR41 router, and find that if I type in my WAN (Internet) IP
>>address, I get the login prompt for my router. I'm assuming others would get
>>the same.

>
>
> Make sure you update it to the latest firmware from Linksys and make
> sure that you change your default subnet from 192.168.1.x to
> 192.168.10.x (anything other than 192.168.1 or 192.168.0; 10 and up are
> nice numbers).
>
> Make sure that you disable remote management and use a strong password.
>
>
>>To counter this, I've set port-forwarding for port 80 to an invalid
>>address, such as 192.168.1.130. This seems to just hang any requests to port 80
>>on my Internet IP address. I can still login to my router of course, so long as
>>I do it from an internal address.

>
>
> Unless you have remote management enabled, you are the only one that can
> get to it - you get it because you are accessing it from the LAN side.
>
>
>>Maybe this is all unnecessary as even if I type my WAN (Internet) address into
>>a web browser, and get the login prompt, the router still 'knows' it's a
>>request from an internal address, and so allows it ?
>>
>>I do have remote management disabled.

>
>
> Have someone you trust from outside your LAN try it and see what you
> get.


You can use a proxy for this as well. Try www.proxify.com or
www.anonymizer.com.


>
>
>>Regards,
>>
>>Kleeb.
>>

>
>

 
Kleeb
 
      06-19-2004
On 2004-06-19, Thund3rstruck_n0i <(E-Mail Removed)> wrote:
> Leythos spilled my beer when they jumped on the table and proclaimed in
><(E-Mail Removed)>
><Good advice snipped>
>> Have someone you trust from outside your LAN try it and see what you
>> get.

>
> Kleeb, I highly suggest this. It's the only way to know for sure that you
> haven't overlooked something.
>
> NOI
>

Thanks Leythos and NOI. I will get a check done tomorrow regarding the remote
access.

One point Leythos made got me wondering .. why change the subnet from
192.168.1.x to 192.168.10.x ?

I could do this of course but I like to know *why* I'm doing something even
though I'm convinced you guys know what you're on about.

Thanks for your time.

Regards,

Kleeb.
 
Thund3rstruck_n0i
 
      06-19-2004
Kleeb spilled my beer when they jumped on the table and proclaimed in
<xM1Bc.347$i_5.259@newsfe1-win>
> Thanks Leythos and NOI. I will get a check done tomorrow regarding the
> remote access.
>
> One point Leythos made got me wondering .. why change the subnet from
> 192.168.1.x to 192.168.10.x ?
>
> I could do this of course but I like to know *why* I'm doing something
> even though I'm convinced you guys know what you're on about.


Dunno exactly why Leythos suggested that, but I suggest it because if
someone knows the default setup of the router/firewall, it's a little
easier to try to convince it that you're on the inside network...when
you're really outside.

In cases such as this, I stay away from the defaults...hell, a 10.10.10.x
could be even better in this case.

NOI

 
Leythos
 
      06-19-2004
In article <xM1Bc.347$i_5.259@newsfe1-win>, (E-Mail Removed)ldomain
says...
> Thanks Leythos and NOI. I will get a check done tomorrow regarding the remote
> access.
>
> One point Leythos made got me wondering .. why change the subnet from
> 192.168.1.x to 192.168.10.x ?


because there is a hack out for BEFSR41 routers that if someone can get
you to click on a crafted link can/may reset your router and allow
remote control of it. Since the link relies on you using the default IP
it's best to change it to some non-default subnet.

Also, if you ever VPN into a SOHO or friends network and they are also
using 192.168.1.X/24 you will have problems properly resolving remote IP
addresses at the end point.

--
(E-Mail Removed)
(Remove 999 to reply to me)
 
Kleeb
 
      06-20-2004
On 2004-06-19, Leythos <(E-Mail Removed)> wrote:
> In article <xM1Bc.347$i_5.259@newsfe1-win>, (E-Mail Removed)ldomain
> says...
>> Thanks Leythos and NOI. I will get a check done tomorrow regarding the remote
>> access.
>>
>> One point Leythos made got me wondering .. why change the subnet from
>> 192.168.1.x to 192.168.10.x ?

>
> because there is a hack out for BEFSR41 routers that if someone can get
> you to click on a crafted link can/may reset your router and allow
> remote control of it. Since the link relies on you using the default IP
> it's best to change it to some non-default subnet.
>
> Also, if you ever VPN into a SOHO or friends network and they are also
> using 192.168.1.X/24 you will have problems properly resolving remote IP
> addresses at the end point.
>


Ok, you've convinced me. I'm really starting to hate the word 'default'.

Regards,

Kleeb.
 