great article on NAT router security

Discussion in 'Computer Security' started by steve h., Jun 19, 2004.

  1. steve h. Guest

    <snip>

    Busting the NAT Myth
    By Sig Fidyke, Senior Product Manager, and Scott Pinzon, LiveSecurity
    Lead Editor, WatchGuard Technologies, Inc.

    Have you ever settled down to dinner, only to be interrupted by
    unsolicited telemarketing phone calls? It makes you glad that at work,
    your business has a main number other than your desk phone. If necessary,
    you can tell the company receptionist, "Unless my boss or my spouse
    calls, don't forward any calls to me." Then if telemarketers call the
    main number, looking for you, the receptionist terminates their call
    without bothering you. In fact, if you wanted, you could keep your desk
    phone number completely private so that no one knew it except fellow
    employees and close family members.

    However, if you achieved that ideal, would you then say, "My private
    phone number makes me safe in all regards. Now we can fire the company's
    security guards and leave the doors unlocked"? Foolish, right? Yet for
    some reason, many people follow that very logic when concluding that a
    NAT device is a firewall. This article debunks the myth that a NAT device
    is "good enough" security, and explains why you're better off using a
    real firewall to protect your network.

    NAT Attacks
    Network Address Translation, or NAT, works roughly like the receptionist
    in our opening illustration. It hides your private, or unregistered,
    network addresses from the public. When packets leave your network,
    heading for the wild Internet, a NAT device replaces all private IP
    source addresses with one public address (usually its own). Since the NAT
    box advertises its own address to the world as the source address, all
    replies from the wild Internet return to the NAT device, analogous to the
    way phone calls to everyone at your company might first come to a main
    phone number. And just as the receptionist answering the main number can
    redirect incoming phone calls to the desired individual, NAT checks an
    internal table to redirect replies to the appropriate computer inside the
    network. If an attacker initiates a connection to your network through
    some oddball port, like 31337, the NAT box would check its table and
    think, "Gee, no one inside this network requested information on port
    31337. Now I don't know who to send this packet to." Typically, it then
    drops the packet. So, in this sense, NAT-only devices do provide a
    modicum of security. (The rest of this article assumes you understand
    basic NAT, so if the concept is new to you, before continuing you might
    want to read "Using Network Address Translation" and "How and When to Use
    1:1 NAT.")

    Since NAT is designed to do the best it can to allow traffic in, any
    security benefits it provides are mere side-effects. Hackers have
    developed attacks specifically for NAT devices, such as the following.

    Exploiting open ports. For port-based NAT, once a NAT device opens a port
    by putting it in the NAT table, all traffic destined to that port is
    allowed through to the local computer identified in the table. NAT
    substitutes unusual ports for well-known ports, but usually derives its
    substitute port numbers from a standard range. Hackers can persistently
    keep guessing at which ports NAT has opened until they get through. Since
    they use automated programs to do this, the hacker doesn't have to be
    overly persistent or lucky -- he just tries a lot of addresses until
    something breaks.

    Taking the DMZ server. Some NAT devices can be configured so that packets
    not matching anything in the NAT table are sent to a specified computer,
    rather than discarded. This gives the administrator a chance to ensure
    that good traffic is not lost, and to allow a program to work that won't
    work through NAT. But it's horrible from a security perspective. It means
    the NAT device sends everything through. Once a hacker gets control of
    the one computer where everything goes, he can easily access any other
    computer on the same network.

    Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone
    with sufficient technical knowledge, using hacking tools freely available
    on the Internet, can put another user's IP address in the "From" (source)
    field of packets. Since NAT relies on analyzing addresses, false
    addresses compromise NAT devices easily.

    Default remote access. Many NAT devices leave a port open to the public
    Internet, to allow remote administration. The port is protected by a
    password. Hackers circulate lists of open ports and the default passwords
    set by the manufacturer of each NAT device. If you haven't changed the
    default password protecting your NAT device, knowledgeable attackers can
    log themselves in and reconfigure your device. Then they have
    administrative privileges, and you don't.

    NAT devices were not designed to be true security devices, so they have a
    weak security stance. For example, a hacker can send an "anybody there?"
    message, called a ping, to millions of addresses. Firewalls recognize
    ping and hide themselves. NAT devices respond, letting the hacker know
    he's found a live connection. NAT devices don't do any egress filtering,
    either. So clearly, a NAT device is not a full security solution.

    Firewall Advantages
    Don't get us wrong. We like NAT. We think NAT is both cool and necessary.
    Our point is that a real firewall offers additional, significant security
    improvements on top of NAT. Here are a few.

    Authenticating connections. A NAT device checks only the source IP
    address, destination IP address, and related port numbers to decide if
    traffic is valid. A real firewall goes further. In addition to IP address
    and port information, the firewall also checks, for example, the sequence
    number of the packet for duplicates or out-of-bound values (hackers try
    to recycle an existing packet header with different data inside). Other
    firewall verification steps include user authentication, packet content
    inspection (e.g., does this HTTP packet really contain HTTP
    information?), and checking the IPs against black-listed sites.

    Controlling outbound traffic. Any defense offered by a NAT device deals
    only with inbound connections. Firewalls offer egress filtering -- the
    ability to close outgoing connections. Many Trojans are programmed to
    infect a machine, then "phone home" to their creator, using an obscure
    outbound port; egress filtering can stop this. Similarly, when worms
    infect a machine and seek to spread, egress filtering can prevent your
    network from becoming the worm's next launching pad.

    Securely handling special cases. True firewalls are aware of, and
    support, numerous applications that require special handling. Some NAT
    and low-cost "firewall-like" routers basically have to be shut off to
    allow, say, NetMeeting or audio/video streaming to function. Real
    firewalls handle them securely and without special user requirements. The
    firewall first identifies the packets as coming from a special
    application. It then rewrites and re-routes the packets compatibly with
    both the application and NAT.

    Robust processing power. Inexpensive NAT devices typically don't include
    the powerful processors required for "deep packet inspection." Even
    "firewall-like" routers will typically degrade significantly in
    performance if called upon to inspect each packet. Only devices designed
    to be a true firewall contain the muscle needed to combine security and
    performance.

    The list of firewall advantages goes on, including detailed logging that
    recognizes and records attacks; centralized management; and, in more
    expensive firewalls, advanced networking features (such as VLAN support
    and Quality of Service), the ability to set different policies for
    multiple networks, time-based policies, and more.

    Conclusion
    We hope you now understand the difference between a good-as-far-as-it-goes
    NAT box and the multi-faceted, layered security a firewall can
    offer. Though NAT can provide the equivalent of an "unlisted number" for
    clients on your network, that falls short of complete security. If you're
    serious about protecting your remote users and your network, deploy real
    firewalls -- preferably firewalls certified by a neutral third party,
    such as ICSA labs. The recent Sasser worm spread wildly even though it
    was helpless against firewalls -- which demonstrates afresh that your
    network security is only as good as your remote user security. ##

    <snip>

    --
    Air America Radio Orlando Petition
    http://www.geocities.com/steve2470/Air_America_Orlando.html
    Thanks for reading !
     
    steve h., Jun 19, 2004
    #1
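    As an added illustration of the article's "exploiting open ports", "taking the DMZ server" and "controlling outbound traffic" points (this is not part of the article or the post): a small Python model of a NAT-only box beside a stateful firewall that also records the outside peer and applies an egress policy. All addresses and ports are constructed sample values, and the port-allocation scheme is a simplification.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatBox:
    """Port-based NAT as the article describes it: once a public port is in the
    table, anything arriving on it goes to the mapped inside host, whoever sent
    it.  dmz_host, if set, receives every packet the table cannot place."""
    def __init__(self, public_ip, dmz_host=None):
        self.public_ip = public_ip
        self.dmz_host = dmz_host
        self.table = {}        # public port -> (inside ip, inside port)
        self.next_port = 1024  # substitute ports come from a predictable range

    def outbound(self, pkt):
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        if pkt.dst_port in self.table:
            inside_ip, inside_port = self.table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if self.dmz_host:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None  # "no one inside asked for this" -> dropped

class StatefulFirewall(NatBox):
    """Same translation, but the state entry also records the outside peer the
    inside host contacted, so only that peer's reply is admitted, and an egress
    policy decides which outbound ports may open a mapping at all."""
    def __init__(self, public_ip, allowed_out_ports):
        super().__init__(public_ip)
        self.allowed_out = set(allowed_out_ports)
        self.peers = {}  # public port -> (outside ip, outside port)

    def outbound(self, pkt):
        if pkt.dst_port not in self.allowed_out:
            return None  # egress filtering: the "phone home" never leaves
        out = super().outbound(pkt)
        self.peers[out.src_port] = (pkt.dst_ip, pkt.dst_port)
        return out

    def inbound(self, pkt):
        if self.peers.get(pkt.dst_port) != (pkt.src_ip, pkt.src_port):
            return None  # not the reply we are waiting for -> dropped
        return super().inbound(pkt)
```

    Driving both classes with the same packets shows the difference: the NAT-only box passes any packet that lands on a mapped port (and, with a DMZ host, every unmatched packet too), while the firewall admits only the peer's reply and refuses to open mappings on ports outside its egress policy.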

  2. Leythos Guest

    In article <pCYAc.115$o35.114@newsfe5-win>, ldomain
    says...
    > Good post.
    >
    > Regarding the remote login service of many NAT routers, I have set my port 80
    > (HTTP) to a non-existent address on my (miniature) network. Is this necessary?
    >
    > I own a Linksys BEFSR41 router, and find that if I type in my WAN (Internet) IP
    > address, I get the login prompt for my router. I'm assuming others would get
    > the same.


    Make sure you update it to the latest firmware from Linksys and make
    sure that you change your default subnet from 192.168.1.x to
    192.168.10.x (anything other than 192.168.1 or 192.168.0 - 10 and up are
    nice numbers).

    Make sure that you disable remote management and use a strong password.

    > To counter this, I've set port-forwarding for port 80 to an invalid
    > address, such as 192.168.1.130. This seems to just hang any requests to port 80
    > on my Internet IP address. I can still login to my router of course, so long as
    > I do it from an internal address.


    Unless you have remote management enabled, you are the only one that can
    get to it - you get it because you are accessing it from the LAN side.

    > Maybe this is all unnecessary as even if I type my WAN (Internet) address into
    > a web browser, and get the login prompt, the router still 'knows' it's a
    > request from an internal address, and so allows it ?
    >
    > I do have remote management disabled.


    Have someone you trust from outside your LAN try it and see what you
    get.

    >
    > Regards,
    >
    > Kleeb.
    >


    --

    (Remove 999 to reply to me)
     
    Leythos, Jun 19, 2004
    #2

  3. Kleeb Guest

    Good post.

    Regarding the remote login service of many NAT routers, I have set my port 80
    (HTTP) to a non-existent address on my (miniature) network. Is this necessary?

    I own a Linksys BEFSR41 router, and find that if I type in my WAN (Internet) IP
    address, I get the login prompt for my router. I'm assuming others would get
    the same.

    To counter this, I've set port-forwarding for port 80 to an invalid
    address, such as 192.168.1.130. This seems to just hang any requests to port 80
    on my Internet IP address. I can still login to my router of course, so long as
    I do it from an internal address.

    Maybe this is all unnecessary as even if I type my WAN (Internet) address into
    a web browser, and get the login prompt, the router still 'knows' it's a
    request from an internal address, and so allows it ?

    I do have remote management disabled.

    Regards,

    Kleeb.
     
    Kleeb, Jun 19, 2004
    #3
  4. Leythos spilled my beer when they jumped on the table and proclaimed in
    <>
    <Good advice snipped>
    > Have someone you trust from outside your LAN try it and see what you
    > get.


    Kleeb, I highly suggest this. It's the only way to know for sure that you
    haven't overlooked something.

    NOI
     
    Thund3rstruck_n0i, Jun 19, 2004
    #4
  5. Martin Guest

    Leythos wrote:

    > In article <pCYAc.115$o35.114@newsfe5-win>, ldomain
    > says...
    >
    >>Good post.
    >>
    >>Regarding the remote login service of many NAT routers, I have set my port 80
    >>(HTTP) to a non-existent address on my (miniature) network. Is this necessary?
    >>
    >>I own a Linksys BEFSR41 router, and find that if I type in my WAN (Internet) IP
    >>address, I get the login prompt for my router. I'm assuming others would get
    >>the same.

    >
    >
    > Make sure you update it to the latest firmware from Linksys and make
    > sure that you change your default subnet from 192.168.1.x to
    > 192.168.10.x (anything other than 192.168.1 or 192.168.0 - 10 and up are
    > nice numbers).
    >
    > Make sure that you disable remote management and use a strong password.
    >
    >
    >>To counter this, I've set port-forwarding for port 80 to an invalid
    >>address, such as 192.168.1.130. This seems to just hang any requests to port 80
    >>on my Internet IP address. I can still login to my router of course, so long as
    >>I do it from an internal address.

    >
    >
    > Unless you have remote management enabled, you are the only one that can
    > get to it - you get it because you are accessing it from the LAN side.
    >
    >
    >>Maybe this is all unnecessary as even if I type my WAN (Internet) address into
    >>a web browser, and get the login prompt, the router still 'knows' it's a
    >>request from an internal address, and so allows it ?
    >>
    >>I do have remote management disabled.

    >
    >
    > Have someone you trust from outside your LAN try it and see what you
    > get.


    You can use a proxy for this as well. Try www.proxify.com or
    www.anonymizer.com


    >
    >
    >>Regards,
    >>
    >>Kleeb.
    >>

    >
    >
     
    Martin, Jun 19, 2004
    #5
  6. Kleeb Guest

    On 2004-06-19, Thund3rstruck_n0i <> wrote:
    > Leythos spilled my beer when they jumped on the table and proclaimed in
    ><>
    ><Good advice snipped>
    >> Have someone you trust from outside your LAN try it and see what you
    >> get.

    >
    > Kleeb, I highly suggest this. It's the only way to know for sure that you
    > haven't overlooked something.
    >
    > NOI
    >

    Thanks Leythos and NOI. I will get a check done tomorrow regarding the remote
    access.

    One point Leythos made got me wondering .. why change the subnet from
    192.168.1.x to 192.168.10.x ?

    I could do this of course but I like to know *why* I'm doing something even
    though I'm convinced you guys know what you're on about.

    Thanks for your time.

    Regards,

    Kleeb.
     
    Kleeb, Jun 19, 2004
    #6
  7. Kleeb spilled my beer when they jumped on the table and proclaimed in
    <xM1Bc.347$i_5.259@newsfe1-win>
    > Thanks Leythos and NOI. I will get a check done tomorrow regarding the
    > remote access.
    >
    > One point Leythos made got me wondering .. why change the subnet from
    > 192.168.1.x to 192.168.10.x ?
    >
    > I could do this of course but I like to know *why* I'm doing something
    > even though I'm convinced you guys know what you're on about.


    Dunno exactly why Leythos suggested that, but I suggest it because if
    someone knows the default setup of the router/firewall, it's a little
    easier to try to convince it that you're on the inside network...when
    you're really outside. :)

    In cases such as this, I stay away from the defaults...hell, a 10.10.10.x
    could be even better in this case. :)

    NOI
     
    Thund3rstruck_n0i, Jun 19, 2004
    #7
  8. Leythos Guest

    In article <xM1Bc.347$i_5.259@newsfe1-win>, ldomain
    says...
    > Thanks Leythos and NOI. I will get a check done tomorrow regarding the remote
    > access.
    >
    > One point Leythos made got me wondering .. why change the subnet from
    > 192.168.1.x to 192.168.10.x ?


    Because there is a hack out for BEFSR41 routers that if someone can get
    you to click on a crafted link can/may reset your router and allow
    remote control of it. Since the link relies on you using the default IP
    it's best to change it to some non-default subnet.

    Also, if you ever VPN into a SOHO or friend's network and they are also
    using 192.168.1.X/24 you will have problems properly resolving remote IP
    addresses at the end point.

    --

    (Remove 999 to reply to me)
     
    Leythos, Jun 19, 2004
    #8
  9. Kleeb Guest

    On 2004-06-19, Leythos <> wrote:
    > In article <xM1Bc.347$i_5.259@newsfe1-win>, ldomain
    > says...
    >> Thanks Leythos and NOI. I will get a check done tomorrow regarding the remote
    >> access.
    >>
    >> One point Leythos made got me wondering .. why change the subnet from
    >> 192.168.1.x to 192.168.10.x ?

    >
    > Because there is a hack out for BEFSR41 routers that if someone can get
    > you to click on a crafted link can/may reset your router and allow
    > remote control of it. Since the link relies on you using the default IP
    > it's best to change it to some non-default subnet.
    >
    > Also, if you ever VPN into a SOHO or friends network and they are also
    > using 192.168.1.X/24 you will have problems properly resolving remote IP
    > addresses at the end point.
    >


    Ok, you've convinced me. I'm really starting to hate the word 'default'. :)

    Regards,

    Kleeb.
     
    Kleeb, Jun 20, 2004
    #9
