On Fri, Jun 08, 2007 at 03:48:08PM -0400, jbrave wrote:

> I'm reading this thread because I want to know what the dangers are with NAT etc.
> The conversation is interesting, but I would like a more in-depth explanation of why some are saying that NAT is not a good way to protect a network, and it would be good to know how a NAT firewall could be hacked,
All methods for penetrating firewalls fall into one of two interesting classes:

1. Compromise the firewall host

   Any system-level exploit will do here. A flaw in ssh that gets you root access, or a buffer overrun in the kernel's connection tracking engine, or whatever - anything that lets you run arbitrary code on the firewall. Once you've got that, you can modify it to do whatever you want, forwarding packets for you or just reconfiguring it to open a hole.

2. Construct a tunnel

   Tunnels are any traffic encapsulation method that lets you send lower-level packets through a higher-level protocol. Any protocol that permits arbitrary data transport can be used for tunnelling - popular choices are HTTP, DNS, and ping. You bundle up your IP packets, wrap them in an HTTP message or DNS query or whatever, and send them through the firewall to a host on the inside. The inside host unwraps them and sends them out to the network.

   This method requires at least partial user-level control over a host on the inside - a system exploit is not necessarily required; any user with access to send and receive packets on the internal network, and to the internet over your tunnelling protocol, will suffice. Common targets are web servers (exploit in apache), DNS servers (exploit in bind), etc.

You will note that in neither case does NAT afford any protection or threat. It's not really relevant to the security question. Saying that "NAT is not a good way to protect a network" is much like saying "cheese is not a good way to protect a network" - neither of them is going to do anything useful in this respect.

ObPhilosophy: Remember what the word "firewall" means: it's a partition in a building that prevents a fire from spreading past it. It is not a fire suppression system, and it is not a method for making all your stuff out of non-flammable materials; it is just a mechanism for containing the damage once a fire has already started.
Network firewalls are the same - they are a contingency, they are not your primary method for preventing fires. Pretty much everything that you can do to reduce the threat of real-world fires has an analogue form in network security, and most of the tradeoffs are very similar (building every wall in your house out of fireproof materials is not a smart or cost-effective way to stop it from burning down, even if it would probably work).

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
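The post's second class of firewall bypass, wrapping packets inside a protocol the firewall already permits such as DNS, is something a firewall rule set cannot see by itself, so the practical answer on the defender's side is to watch the permitted protocol for traffic that does not look like normal use. The following is an added example, not code from the original post or from the Shorewall project: a small Python heuristic that scans DNS query logs for the pattern DNS tunnels tend to leave (long, high-entropy subdomains and many distinct ones under a single zone from one client). The log format (timestamp, client, query name, query type) and the thresholds are assumptions chosen for the example, and the sample log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line: "timestamp client qname qtype".
# The four long, random-looking TXT queries from 10.0.0.25 imitate what a DNS
# tunnel client emits; the rest are ordinary lookups.
SAMPLE_LOG = """\
2007-06-08T15:48:01 10.0.0.12 www.example.org A
2007-06-08T15:48:02 10.0.0.12 mail.example.org MX
2007-06-08T15:48:03 10.0.0.25 a9f3k2lm0zq8xv7b1c4dn6e5.tun.example.net TXT
2007-06-08T15:48:03 10.0.0.25 b7q1z9xm3k5lp0vc2a8dn4e6.tun.example.net TXT
2007-06-08T15:48:04 10.0.0.25 c3m8k1zq9x2lp5v0ba7dn4e6.tun.example.net TXT
2007-06-08T15:48:04 10.0.0.25 d1k5m9zq3x7lp2v8ba0cn4e6.tun.example.net TXT
2007-06-08T15:48:05 10.0.0.12 cdn.example.org A
"""

# Assumed log layout; adjust the regex to the resolver actually in use.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def split_name(qname):
    """Split a query name into (subdomain part, zone), treating the last two
    labels as the zone. Real deployments would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of Shannon entropy per character; encoded payload scores high,
    human-chosen hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(log_text, min_len=20, min_entropy=3.5, min_distinct=3):
    """Return {(client, zone): count} for every client/zone pair that issued at
    least `min_distinct` distinct subdomains that are both long and high-entropy.
    The thresholds are assumed starting points, not calibrated values."""
    suspicious = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, zone = split_name(rec["qname"])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            suspicious[(rec["client"], zone)].add(sub)
    return {k: len(v) for k, v in suspicious.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    for (client, zone), count in analyse(SAMPLE_LOG).items():
        print(f"{client} sent {count} tunnel-like queries under {zone}")
```

Run against the constructed log the script reports only the 10.0.0.25 / example.net pair. The point of the heuristic is the combination: a single long query name is common (CDNs, anti-spam lookups), but a stream of distinct, random-looking names under one zone from one client is the signature of data being carried out through the resolver the firewall was told to allow. In practice the thresholds need tuning against a baseline of the network's own traffic, and the zone split should use a public-suffix list rather than the last two labels.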
