Great Circle Associates Firewalls
(November 1997)
 


Subject: RE: Network Address Translation Security
From: "Stackpole, Bill" <BSTACKPO @ sla . com>
Date: Wed, 26 Nov 1997 08:57:48 -0800
To: "'grantj @ pacbell . net'" <grantj @ pacbell . net>
Cc: "'firewalls'" <firewalls @ greatcircle . com>

The way NAT is implemented, machines that accept inbound traffic have
static translations.  These machines are subject to attack because all
inbound packets just have the address changed and are forwarded.  They
are however subject to packet filtering so it is possible to limit the
ports that can be reached.  Thus the advice on security patches and good
access-lists.

All outbound hosts are assigned exterior addresses from a pool.  The
assignment is dropped when there is no activity for a period of time.
Inbound packets to addresses that are not static assignments are dropped
unless they are part of an existing session (have the proper
destination, port and sequence number, etc.)

Hosts with static translations are subject to the same attacks that any
host behind a packet filter is.  These include:
	Exploits of the service daemon or application - Web server, sendmail
	Source Address Forgery
	Packet Fragmentation
	Faulty or Forged Port Services
	Random Port Services (>1024)
	ICMP Redirects & Source Routing
	Virus and Bomb Infected Packets
	Denial of service attacks - SYN, ICMP and mail floods, ping of death, etc.

In addition hosts are subject to sequence guessing attacks when they
have an outbound address assignment from the NAT pool.  You can always
monitor the traffic coming through the router and put additional
protective measures on your hosts (e.g., tripwire, tcpwrapper, etc.). If
you discover that you need more security you can always add it.

> -----Original Message-----
> From:	grant janssen [SMTP:grantj @ pacbell . net]
> Sent:	Tuesday, November 25, 1997 11:39 PM
> To:	Stackpole, Bill
> Subject:	Re: Network Address Translation Security
> 
> I appreciate your response.  It also seemed to me that implementing
> NAT should be "pretty secure".
>   But how vulnerable will I be?
>   What type of attacks am I unprotected from?
>   I don't give a damn about most of the systems on the network, just
> the big SGI machines.
>   I plan to leave sendmail off on the IRIX systems.  This should close
> my biggest security hole.
> 
>   Thanx again  -Grant
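
The forwarding rules described in the reply above (static translations limited by an access-list, pool assignments dropped when idle, inbound packets accepted only for an existing session), as a small model. This is an added example, not part of the original message or any vendor's implementation; the addresses, ports and the 300-second idle timeout are constructed assumptions, and sequence-number checking is left out.

```python
# Toy model of the NAT decisions described in the message (added example).
# IDLE_TIMEOUT and every address used with this class are assumed values.
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300  # seconds of inactivity before a pool assignment is dropped


@dataclass
class Nat:
    static: dict   # outside addr -> (inside addr, set of ports the filter permits)
    pool: list     # free outside addresses for outbound hosts
    dynamic: dict = field(default_factory=dict)  # inside addr -> [outside addr, last_seen]
    sessions: set = field(default_factory=set)   # (outside, local port, remote, remote port)

    def expire(self, now):
        """Return idle pool addresses and forget their sessions."""
        for inside, (outside, seen) in list(self.dynamic.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.dynamic[inside]
                self.pool.append(outside)
                self.sessions = {s for s in self.sessions if s[0] != outside}

    def outbound(self, inside, sport, remote, rport, now):
        """Assign (or refresh) a pool address and record the session."""
        self.expire(now)
        if inside not in self.dynamic:
            if not self.pool:
                return None  # pool exhausted
            self.dynamic[inside] = [self.pool.pop(0), now]
        entry = self.dynamic[inside]
        entry[1] = now
        self.sessions.add((entry[0], sport, remote, rport))
        return entry[0]

    def inbound(self, remote, rport, outside, dport, now):
        """Return the inside host the packet is forwarded to, or None if dropped."""
        self.expire(now)
        if outside in self.static:
            # Static translation: only the packet filter limits what gets through.
            inside, ports = self.static[outside]
            return inside if dport in ports else None
        if (outside, dport, remote, rport) in self.sessions:
            for inside, (out, _) in self.dynamic.items():
                if out == outside:
                    return inside
        return None  # not static and not part of an existing session
```

The static branch shows why a statically translated host still needs patches and a tight access-list: any packet to a permitted port reaches it regardless of session state.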
