
Nat

  • 12-12-2005 2:48pm
    #1
    Registered Users Posts: 67 ✭✭


    After reading too many posts on this site regarding the merits of NAT and how it's fine to rely upon it for security, I have decided to blast that notion out of the water.

    NAT provides a way of translating internal "private" TCP/IP addresses into Internet TCP/IP addresses. By default, NAT only processes IP packets from the Internet that are in response to internal requests.

    You might think this provides a limited sort of security. You'd be right, limited, but it's not the kind of security you'd want to rely on for complete security.

    Inbound connections open specific ports on the NAT server's outside interface (Internet) and map them to specific ports on an internal network server(Your PC(s)). Security on the internal PC is the only security imposed on usage of these ports. Because the packet is already inside your network at that point, you have a potential problem. Remember that each external port that you map to an internal port punches another hole in your NAT server and is thus another way for a hacker to try to invade your network.

    Remember, Trojans arrive in an innocent form, but once installed they then make a request to get out, NAT makes this easy to get out, but also to get back in...

    Don't let anyone tell you otherwise, NAT is NOT secure. :cool:

    In brief, don't rely on NAT for security, and always use it with a firewall.
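    The two behaviours described above, NAT passing only replies to internal requests and a port forward punching a hole, as an added Python sketch. This is not code from the original post; the gateway address 203.0.113.10, the inside hosts, the forward on port 3389 and every packet are constructed for the example, and the gateway models an address-restricted port NAT, so a dynamic entry only admits the remote endpoint that was contacted.

```python
from dataclasses import dataclass

WAN_IP = "203.0.113.10"   # assumed public address of the NAT box (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Toy address-restricted port NAT.

    A dynamic table entry is created only by an outbound packet, and only the
    remote endpoint that packet went to may send traffic back through it.
    A static forward has no such restriction: anyone on the Internet reaches it.
    """

    def __init__(self, wan_ip=WAN_IP, forwards=None):
        self.wan_ip = wan_ip
        # dynamic: (wan_port, proto) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}
        # static forwards: (wan_port, proto) -> (inside_ip, inside_port)
        self.forwards = dict(forwards or {})
        self._next_port = 40000

    def outbound(self, pkt):
        """Inside -> Internet: allocate (or reuse) a WAN port and record the mapping."""
        want = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (wan_port, proto), entry in self.table.items():
            if entry == want and proto == pkt.proto:
                break
        else:
            wan_port, self._next_port = self._next_port, self._next_port + 1
            self.table[(wan_port, pkt.proto)] = want
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> inside: return the translated packet, or None if dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        key = (pkt.dst_port, pkt.proto)
        entry = self.table.get(key)
        if entry is not None:
            inside_ip, inside_port, remote_ip, remote_port = entry
            if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None      # not the host we talked to: unsolicited, dropped
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)
        fwd = self.forwards.get(key)
        if fwd is not None:      # the "hole": any Internet host lands on the inside PC
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None


def demo():
    """Constructed traffic showing what gets through and what does not."""
    pc, web, scanner, c2 = "192.168.1.10", "198.51.100.5", "192.0.2.99", "192.0.2.7"
    nat = NatGateway(forwards={(3389, "tcp"): ("192.168.1.20", 3389)})
    r = {}
    # 1. The PC browses a web site; the reply matches the mapping and is delivered.
    out = nat.outbound(Packet(pc, 51000, web, 80))
    r["reply_delivered"] = nat.inbound(Packet(web, 80, WAN_IP, out.src_port)) is not None
    # 2. A scanner probes the same WAN port: mapping exists, but wrong remote host.
    r["scan_dropped"] = nat.inbound(Packet(scanner, 4444, WAN_IP, out.src_port)) is None
    # 3. The static forward lets the same scanner straight through to 192.168.1.20.
    r["forward_hit"] = nat.inbound(Packet(scanner, 4444, WAN_IP, 3389)) == \
        Packet(scanner, 4444, "192.168.1.20", 3389)
    # 4. A trojan phones home; NAT now happily passes the C2 server's traffic back in.
    out = nat.outbound(Packet(pc, 52000, c2, 6667))
    r["c2_return_allowed"] = nat.inbound(Packet(c2, 6667, WAN_IP, out.src_port)) is not None
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

    Case 4 is the one the post is warning about: nothing in the NAT table distinguishes a browser fetching a page from malware opening a channel to its controller, which is why an outbound-filtering firewall is needed alongside it.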


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    if a trojan is well written, it could easily bypass firewalls too.
    but i agree with mostly everything you say.


  • Registered Users Posts: 67 ✭✭Lush


    Martyr wrote:
    if a trojan is well written, it could easily bypass firewalls too.

    Agreed.

    Too many users rely on the default settings of their routers/firewalls. You need to be vigilant against intrusions & virii. Saying that, it all depends on what type of network you are protecting. A home network would be of little interest to the average intrusion junkie, but a corporate network would be a great challenge.
    :cool:


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,974 Mod ✭✭✭✭Capt'n Midnight


    Correct me if I'm wrong but they will block almost all attempts to push a trojan directly onto your machine unless configured to allow the internet access to your machine. Any sharing with just NAT is of course suicidal madness.

    If you have NO services on your machine shouldn't NAT stop attacks from sites that you aren't yet connected to ?

    NAT and Firewalls offer NO protection if you or your browser download a trojan or you receive one in an email - and at present an attacker can take complete control of your computer if you visit their web site using IE patched to the hilt ( and looking at previous exploits this has usually been true, the lowest being IE 5 not being able to view a BMP safely )

    Most firewalls will detect suspicious outbound traffic, NAT and Windows XP firewall won't. Of course a trojan etc. could also send traffic out via a trusted program eg: email.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I never tried to see if this method could bypass windows firewalls, but i know of 2 old viruses which had debuggers.

    They would attach to all processes running in the system, search for ws2_32.dll in the import list, then set a breakpoint on functions like send() & recv()
    so that when a call is made to either, the virus duplicates the socket handle, then uses it for at least outbound communications.

    might not work now, but it did years ago, you could possibly use the same method with remote injection, so long as you duplicate the handle that is already being used.

    don't know if this works anymore either, but you can build packets at the kernel level using NDIS api, some rootkits use this.
    you have to write a driver for NDIS though, & maybe some firewalls hook these api to stop rogue software from operating.

    i was just thinking, if there was a trojan on your machine, it could use protocols which most desktop firewalls ignore.

    i've seen how some windows firewalls drop incoming packets of a particular protocol..so if you were able to use those for transport, it would work fine without the user knowing.

    (drop is probably the wrong word, what i mean is the routine to handle certain types ICMP/UDP..etc will sometimes simply ignore the packets, rather than process them, so some get through perhaps)
    depends on what its for i suppose.


  • Registered Users Posts: 67 ✭✭Lush


    Capt'n Midnight wrote:
    Correct me if I'm wrong but they will block almost all attempts to push a trojan directly onto your machine unless configured to allow the internet access to your machine. Any sharing with just NAT is of course suicidal madness.

    A trojan will pass through a firewall if it is sent via SMTP as an attachment. The email antivirus software is designed to pick up the trojans & virii. However, if you have an SI (Stateful Inspection) firewall that is correctly configured, trojans & virii will be blocked if they are saying they are accessing a port, say port 80, but actually within the packet are meant for another port entirely. Most cheaper firewalls, unless otherwise stated, are packet filtering only. In other words they just read the headers. So if a trojan enters this type of firewall with a port 80 header but actually wants to use port 5000, which is specified within the packet, then it would be allowed through...

    A stateful inspection firewall checks not only the headers but also tracks each connection traversing all interfaces of the firewall and makes sure they are valid. A stateful firewall can examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall. Phew, heavy stuff huh... In other words make sure you have an SI firewall.

    Capt'n Midnight wrote:
    If you have NO services on your machine shouldn't NAT stop attacks from sites that you aren't yet connected to ?

    Well if you aren't connected to a site then you have no port open, which means no activity. But you will need certain services running on the PC to facilitate the opening of network connections for normal usage anyway. All NAT is doing is making it possible to move packets from one network subnet to another via a set route, but not letting the hosts know the route.

    Networking security is fascinating stuff isn't it? :cool:
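    The state-table idea from the post above, as an added Python sketch (not code from the original post or from any firewall product). Both filters below are constructed toys: the static filter judges every segment on its own header, treating the ACK bit as "part of an established connection", while the stateful one keeps a connection table built from earlier segments and refuses anything it has no context for. The hosts, ports and segments are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset


def tcp(src_ip, src_port, dst_ip, dst_port, *flags):
    return Segment(src_ip, src_port, dst_ip, dst_port, frozenset(flags))


class StatelessFilter:
    """Static packet filter: each segment is judged alone against the rules.
    'Established' can only be guessed from the ACK bit in the header."""

    def __init__(self, inbound_ports=()):
        self.inbound_ports = set(inbound_ports)

    def check(self, direction, seg):
        if direction == "out":
            return True
        return "ACK" in seg.flags or seg.dst_port in self.inbound_ports


class StatefulFilter:
    """Stateful inspection: a table keyed by the connection's 4-tuple records
    what earlier segments established, and each new segment is judged against
    that state rather than against its own header alone."""

    def __init__(self, inbound_ports=()):
        self.inbound_ports = set(inbound_ports)
        self.table = {}   # (inside_ip, inside_port, remote_ip, remote_port) -> state

    @staticmethod
    def _key(direction, seg):
        if direction == "out":
            return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        return (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)

    def check(self, direction, seg):
        key = self._key(direction, seg)
        state = self.table.get(key)
        f = seg.flags
        if "RST" in f:                          # either side tears the connection down
            self.table.pop(key, None)
            return state is not None
        if direction == "out":
            if state is None:
                if f == {"SYN"}:                # a new outbound connection attempt
                    self.table[key] = "SYN_SENT"
                    return True
                return False                    # outbound segment with no connection behind it
            if state == "SYN_RECEIVED" and f == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
            return True
        # inbound
        if state is None:
            if f == {"SYN"} and seg.dst_port in self.inbound_ports:
                self.table[key] = "SYN_RECEIVED"   # a service we chose to publish
                return True
            return False                        # no context at all: unsolicited, whatever the flags say
        if state == "SYN_SENT":
            if f == {"SYN", "ACK"}:             # the only valid answer to our SYN
                self.table[key] = "ESTABLISHED"
                return True
            return False
        return True                             # SYN_RECEIVED / ESTABLISHED: tracked conversation


def demo():
    """Run the same constructed traffic through both filters."""
    inside, web, attacker = "192.168.1.10", "198.51.100.5", "192.0.2.99"
    verdicts = {}
    for name, fw in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        v = {}
        # Normal browsing: SYN out, SYN/ACK back, then data back.
        v["syn_out"] = fw.check("out", tcp(inside, 51000, web, 80, "SYN"))
        v["synack_in"] = fw.check("in", tcp(web, 80, inside, 51000, "SYN", "ACK"))
        v["data_in"] = fw.check("in", tcp(web, 80, inside, 51000, "ACK", "PSH"))
        # A forged bare ACK to a port nobody opened: looks 'established' to a header check.
        v["ack_scan_in"] = fw.check("in", tcp(attacker, 4444, inside, 5000, "ACK"))
        # A plain SYN to the same closed port.
        v["syn_scan_in"] = fw.check("in", tcp(attacker, 4444, inside, 5000, "SYN"))
        verdicts[name] = v
    return verdicts


if __name__ == "__main__":
    for name, v in demo().items():
        print(name, v)
```

    The forged-ACK case is where the two differ: the static filter lets it through because the header says "ACK", the stateful filter drops it because no SYN from the inside ever created an entry for that 4-tuple.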


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Lush wrote:
    Most cheaper firewalls, unless otherwise stated, are packet filtering only. In other words they just read the headers. So if a trojan enters this type of firewall with a port 80 header but actually wants to use port 5000, which is specified within the packet, then it would be allowed through... A stateful inspection firewall checks not only the headers but also tracks each connection traversing all interfaces of the firewall and makes sure they are valid.

    So you mean, windows firewall would allow all connections from an address to 1 particular program, regardless of port destination, whereas something like ZoneAlarm wouldn't?

    i know windows firewall isn't great, but there should be improvements in SP3 released possibly this time next year.
    there are plans for M$ Anti-Virus in that..i guess it is a good move, not sure.

    its possible to bypass windows firewall with some code, how to do it is all on MSDN.

    but, it should be known that..most firewalls worth their salt, have to work at the kernel level..so, how do they facilitate users without administrator privileges?

    USER_CLIENT(USER) -> SERVICE(SYSTEM) -> KERNEL_DRIVER(KERNEL)

    like ZoneAlarm

    ZLClient -> VSMON -> VSDATANT|VSDATA95

    a lot of virus scanners work similarly.
    for ZoneAlarm, they use an RPC server running inside VSMON which
    controls VSDATANT using predefined control codes.

    for someone to add/remove entries to the rulebase elegantly requires knowledge of the protocol...which could be found using some api hooking.

    i think a limited amount of information about this is available to third party developers of virus scanners & related security packages.

    some have reverse engineered the protocol however, & are now offering libraries for sale, that bypass most if not all of these firewalls using correct procedures.

    i was thinking of ways to do it, for ZoneAlarm at least, you could set up a hook for RPC calls, then add/remove entries to the ZA list, at the same time recording what information is sent & received with the API.

    all a programmer has to do then is replicate these calls with their own choice of entries in order to bypass the firewall.

    i've discovered ways of how to bind to the RPC server of ZoneAlarm & send/receive some data, but i never hooked any API.

    i may get around to it over the holidays.

    of course, i was thinking of a scenario where the trojan is already installed, & trying to access the internet outside the local network without the user knowing.

    and no, i'm not writing a virus :P
    i was just doing some research on ZA few months ago.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    Hi Lush,

    I'm a little confused as to what exactly you are talking about.

    Are you talking about NAT as it would come configured on a SOHO router (netgear etc)?

    Are you assuming that the user has setup static NAT entries so that they can host some services, or just the dynamic entries made while browsing the internet etc?

    When you say the packet isn't checked for the port that it actually wants to send the data to, but just the header information, what process is unpacking the packet and resending it?

