Download Network Address Translation - Not a Security Panacea

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
Document related concepts

Computer security wikipedia , lookup

Computer network wikipedia , lookup

Wireless security wikipedia , lookup

Universal Plug and Play wikipedia , lookup

Parallel port wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Network tap wikipedia , lookup

Distributed firewall wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Transcript 
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsec
Network Address Translation – Not a Security Panacea
Timothy W. Foreman
November 9, 2000
Abstract
ull
rig
ht
s.
Many end-users and computer professionals consider themselves secure when sitting behind a device that performs
Network Address Translation (NAT). This security assumption is flawed in several ways. I intend to demonstrate that
NAT, in and of itself, should not be considered a security strategy.
What is Network Address Translation?
Network Address Translation (NAT) is defined in RFC 1631.
ins
f
NAT was initially created to solve the problem of running out of IP address space due to the explosion of the Internet.
NAT is primarily a method of creating private networks of non-routable addresses behind a device that translates
these addresses into routable, public addresses to traverse the Internet.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
rr
eta
Many people feel that a secondary benefit is that the internal network devices are effectively masked. External
programs and "Black Hats" cannot see the internal devices.
ho
Or can they?
ut
Definition of Terms
5,
A
First, lets define some terms so we are talking about the same things:
00
NAT Device
00
-2
A device that performs Network Address Translation. These devices are varied and can
range from a CheckPoint Firewall, a Linux box running IP Chains or a Cisco 675 DSL
Router.
20
Non-Routable Address
tu
te
Any IP address selected from the range of addresses defined as non-routable or private in
RFC 1597. These addresses are for use on a private network and should never be used
on a device that is attached to the Internet. (10.x, 172.16.x – 172.31.x, 192.168.x)
sti
Internal Side
NS
In
The side of a NAT device that consists of devices with non-routable (private) IP
addresses.
SA
External Side
Outbound Mode
©
The side of the NAT device that is connected to the Internet (or another network.)
When a NAT device is configured to translate internal side addresses to external side
addresses, but not to allow external addresses to initiate a connection to any devices on
the internal side.
fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Bi-directionalKey
Mode
When a NAT device is configured to translate specific ports and/or addresses on the
external side to internal side ports and addresses thus allowing sessions to be initiated
from the external network. Also known as Port Address Translation (PAT).
NAT can be used in several different modes
© SANS Institute 2000 - 2005
Author retains full rights.
When NAT is used in Outbound mode, no ports are open for new sessions to be initiated to devices on the internal
side of the NAT device. However, this does not completely mask the internal devices. When an internal device
initiates a connection to a resource on the external side, the NAT device will allow all packets for this session
through to the internal machine. (Provided that the communication continues on the same ports.)
This has several security implications:
rr
eta
ins
f
ull
rig
ht
s.
1 . If a user on the inside initiates a connection to a web site that hosts a malicious application there is nothing on
a NAT device that will block or filter the packets that return.
2 . There is nothing on the NAT device that will keep "friendly" or malicious applications on an internal host from
initiating connections to send data to or request data from an external host. There are many documented
"friendly" applications that send information to hosts on the Internet. This could be information that you don’t
want distributed.
3 . NAT does not mask your host information. For example, I run NAT on my home network behind a Cisco 675
DSL router. We are testing Windows Streaming Media at my office. Looking at the log files for the Windows
Streaming Media server, I noticed that the entries for my machine contained not only the name of my
computer, but also it’s internal, non-routable address and the version of the OS I am running. It’s very
interesting what you can find in the log files of servers for "friendly" applications.
4 . It is possible to forge the headers on an IP packet to make it appear that it originated on the internal network
fingerprint
AF19
2F94 998D
FDB5
DE3Dthis
F8B5
06E4
4E46
side. ItKey
is also
possible=that
theFA27
NAT device
may just
forward
packet
on A169
into the
internal side. This packet
could have a malicious payload. (Granted, this is pretty extreme.)
5 . Of course NAT provides no virus protection at all.
ut
ho
When NAT is used in Bi-directional mode, or Port Address Translation (PAT) mode, entries are created in a table on
the NAT device that map external addresses and ports to internal addresses and ports.
-2
00
5,
A
This allows you to setup valid Internet address and port entries on the external side of the NAT device that are
statically mapped to private address and port entries on the internal side of the NAT device. Thus you can have a
web server on the internal side at address 10.0.0.100 port 80 and have a valid Internet address on the external side
of 208.98.45.1 port 80 mapped to it. Any session that is initiated to the external address on port 80 would be
forwarded to port 80 on the internal address. Any sessions attempting to connect to other ports that are not explicitly
mapped are rejected.
00
Why is this not a valid method of securing your network?
20
On the face of it, this seems pretty secure. However, if we look a little harder, we can find some holes.
tu
te
First off, you still have all the issues associated with Outbound mode as shown above.
sti
However, the biggest hole is that you are allowing connections to be initiated to a server on the internal side from the
external side.
In
But, you say, what good is a web server if people can’t get to it? How can I get mail if I don’t open port 25?
©
SA
NS
Many people assume that if they are using NAT, they can forget about firewalls and DMZs and service networks.
What they tend to forget is that anytime you allow a session to be initiated from an external network you open
yourself up to attack. Many attacks come through the "well known" ports. Most networks are going to have a few well
known ports open, such as 80 for HTTP, 25 for sendmail, 20 and 21 for FTP, 53 for DNS, possibly 110 for POP, 143
for IMAP and maybe 23 for telnet. Many exploits are based on the fact that some versions of the programs that run
on these ports are insecure and have weaknesses that can be exploited. NAT does nothing to address this.
In addition, many NAT devices don’t log the connections from external addresses to internal addresses. If you are
depending on a Cisco 675 DSL router performing NAT to keep your network safe, you might be getting attacked and
not even know it.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Consider this scenario
I have a router that does NAT. I let in port 80 in to my Web server, port 52 in for DNS, port 23 in for telnet, and port
25 in to my mail server. I think that because I have NAT, and I have all other ports closed to the outside world I am
pretty safe. Because I feel safe, I don’t setup my web, DNS, telnet and mail servers in a DMZ or a service network, I
just hang them off the same wire as the rest of my machines. I feel pretty secure, after all no one can see the
machines because they are hiding behind a NAT device, so I don’t pay as much attention as I should to keeping the
© SANS Institute 2000 - 2005
Author retains full rights.
servers patched up to date.
Along comes a "Black Hat" who sniffs my network. He discovers that I have ports 80, 52, 23 and 25 open and
decides to look a little harder. He discovers that I am running RedHat 6.0 with BIND 8.2 for my DNS server and he
knows an exploit for it. This is easy enough to find out, there are plenty of tools that will connect to port 53 and ask it.
So, he fires up his tool kit and gets to work.
ull
rig
ht
s.
First he exploits my DNS server via buffer overflow attack. This gives him root access to the box and he installs a
couple of new accounts so he can login again later via the telnet port which I so thoughtfully left open for him.
Then he ftps to another server and downloads and installs a back door program that will give him access to the box
even if I discover and remove the new accounts.
Finally, he ftps to yet another server and downloads and installs the Trinoo client and starts it up.
ins
f
After he is all done with this, he cleans up his tracks pretty well by cleaning out the log files.
rr
eta
I have no idea that these events have occurred since I have no intrusion detection system, no logging on the NAT
device, and the
has covered
tracks
pretty
well.
I mayDE3D
not even
discover
it for a4E46
day or two and by then the
Keyhacker
fingerprint
= AF19his
FA27
2F94
998D
FDB5
F8B5
06E4 A169
hacker could have leap-frogged his way around my internal network or used my network as a base for attacks on
other networks. All through ports 53 and 23.
ho
Consider these other scenarios
5,
A
ut
One of your users happens to run across a web page containing cute little animated programs that she can run on
her machine, like "Elf Bowl". Unknown to this user, when she runs the program it installs a trojan on her machine that
initiates connections to a server on the external side to get instructions or download more code. Since these sessions
are initiated from the inside, the NAT box allows the code in and I won’t find out about it until it’s too late.
-2
00
And then there is always that one Executive who has to have a modem so he can dial into AOL to check his mail.
Modems present a perfect situation for a hacker to make an end-run around your NAT device (or firewall for that
matter.)
00
Conclusions
tu
te
20
NAT, in and of itself, is not a security strategy. Sure it helps by hiding all of your hosts. It closes all the ports that you
are not manually opening. But, as I hope I have pointed out, there are still outstanding security issues when using
NAT.
In
sti
Even when you are using NAT, you should have a firewall, a DMZ and an Intrusion Detection System. Otherwise you
are flying blind and the first sign that you have been hacked may be when your ISP comes calling asking why your
systems are assisting in a DoS attack.
NS
Sources
SA
Egevang, K. and P. Francis, "The IP Network Address Translator (NAT)", RFC 1631, May 1994.
URL: http://www.cis.ohio-state.edu/htbin/rfc/rfc1631.html (02 Nov 2000)
©
Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663,
August 1999. URL: http://www.cis.ohio-state.edu/htbin/rfc/rfc2663.html (02 Nov 2000)
Gibson, Steve. "The Anatomy of File Download Spyware" 10 Oct 2000
URL: http://grc.com/downloaders.htm (02 Nov 2000)
Spitzner, Lance.
Study of
an Attack
- Know
A Forensic
23 May
Key"The
fingerprint
= AF19
FA27
2F94 Your
998DEnemy:
FDB5 DE3D
F8B5Analysis",
06E4 A169
4E462000 URL:
http://www.enteract.com/~lspitz/papers.html (06 Nov 2000)
© SANS Institute 2000 - 2005
Author retains full rights.
Last Updated: May 8th, 2017
Upcoming Training
SANS Security West 2017
San Diego, CA
May 09, 2017 - May 18, 2017
Live Event
SANS Northern Virginia - Reston 2017
Reston, VA
May 21, 2017 - May 26, 2017
Live Event
SANS London May 2017
May 22, 2017 - May 27, 2017
Live Event
SANS Melbourne 2017
London, United
Kingdom
Melbourne, Australia
May 22, 2017 - May 27, 2017
Live Event
SANS Stockholm 2017
Stockholm, Sweden
May 29, 2017 - Jun 03, 2017
Live Event
SANS Houston 2017
Houston, TX
Jun 05, 2017 - Jun 10, 2017
Live Event
SANS San Francisco Summer 2017
San Francisco, CA
Jun 05, 2017 - Jun 10, 2017
Live Event
Security Operations Center Summit & Training
Washington, DC
Jun 05, 2017 - Jun 12, 2017
Live Event
Community SANS Ottawa SEC401
Ottawa, ON
Jun 05, 2017 - Jun 10, 2017 Community SANS
SANS Rocky Mountain 2017
Denver, CO
Jun 12, 2017 - Jun 17, 2017
Live Event
SANS Charlotte 2017
Charlotte, NC
Jun 12, 2017 - Jun 17, 2017
Live Event
SANS Rocky Mountain 2017 - SEC401: Security Essentials
Bootcamp Style
Community SANS Portland SEC401
Denver, CO
Jun 12, 2017 - Jun 17, 2017
vLive
Portland, OR
Jun 12, 2017 - Jun 17, 2017 Community SANS
SANS Secure Europe 2017
Amsterdam, Netherlands
Jun 12, 2017 - Jun 20, 2017
Live Event
SANS Minneapolis 2017
Minneapolis, MN
Jun 19, 2017 - Jun 24, 2017
Live Event
Community SANS Philadelphia SEC401
Philadelphia, PA
Jun 19, 2017 - Jun 24, 2017 Community SANS
SANS Columbia, MD 2017
Columbia, MD
Jun 26, 2017 - Jul 01, 2017
Live Event
SANS Cyber Defence Canberra 2017
Canberra, Australia
Jun 26, 2017 - Jul 08, 2017
Live Event
SANS Paris 2017
Paris, France
Jun 26, 2017 - Jul 01, 2017
Live Event
SANS London July 2017
Jul 03, 2017 - Jul 08, 2017
Live Event
Cyber Defence Japan 2017
London, United
Kingdom
Tokyo, Japan
Jul 05, 2017 - Jul 15, 2017
Live Event
SANS Cyber Defence Singapore 2017
Singapore, Singapore
Jul 10, 2017 - Jul 15, 2017
Live Event
Community SANS Minneapolis SEC401
Minneapolis, MN
Jul 10, 2017 - Jul 15, 2017
Community SANS
SANS Los Angeles - Long Beach 2017
Long Beach, CA
Jul 10, 2017 - Jul 15, 2017
Live Event
SANS Munich Summer 2017
Munich, Germany
Jul 10, 2017 - Jul 15, 2017
Live Event
Community SANS Phoenix SEC401
Phoenix, AZ
Jul 10, 2017 - Jul 15, 2017
Community SANS
Mentor Session - SEC401
Macon, GA
Jul 12, 2017 - Aug 23, 2017
Mentor
Mentor Session - SEC401
Ventura, CA
Jul 12, 2017 - Sep 13, 2017
Mentor
Community SANS Atlanta SEC401
Atlanta, GA
Jul 17, 2017 - Jul 22, 2017
Community SANS
Community SANS Colorado Springs SEC401
Colorado Springs, CO
Jul 17, 2017 - Jul 22, 2017
Community SANS
SANSFIRE 2017
Washington, DC
Jul 22, 2017 - Jul 29, 2017
Live Event
Related documents
Instructor Rubric for Presentations
Instructor Rubric for Presentations
WWW Lab1
WWW Lab1
Document
Document
CFP - IEEE SMC 2017
CFP - IEEE SMC 2017
Mini EURO Conference on Operational Research in Computational
Mini EURO Conference on Operational Research in Computational
Slide 1 - AccessAnesthesiology
Slide 1 - AccessAnesthesiology
Third International Conference on Signal and Image Processing
Third International Conference on Signal and Image Processing
- AAP Red Book - American Academy of Pediatrics
- AAP Red Book - American Academy of Pediatrics
Slide 1 - AccessPharmacy
Slide 1 - AccessPharmacy
Summer Assignment for AP Economics (AP GEM)
Summer Assignment for AP Economics (AP GEM)