Some may enjoy this quick read on NAT firewalls and bypassing security from a security-forums.com post...
by danielrm26
"This is one of the *secret* mysteries that seems to come up over and over.
First of all, the way that the vast majority of compromises take place is by someone running malicious code themselves - an email virus, a browser exploit, p2p, etc. This is the easiest way to both get torn up, or to tear up someone else's system.
The brute force "penetrations" that people hear about (when they are even possible) are extremely non-trivial.
NAT, for example, is a very strong layer of protection because of how it is set up. It's a brick wall, basically, until you tell it to pass a given type of traffic inside. In other words, if you don't tell it to send web traffic to a specific internal host, how is it going to know what to do with it? It won't. So it just drops it - that is why it is good protection. It needs to be told what to do with traffic explicitly, and in the absence of such direction the traffic is useless and harmless. It receives traffic of whatever type, checks its rules to see if it matches any of them, and goes from there. If it doesn't find any rules then there isn't much of anything that can happen - the traffic gets dropped.
Now, once a connection is established you have a different story. It's still very hard to hijack a connection or confuse the state-monitoring engine of a given system, but it's a billion times easier than getting a piece of NAT software to send traffic to a place it doesn't know how to.
Similar to trying to bypass a NAT device is trying to "hack" a closed port. There simply isn't a path into anything listening in these cases. In order to exploit something you must be able to interact with it, or, to be more clear, be able to send it input that causes it to do something. When you send traffic to NAT software with no forwarding targets or ports with nothing bound to them, there is precious little that can come of it.
One major key to securing your systems is protecting what is listening. A machine with no services running is virtually the same as a machine that isn't on when it comes to attempting active exploits against it. Or, to put it another way, you have roughly the same odds of executing an SSH vulnerability on a tree stump or a bag of gravel as you do a machine with no SSH daemon running.
So, to answer your question, it is extremely hard to do what you are asking due to the principles I have mentioned.
Exploits are easiest on large, complex code bases where there are multiple types of input and complex things that must be done with that input. A routing table, a NAT device, or any other relatively simple system which doesn't allow for much variation in how it is communicated with is *far* more difficult to have an effect on in any way - malicious or otherwise."
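As an added illustration (not part of danielrm26's post or the forum thread), here is a toy Python model of the behaviour the post describes: a reply matching a flow the inside host opened is translated back in, an explicit forward rule delivers traffic the administrator pointed somewhere, and everything else is dropped because the gateway has no rule or state for it. All addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})  # public port -> (inside ip, inside port)
        self.table = {}                       # public port -> (in ip, in port, remote ip, remote port)
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside host sends out: allocate (or reuse) a public port and record the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside host sends in: return the translated packet, or None when dropped."""
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):
            # Reply to a flow the inside host opened: rewrite to the inside address.
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if pkt.dst_port in self.forwards:
            # The administrator explicitly told the gateway where this traffic goes.
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        return None  # no state and no rule: the gateway has nothing to do with it

def run_scenario():
    """Constructed scenario: one outbound web fetch, then three inbound packets."""
    gw = NatGateway("203.0.113.5", forwards={8080: ("192.168.1.20", 80)})
    gw.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))  # client opens flow
    reply = gw.inbound(Packet("198.51.100.7", 443, "203.0.113.5", 40000))  # server reply
    probe = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))    # unsolicited
    fwd = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 8080))    # forwarded port
    return reply, probe, fwd
```

Note that a packet aimed at an allocated public port from a host other than the one the flow was opened to is also dropped, since the state entry records the remote endpoint as well.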