[Snort-users] RE: NAT Penetration Techniques

J. Craig Woods drjung at ...2066...
Wed Mar 6 12:18:25 EST 2002


Basil Saragoza wrote:
> 
> Would it be correct to say that (theoretically at least)
> If I see in snort lan sensor attacks on my lan workstations it mostly means
> that the 'initiator' is local workstation and not the external address cause
> people from outside wouldn't know that ws ip is 10.0.0.234. This is the
> indication that trafic was routed back to that 'initating' lan workstation,
> and not indication that someone somehow bypasses my NAT on fw.

No, that would not be a good assumption to operate on. Theoretically,
almost anything is possible when it comes to networking. You must
explore the attacks to see if maybe they are false but it is possible to
attack one of your internel machines from an externel source. Remember
that your firewall will be doing the translation on the NAT ip back to
the local machine ip. Therefore, you could be attacked on a local
machine with NAT sending the attack back to the original ip address for
the local machine. NAT does *not*, in and of itself, save you from an
attack on a local machine. Remember that ip header flags are set by
orinating machine. If I go out to the internet, asking for a connection
to some external maching, I am creating a "hole" in the firewall, and it
is not necessary for the external machine to "know" my private ip
address.

Hope this clarifies (as opposed to obfuscating)...

-- 
J. Craig Woods
UNIX/NT Network/System Administration

-Art is the illusion of spontaneity-




More information about the Snort-users mailing list