02-19-2008, 11:31 AM
George Georgakis
 
Re: 192.168.0.x Hackable?!

PackMule <packmule13@yahoo.com> wrote:

> I have a Slackware (9.1) box set up that only has one IP of
> 192.168.0.96. I have been under the impression that this is safe from
> the outside world because it's not a routable address but someone I
> know who I've always respected says that it's not safe. I still keep
> pretty up to date with patches and whatnot but would be interested in
> finding out who's right. If I am wrong I guess I'll have to start
> paying a little more attention.


Quoting from
http://www.dalantech.com/boards/showflat-Cat--Board-networking-Number-30916-page-1-view-collapsed-sb-5-o--fpart-1.html:

Dalantech: "I often get asked "If I have NAT, then why do I need a
firewall?". I posed the same question to Da Fade and asked him if
he could give me a really good response - here is his reply:"

Da Fade: "Easy answer ... NAT isn't a firewall. Does it block ports
by default? No. Does it prevent Denial of Service? No. Most importantly,
does it perform connection state inspection? A big NO!

Example: Mr. Joe Unprotected goes browsing out on the net. He starts a
telnet session out of his NAT protected device. He ends his session.
Guess what? The mapping for his session is still on the unit. It hasn't
yet timed out.

Enter Joe Hacker. He starts to do some port scans on Mr. Unprotected and
runs into a port allowing him in. Joe thinks, "Hmmm, weak firewall." Joe
has some fun playing around on hosts for a while through 'holes' made by
the users behind the NAT device. Eventually some of the ports begin to
time out (the NAT mapping has reached the end of its life). This upsets the
hacker greatly. In response, he decides to kill Mr. Unprotected's bandwidth
with some Denial of Service attacks.

The attacks are highly successful. Mr. Unprotected loses hours of service,
and tons of money, because he wasn't smart enough to believe what everyone
was telling him .... NAT is no substitute for a Firewall.

What I'm saying is that even though Joe Hacker can't see the private IP
addressing on the inside, that doesn't mean he can't access the inside
network. NAT will happily reverse the mapping as traffic flows in from the
public network as long as it has a map already, even one that's temporary.
Some NAT devices have ungodly long timeout values.

Spending a little extra for REAL security will make the difference between
real protection, and a thin candy shell called NAT."

--
George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
SlackBuild Central - http://slackpack.tripleg.net.au/

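The behaviour described in the quoted reply, as an added example that is not part of the original post: a toy model of a NAT table in which a device with endpoint-independent filtering (RFC 4787 terminology) reverses any packet that hits a live mapping, while one that also checks the remote peer drops it. The class names, the 300-second timeout and all addresses other than 192.168.0.96 are constructed for illustration.

```python
# Added illustration (not from the thread): a toy NAT table with two
# inbound filtering policies. All addresses are constructed sample values.
from dataclasses import dataclass

@dataclass
class Mapping:
    inside: tuple       # (private_ip, private_port)
    remote: tuple       # (remote_ip, remote_port) the inside host contacted
    last_seen: float    # time of the last outbound packet on this mapping

class Nat:
    def __init__(self, timeout, endpoint_independent):
        self.timeout = timeout                  # idle seconds before expiry
        self.endpoint_independent = endpoint_independent
        self.table = {}                         # public port -> Mapping
        self.next_port = 40000

    def outbound(self, inside, remote, now):
        """Inside host sends a packet; create or refresh its mapping."""
        for port, m in self.table.items():
            if m.inside == inside and m.remote == remote:
                m.last_seen = now
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = Mapping(inside, remote, now)
        return port

    def inbound(self, public_port, source, now):
        """Return the inside endpoint the packet reaches, or None if dropped."""
        m = self.table.get(public_port)
        if m is None:
            return None                         # no mapping: nothing to reverse
        if now - m.last_seen > self.timeout:
            del self.table[public_port]         # mapping aged out
            return None
        if not self.endpoint_independent and source != m.remote:
            return None                         # peer check: not the contacted host
        return m.inside

def demo(endpoint_independent, timeout=300):
    nat = Nat(timeout, endpoint_independent)
    host, server = ("192.168.0.96", 51000), ("203.0.113.10", 23)
    stranger = ("198.51.100.7", 4444)           # unrelated outside source
    port = nat.outbound(host, server, now=0)
    return {
        "reply_from_server": nat.inbound(port, server, now=10),
        "stranger_while_mapped": nat.inbound(port, stranger, now=20),
        "stranger_after_timeout": nat.inbound(port, stranger, now=timeout + 1),
    }
```

Calling `demo(True)` and `demo(False)` side by side shows the only difference is the unsolicited packet that arrives while the mapping is still live, which is why a long mapping timeout widens exposure only on the device without the peer check.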