How would someone go about exploiting a vulnerability within a LAN sitting behind a router running NAT/NAPT... where would you start? Hacking the open port? Routing tables? Accessing remote administration on the modem (disable NAT)?? bah...
MY SYSTEM/SETUP: I have one XP SP2 machine providing PPTP VPN connections and a webcam security system (webcamXP). Forwarded ports: 1723/GRE/7 for the VPN and just 81 for webcamXP, plus 82 if I needed sound. I use DynDNS to link a hostname to my Internet IP.
PEN TESTING: (With NAT) If I run a security scan on my hostname (myhostname.dyndns.org) using LANguard Network Security Scanner with NAT/NAPT on, forwarding ports to 10.0.0.*** (XPBOX), the scanner doesn't find any computers or return any results.
(Without NAT) If I place my XPBOX into a DMZ (aka Default NAPT on a SpeedTouch 530) and run a scan from the outside, I can see all my open ports (1723 XP VPN, 81 WebcamXP, 80 Apache, etc.) as well as a list of all possible exploits.
THOUGHTS: So having NAT/NAPT enabled is definitely good, but how would one go about gaining access to the LAN? Would remote administration have to be turned on for someone to change modem settings, i.e. put a workstation in the DMZ???
MORE PEN TESTING: The only way I can see someone gaining access is by attacking webcamXP. There are vulnerabilities in the sanitization of chat text and a cross-site scripting vuln, e.g.
Although these vulnerabilities appear to now be patched... what other options would one have?? PPTP VPN hacking is possible, but I'm using MS-CHAPv2, which is supposedly pretty hard to crack. MS-CHAPv1 is supposedly fairly easy, but still one has to do a fair amount of work to orchestrate this attack.
HOW SECURE AM I?
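An added check, not from the thread, that turns the poster's two scans into a repeatable exposure test: it compares the ports an external scan reports as open against the ports the poster intentionally forwards, so the DMZ case (80 Apache and anything else listening on the XP box) is flagged. The scan lines are constructed, not real captures, and only TCP ports are checked since GRE is a protocol rather than a port.

```python
import re
from typing import Dict, List

# Ports the poster deliberately forwards through NAPT (from the post);
# GRE is a protocol, not a port, so only TCP forwards are listed.
INTENDED_PORTS = {1723: "PPTP VPN", 81: "webcamXP", 82: "webcamXP audio"}

# Constructed scan output (not a real capture) in a simplified
# "port/proto state service" layout, one port per line.
SCAN_NAT_ON = """\
1723/tcp open  pptp
81/tcp   open  http
82/tcp   open  http
"""

SCAN_DMZ = """\
80/tcp   open  http
81/tcp   open  http
82/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
1723/tcp open  pptp
"""

LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def parse_scan(text: str) -> Dict[int, str]:
    """Return {port: service} for every line the scanner reports as open."""
    found: Dict[int, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "open":
            found[int(m.group(1))] = m.group(4)
    return found

def exposure_report(scan_text: str, intended: Dict[int, str]) -> Dict[str, List[int]]:
    """Split open ports into intended forwards, unexpected exposure and missing forwards."""
    open_ports = parse_scan(scan_text)
    return {
        "expected": sorted(p for p in open_ports if p in intended),
        "unexpected": sorted(p for p in open_ports if p not in intended),
        "missing": sorted(p for p in intended if p not in open_ports),
    }

if __name__ == "__main__":
    for name, scan in (("NAT on", SCAN_NAT_ON), ("DMZ", SCAN_DMZ)):
        print(name, exposure_report(scan, INTENDED_PORTS))
```

Run it after any modem change; a non-empty "unexpected" list means the box is reachable on something other than the intended forwards.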
User "Alfred50" wrote: Interesting question...but there's a key point that you haven't addressed. That is: "Is your specific network/organization being targeted?" or "How resilient is your network and users (key point: users) to all of the various spyware and worse running around out there?"
In my experience, the people who are REALLY out to target your network are (as alfred50 pointed out) more likely to be subject to social engineering and the like. OR...they are going to be very sneaky.
So would you be so kind as to describe what sort of vulnerability or attack you are most concerned about?
Then we (collectively) can give you a better feel for the risks you face.
On a somewhat different tangent (although not entirely), I'm more concerned about spyware, peer-to-peer (P2P) applications putting trojans into your network, apps like Skype which promise free phone service, but silently use your system to process their calls, and the like.
The lure of "free" has gotten many an organization into trouble.
User "Ultrix" wrote: The definition of a DMZ is that there is no default port filtering, so it makes sense that a default set-up would show the port scanner all of your open ports.
There is a Windows port of Snort that is pretty good. The configuration of Snort, or any other network IDS, is key, though. If you want to warrant or guarantee the configuration, prepare to read a lot about Snort (luckily there are several books on the subject), or to pay a non-trivial amount for it.
Merely installing Snort is not exactly a walk in the park, either. There are 8 other packages that need to be present for Snort to work. There is a lot of info on the web about it. Set up a test machine in the same environment and play on it until you are happy, then do the production install.
Your biggest danger is still probably from an insider at your organization, either accidentally or purposefully giving out sensitive material or misconfiguring the software on the server or some other machine in the LAN.
Read this entire discussion in our ITKnowledge Exchange.