NAT Servers will not play nice with each other



erauqssidlroweht
07-24-2004, 01:03 AM
I have a cable modem directly connected to the internet; it feeds the internet connection to my first NAT server, a NETGEAR WGR614 4-port router. I have DHCP services configured on the NETGEAR router. On port 3 of my NETGEAR router I have a Novell NetWare computer running OS 5.2. I have set up NAT on the Novell box and it serves to a hub, and that serves to a 386 running Red Hat Linux 6.2.

EXAMPLE
WWW
|
|
Cable Modem
|
|
(24.119.*.* DHCP)
NETGEAR
(192.168.0.1 DHCP)
|
|
(NETGEAR Router Binds MAC address to Static IP 192.168.0.3)
Novell Netware 5.2 NAT Server (No BorderManager)
(Novell Private Network 192.168.1.1)
|
|
4-Port HUB
|
|
Linux & Windows XP boxes (Not able to get out to 24.119.*.* network)
(192.168.1.2)

From the Linux machine I can PING the Novell NAT server, and I can PING the Netgear server, but I can't get past the Netgear router to the outside world.
I've connected a Windows XP box and have tried different configurations, but it has the same effect.

I am able to log on to my NETGEAR router and configure it from my Linux box; however, I have been unable to connect to the internet.

Any computer directly connected to the NETGEAR router has access to the internet (including my Novell box). I've checked NETGEAR's site, but there must be a configuration I'm missing.

pave_spectre
07-24-2004, 01:33 AM
Is there any reason you need to run Double NAT?

erauqssidlroweht
07-24-2004, 04:34 AM
Our college instructor has challenged us to make a network that is rock hard as far as security, with a minimum of network equipment, with the most services running. (Services being anything network-serving.) We will start the class by cracking what others have made. I am hoping that should anyone be able to gain root access on my Linux box, they will be unable to RPM, telnet, ftp, ping, vi, or any major function but disable/change my Apache-served website. The NAT server provides an extra layer of complexity. Some of my fellow classmates may be knowledgeable of Linux/UNIX, but some may stumble when it comes to Novell cracking. Plus, later I will implement IPX as the only protocol on that side of the network. The other computers are not going to be very secure (hey, it's Windows), plus wireless is not known for being the best for security.

REQUIREMENTS:
386 w/ 24MB RAM
233 PII running un-patched/un-service packed/un-updated out of the box OS
Wireless WLAN Laptop running un-patched/un-service packed/un-updated OS, or drivers.
All computers must have workstation and Internet access. (AKA so a student could use the computer in a college environment.)
(No hardware locks, and assume cracker will have physical access)
Other hardware has to be approved by Instructor

SERVICES I'm working on implementing:
DNS, DHCP, Apache Webserver, NAT/IP Forwarding/Masquerading, email server, news server, Dial up access, remote access, SSH, TFTP, SMTP, AntiVirus server, BIOS Passwords, WPA-PSK/WEP 128, etc

SERVICES considering:
Trillian (ICQ, MIRC, MSN Mess, AOL mess, etc), WinMX,

SECURITY CONCERN:
BIOS Cracks/Physical Access, Wireless Hijacking, MAC Spoofing, ZoneAlarm DoS attacks, Apache DoS attacks, Windows Media Player/ActiveX,

------------------------------------------------

Any suggestions would be great. But I'm still stuck on this problem.
Here are my NETGEAR SETTINGS:

Port Forwarding
1 HTTP 80 80 192.168.0.3
Port Triggering
NONE

Connect Automatically, as Required YES

Disable SPI Firewall NO

Default DMZ Server NONE

Respond to Ping on Internet Port NO

MTU Size 1500

RIP Direction None
RIP Version Disabled

Use Router as DHCP Server
Start 192.168.0.1
End 192.168.0.3

Address Reservation
1 192.168.0.2 XP 00:00:5A:51:42:C9
2 192.168.0.3 NOVELL 00:00:44:16:C1:92

UPnP OFF

Wireless Router Settings
Wireless Router Radio DISABLED
SSID Broadcast DISABLED

Use a Dynamic DNS Service NO

Static Routes NONE

Turn Remote Management On NO


Attached Devices
1 192.168.0.2 XP 00:00:5A:51:42:C9
2 192.168.0.3 NOVELL 00:00:44:16:C1:92


System Up Time 04:30:54
Port Status TxPkts RxPkts Collisions Tx B/s Rx B/s Up Time
WAN 100M/Full 10522 368493 0 0 6437 04:30:54
LAN 10M/Half 24653 24780 0 4653 2336 04:30:54
WLAN 11M/54M 1609 93734 0 0 0 04:30:54


Running the newest Netgear Router FLASH Upgrade.

pave_spectre
07-24-2004, 06:18 AM
I am hoping that should anyone be able to gain root access on my Linux box, they will be unable to RPM, telnet, ftp, ping, vi, or any major function but disable/change my Apache-served website.

If someone manages to grab root access they can do whatever the heck they want.


The NAT server provides an extra layer of complexity.

And extra headaches for you. Double NAT won't mean a thing if "(No hardware locks, and assume cracker will have physical access)" also includes the servers. You're starting with one hand tied behind your back right there.

What little I know about double NAT makes me want to avoid it like the plague. It seems to require static mappings to allow access between the remote networks.

I can't help with novell settings since I have never even touched it.

If you're using your Linux box as a server, look into running any services in root jails.

erauqssidlroweht
07-24-2004, 12:32 PM
Yes, you're right. If the cracker has root access there really isn't a lot I can do. However, I have made it very difficult for anyone who does, because I have concealed the binaries RPM, vi, ping, etc.
Example: [root@386] /# mv /bin/rpm /mnt/floppy/

This is by no means an uninstall, it's just a move. I want to move the utilities from the hard disk to floppy. I will have the floppy, thus I can move and edit as I please. (One more level of complexity.)

Thanks for the suggestion on root jails; I will have to implement it on my system (hopefully it will not bog things down too much).
------
If this truly is a routes issue, how is it that I am able to connect and edit my router settings from behind my Novell NAT server? I suspect something is not getting changed when it goes to the router. But I have no documentation from NETGEAR to aid me in this endeavor.

However, at this point it could be anything. So here are my Novell settings (inetcfg).
Boards - Both Enabled
Network Interface - Media Ethernet
WAN Call Destinations - Empty
Backup Call Associations - Empty
Protocols - TCP/IP Enabled
-TCP/IP Status - Enabled
-IP Packet Forwarding - Enabled ("Router")
-RIP - Disabled
-OSPF - Disabled
-LAN Static Routing - Disabled
-SNMP Manager Table - 127.0.0.1
-DNS Resolver Configuration - Empty
-Filter Support - Disabled
-NAT Implicit Filtering - Enabled
-Directed Broadcast Forwarding - Disabled
-Forward Source Route Packets - Disabled
-Etc
Bindings
-TCP/IP KTC120_1 Enabled 192.168.1.1
-TCP/IP KTC30_1 Enabled -
-NOTE: The reason there is no IP address is because I've recently tried running DHCPCLNT in hopes that my NETGEAR router would DHCP a working IP address. (Both static and DHCP have the same results.)


Does that give anyone any ideas?

Variable
07-24-2004, 01:37 PM
I think your idea of double NAT is, likewise, not worth the effort. First off, your entry point is the firewall on the router; this has to be the most secure, so the most thought should go into it. I would set up some good ACLs on the router (firewall), including only allowing the MAC addresses of your known NICs to have access. I would deny/deny and only open holes for specific internal machines. Do you have to use DHCP? If you do, you could simply set the IP range to 3-4 addresses or however many you need and then use the numbers as part of the ACL; if you use both the IP and MAC as part of the ACL it will help mitigate spoofing of one or the other. Bump the encryption standard for wireless to 128. Don't broadcast the SSID. Can you set up a VLAN for your wireless connection? Use LONG usernames and passwords for all machines, like the first sentence from a song you like or a poem, and add some numbers; this goes for all your PCs and servers. Don't forget to change the username and password of telnet access to the router.

You just know someone will try and access Windows from hidden admin shares, so remove them (http://support.microsoft.com/default.aspx?scid=kb;EN-US;318751). Change the admin username and password. Don't use IE as a browser.

You can make your machines secure. One of my instructors in security had a standing bet that he would add exams to both his classroom machine and home server 3 days prior to the exam date. If you could hack it and get the answers you got an A, as long as you showed him how you did it. No one has ever done it.

I would also think about a honey pot: recognize how the attacks are going to come in and use the honey pot as a trap. I think your biggest hole is someone sitting at the machine trying to hack it. Securing network access should be the easiest thing.

Anyway, just a few thoughts. V

pave_spectre
07-24-2004, 09:05 PM
If this truly is a routes issue, how is it that I am able to connect and edit my router settings from behind my Novell NAT server?

From the little I read, getting from one network to a directly connected network is no problem. In your case that would be from the Novell network to the internal Netgear network, or from the Netgear network to the internet. But getting between indirectly connected networks requires the static mappings, i.e. from the Novell network to the internet. Since your Netgear configuration would be internal, accessing it from the Novell side should not be a problem.

But like I said I only read a little. Wish I could be more help on this matter.

I can offer an example of my own home network, don't know if it will provide useful ideas.

My base setup uses a Smoothwall box with three network cards as router/firewall to separate servers from the internal network but permit access from outside. It's set up using a system of Red/Orange/Green interfaces.
Red is the external network and connects to the modem. It can be configured statically, dynamically or for PPPoE. Without specific rules all access from this network is denied.
Orange is the server network, and no computer on this network is permitted access to the internal network. External ports (web, ftp etc) are usually forwarded to IP addresses in this network.
The green network is where all "trusted" workstations are connected.

The one issue I see with this is that I believe machines in the Green network may have trouble accessing certain things in Orange, which means if the servers need to be accessed by internal machines this setup won't work for your situation. I can't test this theory since my own Orange network card needs replacing and my server is down for maintenance. :rolleyes:


--EDIT--
THIS (http://www.netfilter.org/documentation/HOWTO/netfilter-double-nat-HOWTO-4.html) was one of the links I found about how a Double NAT works. By no means comprehensive.

juniper
07-25-2004, 07:53 AM
LAN Static Routing - Disabled

Enable static routing, then under that configure your default gateway on the Novell server, hehe. This is why you can only get to directly connected networks: the Novell server does not know what to do with other routes, and drops them rather than forwarding to the Netgear. I've set up Novell double NAT/PAT behind PIX, IOS firewall and SonicWall (the reason I do this is that when setting up new servers for clients at the office I can test the firewall, so I do it a lot) and have had no issues at all using NetWare 5.0, 5.1, 6, 6.5 (there is no 5.2). If you have to use an OS right out of the box, use the Small Business edition; it comes with the BorderManager firewall and you can enable authentication proxy from an IPX network that gets NAT/PAT to IP on its outside interface. The problem here is that if you have to have a web server behind the Novell server it will need IP to be accessed, so a pure IPX network is out of the question. Also put a sniffer on the outside interface of the NetWare box and verify PAT is working. As for passwords, don't use any words from the dictionary (dictionary attacks only take minutes to break at the most), turn off SNMP or use version 3 which is encrypted, disable rconj and rconsole or use an encrypted password, do not bind IPX to the outside interface, and make sure passwords are 8 chars or longer with symbols concatenated between words; this will add a week or more to a password cracker. Since you are unfamiliar with NetWare, do an advanced install and deselect everything you don't need installed.

juniper
08-03-2004, 07:57 PM
I was just browsing forums and remembered one more thing that you should do. On the router, create ACLs on the outside interface for 127.0.0.0/8, 0.0.0.0/32, 192.168.0.0/16, 224.0.0.0/8, or a route to go to 0.0.0.0 or null0 (leaving out internal networks if using routes). These are anti-spoofing ACLs; create these on anything acting as a router (such as the Novell server), changing the 192.168.0.0/16 to the internal protected network address.

Variable
08-04-2004, 09:28 PM
ACLs for a Cisco router are like acl#-argument-protocol-source-destination. At least that's how I add them; how do you "send" packets to a null?

juniper
08-05-2004, 09:18 AM
In my post I said to use an ACL "or" a route to null0.

You send a packet to null0 with a route, i.e.:

On a Cisco router (the mask must cover the whole 127.0.0.0/8 block named above, or IOS rejects the address/mask pair):
ip route 127.0.0.0 255.0.0.0 Null0

Or you can use route maps, like this one that will only block 92-byte ICMP packets that are used by the Nachi virus but still allow all other ICMP:

access-list 190 permit icmp any any echo
access-list 190 permit icmp any any echo-reply

route-map nachi-worm permit 10
match ip address 190
match length 92 92
set interface Null0

Using a route to Null0 is less intrusive to the router because it is just routing the packets to a black hole, not actually trying to fend them off; when the router gets a matching ACL for a packet it uses memory and CPU to examine the packet to find out what to do with it, so just routing it makes a DoS harder to accomplish on the router.

Also, routing to null0 is very common on backbone internet routers. Why? Well, let's say I have a core router that is supernetting. I would route that supernet to null0 (I know, sounds weird), but actually you do this in case one of the ckts starts flapping (going up and down): BGP that is propagating the supernet will not flap to your EBGP peers, as null0 is still up, so the route didn't flap and BGP is not constantly updating to the peers (other ISPs). The only device that has a flapping route is your supernet router, so your external peers are not having their routers pounded by updates. During normal operation, when the router gets a packet to a subnet of the supernet it will use the more specific route, sending it on its way, but if the subnet is down it will not have a more specific route and will just dump the packets to null0.

Pretty cool ya think :)
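As an added illustration (not code from the thread) of the two Null0 ideas in this post and the anti-spoofing prefixes in the 08-03 post, here is a small longest-prefix-match forwarding table in Python. Interface names and the 198.51.100.0/24 aggregate are constructed; the ICMP check mirrors the 92-byte Nachi route-map.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NULL0 = "Null0"  # black-hole interface: anything routed here is silently discarded


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # egress interface name; NULL0 means drop


class ForwardingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop))

    def withdraw(self, prefix: str) -> None:
        # Models a flapping circuit taking its more-specific route away.
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net]

    def lookup(self, dst: str) -> Optional[str]:
        # Longest prefix wins, as in a real FIB.
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen).next_hop if hits else None


def nachi_policy(proto: str, icmp_type: str, length: int) -> bool:
    """Mirrors the route-map: 92-byte ICMP echo/echo-reply is sent to Null0."""
    return proto == "icmp" and icmp_type in ("echo", "echo-reply") and length == 92


def forward(fib: ForwardingTable, dst: str, proto: str = "tcp",
            icmp_type: str = "", length: int = 0) -> Optional[str]:
    # Policy routing (the route-map) is consulted before the ordinary lookup.
    if nachi_policy(proto, icmp_type, length):
        return NULL0
    return fib.lookup(dst)


def build_table() -> ForwardingTable:
    fib = ForwardingTable()
    fib.add("0.0.0.0/0", "Serial0/0")  # default towards the upstream (constructed name)
    # Black holes for the prefixes named in the anti-spoofing post.
    for bogon in ("127.0.0.0/8", "0.0.0.0/32", "192.168.0.0/16", "224.0.0.0/8"):
        fib.add(bogon, NULL0)
    # Supernet pinned to Null0 so it stays in the table while circuits flap;
    # the /26 subnets are the live more-specific routes (constructed TEST-NET-2 space).
    fib.add("198.51.100.0/24", NULL0)
    fib.add("198.51.100.0/26", "Serial1/0")
    fib.add("198.51.100.64/26", "Serial1/1")
    return fib
```

Withdrawing one /26 sends its traffic to the aggregate's Null0 entry rather than out the default route, which is the behaviour the post describes for a flapping subnet.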

Variable
08-06-2004, 10:05 AM
Yeah, some rusty clanking can be heard from my brain; I seem to remember routing to null for OSPF. It makes sense that it is faster to route to Null than checking the ACL. I got a job with an ISP and I'm getting a crash course in all kinds of routing issues. BGP seems to be the standard.

juniper
08-06-2004, 11:38 AM
Hehe, you will love it!! Congrats on the job. I worked for the largest ISP in the world for several years as a tier 3 internet operations engineer; we were Cisco's training ground for MPLS. You will find that BGP is not only common, it is the only way to fly at the ISP level; it is the routing protocol for the internet, period. All backbone ISPs run BGP, believe me, I did the BGP peering. You will have an IGP (interior gateway protocol) which will be OSPF or IS-IS (we used IS-IS because OSPF was not scalable enough for us; also OSPF has what is known as meltdowns), then you have an EGP (exterior gateway protocol) which will be BGP. So you really have a tiered setup, with static routes being redistributed to the IGP, then the IGP redistributing to the EGP. The BGP that runs in your AS is called iBGP and the BGP that connects the ASs is known as eBGP; you will also learn mBGP (multicast BGP). BGP has to be fully meshed, so instead of physically running cable meshing all the routers you use what is called a route reflector. The cool thing about working for an ISP is you get to use Juniper routers (wonder how I came up with my login name, gee, hehe); they run on BSD and are the shizznitz of routers. We were making olives for home practice (I'll let you figure out what an olive is; a hint is that in M-160 the M stands for martini). You also get SONET experience out the wazzooo. LOL! Hope you like BSD and Linux, the ISPs do, hehehe.

Variable
08-06-2004, 11:57 AM
No, I don't especially like Linux; well, I don't like the CLI. We have just about everything running, even a G5 we taught to respond to basic speech commands. The data center is a little overwhelming. All part of the learning curve. I just got the word yesterday that I am going to be tasked with understanding and pushing out Windows updates to all the Windows servers; I immediately got heartburn.

juniper
08-06-2004, 01:40 PM
You using WUS to push out, or SMS or Altiris?
When I worked in the NOC we had three engineers on shift at a time; we only worked on core, WAN, and border routers, that's it. We used all Linux/BSD boxes, which is cool because we had one poll the 600+ routers we were in charge of every 4 hours, and if changes were made it would save the new config; then we could diff and grep the changes from the old configs. Juniper routers had 10 gig hard drives and you can roll back the config up to 10 changes back. You make changes in a text editor, then have it check syntax and compatibility before applying changes; they are sweet. Anyway, if you are doing BGP I'll post a good book for you to read on it. Can't remember the author right now.

Variable
08-06-2004, 02:52 PM
Right now it is all done manually: terminal services in and patch them. Up to now this has been doable; now things are to the point where it may be smarter to look at a different strategy. They don't want to spend the money on SMS, I know this already. Since I will have input, I'm open to suggestions. I have been thinking about WUS.

juniper
08-09-2004, 09:05 AM
WUS or SUS is your only good option if you have a dedicated box you can put IIS on.