
If I own a private IP address, 192.168.2.1 for the sake of it, and I am physically connected to my router, whose internal interface is 192.168.2.254 and whose external interface is some public IP address which it got from my ISP's DHCP server.

Obviously my IP is being translated over NAT so I can surf the internet.

So how can someone hack into my computer?

Looking at it from the OSI model perspective:

  • Layer 1 - Irrelevant
  • Layer 2 - ARP attacks, only people who live in my home and share the same network, irrelevant for the sake of discussion
  • Layer 3/4 - Well, my IP is a private one, so people can't really probe me for open ports and vulnerabilities, right? They can probably probe my router, but it's just an "ISP smart box", which isn't really a router (although it operates also as a Wifi AP, so people will need to crack it in order to get something done)
  • Layer 5 and up - These are the only layers at which I will be vulnerable to an attack, am I right? Ranging from XSS, to some other things?
grg
Franko
    Seems like a duplicate of [How important is NAT as a security layer?](http://security.stackexchange.com/q/8772/971) and [What kind of attacks against home router's NAT do exist?](http://security.stackexchange.com/q/7911/971). – D.W. Feb 19 '12 at 07:09
  • Just a side note, the OSI model is largely irrelevant. It is a misconception to apply it to current networks, mostly based on TCP/IP. – AviD Feb 28 '12 at 15:44

2 Answers


Generally speaking, most NAT boxes also happen to provide some firewall-like protection: they tend to block incoming connections.

This is not an inherent or necessary property of NAT; it is just that most consumer devices that provide NAT also happen to provide this sort of firewalling as well. (Technically speaking, NAT does not necessarily imply any blocking of incoming connections.)

Nonetheless, for NAT devices that do block inbound connections (i.e., most of them), you do get some of the benefits of a firewall. This makes it harder for someone to connect to your PCs behind the NAT and attack them. In practice, this provides a sort of "poor man's firewall" that works pretty well against a common class of attacks.

However, NAT is far from a silver bullet. People can still compromise your PC, even with your NAT, in a variety of ways:

  • A malicious website could exploit a vulnerability in your browser, a malicious email could exploit a vulnerability in your mail client, a social engineering attack could trick you into revealing your password or installing malware, a file you download over a file-sharing network could be malicious, and so on.

  • An attacker could attack your NAT box directly, e.g., by exploiting an open Wifi link, by drive-by pharming, by guessing your NAT box's administrator password, etc.

  • An attacker could fool your NAT into allowing an inbound connection, using the NAT pinning attack. This is basically a technical vulnerability in NAT boxes which illustrates that their incidental connection-blocking can in some cases be defeated.

For more detailed elaboration on all of these points, I recommend you read the answers to How important is NAT as a security layer? and What kind of attacks against home router's NAT do exist?. There is a lot of good information there.

D.W.

Layers

I don't think looking at OSI layers is useful here. You're likely not vulnerable to layers below the IP protocol, since the internet only routes IP. And you're potentially vulnerable on all layers above. In practice most vulnerabilities are at the application layer.

I'd rather look at the problem by separating it into incoming and outgoing connections.

Outgoing connections

NAT doesn't interfere with those, apart from rewriting the IP address. If you're vulnerable without NAT, you're vulnerable with NAT in most cases here.

Typical vulnerabilities are buffer overflows in applications you use to access the internet. In particular in your browser, or in browser plugins.

Incoming connections

NAT by default blocks all incoming connections from the internet. This means if you're running some kind of server on your computer, it will not be accessible from the internet, and thus can't be easily exploited from there. This is mainly useful for servers, like Windows file sharing.

But you don't need NAT to get this. You could just as well use a firewall that blocks incoming connections.

Conclusion

The main thing NAT gains you in terms of security is blocking servers you run accidentally.

Defining incoming/outgoing connections for UDP is a bit harder. But since hole-punching requires your computer to send messages before being able to receive messages from a certain peer, counting those connections as outgoing works in this context.

CodesInChaos
  • So what measures do I need to take in order to secure my PC according to your answer? Just keep my OS up to date and have a functional AV software? – Franko Feb 17 '12 at 10:58
  • 1
    Pretty much keeping everything that's exposed to the internet up to date, and if possible sandboxed. But "How to keep my PC secure?" is a different, unrelated question. – CodesInChaos Feb 17 '12 at 11:01
  • Having an access control list set up to block all incoming connections is useful, but not a default or inherent property of NAT. – Rory Alsop Feb 17 '12 at 11:37
  • @Rory All NAT systems I've come across (only home routers) block incoming connections unless you specifically forwarded a certain port. This also seems very natural, since how would the router know to which PC an incoming connection on a certain port should go to, unless you tell it explicitly. – CodesInChaos Feb 17 '12 at 14:26
  • @dw said it better than I. – Rory Alsop Feb 19 '12 at 12:18
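The incoming/outgoing distinction drawn in both answers, and the comment that the box has no way to route an unsolicited inbound connection unless a port was forwarded, can be made concrete with a toy model of a consumer NAPT box. This is an added example, not code from either answer: all addresses and ports are constructed, and the peer-restricted UDP behaviour (a reply is only admitted from a host the PC already sent to) is one assumed policy, chosen to mirror the hole-punching remark.

```python
# Added example (not code from either answer): a toy model of a consumer
# NAPT box showing why outbound traffic passes, why unsolicited inbound
# traffic is dropped, and how an explicit port forward or an earlier
# outbound UDP packet (hole punching) changes that. Addresses are constructed.
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.7"  # constructed public address on the WAN side


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatBox:
    # (proto, external port) -> (internal host, internal port, peers contacted)
    table: dict = field(default_factory=dict)
    # static forwards the owner configured: (proto, external port) -> (host, port)
    forwards: dict = field(default_factory=dict)
    next_port: int = 40000

    def _external_port(self, proto, host, port):
        for (p, eport), (h, sp, _) in self.table.items():
            if (p, h, sp) == (proto, host, port):
                return eport  # reuse the mapping for this internal socket
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, pkt):
        """LAN -> WAN: create/refresh a mapping and rewrite the source."""
        eport = self._external_port(pkt.proto, pkt.src, pkt.sport)
        entry = self.table.setdefault((pkt.proto, eport), (pkt.src, pkt.sport, set()))
        entry[2].add(pkt.dst)  # address-restricted: remember who we talked to
        return Packet(pkt.proto, EXTERNAL_IP, eport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: deliver only via a forward or a mapping, else drop."""
        if (pkt.proto, pkt.dport) in self.forwards:
            host, port = self.forwards[(pkt.proto, pkt.dport)]
            return Packet(pkt.proto, pkt.src, pkt.sport, host, port)
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry and pkt.src in entry[2]:
            return Packet(pkt.proto, pkt.src, pkt.sport, entry[0], entry[1])
        return None  # nobody inside asked: the box has no host to give it to
```

A real box also times mappings out and may be less strict about which remote host may use a mapping; the model only shows the routing logic the answers describe.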