Local LAN Vulnerabilities and Open Ports NAT

QUESTION: How would someone go about exploiting a vulnerability within a LAN sitting behind a router running NAT/NAPT... where would you start? Hacking the open port? Routing tables? Accessing remote administration on the modem (disable NAT)?? Bah...

MY SYSTEM/SETUP: I have one XP SP2 machine providing PPTP VPN connections and a webcam security system (webcamXP). Forwarded ports: 1723/GRE/7 for the VPN and just 81 for webcamXP, plus 82 if I needed sound... I use DynDNS to link a hostname to my Internet IP.

PEN TESTING: (With NAT) If I run a security scan on my hostname (myhostname.dyndns.org) using LAN Guard Network Security Scanner with NAT/NAPT on, forwarding ports to 10.0.0.*** (XPBOX), the scanner doesn't find any computers or return any results... (Without NAT) If I place my XPBOX into a DMZ (aka Default NAPT on a Speedtouch 530) and run a scan from the outside, I can see all my open ports (1723 XP VPN, 81 webcamXP, 80 Apache, etc.) as well as a list of all possible exploits...

THOUGHTS: So having NAT/NAPT enabled is definitely good, but how would one go about gaining access to the LAN... would remote administration have to be turned on for someone to change modem settings, i.e. put a workstation in the DMZ???

MORE PEN TESTING: The only way I can see someone gaining access is by attacking webcamXP: there are vulnerabilities in the sanitization of chat text and a cross-site scripting vuln, e.g. "http://myhostname.dyndns.org:81/<script>alert('alert')</script>". Although these vulnerabilities appear to now be patched... what other options would one have?? PPTP VPN hacking... is possible, but I'm using MS-CHAPv2, which is supposedly pretty hard to crack... MS-CHAPv1 is supposedly fairly easy, but still one has to do a fair amount of work to orchestrate this attack.

HOW SECURE AM I?
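The reflected XSS the question mentions on the webcamXP chat page, shown as an added example that is not part of the question or of webcamXP's code: a handler that URL-decodes a visitor-supplied string and echoes it into HTML unescaped, beside the same handler with proper escaping. The page template, the parameter name and the "Welcome" framing are assumed; the payload is the one quoted in the question.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for a chat page that echoes a visitor-supplied string.
# This is not webcamXP's code; the template and parameter are assumed.
PAGE = "<html><body><div id='chat'>Welcome, {name}</div></body></html>"

# The probe from the question, as a browser would send it (percent-encoded).
PAYLOAD = "%3Cscript%3Ealert('alert')%3C/script%3E"


def render_chat_unsafe(raw_segment: str) -> str:
    """Vulnerable: decode the URL segment and drop it straight into markup."""
    name = unquote(raw_segment)
    return PAGE.format(name=name)


def render_chat_safe(raw_segment: str) -> str:
    """Hardened: escape for an HTML text context. quote=True also turns ' and "
    into entities, so the same helper is safe inside a quoted attribute value."""
    name = html.escape(unquote(raw_segment), quote=True)
    return PAGE.format(name=name)


# Crude detector for markup a browser would act on; enough to assert on here,
# not a substitute for a real HTML parser.
ACTIVE_MARKUP = re.compile(r"<\s*(script|img|svg|iframe|on\w+\s*=)", re.I)


def executes_script(rendered: str) -> bool:
    """True if the rendered page still contains a script tag, an active element
    or an inline event handler that the escaping failed to neutralise."""
    return ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    print("unsafe:", render_chat_unsafe(PAYLOAD))
    print("safe  :", render_chat_safe(PAYLOAD))
```

Escaping on output, in the context the value lands in, is the fix; patching one payload pattern (filtering the literal string "script", for instance) leaves the `<img onerror=...>` family untouched, which the check at the end of the test exercises.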

Answer Wiki

Using NAT and CHAPv2 is a good start, but a proper firewall (not the MS Firewall, a real one) and an IDS are necessary for optimal security. I have no recommendation for anything in the MS camp for this level of security, as I would not recommend anything less than Snort, a Linux-only IDS that is the standard by which all other IDSes are measured.


Discuss This Question: 3 Replies

  • Alfred50
    Also remember that cr(h)ackers are looking for the quickest and easiest method to enter a system. Let us not forget social engineering as an entry point. This may include anything from email, websites, soft APs (in the wireless world) and actually talking to users on your domain. If someone is targeting a specific company, it will be hard to keep them out if time is not an object. If they are targeting whatever is open and easy, a layered approach like the one you described is a good start. Also consider host firewalls and a wireless IPS for laptops that are used outside of the company, and a solution to disable the wireless card when the laptop is connected to your wired LAN.
  • Bobkberg
    Interesting question... but there's a key point that you haven't addressed. That is: "Is your specific network/organization being targeted?" or "How resilient are your network and users (key point: users) to all of the various spyware and worse running around out there?" In my experience, the people who are REALLY out to target your network are (as Alfred50 pointed out) more likely to resort to social engineering and the like. OR... they are going to be Veeeeeerrrryyyy sneaky. So would you be so kind as to describe what sort of vulnerability or attack you are most concerned about? Then we (collectively) can give you a better feel for the risks you face. On a somewhat different tangent (although not entirely), I'm more concerned about spyware, peer-to-peer (P2P) applications putting trojans into your network, apps like Skype which promise free phone service but silently use your system to process their calls, and the like. The lure of "free" has gotten many an organization into trouble. My $.02 worth... Bob
  • Ultrix
    The definition of a DMZ is that there is no default port filtering, so it makes sense that a default set-up would show the port scanner all of your open ports. There is a Windows port of Snort that is pretty good. The configuration of Snort, or any other network IDS, is key, though. If you want to warrant or guarantee the configuration, prepare to read a lot about Snort (luckily there are several books on the subject), or to pay a non-trivial amount for it. Merely installing Snort is not exactly a walk in the park, either. There are 8 other packages that need to be present for Snort to work. There is a lot of info on the web about it. Set up a test machine in the same environment and play on it until you are happy, then do the production install. Your biggest danger is still probably from an insider at your organization, either accidentally or purposefully giving out sensitive material or misconfiguring the software on the server or some other machine in the LAN.
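The two scan results in the question (nothing with NAT on and only port forwards, everything once the XP box is the default NAPT/DMZ host) and Ultrix's point that a DMZ host gets no default filtering, modelled as an added example that is not from the question, the replies or any router vendor. The LAN address 10.0.0.100 is assumed (the question masks it), the listening services are taken from the DMZ scan, and the explanation of the empty NAT-on result, that the scanner pings first and ICMP is never forwarded so the host looks down, is an assumption about how LAN Guard behaves, not something the question states.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed model of a home NAPT router with explicit port forwards and an
# optional "default host" (the Speedtouch "Default NAPT" / DMZ setting).
# The LAN address is assumed; the question masks the last octet.
XPBOX = "10.0.0.100"

Service = Tuple[str, Optional[int]]   # (protocol, port); port is None for GRE/ICMP


@dataclass(frozen=True)
class Forward:
    proto: str               # "tcp", "udp", "gre", "icmp"
    ext_port: Optional[int]  # None for port-less protocols
    lan_host: str


# The forwards from the question: PPTP control, GRE for the tunnel, webcamXP video.
# 82/tcp (webcamXP sound) is intentionally absent, and nothing forwards ICMP.
FORWARDS = (
    Forward("tcp", 1723, XPBOX),
    Forward("gre", None, XPBOX),
    Forward("tcp", 81, XPBOX),
)

# What actually listens on the XP box, taken from the DMZ scan in the question,
# plus ICMP echo (XP answers ping when nothing in front of it filters it).
LISTENING: Set[Service] = {
    ("tcp", 1723), ("tcp", 81), ("tcp", 82), ("tcp", 80),
    ("gre", None), ("icmp", None),
}


def translate(forwards, default_host, proto, port):
    """LAN host the router hands an unsolicited inbound packet to, or None.
    An explicit forward wins; otherwise everything goes to the default host;
    with neither there is no NAPT state for the packet and it is dropped."""
    for f in forwards:
        if f.proto == proto and f.ext_port == port:
            return f.lan_host
    return default_host


def exposed(forwards, default_host, listening=LISTENING):
    """Services an outside scanner can reach: translated onto the XP box AND
    backed by a listener there. A forward to a closed port shows up as closed,
    not as a service, so it is not counted."""
    return {svc for svc in listening if translate(forwards, default_host, *svc) == XPBOX}


def scanner_view(forwards, default_host, listening=LISTENING, ping_first=True):
    """LAN Guard-style scan: ping sweep first, port scan only hosts that answered.
    Assumption: with ICMP not forwarded the host looks down and the scanner
    reports nothing at all, which matches the question's NAT-on result."""
    reachable = exposed(forwards, default_host, listening)
    if ping_first and ("icmp", None) not in reachable:
        return set()
    return reachable


if __name__ == "__main__":
    print("NAT on, no DMZ, ping-first scan  :", scanner_view(FORWARDS, None))
    print("NAT on, no DMZ, scan without ping:", scanner_view(FORWARDS, None, ping_first=False))
    print("Default NAPT host (DMZ)          :", scanner_view(FORWARDS, XPBOX))
```

The middle case is the one worth noticing: an attacker who skips host discovery and probes the forwarded ports directly still reaches 1723/tcp, GRE and 81/tcp, so "the scanner found nothing" is a property of the scan, not of the network. NAT hides the unforwarded ports (80, 82) and nothing else; what is forwarded is exactly as exposed as it would be in the DMZ.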
