Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Forward Pinhole Requirements and Options
Forwards an inbound packet sent to a configurable port on the WAN interface of the FT to an internal
address and port.
This could be implemented as a network address translation (NAT) function mapping between an FT's
{external address, external port} tuple and a specified {internal address, internal port} tuple.
As an alternative, TCP and UDP support could be implemented as a proxy socket that accepts
connections on an FT's WAN interface and port and connects to a specified internal address and port.
Options: for each option letter, at least one numbered choice must be selected to provide a working implementation:
A) packet IP source validation
1. forward all inbound packets regardless of source IP
or
2. only forward inbound packets that match a specific IP address/mask or range
B) NAT of inbound packet source IP
1. none (a straight port forward does not hide the source IP); this is the purer form
or
2. change the source IP to the FT's LAN IP (essentially a dual NAT translation on the packet)
• N/A to non-router APs
C) pinhole duration
1. mission
or
2. mission start + timeout
or
3. window
connection timeout (device-, Linux- or implementation-specific keep-alive workarounds?)
D) kernel (netfilter-based) or application-layer pinhole implementation
1. netfilter-based implementation
Pros
implementation could be as simple as applying the current proxy code to inbound connections
Cons
?
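As an added example from the defender's side (it is not part of this document or of the project it describes), the following Python script audits an `iptables-save` dump for the kind of pinhole described above: DNAT rules in nat/PREROUTING that map a port on the WAN interface to an {internal address, internal port} tuple. For each one it records whether the rule is source-restricted (option A) and whether a POSTROUTING SNAT rewrites the source to the LAN IP (option B), then flags any mapping the administrator did not declare. The interface names, addresses and allowlist are constructed sample values.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pinhole:
    iface: str                      # ingress (WAN) interface, '*' if the rule does not restrict it
    proto: str
    dport: str                      # external port on the WAN side
    to_dest: str                    # "internal_ip:port" from --to-destination
    source_filter: Optional[str] = None  # None = option A1 (any source); else the option A2 match
    source_rewritten: bool = False  # True = option B2 (a POSTROUTING SNAT hides the real source)

def _opts(tokens):
    """{flag: value} for one iptables rule; a flag preceded by '!' is keyed as '!flag'."""
    out = {}
    for i, t in enumerate(tokens):
        if t.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            out[("!" if i and tokens[i - 1] == "!" else "") + t] = nxt if not nxt.startswith("-") else True
    return out

def parse_pinholes(dump: str):
    """One Pinhole per DNAT rule in the nat table's PREROUTING chain of an iptables-save dump."""
    table, pinholes, snat_dests = None, [], set()
    for line in (ln.strip() for ln in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A "):
            o = _opts(shlex.split(line))
            if o.get("-A") == "PREROUTING" and o.get("-j") == "DNAT":
                pinholes.append(Pinhole(o.get("-i", "*"), o.get("-p", "all"), o.get("--dport", "*"),
                                        o.get("--to-destination", "?"), o.get("-s")))
            elif o.get("-A") == "POSTROUTING" and o.get("-j") == "SNAT" and "-d" in o:
                snat_dests.add(o["-d"].split("/")[0])  # iptables-save writes hosts as a.b.c.d/32
    for p in pinholes:
        p.source_rewritten = p.to_dest.split(":")[0] in snat_dests
    return pinholes

def unexpected(pinholes, allowlist):
    """Pinholes whose (iface, proto, dport, to_dest) the administrator never declared."""
    return [p for p in pinholes if (p.iface, p.proto, p.dport, p.to_dest) not in allowlist]
SAMPLE_DUMP = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -s 203.0.113.0/24 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22
-A POSTROUTING -o br-lan -d 192.168.1.10/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.1.1
COMMIT
"""  # constructed sample (not from a real device): eth0 = WAN, br-lan = LAN
ALLOWLIST = {("eth0", "tcp", "2222", "192.168.1.10:22")}  # constructed: the only forward the admin set up
```

Run against the sample, the audit reports the any-source forward of WAN port 8080 to 192.168.1.50:80 as undeclared, while the source-restricted, SNAT-backed 2222 forward is on the allowlist.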