NAT is not a mechanism for securing a network.. but.. HELP!

This is why I added "with filtering capabilities".

Yours, VB.

Reply to
Volker Birk

I cannot see that a switch with VLAN is blocking any traffic. If I configure port filtering on a device, this device definitely is blocking traffic.

Yours, VB.

Reply to
Volker Birk

Why the need of a pair in Static NAT when we just need to translate one public ip address to an internal one?

Why doesn't it use the same random port as 10.0.0.1 picked?


I thought the ability of the NAT router to detect if a packet from a remote host was a response to a previously initiated connection attempt from inside the LAN was SPI.

Why don't both 10.0.0.1 and 217.0.116.71 use the same port number?

I assume 217.0.116.71 is the gateway of the router (the LAN IP), but maybe you are mistaken, because this is not on the same subnet as 10.0.0.1.

Reply to
Nicky

They didn't "add" anything to NAT, that's how it's supposed to work - if it doesn't know where to send the packets, they just die.

NAT has several modes, one of them is 1:1 NAT, meaning no port blocking, just map everything from 1 IP to another 1 IP. The method used in the NAT routers you purchase for home use doesn't even include the ability to route multiple WAN IPs.

Reply to
Leythos

Yes, basically that's the idea.

It can be many WAN IPs to many internal IPs, as long as it's mapped 1:1.

You set up FORWARDING so that inbound port 80 goes to some location in your LAN - you manually set this up, there is no automatic setup for it.

The source outbound port doesn't mean anything, only the port the source wants to connect to.

Reply to
Leythos

Many implementations of static NAT allow assigning port/IP address pairs to each other, not only IP addresses. This is why I asked what our friend meant with "1:1", because this usually means n*m : l*k.

Usually, a port range on the masquerading interface is used as a reservoir for assigning port/IP address pairs dynamically to them, together with some connection tracking algorithms or even heuristics, so that those ports can be deallocated again if not needed any more.

For masquerading, say: source NAT, i.e.:

10.0.0.1:32769 -> 217.0.116.71:4097 for TCP socket to 212.75.36.180:80

(if the operating system on 10.0.0.1 is using ports > 32768 for giving them to processes which call connect() without bind(), and the NAT box has a port reservoir between 4096 and 32767).

Yours, VB.

Reply to
Volker Birk

That was my point. The side effect of NAT is packets not being routed if there is nowhere to which to route them. The filtering may be minimal, but it provides some degree of protection. Enough for the home users to which the devices are marketed.

Reply to
CyberDroog

LOL

Duane :)

Reply to
Duane Arnold

It's uncommon to map just an IP address to another. Usually, you're just mapping the ports for the services you want to be seen "outside".

Because this perhaps will run into trouble, if 10.0.0.2 is connecting at the same time.

If you mean stateful inspection with SPI here, yes. This is what I'm referencing.

Of course, for protocols which use simple TCP sockets, no stateful inspection is needed for connection tracking.

Because, if there are many hosts inside, then this could lead into trouble.

217.0.116.71 here is the address of the "outside" interface, and 10.0.0.1 is one of the addresses in the "inside" network.

Yours, VB.

Reply to
Volker Birk

Thankfully, Duane preserved the article. He posted it on usenet in 2004. I appreciate it

hip hip, hooray!

I am no expert. I am a newbie. But, looking at this article, I don't think any of it 'busts a NAT myth'. I put some comments in square brackets after some of the paragraphs. It is all very straightforward. I'm quite confident with the comments I've written in square brackets below the paragraphs.

I am no doubt wrong with parts of this sentence, but I have heard that these NAT features are actually part of a firewall, and not a router. So-called NAT devices, or home routers, are not routers. The best thing is a proper router and a proper firewall. Perhaps a firewall can implement NAT too. NAT is primarily for handing out less public email addresses. But these NAT devices do NAT with a firewall. Maybe it is more secure?

Busting the NAT Myth By Sig Fidyke, Senior Product Manager, and Scott Pinzon, LiveSecurity Lead Editor, WatchGuard Technologies, Inc.

Have you ever settled down to dinner, only to be interrupted by unsolicited telemarketing phone calls? It makes you glad that at work, your business has a main number other than your desk phone. If necessary, you can tell the company receptionist, "Unless my boss or my spouse calls, don't forward any calls to me." Then if telemarketers call the main number, looking for you, the receptionist terminates their call without bothering you. In fact, if you wanted, you could keep your desk phone number completely private so that no one knew it except fellow employees and close family members.

However, if you achieved that ideal, would you then say, "My private phone number makes me safe in all regards. Now we can fire the company's security guards and leave the doors unlocked"? Foolish, right? Yet for some reason, many people follow that very logic when concluding that a NAT device is a firewall. This article debunks the myth that a NAT device is "good enough" security, and explains why you're better off using a real firewall to protect your network.

NAT Attacks

Network Address Translation, or NAT, works roughly like the receptionist in our opening illustration. It hides your private, or unregistered, network addresses from the public. When packets leave your network, heading for the wild Internet, a NAT device replaces all private IP source addresses with one public address (usually its own). Since the NAT box advertises its own address to the world as the source address, all replies from the wild Internet return to the NAT device, analogous to the way phone calls to everyone at your company might first come to a main phone number. And just as the receptionist answering the main number can redirect incoming phone calls to the desired individual, NAT checks an internal table to redirect replies to the appropriate computer inside the network. If an attacker initiates a connection to your network through some oddball port, like 31337, the NAT box would check its table and think, "Gee, no one inside this network requested information on port 31337. Now I don't know who to send this packet to." Typically, it then drops the packet. So, in this sense, NAT-only devices do provide a modicum of security. (The rest of this article assumes you understand basic NAT, so if the concept is new to you, before continuing you might want to read "Using Network Address Translation" and "How and When to Use 1:1 NAT.")

Since NAT is designed to do the best it can to allow traffic in, any security benefits it provides are mere side-effects. Hackers have developed attacks specifically for NAT devices, such as the following.

Exploiting open ports. For port-based NAT, once a NAT device opens a port by putting it in the NAT table, all traffic destined to that port is allowed through to the local computer identified in the table. NAT substitutes unusual ports for well-known ports, but usually derives its substitute port numbers from a standard range. Hackers can persistently keep guessing at which ports NAT has opened until they get through. Since they use automated programs to do this, the hacker doesn't have to be overly persistent or lucky -- he just tries a lot of addresses until something breaks.

[but a NAT device is quite secure in closing all ports by default. Only port forwarding those that you tell it to port forward]

Taking the DMZ server. Some NAT devices can be configured so that packets not matching anything in the NAT table are sent to a specified computer, rather than discarded. This gives the administrator a chance to ensure that good traffic is not lost, and to allow a program to work that won't work through NAT. But it's horrible from a security perspective. It means the NAT device sends everything through. Once a hacker gets control of the one computer where everything goes, he can easily access any other computer on the same network.

Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone with sufficient technical knowledge, using hacking tools freely available on the Internet, can put another user's IP address in the "From" (source) field of packets. Since NAT relies on analyzing addresses, false addresses compromise NAT devices easily.

[wouldn't the NAT device just drop the packet if the Source IP address doesn't match its address]?

Default remote access. Many NAT devices leave a port open to the public Internet, to allow remote administration. The port is protected by a password. Hackers circulate lists of open ports and the default passwords set by the manufacturer of each NAT device. If you haven't changed the default password protecting your NAT device, knowledgeable attackers can log themselves in and reconfigure your device. Then they have administrative privileges, and you don't.

[That is a very dangerous option to use. I have it on my NAT Device - it was disabled by default. I wouldn't use it. But if I did use it, I would use the additional option, which is to restrict access to only come from a specific IP address or small range of IP addresses. If this option were used, it'd be very dangerous, akin to letting somebody else control your receptionist and get her to accept a call and redirect your call to whoever!]

NAT devices were not designed to be true security devices, so they have a weak security stance. For example, a hacker can send an "anybody there?" message, called a ping, to millions of addresses. Firewalls recognize ping and hide themselves. NAT devices respond, letting the hacker know he's found a live connection. NAT devices don't do any egress filtering, either. So clearly, a NAT device is not a full security solution.

[ok. NAT devices close ports; they respond saying they're closed, rather than stealthing the ports - not responding at all. Perhaps that is less secure. It gives away your existence. They have your IP (your router's public/NATTED IP), and you haven't even made an outgoing connection. But there was a recent thread that said there is a debate over whether stealth is more secure than closed.]

Firewall Advantages

Don't get us wrong. We like NAT. We think NAT is both cool and necessary. Our point is that a real firewall offers additional, significant security improvements on top of NAT. Here are a few.

[My NAT device does contain a firewall. In fact, I have heard that NAT and port forwarding are features of a firewall. The fact that they say "a real firewall" may imply that they are aware that NAT devices use a firewall. Perhaps a real router and a real (separate) firewall are better. NAT devices don't stealth ports like a 'real firewall' would]

Authenticating connections. A NAT device checks only the source IP address, destination IP address, and related port numbers to decide if traffic is valid. A real firewall goes further. In addition to IP address and port information, the firewall also checks, for example, the sequence number of the packet for duplicates or out-of-bound values (hackers try to recycle an existing packet header with different data inside). Other firewall verification steps include user authentication, packet content inspection (e.g., does this HTTP packet really contain HTTP information?), and checking the IPs against black-listed sites.

Controlling outbound traffic. Any defense offered by a NAT device deals only with inbound connections. Firewalls offer egress filtering -- the ability to close outgoing connections. Many Trojans are programmed to infect a machine, then "phone home" to their creator, using an obscure outbound port; egress filtering can stop this. Similarly, when worms infect a machine and seek to spread, egress filtering can prevent your network from becoming the worm's next launching pad.

Securely handling special cases. True firewalls are aware of, and support, numerous applications that require special handling. Some NAT and low-cost "firewall-like" routers basically have to be shut off to allow, say, NetMeeting or audio/video streaming to function. Real firewalls handle them securely and without special user requirements. The firewall first identifies the packets as coming from a special application. It then rewrites and re-routes the packets compatibly with both the application and NAT.

Robust processing power. Inexpensive NAT devices typically don't include the powerful processors required for "deep packet inspection." Even "firewall-like" routers will typically degrade significantly in performance if called upon to inspect each packet. Only devices designed to be a true firewall contain the muscle needed to combine security and performance.

The list of firewall advantages goes on, including detailed logging that recognizes and records attacks; centralized management; and, in more expensive firewalls, advanced networking features (such as VLAN support and Quality of Service), the ability to set different policies for multiple networks, time-based policies, and more.

Conclusion

We hope you now understand the difference between a good-as-far-as-it-goes NAT box and the multi-faceted, layered security a firewall can offer. Though NAT can provide the equivalent of an "unlisted number" for clients on your network, that falls short of complete security. If you're serious about protecting your remote users and your network, deploy real firewalls -- preferably firewalls certified by a neutral third party, such as ICSA labs. The recent Sasser worm spread wildly even though it was helpless against firewalls -- which demonstrates afresh that your network security is only as good as your remote user security.

Reply to
jameshanley39
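To make the two mechanisms debated in this thread concrete, here is a small, added simulation (not code from any poster or from the WatchGuard article) of a masquerading NAT box. It uses the addresses from Volker's example (10.0.0.1:32769 -> 217.0.116.71 for a TCP socket to 212.75.36.180:80, with a port reservoir of 4096-32767) and shows why two inside hosts that picked the same local port get different outside ports, how a reply is mapped back, how an unsolicited inbound packet (e.g. to port 31337) is dropped because no table entry matches, and how connection tracking returns a port to the reservoir. The class and method names are my own; nothing here models a specific product.

```python
# Added example: port-based source NAT (masquerading) with a connection table.
# Outside address, port reservoir and inside hosts are taken from the thread;
# the rest is a constructed illustration, not a real router's implementation.

OUTSIDE_IP = "217.0.116.71"


class SourceNat:
    """Minimal masquerading NAT: one reservoir port per tracked connection."""

    def __init__(self, outside_ip=OUTSIDE_IP, first_port=4096, last_port=32767):
        self.outside_ip = outside_ip
        self.free_ports = list(range(first_port, last_port + 1))  # port reservoir
        # (inside_ip, inside_port, dst_ip, dst_port) -> outside_port
        self.out_table = {}
        # (outside_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet; allocate a reservoir port on first sight.

        Returns the rewritten (src_ip, src_port, dst_ip, dst_port) tuple.
        """
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            port = self.free_ports.pop(0)  # distinct even if two hosts chose 32769
            self.out_table[key] = port
            self.in_table[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.outside_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Reverse translation for a packet arriving at the outside interface.

        Returns the (inside_ip, inside_port) to forward to, or None when no
        connection in the table matches, i.e. the packet is dropped.
        """
        return self.in_table.get((dst_port, src_ip, src_port))

    def close(self, src_ip, src_port, dst_ip, dst_port):
        """Connection tracking: free the reservoir port when the flow ends."""
        port = self.out_table.pop((src_ip, src_port, dst_ip, dst_port))
        del self.in_table[(port, dst_ip, dst_port)]
        self.free_ports.append(port)


if __name__ == "__main__":
    nat = SourceNat()
    print(nat.outbound("10.0.0.1", 32769, "212.75.36.180", 80))
    print(nat.outbound("10.0.0.2", 32769, "212.75.36.180", 80))
    print(nat.inbound("212.75.36.180", 80, 4096))   # reply -> ('10.0.0.1', 32769)
    print(nat.inbound("198.51.100.9", 31337, 31337))  # unsolicited -> None (dropped)
```

Repeating an outbound call for an existing flow returns the same mapping, so the table acts as the "receptionist's list" the article describes: only a reply matching a tracked connection is forwarded inside.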
