[Dshield] NAT: Secure?

Micheal Patterson micheal at cancercare.net
Thu Aug 28 04:31:36 GMT 2003


----- Original Message ----- 
From: "Alan Frayer" <afrayer at frayernet.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, August 27, 2003 10:47 AM
Subject: Re: [Dshield] NAT: Secure?


> On Wed, 2003-08-27 at 10:04, Micheal Patterson wrote:
>
> > Provided that there are no static NAT entries pointing back to internal
> > hosts / ports, then I'd say it is one of the most secure methods of
> > internet connectivity. NAT is pretty much a one-way door with outbound
> > traffic leaving, for a short time, an opening allowing a response from
> > the contacted remote host and port combination and only from that
> > host/port combination.
>
> Since NAT users can't switch off ports, and since they activate ports
> all the time with their IM and pop-up traffic, is it really that secure?
> I read about steps we need to take to close ports on commercial
> firewalls, and I wonder what is there to protect the home network?

That's a valid question. NAT by default will not allow any traffic into a
system behind it until an internal system requests communications to / from
a remote host.

When an internal system communicates with an outside source (www, FTP, email,
etc.), it opens a connection to the remote host. NAT will take the source
IP:port combo and remember it. It does this by setting up a dynamic link
between the two hosts based on the IP:port set of each end. For example,
you're NAT'd and check your mail on an off-LAN POP3 server. Your internal
system is 192.168.1.1. When you make the connection, NAT will take the
source port, say 2058 (192.168.1.1:2058), and the remote host, say
208.6.166.28 on port 110, and make a dynamic entry that allows traffic
between the pair. Only traffic inbound from 208.6.166.28 port 110 can talk
to 192.168.1.1 at port 2058. If 208.6.166.29:110 tries to return the
response, the NAT should by design deny the packet. I see this quite often
in some of the LANs that I set up. Many of these people use one or more of
the webmail services that are clustered with multiple IPs, and transmissions
will go out, another IP will respond from the cluster, and the connection is
dropped and the process starts over until the same host responds
accordingly. As was mentioned in another response, another function of NAT
allows multiple internal IPs to use one outside IP. This essentially sets
up a DMZ.

I've always looked at NAT as a rudimentary stateful firewall personally, as
that's how it functions by design. You can circumvent this by placing what
is called a static NAT map / translation that will redirect inbound traffic
to, say, port 25, to an internal machine on port 25. Most of the cable/DSL
routers have the ability to set up one static host entry to divert all
traffic to the outside IP to one system internally. This option doesn't work
if you have your services on multiple internal systems, however. In my
opinion, NAT itself is a good start; a NAT + firewall combination is always
better, since NAT will take any outbound traffic and create a dynamic link
for it.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230
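The following is a toy model of the dynamic NAT table described in the message above. It is an added example, not code from the original post or from any real NAT implementation. The addresses 192.168.1.1:2058, 208.6.166.28:110 and 208.6.166.29 come from the message; the NAT device's public address (203.0.113.5, from the documentation range), the idle timeout, the static map to 192.168.1.10:25 and the second remote host 198.51.100.7 are constructed for the example. It shows the three behaviours the message relies on: a reply from the exact contacted host/port is admitted, a reply from another host in the cluster (or after the entry has idled out) is dropped, and a static NAT map reopens one port to unsolicited traffic.

```python
"""Toy stateful NAT table. Added example; addresses other than those in the
message and the ENTRY_TIMEOUT value are assumptions, not from the post."""
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.5"   # assumed public address of the NAT device
ENTRY_TIMEOUT = 300           # assumed idle lifetime of a dynamic entry (seconds)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SimpleNAT:
    """Outbound flows create entries keyed on the full remote ip:port, so only
    that remote endpoint can send traffic back in; static maps bypass this."""

    def __init__(self, external_ip=EXTERNAL_IP):
        self.external_ip = external_ip
        # (ext_port, remote_ip, remote_port) -> [internal_ip, internal_port, last_seen]
        self.dynamic = {}
        # ext_port -> (internal_ip, internal_port): the static "port forward" maps
        self.static = {}
        self.next_port = 1024

    def add_static(self, ext_port, internal_ip, internal_port):
        """Static NAT map: anything arriving on ext_port goes to one internal host."""
        self.static[ext_port] = (internal_ip, internal_port)

    def _expire(self, now):
        """Drop dynamic entries idle longer than ENTRY_TIMEOUT (the 'short time')."""
        for key in [k for k, v in self.dynamic.items() if now - v[2] > ENTRY_TIMEOUT]:
            del self.dynamic[key]

    def _allocate_port(self, preferred):
        """Keep the internal source port as the external port when it is free."""
        used = {k[0] for k in self.dynamic} | set(self.static)
        if preferred >= 1024 and preferred not in used:
            return preferred
        while self.next_port in used:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt, now):
        """Translate a LAN packet outward, creating/refreshing its dynamic entry."""
        self._expire(now)
        for (ext_port, rip, rport), entry in self.dynamic.items():
            if (entry[0], entry[1], rip, rport) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                entry[2] = now
                return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._allocate_port(pkt.src_port)
        self.dynamic[(ext_port, pkt.dst_ip, pkt.dst_port)] = [pkt.src_ip, pkt.src_port, now]
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Return the packet as delivered into the LAN, or None if NAT drops it.
        Dynamic entries match only the exact remote ip:port that was contacted."""
        if pkt.dst_ip != self.external_ip:
            return None
        self._expire(now)
        entry = self.dynamic.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is not None:
            entry[2] = now
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if pkt.dst_port in self.static:
            iip, iport = self.static[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, iip, iport)
        return None


def demo():
    """The POP3 scenario from the message, plus a constructed static map for port 25."""
    nat = SimpleNAT()
    t0 = 0
    out = nat.outbound(Packet("192.168.1.1", 2058, "208.6.166.28", 110), t0)
    results = {
        "translated": out,
        # reply from the contacted host and port: admitted
        "reply_ok": nat.inbound(Packet("208.6.166.28", 110, EXTERNAL_IP, out.src_port), t0 + 1),
        # a different IP in the server cluster answering: dropped
        "wrong_host": nat.inbound(Packet("208.6.166.29", 110, EXTERNAL_IP, out.src_port), t0 + 1),
        # right host, wrong source port: dropped
        "wrong_port": nat.inbound(Packet("208.6.166.28", 111, EXTERNAL_IP, out.src_port), t0 + 1),
        # the same reply after the entry has idled out: dropped
        "stale": nat.inbound(Packet("208.6.166.28", 110, EXTERNAL_IP, out.src_port), t0 + ENTRY_TIMEOUT + 10),
    }
    # a static map admits unsolicited traffic on one port with no prior outbound flow
    nat.add_static(25, "192.168.1.10", 25)
    results["static_ok"] = nat.inbound(Packet("198.51.100.7", 40000, EXTERNAL_IP, 25), t0)
    results["unsolicited"] = nat.inbound(Packet("198.51.100.7", 40000, EXTERNAL_IP, 80), t0)
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {'DROP' if pkt is None else pkt}")
```

Running the module prints one line per case; the "wrong_host" case is the webmail-cluster behaviour the message describes, and the "static_ok" case is the door a static map opens, which is why the message recommends a firewall in front of any forwarded port.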