NAT Security

Discussion in 'Home Networking' started by Geoff Lane, Jun 9, 2005.

  1. Geoff Lane

    I appreciate that NAT is not an actual firewall but is supposedly very
    secure.

    If you operate a server (or DMZ) behind a NAT router I assume someone
    with a port scanner would get the address of your router and the open
    machine. Would this not give them an opening into the local network?

    Geoff Lane
     
    Geoff Lane, Jun 9, 2005
    #1

  2. Dean Jarratt

    Doesn't necessarily have to be a DMZ. Port forwarding will work in most
    cases.

    'Hackers' may be able to access your local network through the server,
    depending on how much security the server has, and depending on what ports
    you 'open up'.

    My advice is simply open the ports you want the outside world to have
    access to, and make sure applications attached to those ports are secured.

    It's sometimes a nice idea to open up an FTP port to a machine with an FTP
    server hosting no files and seeing who logs onto your FTP server without
    authorization.
     
    Dean Jarratt, Jun 9, 2005
    #2

  3. It would give them access to the open ports. So if you have a web
    server you port forward only port 80 and they can't use the other
    ports to exploit holes in Windows.

    If you have a DMZ the point is that anything on that part is open to
    the outside so you don't put vulnerable stuff on a DMZ. Think of it as
    having two locked rooms and you open the door to the DMZ but keep the
    LAN room firmly locked.

    Phil
     
    Phil Thompson, Jun 9, 2005
    #3
  4. Adam Piggott


    Indeed. Unsolicited traffic, or that to a port which is not forwarded is
    rejected.

    They have to have the address of the router to scan it. :)

    I'm not 100% sure if they can decode the packets sent by the router to get
    the IP address of the internal machine. Either way, IMO knowing an address
    of an internal machine is mostly trivial.

    Yes, which is what you want, assuming you're running a server on the local
    network.
    As long as the listening program on the server is configured securely etc.
    you should have no problem. You could also leave the server program off
    when not needed, depending on what it's for.

    Also the firewall on the NAT device can be used to only allow specific IP
    addresses/ranges to connect to the port, again, if it fits the intended
    users of the service.

    HTH!

    --
    Adam Piggott, Proprietor, Proactive Services (Computing).
    http://www.proactiveservices.co.uk/

    Please replace dot invalid with dot uk to email me.
    Apply personally for PGP public key.
     
    Adam Piggott, Jun 9, 2005
    #4
  5. poster

    Possibly, but you then have a firewall on the server handling <whatever>

    In my case, when using a PC on my LAN for e-mail, it was set to accept only
    from certain specific IP addresses (mail going to various domains on a few
    hosting services would forward to a mail address where the domain had its
    MX record pointing to my ADSL connection... someone sending direct will
    be blocked by the firewall and only mail via those hosting services was
    accepted). Clearly it depends what you are using the machine for - mail
    is one of the worst examples as you'd normally want to make it accept any
    incoming traffic, however for SSH / VNC you may want to allow access only
    to a small number of remote IP addresses, so the fact a port is 'open' is
    still not much good from other IP addresses... Peter M.
     
    poster, Jun 9, 2005
    #5
  6. Paul D.Smith

    Any server with an open port is potentially vulnerable and could compromise
    your network. If you want to be very safe/paranoid, you can do the
    following...

    Modem --- NAT/firewall #1 --- Server
                     |
                     +--------- firewall #2 -------- Your LAN

    Now you explicitly connect to your server as if it's as untrusted as the
    rest of the Internet. Assuming you have the firewalls all on, you've
    created a DMZ where your server is (a little bit) vulnerable but your own
    LAN should be less so.

    Paul DS.
     
    Paul D.Smith, Jun 9, 2005
    #6
  7. Geoff Lane

    That's quite a good idea. I'll give that a try when I set up my
    network properly; at the moment only one of two laptops connects as and
    when required, but I intend to connect an older desktop machine as a
    file server.

    Geoff Lane
     
    Geoff Lane, Jun 9, 2005
    #7
  8. Geoff Lane

    I'm not paranoid (I hope) but if I understand potential openings I can
    be sensible regarding securing files and safeguarding against viruses
    etc.
    I think I understand, for the secure part of the network I suppose I
    could set up the IP filter to only allow connection from the local
    network.

    Geoff Lane
     
    Geoff Lane, Jun 9, 2005
    #8
  9. Geoff Lane

    I think I typed it the wrong way round :)) but are there not
    programs used by the 'crackers' that port scan masses of IP addresses?
    It's just when you read that some US Government computer has been
    hacked it would appear nothing is really secure.
    At the moment I have no specific IP rules set up on my Draytek 2600;
    the router and my software FW ZoneAlarm seem to keep me quite secure.

    Geoff Lane
     
    Geoff Lane, Jun 9, 2005
    #9
  10. Geoff Lane

    I'm not sure if I follow this one, your route to server via FW#1
    appears to go through the NAT but FW#2 direct to the modem.

    The FWs you refer to, are they software FWs or hardware?

    Geoff Lane
     
    Geoff Lane, Jun 9, 2005
    #10
  11. I think where the poster is coming from is that if you open a specific
    service you may be able to exploit it and gain access to the internal
    network. Using the example of opening the Windows XP telnet service
    to the outside world, then an attacker gaining access to the command
    prompt from outside - they then have a prompt and can access other
    resources on the internal network - very unsafe. The same is also
    true of any service, especially if there is a known vulnerability in
    that service.

    It is also possible to confuse some NAT implementations by exploiting
    a service, making a connection to your public IP and then connecting
    back to the public IP of the compromised host, thus possibly gaining
    access to more machines inside.

    If you open up ports externally you should treat these machines as
    being accessible from the Internet and should take precautions as
    necessary - don't let the word NAT make you think you are behind a total
    smoke screen.
    This term is used very loosely - I always think of it as the way you
    describe, but in some places the DMZ is a shut door from one part of
    the LAN but is still given a private IP, with a mapping to a public IP
    if necessary.

    Thanks.
    Andrew.
     
    Andrew Hodgson, Jun 9, 2005
    #11
  12. Alex Fraser

    [snip]
    Can you give a more concrete example of what you mean?

    [snip]
    The term DMZ has been abused by manufacturers of "consumer" routers. A real
    DMZ is a separate network, i.e. there is a router (and firewall) between
    machines in the DMZ and other machines. A more accurate description of what
    consumer routers offer would be a "default port forwarding" setting.

    Alex
     
    Alex Fraser, Jun 9, 2005
    #12
  13. Paul D.Smith

    Perhaps you are using a different font to me (use fixed pitch). The
    connections are something like the following...

    ADSL is connected to a modem. This could be a Netgear DG384G which has
    combined modem/NAT/firewall. If not, connect the NAT/firewall to the modem
    and, if needed, a switch to the LAN side of the NAT/firewall.

    Now from NAT/firewall #1 (or the switch) connect on cable to the server.
    Open ports on FW#1 to allow access from the outside world.

    Also from FW1, connect a cable to firewall #2. From the safe side of FW
    #2, connect a cable to your LAN.

    So the routes from Internet to machine are....

    ADSL--modem--NAT/FW1--switch--server
    ADSL--modem--NAT/FW1--switch--NAT/FW2--switch--LAN

    remember that "modem--NAT/FW1--switch" could be a combined DG384G type
    machine and "NAT/FW2--switch" could be what is often referred to as a
    "cable/DSL router".

    Also, if your "LAN" is a single machine, you could replace "NAT/FW2--switch"
    with just running a firewall (ZoneAlarm or similar) on the "LAN PC".

    So, there is a route from the internet to server 1 but no way to "attack"
    the LAN.

    Does this all make sense now?
     
    Paul D.Smith, Jun 10, 2005
    #13
  14. You could SSH into one machine, then into another private machine.
    You could then connect to a service on your host through that machine,
    then connect back to the public IP, which will sometimes give you open
    ports on the inside machine you SSH'd into from the first machine.

    Thanks.
    Andrew.
     
    Andrew Hodgson, Jun 10, 2005
    #14
  15. Geoff Lane

    Spot on.
    I do run a software FW (zoneAlarm) as well but I've only got my
    router's IP FW set at the default settings which disallows ports 137
    to 139 connecting to port 53.

    Geoff Lane
     
    Geoff Lane, Jun 10, 2005
    #15
  16. Geoff Lane

    I think I've got it now, the LAN actually passes through two NATs
    whereas the server passes through just one.

    Geoff Lane
     
    Geoff Lane, Jun 11, 2005
    #16
  17. Paul D.Smith

    > I think I've got it now, the LAN actually passes through two NATs
    Correct. Actually you can drop (or disable) the second NAT. The important
    bit is the second firewall which stops connections coming "inbound" from a
    compromised server into the rest of your LAN.

    FYI, I put the second NAT in because a lot of standalone boxes have both NAT
    and firewall built in. But you should be able to disable the NAT function
    on the second one.

    Paul DS.
     
    Paul D.Smith, Jun 13, 2005
    #17
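    A constructed model of the two-firewall layout Paul lays out in #6, #13 and #17, added here as an illustration and not code from any poster; the zone names, the 192.168.x addresses and the sample ports are assumptions, and a "flow" is a new connection attempt, with reply traffic assumed to be handled by the firewalls' state tracking. Running it side by side with the single-NAT layout from #1 shows why the second firewall, not the second NAT, is what keeps a compromised server out of the LAN.

```python
# Added example, not from the thread: a small model of the two-firewall layout
# from posts #6, #13 and #17, used to check which new connections each layout
# lets through. Zones, addresses and ports are constructed for illustration.
from dataclasses import dataclass

INTERNET, DMZ, LAN = "internet", "dmz", "lan"
SERVER = "192.168.1.10"  # constructed: the exposed server behind NAT/FW1
LAN_PC = "192.168.2.20"  # constructed: a PC on the LAN behind FW2

@dataclass(frozen=True)
class Flow:
    """One attempted new connection (reply traffic is assumed state-tracked)."""
    src_zone: str
    dst_zone: str
    dst_ip: str
    dport: int

def fw1_allows(flow: Flow) -> bool:
    """FW1: only tcp/80 from the Internet reaches the server (#3); inside may go out."""
    if flow.src_zone == INTERNET:
        return flow.dst_ip == SERVER and flow.dport == 80
    return True

def fw2_allows(flow: Flow) -> bool:
    """FW2: the LAN may initiate anywhere; nothing may initiate into the LAN (#17)."""
    if flow.dst_zone == LAN:
        return flow.src_zone == LAN
    return True

def allowed_two_firewalls(flow: Flow) -> bool:
    """Pass every firewall on the path: FW1 at the Internet edge, FW2 at the LAN edge."""
    checks = []
    if INTERNET in (flow.src_zone, flow.dst_zone):
        checks.append(fw1_allows(flow))
    if LAN in (flow.src_zone, flow.dst_zone):
        checks.append(fw2_allows(flow))
    return all(checks)

def allowed_single_nat(flow: Flow) -> bool:
    """The layout asked about in #1: server and LAN share one segment behind
    one NAT, so server-to-LAN traffic is never filtered at all."""
    if INTERNET in (flow.src_zone, flow.dst_zone):
        return fw1_allows(flow)
    return True

if __name__ == "__main__":
    from_server = Flow(DMZ, LAN, LAN_PC, 139)  # a compromised server probing the LAN
    print("single NAT:", allowed_single_nat(from_server))     # True
    print("two firewalls:", allowed_two_firewalls(from_server))  # False
```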
  18. Geoff Lane

    I've got a Vigor 2600, I think it's a pretty good router but to the
    best of my knowledge it cannot disable the NAT. But I thought with a
    conventional set up the public IP was assigned to the router and the
    router gave local IPs to the other computers.

    Geoff Lane
     
    Geoff Lane, Jun 13, 2005
    #18
  19. John Fryatt

    That's one way of doing it, i.e. using DHCP. Alternatively you can assign
    fixed IP addresses to your local PCs.
     
    John Fryatt, Jun 15, 2005
    #19