- steve h.
June 19, 2004, 7:03 pm
Busting the NAT Myth
By Sig Fidyke, Senior Product Manager, and Scott Pinzon, LiveSecurity
Lead Editor, WatchGuard Technologies, Inc.
Have you ever settled down to dinner, only to be interrupted by
unsolicited telemarketing phone calls? It makes you glad that at work,
your business has a main number other than your desk phone. If necessary,
you can tell the company receptionist, "Unless my boss or my spouse
calls, don't forward any calls to me." Then if telemarketers call the
main number, looking for you, the receptionist terminates their call
without bothering you. In fact, if you wanted, you could keep your desk
phone number completely private so that no one knew it except fellow
employees and close family members.
However, if you achieved that ideal, would you then say, "My private
phone number makes me safe in all regards. Now we can fire the company's
security guards and leave the doors unlocked"? Foolish, right? Yet for
some reason, many people follow that very logic when concluding that a
NAT device is a firewall. This article debunks the myth that a NAT device
is "good enough" security, and explains why you're better off using a
real firewall to protect your network.
Network Address Translation, or NAT, works roughly like the receptionist
in our opening illustration. It hides your private, or unregistered,
network addresses from the public. When packets leave your network,
heading for the wild Internet, a NAT device replaces all private IP
source addresses with one public address (usually its own). Since the NAT
box advertises its own address to the world as the source address, all
replies from the wild Internet return to the NAT device, analogous to the
way phone calls to everyone at your company might first come to a main
phone number. And just as the receptionist answering the main number can
redirect incoming phone calls to the desired individual, NAT checks an
internal table to redirect replies to the appropriate computer inside the
network. If an attacker initiates a connection to your network through
some oddball port, like 31337, the NAT box would check its table and
think, "Gee, no one inside this network requested information on port
31337. Now I don't know who to send this packet to." Typically, it then
drops the packet. So, in this sense, NAT-only devices do provide a
modicum of security. (The rest of this article assumes you understand
basic NAT, so if the concept is new to you, before continuing you might
want to read "Using Network Address Translation" and "How and When to Use
Since NAT is designed to pass traffic through, not to block it, any
security benefit it provides is a side effect. Attackers have developed
techniques aimed specifically at NAT devices, such as the following.
Exploiting open ports. For port-based NAT, once a NAT device opens a port
by putting it in the NAT table, all traffic destined to that port is
allowed through to the local computer identified in the table. NAT
substitutes unusual ports for well-known ports, but usually derives its
substitute port numbers from a standard range. Hackers can persistently
keep guessing at which ports NAT has opened until they get through. Since
they use automated programs to do this, the hacker doesn't have to be
overly persistent or lucky -- he just tries a lot of addresses until
Taking the DMZ server. Some NAT devices can be configured so that packets
not matching anything in the NAT table are sent to a specified computer,
rather than discarded. This gives the administrator a chance to ensure
that good traffic is not lost, and to allow a program to work that won't
work through NAT. But it's horrible from a security perspective. It means
the NAT device sends everything through. Once a hacker gets control of
the one computer where everything goes, he can easily access any other
computer on the same network.
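To make the table lookup described above concrete, here is an added example (my own toy code, not WatchGuard's and not from the article) of a port-address-translating NAT box. It assumes a "full cone" mapping (once a private host opens a public port, any outside host can send to that port), a sequential port allocation starting at 1024, and an optional "DMZ host" that receives everything the table does not match. All addresses are constructed documentation-range values. It shows the reply to a web request being delivered, an unsolicited probe to port 31337 being dropped, the same probe reaching the DMZ host when one is configured, and an attacker who guesses the open port getting through to the inside host.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed example, not the article's code: a toy NAPT box of the
# "full cone" kind. Real devices vary (address/port-restricted cones,
# symmetric NAT); this one deliberately shows the weakest behaviour.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NaptBox:
    public_ip: str
    dmz_host: Optional[str] = None   # "default host" for unmatched packets
    first_port: int = 1024           # assumed start of the allocation range
    # public port -> (private ip, private port)
    table: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    dropped: int = 0

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the public address and remember the mapping."""
        for pub_port, private in self.table.items():
            if private == (pkt.src_ip, pkt.src_port):
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.first_port + len(self.table)  # sequential, predictable
        self.table[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver to the private host that owns the public port, else DMZ/drop."""
        if pkt.dst_ip != self.public_ip:
            self.dropped += 1
            return None
        private = self.table.get(pkt.dst_port)
        if private is not None:
            # Full cone: no check on who the outside sender is.
            return Packet(pkt.src_ip, pkt.src_port, private[0], private[1])
        if self.dmz_host is not None:
            # Everything unmatched is handed to the DMZ host unchanged.
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        self.dropped += 1
        return None


def demo(dmz_host: Optional[str] = None):
    box = NaptBox(public_ip="203.0.113.1", dmz_host=dmz_host)
    # 1. Inside host opens a web connection: a table entry is created.
    out = box.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    # 2. The web server replies to the public port: delivered to 192.168.1.10.
    reply = box.inbound(Packet("198.51.100.7", 80, box.public_ip, out.src_port))
    # 3. Unsolicited probe to 31337: nothing in the table, so dropped (or DMZ).
    probe = box.inbound(Packet("192.0.2.66", 40000, box.public_ip, 31337))
    # 4. Attacker guesses the open public port: full-cone NAT lets it through.
    guessed = box.inbound(Packet("192.0.2.66", 40000, box.public_ip, out.src_port))
    return out, reply, probe, guessed


if __name__ == "__main__":
    for name, pkt in zip(("out", "reply", "probe", "guessed"), demo()):
        print(name, pkt)
    print("with DMZ host:", demo("192.168.1.50")[2])
```

Run it with and without a DMZ host: without one, the 31337 probe comes back as None (dropped); with one, the same probe is delivered to 192.168.1.50 on port 31337, which is exactly the "everything goes through" situation the article warns about. Step 4 is the port-guessing attack: because the table is keyed only on the public port, the attacker's packet is forwarded to the inside host as if it were the web server's reply.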
Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone
with sufficient technical knowledge, using hacking tools freely available
on the Internet, can put another user's IP address in the "From" (source)
field of packets. Since NAT relies on analyzing addresses, false
addresses compromise NAT devices easily.
Default remote access. Many NAT devices leave a port open to the public
Internet, to allow remote administration. The port is protected by a
password. Hackers circulate lists of open ports and the default passwords
set by the manufacturer of each NAT device. If you haven't changed the
default password protecting your NAT device, knowledgeable attackers can
log themselves in and reconfigure your device. Then they have
administrative privileges, and you don't.
NAT devices were not designed to be true security devices, so they have a
weak security stance. For example, a hacker can send an "anybody there?"
message, called a ping, to millions of addresses. Firewalls recognize
ping and hide themselves. NAT devices respond, letting the hacker know
he's found a live connection. NAT devices don't do any egress filtering,
either. So clearly, a NAT device is not a full security solution.
Don't get us wrong. We like NAT. We think NAT is both cool and necessary.
Our point is that a real firewall offers additional, significant security
improvements on top of NAT. Here are a few.
Authenticating connections. A NAT device checks only the source IP
address, destination IP address, and related port numbers to decide if
traffic is valid. A real firewall goes further. In addition to IP address
and port information, the firewall also checks, for example, the sequence
number of the packet for duplicates or out-of-bound values (hackers try
to recycle an existing packet header with different data inside). Other
firewall verification steps include user authentication, packet content
inspection (e.g., does this HTTP packet really contain HTTP
information?), and checking the IPs against black-listed sites.
Controlling outbound traffic. Any defense offered by a NAT device deals
only with inbound connections. Firewalls offer egress filtering -- the
ability to close outgoing connections. Many Trojans are programmed to
infect a machine, then "phone home" to their creator, using an obscure
outbound port; egress filtering can stop this. Similarly, when worms
infect a machine and seek to spread, egress filtering can prevent your
network from becoming the worm's next launching pad.
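The two points above (checking sequence numbers on established connections, and egress filtering) are easier to see in code. The following is an added example of my own, not WatchGuard's firewall and not from the article: a toy stateful packet filter that keeps per-connection state, refuses inbound segments that do not belong to a connection an inside host opened, rejects segments whose sequence number falls outside the expected window (including a replayed copy of an earlier segment), and applies an outbound port allow-list so a "phone home" to an odd port is dropped. The inside prefix, the allowed ports (53, 80, 443), the window size and all addresses are constructed for the demo; sequence-number wraparound and the three-way handshake's final ACK are ignored to keep it short.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example, not the article's code. Assumed policy values:
INSIDE_PREFIX = "192.168.1."                      # our private network
ALLOWED_EGRESS_PORTS = frozenset({53, 80, 443})   # outbound allow-list
WINDOW = 65535                                    # acceptable seq window


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    length: int = 0       # payload bytes carried
    syn: bool = False


@dataclass
class Conn:
    peer_next: Optional[int] = None   # next seq we expect from the outside host


@dataclass
class StatefulFirewall:
    conns: Dict[Tuple[str, int, str, int], Conn] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _deny(self, why: str, seg: Segment) -> bool:
        self.log.append(f"DENY {why} {seg.src_ip}:{seg.src_port}->"
                        f"{seg.dst_ip}:{seg.dst_port} seq={seg.seq}")
        return False

    def filter(self, seg: Segment) -> bool:
        """Return True if the segment is forwarded, False if it is dropped."""
        if seg.src_ip.startswith(INSIDE_PREFIX):
            return self._outbound(seg)
        return self._inbound(seg)

    def _outbound(self, seg: Segment) -> bool:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if seg.syn:
            # Egress filtering: new connections only to allowed ports.
            if seg.dst_port not in ALLOWED_EGRESS_PORTS:
                return self._deny("egress-policy", seg)
            self.conns[key] = Conn()
            return True
        if key not in self.conns:
            return self._deny("no-state", seg)
        return True

    def _inbound(self, seg: Segment) -> bool:
        # Look up the connection by the inside initiator's 4-tuple; the
        # outside address AND port must match, unlike the NAT table.
        key = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        conn = self.conns.get(key)
        if conn is None:
            return self._deny("unsolicited", seg)
        if conn.peer_next is None:
            if not seg.syn:
                return self._deny("expected-synack", seg)
            conn.peer_next = seg.seq + 1          # SYN consumes one seq number
            return True
        if not (conn.peer_next <= seg.seq < conn.peer_next + WINDOW):
            return self._deny("seq-out-of-window", seg)
        conn.peer_next = seg.seq + seg.length     # advance past the payload
        return True


def demo():
    fw = StatefulFirewall()
    inside, web, c2 = "192.168.1.10", "198.51.100.7", "192.0.2.66"
    results = [
        fw.filter(Segment(inside, 51000, web, 443, seq=1000, syn=True)),   # allowed
        fw.filter(Segment(web, 443, inside, 51000, seq=5000, syn=True)),   # SYN-ACK ok
        fw.filter(Segment(web, 443, inside, 51000, seq=5001, length=100)), # data ok
        fw.filter(Segment(web, 443, inside, 51000, seq=5001, length=100)), # replay: no
        fw.filter(Segment(c2, 443, inside, 51000, seq=7777)),              # unsolicited
        fw.filter(Segment(inside, 51001, c2, 6667, seq=2000, syn=True)),   # phone home
    ]
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

The fifth segment is the same "guess the open port" trick that gets through a full-cone NAT table: here it is refused because the firewall keys its state on the outside address and port as well, not on our public port alone. The sixth is the Trojan connecting out to port 6667, stopped by egress policy; a NAT-only device would simply create a mapping for it.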
Securely handling special cases. True firewalls are aware of, and
support, numerous applications that require special handling. Some NAT
and low-cost "firewall-like" routers basically have to be shut off to
allow, say, NetMeeting or audio/video streaming to function. Real
firewalls handle them securely and without special user requirements. The
firewall first identifies the packets as coming from a special
application. It then rewrites and re-routes the packets compatibly with
both the application and NAT.
Robust processing power. Inexpensive NAT devices typically don't include
the powerful processors required for "deep packet inspection." Even
"firewall-like" routers will typically degrade significantly in
performance if called upon to inspect each packet. Only devices designed
to be a true firewall contain the muscle needed to combine security and
The list of firewall advantages goes on, including detailed logging that
recognizes and records attacks; centralized management; and, in more
expensive firewalls, advanced networking features (such as VLAN support
and Quality of Service), the ability to set different policies for
multiple networks, time-based policies, and more.
We hope you now understand the difference between a good-as-far-as-it-
goes NAT box and the multi-faceted, layered security a firewall can
offer. Though NAT can provide the equivalent of an "unlisted number" for
clients on your network, that falls short of complete security. If you're
serious about protecting your remote users and your network, deploy real
firewalls -- preferably firewalls certified by a neutral third party,
such as ICSA labs. The recent Sasser worm spread wildly even though it
was helpless against firewalls -- which demonstrates afresh that your
network security is only as good as your remote user security.
Thanks for reading!