Networking Forums

NAT Security

Geoff Lane
06-09-2005, 08:27 AM
I appreciate that NAT is not an actual firewall but is supposedly very
secure.

If you operate a server (or DMZ) behind a NAT router I assume someone
with a port scanner would get the address of your router and the open
machine. Would this not give them an opening into the local network?

Geoff Lane

 
Dean Jarratt
06-09-2005, 08:55 AM
Geoff Lane <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> I appreciate that NAT is not an actual firewall but is supposedly very
> secure.
>
> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router and the open
> machine. Would this not give them an opening into the local network.


Doesn't necessarily have to be a DMZ. Port forwarding will work in most
cases.

'Hackers' may be able to access your local network through the server,
depending on how much security the server has, and depending on what ports
you 'open up'.

My advice is simply open the ports you want the outside world to have
access to, and make sure applications attached to those ports are secured.

It's sometimes a nice idea to open up an FTP port to a machine with an FTP
server hosting no files and see who logs onto your FTP server without
authorization.
 
Phil Thompson
06-09-2005, 08:58 AM
On Thu, 09 Jun 2005 09:27:33 +0100, Geoff Lane
<(E-Mail Removed)> wrote:

>If you operate a server (or DMZ) behind a NAT router I assume someone
>with a port scanner would get the address of your router and the open
>machine. Would this not give them an opening into the local network.


It would give them access to the open ports. So if you have a web
server you port forward only port 80 and they can't use the other
ports to exploit holes in Windows.

If you have a DMZ the point is that anything on that part is open to
the outside so you don't put vulnerable stuff on a DMZ. Think of it as
having two locked rooms and you open the door to the DMZ but keep the
LAN room firmly locked.

Phil
--
spamcop.net address commissioned 18/06/04
Come on down !
 
Adam Piggott
06-09-2005, 09:37 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Geoff Lane wrote:
> I appreciate that NAT is not an actual firewall but is supposedly very
> secure.


Indeed. Unsolicited traffic, or that to a port which is not forwarded, is
rejected.


> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router


They have to have the address of the router to scan it. :-)


> and the open machine.


I'm not 100% sure if they can decode the packets sent by the router to get
the IP address of the internal machine. Either way, IMO knowing an address
of an internal machine is mostly trivial.


> Would this not give them an opening into the local network.


Yes, which is what you want, assuming you're running a server on the local
network.
As long as the listening program on the server is configured securely etc.
you should have no problem. You could also leave the server program off
when not needed, depending on what it's for.

Also the firewall on the NAT device can be used to only allow specific IP
addresses/ranges to connect to the port, again, if it fits the intended
users of the service.

HTH!

- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCqA3H7uRVdtPsXDkRAmRPAJ9DH4yNbAJmM0Guxb/o+cyKusL1JACgm46j
MLEC+Cg7fLdPe/bmPV4+uZ0=
=1vIB
-----END PGP SIGNATURE-----
 
poster
06-09-2005, 10:08 AM
On 09 Jun 2005 09:27, Geoff Lane wrote:

>I appreciate that NAT is not an actual firewall but is supposedly very
>secure.


>If you operate a server (or DMZ) behind a NAT router I assume someone
>with a port scanner would get the address of your router and the open
>machine. Would this not give them an opening into the local network.


Possibly, but you then have a firewall on the server handling <whatever>

In my case, when using a PC on my LAN for e-mail, it was set to accept only
from certain specific IP addresses (mail going to various domains on a few
hosting services would forward to a mail address where the domain had its
MX record pointing to my ADSL connection... someone sending direct will
be blocked by the firewall and only mail via those hosting services was
accepted). Clearly it depends what you are using the machine for - mail
is one of the worst examples as you'd normally want to make it accept any
incoming traffic, however for SSH / VNC you may want to allow access only
to a small number of remote IP addresses, so the fact a port is 'open' is
still not much good from other IP addresses... Peter M.
--

E-mail + files - 30 day free trial - <http://web.vfm-deals.com/runbox/>
Can be added as an MX record, so your domain mail gets stored safely,
with IMAP / POP / SMTP (not locked to port 25) facilities.

USENET news service ? <http://tinyurl.com/3rjw4> (plans from under US$5)
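The behaviour the replies above describe (NAT drops unsolicited inbound traffic, a port forward exposes only the forwarded port, and the router's IP filter can limit which remote addresses may reach a forwarded port such as SSH or VNC), modelled as an added Python example. This is not code from any poster or from a real router; the addresses, hosts and ports are constructed for the example.

```python
"""Toy model of a stateful NAT router with port forwarding and source
filtering. Added illustration only; all addresses below are constructed
(203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges).

Assumed setup:
  * router public address 203.0.113.10, LAN 192.168.1.0/24
  * web server 192.168.1.20, port 80 forwarded to everyone
  * SSH on 192.168.1.30, port 22 forwarded only for 198.51.100.0/24
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Forward:
    public_port: int
    internal_host: str
    internal_port: int
    allowed_sources: tuple = ()   # empty means any source may connect


@dataclass
class NatRouter:
    public_ip: str
    lan: str
    forwards: list = field(default_factory=list)
    # connection tracking: (remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
    state: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt):
        """A LAN host opens a connection to the outside; remember the mapping."""
        if ip_address(pkt.src) not in ip_network(self.lan):
            raise ValueError("outbound packet must originate on the LAN")
        public_port = self.next_port
        self.next_port += 1
        self.state[(pkt.dst, pkt.dport, public_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Decide the fate of a packet arriving on the public side.

        Returns ("forward", (lan_ip, lan_port)) or ("drop", reason).
        """
        if pkt.dst != self.public_ip:
            return ("drop", "not addressed to the router")
        # 1. Reply to a connection a LAN host opened: translate it back.
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.state:
            return ("forward", self.state[key])
        # 2. Explicit port forward, optionally restricted to source ranges.
        for fwd in self.forwards:
            if fwd.public_port != pkt.dport:
                continue
            if fwd.allowed_sources and not any(
                ip_address(pkt.src) in ip_network(net) for net in fwd.allowed_sources
            ):
                return ("drop", "source not in allow-list for port %d" % pkt.dport)
            return ("forward", (fwd.internal_host, fwd.internal_port))
        # 3. Anything else is unsolicited and has no internal destination.
        return ("drop", "unsolicited, port %d not forwarded" % pkt.dport)


def build_example_router():
    """The constructed home setup described in the module docstring."""
    return NatRouter(
        public_ip="203.0.113.10",
        lan="192.168.1.0/24",
        forwards=[
            Forward(80, "192.168.1.20", 80),
            Forward(22, "192.168.1.30", 22, allowed_sources=("198.51.100.0/24",)),
        ],
    )


def scan_visible_ports(router, scanner_ip, ports=range(1, 1025)):
    """Which of the given ports a scanner at scanner_ip would see as open."""
    return [p for p in ports
            if router.inbound(Packet(scanner_ip, 55555, router.public_ip, p))[0] == "forward"]


if __name__ == "__main__":
    r = build_example_router()
    print(scan_visible_ports(r, "192.0.2.77"))      # only 80: SSH is filtered for this source
    print(scan_visible_ports(r, "198.51.100.5"))    # 22 and 80
    out = r.outbound(Packet("192.168.1.50", 51000, "192.0.2.77", 443))
    print(r.inbound(Packet("192.0.2.77", 443, "203.0.113.10", out.sport)))  # reply gets in
    print(r.inbound(Packet("192.0.2.77", 443, "203.0.113.10", 3389)))       # unsolicited, dropped
```

The point of the model is the order of checks: tracked replies first, then the explicit forwards with their source allow-lists, then an unconditional drop. A scanner from an arbitrary address therefore only learns about the ports you chose to publish to everyone, and an opened port still buys nothing from addresses outside its allow-list.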
 
Paul D.Smith
06-09-2005, 01:23 PM
"Geoff Lane" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I appreciate that NAT is not an actual firewall but is supposedly very
> secure.
>
> If you operate a server (or DMZ) behind a NAT router I assume someone
> with a port scanner would get the address of your router and the open
> machine. Would this not give them an opening into the local network.
>
> Geoff Lane
>


Any server with an open port is potentially vulnerable and could compromise
your network. If you want to be very safe/paranoid, you can do the
following...

Modem --- NAT/firewall #1 --- Server
                |
                +--------- firewall #2 -------- Your LAN

Now you explicitly connect to your server as if it's as untrusted as the
rest of the Internet. Assuming you have the firewalls all on, you've
created a DMZ where your server is (a little bit) vulnerable but your own
LAN should be less so.

Paul DS.
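Paul's two-firewall layout, modelled as an added zone-policy example in Python. This is not Paul's code or any real firewall's configuration; the zones, addresses and rules are constructed, and the model assumes firewall #2 hangs off the segment between firewall #1 and the server, so traffic between the server and the LAN crosses only firewall #2.

```python
"""Zone-policy model of a two-firewall DMZ. Added illustration only.

Assumed topology (addresses constructed for the example):
    Modem --- firewall #1 --- Server (DMZ, 172.16.0.10)
                  |
                  +--- firewall #2 --- LAN (192.168.1.0/24)

Flows to or from the Internet cross firewall #1; flows to or from the LAN
cross firewall #2; a new connection must be allowed by every firewall on
its path. Each firewall is an ordered rule list: first match wins, default deny.
"""
from ipaddress import ip_address, ip_network

ZONE_NETS = {"lan": "192.168.1.0/24", "dmz": "172.16.0.0/24"}


def zone_of(ip):
    """Map an address to its zone; anything not LAN or DMZ is the Internet."""
    addr = ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in ip_network(net):
            return zone
    return "internet"


# Rules: (from_zone, to_zone, dst_port or None for any port, verdict)
FIREWALL_1 = [
    ("internet", "dmz", 80, "allow"),     # the single published service
    ("dmz", "internet", None, "allow"),   # server may reach out (updates etc.)
    ("lan", "internet", None, "allow"),   # LAN clients browse normally
]
FIREWALL_2 = [
    ("lan", "internet", None, "allow"),
    ("lan", "dmz", None, "allow"),        # you connect to the server deliberately
    # no rule lets the DMZ or the Internet initiate into the LAN
]


def evaluate(rules, src, dst, dport):
    """First-match evaluation of one firewall's rule list."""
    fz, tz = zone_of(src), zone_of(dst)
    for from_zone, to_zone, port, verdict in rules:
        if from_zone == fz and to_zone == tz and (port is None or port == dport):
            return verdict
    return "deny"


def path_verdict(src, dst, dport):
    """Verdict for a new connection from src to dst:dport across the topology."""
    zones = {zone_of(src), zone_of(dst)}
    if len(zones) == 1:
        return "allow"                    # same segment, no firewall in the path
    crossed = []
    if "internet" in zones:
        crossed.append(FIREWALL_1)
    if "lan" in zones:
        crossed.append(FIREWALL_2)
    return "allow" if all(evaluate(fw, src, dst, dport) == "allow" for fw in crossed) else "deny"


def reachable_ports(src, dst, ports):
    """Which of the given ports on dst a host at src could open a connection to."""
    return [p for p in ports if path_verdict(src, dst, p) == "allow"]


if __name__ == "__main__":
    probe = (22, 80, 443, 445, 3389)
    print(reachable_ports("192.0.2.77", "172.16.0.10", probe))     # Internet -> server: only 80
    print(reachable_ports("172.16.0.10", "192.168.1.50", probe))   # server -> LAN: nothing
    print(reachable_ports("192.0.2.77", "192.168.1.50", probe))    # Internet -> LAN: nothing
    print(reachable_ports("192.168.1.50", "172.16.0.10", probe))   # LAN -> server: all five
```

The check worth running against any DMZ design is the second line of the usage: a server that has been taken over should have no allowed path into the LAN, which here follows from firewall #2 having no rule with the DMZ as the source zone.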


 
Geoff Lane
06-09-2005, 05:09 PM
On Thu, 9 Jun 2005 08:55:09 +0000 (UTC), Dean Jarratt
<(E-Mail Removed)> wrote:

>> I appreciate that NAT is not an actual firewall but is supposedly very
>> secure.
>>
>> If you operate a server (or DMZ) behind a NAT router I assume someone
>> with a port scanner would get the address of your router and the open
>> machine. Would this not give them an opening into the local network.


>It's sometimes a nice idea to open up an FTP port to a machine with an FTP
>server hosting no files and seeing who logs onto your FTP server without
>authorization.


That's quite a good idea; I'll give that a try when I set up my
network properly. At the moment only one of two laptops connects, as and
when required, but I intend to connect an older desktop machine as a
file server.

Geoff Lane


 
Geoff Lane
06-09-2005, 05:16 PM
On Thu, 09 Jun 2005 09:58:45 +0100, Phil Thompson
<(E-Mail Removed)> wrote:

>>If you operate a server (or DMZ) behind a NAT router I assume someone
>>with a port scanner would get the address of your router and the open
>>machine. Would this not give them an opening into the local network.

>
>It would give them access to the open ports. So if you have a web
>server you port forward only port 80 and they can't use the other
>ports to exploit holes in Windows.


I'm not paranoid (I hope) but if I understand potential openings I can
be sensible regarding securing files and safeguarding against viruses
etc.

>If you have a DMZ the point is that anything on that part is open to
>the outside so you don't put vulnerable stuff on a DMZ. Think of it as
>having two locked rooms and you open the door to the DMZ but keep the
>LAN room firmly locked.


I think I understand; for the secure part of the network I suppose I
could set up the IP filter to only allow connections from the local
network.

Geoff Lane

 
Geoff Lane
06-09-2005, 05:22 PM
On Thu, 09 Jun 2005 10:37:11 +0100, Adam Piggott
<(E-Mail Removed)> wrote:

>> If you operate a server (or DMZ) behind a NAT router I assume someone
>> with a port scanner would get the address of your router

>
>They have to have the address of the router to scan it. :-)


I think I typed it the wrong way round :-)) but are there not
programs used by the 'crackers' that port scan masses of IP addresses?

>I'm not 100% sure if they can decode the packets sent by the router to get
>the IP address of the internal machine. Either way, IMO knowing an address
>of an internal machine is mostly trivial.


It's just when you read that some US Government computer has been
hacked it would appear nothing is really secure.

>Also the firewall on the NAT device can be used to only allow specific IP
>addresses/ranges to connect to the port, again, if it fits the intended
>users of the service.


At the moment I have no specific IP rules set up on my Draytek 2600;
the router and my software FW ZoneAlarm seem to keep me quite secure.

Geoff Lane

 
Geoff Lane
06-09-2005, 05:29 PM
On Thu, 9 Jun 2005 14:23:25 +0100, "Paul D.Smith"
<(E-Mail Removed)> wrote:

>Any server with an open port is potentially vulnerable and could compromise
>your network. If you want to be very safe/paranoid, you can do the
>following...
>
>Modem --- NAT/firewall #1 --- Server
>                |
>                +--------- firewall #2 -------- Your LAN
>
>Now you explicitly connect to your server as if it's as untrusted as the
>rest of the Internet. Assuming you have the firewalls all on, you've
>created a DMZ where your server is (a little bit) vulnerable but your own
>LAN should be less so.


I'm not sure if I follow this one; your route to the server via FW#1
appears to go through the NAT, but FW#2 goes direct to the modem.

The FWs you refer to, are they software FWs or hardware?

Geoff Lane

 