View Full Version : NAT router info please



shrill chris
08-12-10, 07:51 AM
Need an idiot's guide to NAT routers. I'm having a discussion with
someone about NATs and PFWs. I'm technical but need to check a few
basics. TIA.

--
Help destroy A C F for its own good.

Ansgar -59cobalt- Wiechers
08-12-10, 08:47 AM
In comp.security.firewalls shrill chris <plusnet@chris.millbank> wrote:
> Need an idiot's guide to NAT routers. I'm having a discussion with
> someone about NATs and PFWs. I'm technical but need to check a few
> basics. TIA.

NAT is not a security feature and PFWs are crap. What else do you need
to know?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Rick
08-12-10, 09:21 AM
Ansgar -59cobalt- Wiechers wrote:
> In comp.security.firewalls shrill chris<plusnet@chris.millbank> wrote:
>> Need an idiot's guide to NAT routers. I'm having a discussion with
>> someone about NATs and PFWs. I'm technical but need to check a few
>> basics. TIA.
>
> NAT is not a security feature and PFWs are crap. What else do you need
> to know?
>
> cu
> 59cobalt

what? Pro Football Weekly (sometimes shortened to PFW)?!

"Routers" can provide port forwarding (independently of NAT).

If you are not running a server, NAT provides minimum security
by hiding your computers' internal addresses.

za kAT
08-12-10, 09:32 AM
On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:

> In comp.security.firewalls shrill chris <plusnet@chris.millbank> wrote:
>> Need an idiot's guide to NAT routers. I'm having a discussion with
>> someone about NATs and PFWs. I'm technical but need to check a few
>> basics. TIA.
>
> NAT is not a security feature and PFWs are crap.


| What else do you need to know?

| NAT is not a security feature

Why?

--
zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
Assigned to protect you. You've been targeted for denigration!

Ansgar -59cobalt- Wiechers
08-12-10, 10:31 AM
za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
> | NAT is not a security feature
>
> Why?

Because it wasn't designed (nor intended) to be one. NAT is a feature to
*enable* communication between private and public networks. The purpose
of network security measures is to *restrict* communication between
networks. These are fundamentally different concepts.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

za kAT
08-12-10, 11:06 AM
On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:

> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
>>| NAT is not a security feature
>>
>> Why?
>
> Because it wasn't designed (nor intended) to be one.

> NAT is a feature to
> *enable* communication between private and public networks.

I thought that was IP masquerading.

NAT just seems to be a way of negating the need to update routing tables
beyond the router's external interface to reflect what networks are behind
the NAT router.

> The purpose
> of network security measures is to *restrict* communication between
> networks. These are fundamentally different concepts.

It does restrict communication inbound.


--
zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
Assigned to protect you. You've been targeted for denigration!

deconstructing Stubbings bollix
08-12-10, 11:13 AM
"John Stubbings" (aka "za kAT") posting as shrill Chris scribbled:

> Need an idiot's guide to NAT routers. I'm having a discussion with
> someone about NATs and PFWs.

Nope. You jumped into another person's discussion and started
shouting/screaming "I know everything, you're all ****ing idiots"
but then found yerself in a big hole.

>I'm technical but need to check a few basics. TIA.

Nope. You *think* you are an expert. Different issue.

Stubbings,
Of course *you* need an idiot's guide, that's been obvious for a very
long time. No doubt that's why you didn't have the spine to post this
silly troll using one of scores of your own discredited socks. <sigh>

Please give us a break from your k00kery, there's a good *****.
Else I'll set Blitz The Dog onto you.



-deconstructing Stubbings bollix

za kAT
08-12-10, 11:19 AM
On Thu, 12 Aug 2010 18:13:24 +0200, hummingbird wrote:

Go away sonny. I didn't make the original post.

It's no wonder everyone takes the piss out of you.

--
zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
Assigned to protect you. You've been targeted for denigration!

Ansgar -59cobalt- Wiechers
08-12-10, 11:44 AM
za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
>> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
>>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
>>>| NAT is not a security feature
>>>
>>> Why?
>>
>> Because it wasn't designed (nor intended) to be one.
>
>> NAT is a feature to *enable* communication between private and public
>> networks.
>
> I thought that was IP masquerading.

IP masquerading (or port address translation, PAT) is the most commonly
used subset of NAT nowadays. It's correct that NAT is not limited to
remapping private to public addresses and vice versa, but even though,
it's still a technology invented to enable rather than restrict
communication.

>> The purpose of network security measures is to *restrict*
>> communication between networks. These are fundamentally different
>> concepts.
>
> It does restrict communication inbound.

Not necessarily. Which is exactly the problem. Besides, what's actually
restricting inbound communication in case of private addresses is the
convention that private IP addresses must not be routed over public
networks. The NAT device itself doesn't have much to do with it.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

za kAT
08-12-10, 12:14 PM
On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:

> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
>> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
>>> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
>>>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
>>>>| NAT is not a security feature
>>>>
>>>> Why?
>>>
>>> Because it wasn't designed (nor intended) to be one.
>>
>>> NAT is a feature to *enable* communication between private and public
>>> networks.
>>
>> I thought that was IP masquerading.
>
> IP masquerading (or port address translation, PAT) is the most commonly
> used subset of NAT nowadays.

That's interesting, because I'd always understood IP masquerading to be the
act of 'hiding' many addresses behind another. Not another name for PAT.
It's an idea, not a physical act. Maybe I'm wrong, I couldn't quickly find
a good definition.

Whereas NAT, which you rightly point out as usually meaning PAT/NAPT is a
physical act. Maybe you're right, I dunno, but true NAT[1:1] still hides an
address.

> It's correct that NAT is not limited to
> remapping private to public addresses and vice versa, but even though,
> it's still a technology invented to enable rather than restrict
> communication.

Yeah but, a hammer was designed to knock nails in, but it can still be an
offensive weapon.

>>> The purpose of network security measures is to *restrict*
>>> communication between networks. These are fundamentally different
>>> concepts.
>>
>> It does restrict communication inbound.
>
> Not necessarily. Which is exactly the problem.

I assume you are referring to its inability to really tackle solicited
outbound wrt malware. I still don't see it as a problem, just part of a
simple solution, when paired with an AV suite.

> Besides, what's actually
> restricting inbound communication in case of private addresses is the
> convention that private IP addresses must not be routed over public
> networks. The NAT device itself doesn't have much to do with it.

Partly, but also the lack of a mapping in the state table means unsolicited
inbound is dropped.

--
zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
Assigned to protect you. You've been targeted for denigration!

Ansgar -59cobalt- Wiechers
08-12-10, 02:24 PM
za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
> On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:
>> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
>>> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
>>>> NAT is a feature to *enable* communication between private and
>>>> public networks.
>>>
>>> I thought that was IP masquerading.
>>
>> IP masquerading (or port address translation, PAT) is the most
>> commonly used subset of NAT nowadays.
>
> That's interesting, because I'd always understood IP masquerading to
> be the act of 'hiding' many addresses behind another. Not another name
> for PAT. It's an idea, not a physical act. Maybe I'm wrong

Yes.

[...]
>>>> The purpose of network security measures is to *restrict*
>>>> communication between networks. These are fundamentally different
>>>> concepts.
>>>
>>> It does restrict communication inbound.
>>
>> Not necessarily. Which is exactly the problem.
>
> I assume you are referring to its inability to really tackle
> solicited outbound wrt malware.

No, that's a whole different can of worms. I'm referring to the problem
that any NAT implementation needs to make (more or less educated)
guesses about which inbound packet really relates to an established
outbound communication. Think about DNS requests for instance.

> I still don't see it as a problem, just part of a simple solution,
> when paired with an AV suite.

I like simple solutions when they're reliable. NAT as a security feature,
however, isn't. Not to mention that any AV suite is as far from "simple
solution" as it gets.

>> Besides, what's actually restricting inbound communication in case of
>> private addresses is the convention that private IP addresses must
>> not be routed over public networks. The NAT device itself doesn't
>> have much to do with it.
>
> Partly, but also the lack of a mapping in the state table means
> unsolicited inbound is dropped.

See above.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Regis
08-12-10, 02:25 PM
za kAT <zakAT@super-secret-IPaddress.invalid> writes:

> Partly, but also the lack of a mapping in the state table means unsolicited
> inbound is dropped.

Not to mention that as implemented, home routers these days are far
from being just routers that implement NAT. They also act as a switch
as well as a stateful packet inspection firewall.

So, feel free to take Ansgar's rant about "NAT isn't a security
feature" as true, but a bit of an anachronistic rant of pedantry in
this context.

It's true, NAT doesn't secure anything in and of itself, but that's a
bit academic in the face of real implementations that are on the
market. Home routers are actually not all that awful for how much
functionality they pack into one box. URL filtering, http proxying
and having some easy way to have them limit outbound connections
intelligently would be a nice to have as would IDS/IPS, but the lack
of such goodies doesn't make them quite as worthless to me as Ansgar
seems to feel.


So, to the OP, what was the argument about that makes you want to
learn more about what you were arguing about?

Ansgar -59cobalt- Wiechers
08-12-10, 02:36 PM
Regis <ordsec@gmail.org> wrote:
> za kAT <zakAT@super-secret-IPaddress.invalid> writes:
>> Partly, but also the lack of a mapping in the state table means
>> unsolicited inbound is dropped.
>
> Not to mention that as implemented, home routers these days are far
> from being just routers that implement NAT. They also act as a switch
> as well as a stateful packet inspection firewall.
>
> So, feel free to take Ansgar's rant about "NAT isn't a security
> feature" as true, but a bit of an anachronistic rant of pedantry in
> this context.

Not really, because on those devices the security is provided by the
packet filtering mechanism, not by the NAT implementation. That is a
fundamental difference, even if both mechanisms are implemented on the
same device.

To make reasonable decisions security-wise, one needs to understand what
a technology can and cannot do. I do not believe in confusing people by
mixing up distinct technologies.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

David H. Lipman
08-12-10, 03:38 PM
From: "shrill chris" <plusnet@chris.millbank>

| Need an idiot's guide to NAT routers. I'm having a discussion with
| someone about NATs and PFWs. I'm technical but need to check a few
| basics. TIA.

Please ask in a networking group.
It is OT for alt.comp.freeware & alt.privacy.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

za kAT
08-12-10, 03:44 PM
On 12 Aug 2010 19:24:56 GMT, Ansgar -59cobalt- Wiechers wrote:

> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
>> On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:
>>> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
>>>> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
>>>>> NAT is a feature to *enable* communication between private and
>>>>> public networks.
>>>>
>>>> I thought that was IP masquerading.
>>>
>>> IP masquerading (or port address translation, PAT) is the most
>>> commonly used subset of NAT nowadays.
>>
>> That's interesting, because I'd always understood IP masquerading to
>> be the act of 'hiding' many addresses behind another. Not another name
>> for PAT. It's an idea, not a physical act. Maybe I'm wrong
>
> Yes.

OK, found the answer now. IP masquerading is a slightly different PAT
service to SNAT. One for dynamic, the other for static external interfaces.


>>>>> The purpose of network security measures is to *restrict*
>>>>> communication between networks. These are fundamentally different
>>>>> concepts.
>>>>
>>>> It does restrict communication inbound.
>>>
>>> Not necessarily. Which is exactly the problem.
>>
>> I assume you are referring to its inability to really tackle
>> solicited outbound wrt malware.
>
> No, that's a whole different can of worms. I'm referring to the problem
> that any NAT implementation needs to make (more or less educated)
> guesses about which inbound packet really relates to an established
> outbound communication. Think about DNS requests for instance.

Well I guess it doesn't know. It just knows it sent a UDP packet out on
port XXX, and what it receives back on that port it considers to be the
reply. It can probably make simple guesses, like anything for destination
port 53 will not be expecting a large reply, and there must be a timeout.

It can't take the packet apart, and examine it like a proxy.

It seems to me though that nothing can come in until a connection is made
out. The port it goes out on /should/ be fairly random, and with a timeout
it only gives small windows of opportunity.

>> I still don't see it as a problem, just part of a simple solution,
>> when paired with an AV suite.
>
> I like simple solution when they're reliable. NAT as a security feature,
> however, isn't. Not to mention that any AV suite is as far from "simple
> solution" as it gets.

Aw! come on. My AV just wor(*^(^&)^(&%(%....

--
zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
Assigned to protect you. You've been targeted for denigration!

Bear Bottoms
08-13-10, 02:46 PM
On Aug 12, 9:19 am, za kAT <za...@super-secret-IPaddress.invalid>
wrote:
> On Thu, 12 Aug 2010 18:13:24 +0200, hummingbird wrote:
>
> Go away sonny. I didn't make the original post.
>
> It's no wonder everyone takes the piss out of you.
>
> --
> za...@pooh.the.cat - Sergeant Tech-Com, DN38416.
> Assigned to protect you. You've been targeted for denigration!

Kitty, I got a private email from a Native American who wants to take
on BB? Want to join our alliance?
Habby Gabby

Chris Davies
08-19-10, 03:05 PM
za kAT <zakAT@super-secret-ipaddress.invalid> wrote, regarding NAT:
> The port it goes out on /should/ be fairly random, and with a timeout
> it only gives small windows of opportunity.

You're fairly seriously ramping up the complexity there. In order to
change the source port number you either need to inspect the protocol flow
or make the originator application aware it's behind a NAT device. (Think
FTP's "PORT" command, or anything to do with SIP.)

And it's not possible to avoid changing the source port number, as the
device is handling a 1:N relationship (think of two internal devices,
both originating traffic on, say, port 12345).

NAT is a botch. A mostly-effective one, agreed. But a botch nevertheless.
Chris
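The points argued over in this thread can be made concrete with a toy many-to-one NAT (NAPT) state table. The following is an added example written for this page; it is not code from any poster or from any router firmware. It models Ansgar's "educated guess" about which inbound packet belongs to an outbound flow, za kAT's description of a UDP mapping with a timeout, Chris Davies' observation that two internal hosts using the same source port force the external port to be rewritten, and Ansgar's point that the restriction on a home router comes from a stateful filter rather than from NAT itself. All addresses, ports and the 30-second timeout are constructed values, and the simulator is deliberately minimal (UDP only, no protocol inspection).

```python
# Added example, not from the thread: a toy NAPT state table. Addresses, ports
# and the timeout are constructed; real routers differ in many details.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # constructed: the router's external address
UDP_TIMEOUT = 30.0          # constructed: seconds a UDP mapping stays alive


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    internal: Tuple[str, int]   # LAN host that opened the flow
    remote: Tuple[str, int]     # Internet endpoint it talked to
    expires: float              # absolute time the entry is garbage-collected


class NaptRouter:
    """Many-to-one NAT keyed on the external port. With endpoint_filter=False it
    behaves like plain NAT: anything arriving at a mapped port is forwarded.
    With endpoint_filter=True a stateful filter additionally requires the
    inbound packet to come from the endpoint the mapping was created for."""

    def __init__(self, endpoint_filter: bool = False) -> None:
        self.endpoint_filter = endpoint_filter
        self.table: Dict[int, Mapping] = {}   # external port -> Mapping
        self.next_port = 40000

    def _expire(self, now: float) -> None:
        for port in [p for p, m in self.table.items() if m.expires <= now]:
            del self.table[port]

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> Internet: reuse or create a mapping, rewrite the source."""
        self._expire(now)
        internal = (pkt.src_ip, pkt.src_port)
        for ext_port, m in self.table.items():
            if m.internal == internal:
                m.expires = now + UDP_TIMEOUT      # refresh on new outbound traffic
                return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port)
        # New flow: allocate a free external port. Two LAN hosts that both use
        # source port 12345 therefore end up on different external ports.
        ext_port = self.next_port
        while ext_port in self.table:
            ext_port += 1
        self.next_port = ext_port + 1
        self.table[ext_port] = Mapping(internal, (pkt.dst_ip, pkt.dst_port),
                                       now + UDP_TIMEOUT)
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> LAN: returns the rewritten packet, or None if dropped."""
        self._expire(now)
        m = self.table.get(pkt.dst_port)
        if m is None:
            return None      # no mapping: unsolicited, nowhere to deliver it
        if self.endpoint_filter and (pkt.src_ip, pkt.src_port) != m.remote:
            return None      # the stateful filter, not NAT, rejects the stranger
        # Plain NAT only "guesses": whoever hits the mapped port gets through.
        return Packet(pkt.src_ip, pkt.src_port, m.internal[0], m.internal[1])


def demo() -> dict:
    """Run the scenarios discussed in the thread and return the outcomes."""
    r = {}
    nat = NaptRouter()
    resolver, lan_a, lan_b = "198.51.100.53", "192.168.1.10", "192.168.1.11"
    # Unsolicited inbound before any flow exists is dropped.
    r["unsolicited"] = nat.inbound(Packet("198.51.100.7", 4444, PUBLIC_IP, 40000), 0.0)
    # Host A sends a DNS query; the resolver's reply is delivered back to A.
    q = nat.outbound(Packet(lan_a, 12345, resolver, 53), 1.0)
    reply = nat.inbound(Packet(resolver, 53, PUBLIC_IP, q.src_port), 2.0)
    r["dns_reply_to"] = (reply.dst_ip, reply.dst_port)
    # A different source hitting the same mapped port inside the window is
    # forwarded too: plain NAT cannot tell it apart from the real reply.
    r["stranger_pure_nat"] = nat.inbound(
        Packet("198.51.100.99", 53, PUBLIC_IP, q.src_port), 3.0) is not None
    # Once the mapping has timed out even the real resolver is dropped.
    r["after_timeout"] = nat.inbound(
        Packet(resolver, 53, PUBLIC_IP, q.src_port), 1.0 + UDP_TIMEOUT + 1)
    # Two hosts using the same source port get distinct external ports (1:N).
    nat2 = NaptRouter()
    a = nat2.outbound(Packet(lan_a, 12345, resolver, 53), 0.0)
    b = nat2.outbound(Packet(lan_b, 12345, resolver, 53), 0.0)
    r["distinct_ext_ports"] = a.src_port != b.src_port
    # The same stranger scenario with the stateful filter switched on.
    fw = NaptRouter(endpoint_filter=True)
    q = fw.outbound(Packet(lan_a, 12345, resolver, 53), 1.0)
    r["stranger_filtered"] = fw.inbound(
        Packet("198.51.100.99", 53, PUBLIC_IP, q.src_port), 3.0) is None
    r["resolver_filtered_ok"] = fw.inbound(
        Packet(resolver, 53, PUBLIC_IP, q.src_port), 3.0) is not None
    return r
```

Running `demo()` shows the split the thread circles around: the table alone drops packets for which no mapping exists and forgets mappings after the timeout, but while a mapping is live it forwards anything addressed to that external port, which is the "guess" Ansgar refers to. Only the `endpoint_filter` check, which is packet filtering state rather than address translation, distinguishes the resolver's reply from a packet sent by someone else to the same port.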