
Thread: NAT router info please

  1. #1
    shrill chris
    Guest

    NAT router info please

    Need an idiot's guide to NAT routers. I'm having a discussion with
    someone about NATs and PFWs. I'm technical but need to check a few
    basics. TIA.

    --
    Help destroy A C F for its own good.


  2. #2
    Ansgar -59cobalt- Wiechers
    Guest

    Re: NAT router info please

    In comp.security.firewalls shrill chris <plusnet@chris.millbank> wrote:
    > Need an idiot's guide to NAT routers. I'm having a discussion with
    > someone about NATs and PFWs. I'm technical but need to check a few
    > basics. TIA.


    NAT is not a security feature and PFWs are crap. What else do you need
    to know?

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. #3
    Rick
    Guest

    Re: NAT router info please

    Ansgar -59cobalt- Wiechers wrote:
    > In comp.security.firewalls shrill chris <plusnet@chris.millbank> wrote:
    >> Need an idiot's guide to NAT routers. I'm having a discussion with
    >> someone about NATs and PFWs. I'm technical but need to check a few
    >> basics. TIA.

    >
    > NAT is not a security feature and PFWs are crap. What else do you need
    > to know?
    >
    > cu
    > 59cobalt


    what? Pro Football Weekly (sometimes shortened to PFW)?!

    "Routers" can provide port forwarding (independently of NAT).

    If you are not running a server, NAT provides minimum security
    by hiding your computers' internal addresses.



  4. #4
    za kAT
    Guest

    Re: NAT router info please

    On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:

    > In comp.security.firewalls shrill chris <plusnet@chris.millbank> wrote:
    >> Need an idiot's guide to NAT routers. I'm having a discussion with
    >> someone about NATs and PFWs. I'm technical but need to check a few
    >> basics. TIA.

    >
    > NAT is not a security feature and PFWs are crap.



    | What else do you need to know?

    | NAT is not a security feature

    Why?

    --
    zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
    Assigned to protect you. You've been targeted for denigration!

  5. #5
    Ansgar -59cobalt- Wiechers
    Guest

    Re: NAT router info please

    za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    > On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
    > | NAT is not a security feature
    >
    > Why?


    Because it wasn't designed (nor intended) to be one. NAT is a feature to
    *enable* communication between private and public networks. The purpose
    of network security measures is to *restrict* communication between
    networks. These are fundamentally different concepts.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  6. #6
    za kAT
    Guest

    Re: NAT router info please

    On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:

    > za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    >> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>| NAT is not a security feature
    >>
    >> Why?

    >
    > Because it wasn't designed (nor intended) to be one.


    > NAT is a feature to
    > *enable* communication between private and public networks.


    I thought that was IP masquerading.

    NAT just seems to be a way of negating the need to update routing tables
    beyond the router's external interface to reflect what networks are behind
    the NAT router.

    > The purpose
    > of network security measures is to *restrict* communication between
    > networks. These are fundamentally different concepts.


    It does restrict communication inbound.


    --
    zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
    Assigned to protect you. You've been targeted for denigration!

  7. #7
    deconstructing Stubbings bollix
    Guest

    Re: NAT router info please

    "John Stubbings" (aka "za kAT") posting as shrill Chris scribbled:

    > Need an idiot's guide to NAT routers. I'm having a discussion with
    > someone about NATs and PFWs.


    Nope. You jumped into another person's discussion and started
    shouting/screaming "I know everything, you're all ****ing idiots"
    but then found yerself in a big hole.

    >I'm technical but need to check a few basics. TIA.


    Nope. You *think* you are an expert. Different issue.

    Stubbings,
    Of course *you* need an idiot's guide, that's been obvious for a very
    long time. No doubt that's why you didn't have the spine to post this
    silly troll using one of scores of your own discredited socks. <sigh>

    Please give us a break from your k00kery, there's a good *****.
    Else I'll set Blitz The Dog onto you.



    -deconstructing Stubbings bollix


  8. #8
    za kAT
    Guest

    Re: NAT router info please

    On Thu, 12 Aug 2010 18:13:24 +0200, hummingbird wrote:

    Go away sonny. I didn't make the original post.

    It's no wonder everyone takes the piss out of you.

    --
    zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
    Assigned to protect you. You've been targeted for denigration!

  9. #9
    Ansgar -59cobalt- Wiechers
    Guest

    Re: NAT router info please

    za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    > On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
    >> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    >>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>>| NAT is not a security feature
    >>>
    >>> Why?

    >>
    >> Because it wasn't designed (nor intended) to be one.

    >
    >> NAT is a feature to *enable* communication between private and public
    >> networks.

    >
    > I thought that was IP masquerading.


    IP masquerading (or port address translation, PAT) is the most commonly
    used subset of NAT nowadays. It's correct that NAT is not limited to
    remapping private to public addresses and vice versa, but even so,
    it's still a technology invented to enable rather than restrict
    communication.

    >> The purpose of network security measures is to *restrict*
    >> communication between networks. These are fundamentally different
    >> concepts.

    >
    > It does restrict communication inbound.


    Not necessarily. Which is exactly the problem. Besides, what's actually
    restricting inbound communication in case of private addresses is the
    convention that private IP addresses must not be routed over public
    networks. The NAT device itself doesn't have much to do with it.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  10. #10
    za kAT
    Guest

    Re: NAT router info please

    On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:

    > za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    >> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    >>>> On 12 Aug 2010 13:47:20 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>>>| NAT is not a security feature
    >>>>
    >>>> Why?
    >>>
    >>> Because it wasn't designed (nor intended) to be one.

    >>
    >>> NAT is a feature to *enable* communication between private and public
    >>> networks.

    >>
    >> I thought that was IP masquerading.

    >
    > IP masquerading (or port address translation, PAT) is the most commonly
    > used subset of NAT nowadays.


    That's interesting, because I'd always understood IP masquerading to be the
    act of 'hiding' many addresses behind another. Not another name for PAT.
    It's an idea, not a physical act. Maybe I'm wrong, I couldn't quickly find
    a good definition.

    Whereas NAT, which you rightly point out as usually meaning PAT/NAPT is a
    physical act. Maybe you're right, I dunno, but true NAT[1:1] still hides an
    address.

    > It's correct that NAT is not limited to
    > remapping private to public addresses and vice versa, but even so,
    > it's still a technology invented to enable rather than restrict
    > communication.


    Yeah but, a hammer was designed to knock nails in, but it can still be an
    offensive weapon.

    >>> The purpose of network security measures is to *restrict*
    >>> communication between networks. These are fundamentally different
    >>> concepts.

    >>
    >> It does restrict communication inbound.

    >
    > Not necessarily. Which is exactly the problem.


    I assume you are referring to its inability to really tackle solicited
    outbound wrt malware. I still don't see it as a problem, just part of a
    simple solution, when paired with an AV suite.

    > Besides, what's actually
    > restricting inbound communication in case of private addresses is the
    > convention that private IP addresses must not be routed over public
    > networks. The NAT device itself doesn't have much to do with it.


    Partly, but also the lack of a mapping in the state table means unsolicited
    inbound is dropped.

    --
    zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
    Assigned to protect you. You've been targeted for denigration!

  11. #11
    Ansgar -59cobalt- Wiechers
    Guest

    Re: NAT router info please

    za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    > On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:
    >> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    >>> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>>> NAT is a feature to *enable* communication between private and
    >>>> public networks.
    >>>
    >>> I thought that was IP masquerading.

    >>
    >> IP masquerading (or port address translation, PAT) is the most
    >> commonly used subset of NAT nowadays.

    >
    > That's interesting, because I'd always understood IP masquerading to
    > be the act of 'hiding' many addresses behind another. Not another name
    > for PAT. It's an idea, not a physical act. Maybe I'm wrong


    Yes.

    [...]
    >>>> The purpose of network security measures is to *restrict*
    >>>> communication between networks. These are fundamentally different
    >>>> concepts.
    >>>
    >>> It does restrict communication inbound.

    >>
    >> Not necessarily. Which is exactly the problem.

    >
    > I assume you are referring to its inability to really tackle
    > solicited outbound wrt malware.


    No, that's a whole different can of worms. I'm referring to the problem
    that any NAT implementation needs to make (more or less educated)
    guesses about which inbound packet really relates to an established
    outbound communication. Think about DNS requests for instance.

    > I still don't see it as a problem, just part of a simple solution,
    > when paired with an AV suite.


    I like simple solutions when they're reliable. NAT as a security feature,
    however, isn't. Not to mention that any AV suite is as far from a "simple
    solution" as it gets.

    >> Besides, what's actually restricting inbound communication in case of
    >> private addresses is the convention that private IP addresses must
    >> not be routed over public networks. The NAT device itself doesn't
    >> have much to do with it.

    >
    > Partly, but also the lack of a mapping in the state table means
    > unsolicited inbound is dropped.


    See above.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  12. #12
    Regis
    Guest

    Re: NAT router info please

    za kAT <zakAT@super-secret-IPaddress.invalid> writes:

    > Partly, but also the lack of a mapping in the state table means unsolicited
    > inbound is dropped.


    Not to mention that as implemented, home routers these days are far
    from being just routers that implement NAT. They also act as a switch
    as well as a stateful packet inspection firewall.

    So, feel free to take Ansgar's rant about "NAT isn't a security
    feature" as true, but a bit of an anachronistic rant of pedantry in
    this context.

    It's true, NAT doesn't secure anything in and of itself, but that's a
    bit academic in the face of real implementations that are on the
    market. Home routers are actually not all that awful for how much
    functionality they pack into one box. URL filtering, http proxying
    and having some easy way to have them limit outbound connections
    intelligently would be a nice to have as would IDS/IPS, but the lack
    of such goodies doesn't make them quite as worthless to me as Ansgar
    seems to feel.


    So, to the OP, what was the argument about that makes you want to
    learn more about what you were arguing about?


  13. #13
    Ansgar -59cobalt- Wiechers
    Guest

    Re: NAT router info please

    Regis <ordsec@gmail.org> wrote:
    > za kAT <zakAT@super-secret-IPaddress.invalid> writes:
    >> Partly, but also the lack of a mapping in the state table means
    >> unsolicited inbound is dropped.

    >
    > Not to mention that as implemented, home routers these days are far
    > from being just routers that implement NAT. They also act as a switch
    > as well as a stateful packet inspection firewall.
    >
    > So, feel free to take Ansgar's rant about "NAT isn't a security
    > feature" as true, but a bit of an anachronistic rant of pedantry in
    > this context.


    Not really, because on those devices the security is provided by the
    packet filtering mechanism, not by the NAT implementation. That is a
    fundamental difference, even if both mechanisms are implemented on the
    same device.

    To make reasonable decisions security-wise, one needs to understand what
    a technology can and cannot do. I do not believe in confusing people by
    mixing up distinct technologies.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  14. #14
    David H. Lipman
    Guest

    Re: NAT router info please

    From: "shrill chris" <plusnet@chris.millbank>

    | Need an idiot's guide to NAT routers. I'm having a discussion with
    | someone about NATs and PFWs. I'm technical but need to check a few
    | basics. TIA.

    Please ask in a networking group.
    It is OT for; alt.comp.freeware & alt.privacy



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  15. #15
    za kAT
    Guest

    Re: NAT router info please

    On 12 Aug 2010 19:24:56 GMT, Ansgar -59cobalt- Wiechers wrote:

    > za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    >> On 12 Aug 2010 16:44:35 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>> za kAT <zakAT@super-secret-ipaddress.invalid> wrote:
    >>>> On 12 Aug 2010 15:31:31 GMT, Ansgar -59cobalt- Wiechers wrote:
    >>>>> NAT is a feature to *enable* communication between private and
    >>>>> public networks.
    >>>>
    >>>> I thought that was IP masquerading.
    >>>
    >>> IP masquerading (or port address translation, PAT) is the most
    >>> commonly used subset of NAT nowadays.

    >>
    >> That's interesting, because I'd always understood IP masquerading to
    >> be the act of 'hiding' many addresses behind another. Not another name
    >> for PAT. It's an idea, not a physical act. Maybe I'm wrong

    >
    > Yes.


    OK, found the answer now. IP masquerading is a slightly different PAT
    service to SNAT. One for dynamic, the other for static external interfaces.


    >>>>> The purpose of network security measures is to *restrict*
    >>>>> communication between networks. These are fundamentally different
    >>>>> concepts.
    >>>>
    >>>> It does restrict communication inbound.
    >>>
    >>> Not necessarily. Which is exactly the problem.

    >>
    >> I assume you are referring to its inability to really tackle
    >> solicited outbound wrt malware.

    >
    > No, that's a whole different can of worms. I'm referring to the problem
    > that any NAT implementation needs to make (more or less educated)
    > guesses about which inbound packet really relates to an established
    > outbound communication. Think about DNS requests for instance.


    Well I guess it doesn't know. It just knows it sent a UDP packet out on
    port XXX, and what it receives back on that port it considers to be the
    reply. It can probably make simple guesses, like anything for destination
    port 53 will not be expecting a large reply, and there must be a timeout.

    It can't take the packet apart, and examine it like a proxy.

    It seems to me though that nothing can come in until a connection is made
    out. The port it goes out on /should/ be fairly random, and with a timeout
    it only gives small windows of opportunity.

    >> I still don't see it as a problem, just part of a simple solution,
    >> when paired with an AV suite.

    >
    > I like simple solutions when they're reliable. NAT as a security feature,
    > however, isn't. Not to mention that any AV suite is as far from a "simple
    > solution" as it gets.


    Aw! come on. My AV just wor(*^(^&)^(&%(%....

    --
    zakAT@pooh.the.cat - Sergeant Tech-Com, DN38416.
    Assigned to protect you. You've been targeted for denigration!

  16. #16
    Bear Bottoms
    Guest

    Re: NAT router info please

    On Aug 12, 9:19 am, za kAT <za...@super-secret-IPaddress.invalid>
    wrote:
    > On Thu, 12 Aug 2010 18:13:24 +0200, hummingbird wrote:
    >
    > Go away sonny. I didn't make the original post.
    >
    > It's no wonder everyone take the piss out of you.
    >
    > --
    > za...@pooh.the.cat - Sergeant Tech-Com, DN38416.
    > Assigned to protect you. You've been targeted for denigration!


    Kitty,I got a private email from a Native American who wants to take
    on BB? Want to join our alliance?
    Habby Gabby

  17. #17
    Chris Davies
    Guest

    Re: NAT router info please

    za kAT <zakAT@super-secret-ipaddress.invalid> wrote, regarding NAT:
    > The port it goes out on /should/ be fairly random, and with a timeout
    > it only gives small windows of opportunity.


    You're fairly seriously ramping up the complexity there. In order to
    change the source port number you either need to inspect the protocol flow
    or make the originator application aware it's behind a NAT device. (Think
    FTP's "PORT" command, or anything to do with SIP.)

    And it's not possible to avoid changing the source port number, as the
    device is handling a 1:N relationship (think of two internal devices,
    both originating traffic on, say, port 12345).

    NAT is a botch. A mostly-effective one, agreed. But a botch nevertheless.
    Chris
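
The mechanism the last few posts argue over, as an added example that is not part of the thread or of any router's firmware: a toy Python model of the translation table a masquerading (PAT/NAPT) router keeps. It shows Chris Davies' 1:N point (two inside hosts both sending from port 12345 must be given different external ports, so the source port has to change), Ansgar's point in #11 that the device can only guess which inbound datagram belongs to an outbound exchange (the "reply" to a DNS query is matched on the 5-tuple alone, so a datagram from any host to the mapped port is passed inside), and the idle timeout za kAT mentions in #15. The WAN address, port pool, timeout and every packet are constructed for the demo (documentation address ranges). The two filtering modes use RFC 4787's vocabulary (endpoint-independent vs address-and-port-dependent filtering); the stricter mode is a packet-filter decision layered on top of the mapping, which is exactly the distinction drawn in #13.

```python
"""Toy NAPT (IP masquerading) translation table.

Added example, not code from the thread or any router. All addresses,
ports and packets are constructed for the demo. Mapping behaviour is
endpoint-independent (one external port per inside ip:port); filtering
behaviour is selectable, following the RFC 4787 terms.
"""
from dataclasses import dataclass
from typing import Optional

WAN_IP = "203.0.113.7"      # assumed router WAN address (RFC 5737 range)
FIRST_EXT_PORT = 40000      # assumed start of the translation port pool
UDP_TIMEOUT = 30.0          # assumed idle lifetime of a UDP mapping, seconds


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    inside_ip: str
    inside_port: int
    remotes: set          # (ip, port) endpoints the inside host has sent to
    last_seen: float


class Napt:
    def __init__(self, filtering: str = "endpoint-independent",
                 wan_ip: str = WAN_IP, timeout: float = UDP_TIMEOUT):
        assert filtering in ("endpoint-independent", "address-and-port-dependent")
        self.filtering = filtering
        self.wan_ip = wan_ip
        self.timeout = timeout
        self.next_port = FIRST_EXT_PORT
        self.by_ext_port: dict = {}     # external port -> Mapping
        self.by_inside: dict = {}       # (inside ip, inside port) -> external port

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Rewrite an inside->Internet packet; create or refresh its mapping."""
        key = (pkt.src_ip, pkt.src_port)
        ext_port = self.by_inside.get(key)
        if ext_port is None:
            # 1:N: two inside hosts using the same source port need different
            # external ports, so the source port cannot be preserved.
            ext_port = self.next_port
            self.next_port += 1
            self.by_inside[key] = ext_port
            self.by_ext_port[ext_port] = Mapping(pkt.src_ip, pkt.src_port, set(), now)
        m = self.by_ext_port[ext_port]
        m.remotes.add((pkt.dst_ip, pkt.dst_port))
        m.last_seen = now
        return Packet(self.wan_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Translate an Internet->inside packet, or return None if dropped.

        Only the 5-tuple and the mapping's age are consulted; the payload is
        never examined, so the box cannot know whether this is really the
        reply the inside host is waiting for.
        """
        m = self.by_ext_port.get(pkt.dst_port)
        if m is None or pkt.dst_ip != self.wan_ip:
            return None                          # no mapping: unsolicited
        if now - m.last_seen > self.timeout:
            self._expire(pkt.dst_port)           # stale mapping: drop
            return None
        if (self.filtering == "address-and-port-dependent"
                and (pkt.src_ip, pkt.src_port) not in m.remotes):
            return None                          # unknown remote endpoint
        m.last_seen = now
        return Packet(pkt.src_ip, pkt.src_port, m.inside_ip, m.inside_port)

    def _expire(self, ext_port: int) -> None:
        m = self.by_ext_port.pop(ext_port)
        self.by_inside.pop((m.inside_ip, m.inside_port), None)


def demo() -> dict:
    """Walk through the cases discussed in the thread; returns the results."""
    dns = ("198.51.100.5", 53)     # constructed: the resolver both hosts query
    nat = Napt()                   # endpoint-independent filtering, as on most home routers
    # Two inside hosts both pick source port 12345 for a DNS query.
    a = nat.outbound(Packet("192.168.1.10", 12345, *dns), now=0.0)
    b = nat.outbound(Packet("192.168.1.11", 12345, *dns), now=0.0)
    # A packet to a port nobody mapped has nowhere to go.
    unsolicited = nat.inbound(Packet("198.51.100.9", 4444, WAN_IP, 22), now=1.0)
    # The genuine reply to host A is translated back.
    reply_a = nat.inbound(Packet(*dns, WAN_IP, a.src_port), now=1.0)
    # A datagram from an unrelated host to the same mapped port gets through
    # just the same: the port is all the NAT has to go on.
    forged = nat.inbound(Packet("192.0.2.66", 53, WAN_IP, a.src_port), now=2.0)
    # Stricter filtering (a packet-filter decision, not a NAT one) stops it.
    strict = Napt(filtering="address-and-port-dependent")
    c = strict.outbound(Packet("192.168.1.10", 12345, *dns), now=0.0)
    forged_strict = strict.inbound(Packet("192.0.2.66", 53, WAN_IP, c.src_port), now=2.0)
    # After the idle timeout even the real reply to host B is dropped.
    late_b = nat.inbound(Packet(*dns, WAN_IP, b.src_port), now=UDP_TIMEOUT + 1.0)
    return {"ext_port_a": a.src_port, "ext_port_b": b.src_port,
            "unsolicited": unsolicited, "reply_a": reply_a,
            "forged": forged, "forged_strict": forged_strict, "late_b": late_b}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

Running the file prints each case; the `forged` line is the one to look at. It is delivered to 192.168.1.10 exactly as the genuine reply was, because nothing in the mapping distinguishes the two, which is what "educated guess" means in practice. Only the extra filtering rule, not the translation, turns it into a drop.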
