Saturday, 10 November 2007

Does NAT make my system more secure?

First we have to divide our discussion. There is Static NAT, Dynamic NAT or PAT, and NAT-T. For this post let us call them SNAT, DNAT/PAT and NAT-T respectively.

NAT-T (Network Address Translation Traversal, or NAT Traversal in IKE) is a further complication and makes security with NAT more difficult and problematic. NAT-T is defined in RFCs 3947 and 3948. NAT-T is designed to solve the problems inherent in using IPSec with NAT. It adds an extra layer of complexity and insecurity that will not be covered in this already long post.

First, SNAT. Static NAT maps one IP address to another IP address: a one-to-one mapping. Though mapping an address/port combination may be seen as the goal, filtering ports is a function of the ACLs on the host, not of the NAT. In this situation it is possible to determine the internal IP address assigned to the system and also to send packets to it (i.e. scan it).

SNAT directly maps a system. As a consequence there is little benefit to security from the NAT’ing process. If for instance we take a Checkpoint Firewall, there are two sets of tables in memory: first the IP mapping for NAT, then the ACL mapping for the filter. If the ACL were to fail open, a scan of the SNAT’d address would be the same as a scan of any valid address on the Internet through a router: no additional protection at all.

So with Static NAT we see that the value is not one of added security.
The associated ACLs provide that, NOT the NAT.

DNAT/PAT, aka “porting”, is a feature which allows many devices on a LAN (Local Area Network) to share one IP address by allocating a unique port number at layer four. With PAT there is a VERY minimal gain in security. It filters out the lower end of the script kiddies. That is it.
It is possible to scan through PAT (just not dynamically). The system will have an assigned mapping of ports to address and host combinations. These mappings are allocated sequentially, not using any obscuration techniques. This allows an attacker to monitor traffic and build a map of the internal systems over time.

Coupled with the fact that NAT does not strip content at the application layer, this means that the attacker will still be able to map internal addresses. It takes more time and is more difficult than having no PAT, but it can be done. In particular, HTTP will still send the client IP in a packet. An internal proxy will help, but this is another issue: the proxy is a separate security function, not a part of NAT/PAT, and should not be allowed to confuse this issue.
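The sequential allocation described above is something a defender can check for on their own PAT device by watching the source ports it chooses for new outbound translations. The following Python is an added example and not code from the original post; the port samples are constructed, and the 0.8 classification threshold is an assumed value. It scores how often consecutive allocations differ by exactly one, and shows the counter leak that a sequential allocator gives away (the gap between two observed ports is the number of translations created in between), which a randomised allocator does not.

```python
# Constructed samples of source ports as seen on the outside of a PAT device,
# one entry per new outbound translation, in the order they were observed.
SEQUENTIAL_SAMPLE = [1024 + i for i in range(12)]          # 1024, 1025, ..., 1035
RANDOMISED_SAMPLE = [40213, 5177, 61002, 22840, 1999, 47311,
                     9300, 33871, 58420, 14766, 27059, 50928]  # hand-picked, no +1 steps
MOSTLY_SEQUENTIAL = [1024, 1025, 1026, 1030, 1031]          # one gap from port reuse


def sequential_fraction(ports):
    """Fraction of consecutive observations where the port rose by exactly 1.
    1.0 means a strictly sequential allocator; a well randomised allocator
    should score close to 0.0."""
    if len(ports) < 2:
        return 0.0
    steps = [later - earlier for earlier, later in zip(ports, ports[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def assess(ports, threshold=0.8):
    """Classify an observed port sequence. The threshold is an assumed value;
    tune it to the device and sample size you are auditing."""
    return "sequential" if sequential_fraction(ports) >= threshold else "randomised"


def new_translations_between(first_port, later_port, allocator_is_sequential):
    """With a sequential allocator, two ports observed at different times reveal
    how many translations the device created in between (the mapping-over-time
    problem the post describes). With a randomised allocator nothing can be read
    off, so the function returns None."""
    if not allocator_is_sequential:
        return None
    return later_port - first_port - 1


if __name__ == "__main__":
    for name, sample in [("sequential", SEQUENTIAL_SAMPLE),
                         ("randomised", RANDOMISED_SAMPLE),
                         ("mostly sequential", MOSTLY_SEQUENTIAL)]:
        print(f"{name:18s} fraction={sequential_fraction(sample):.2f} -> {assess(sample, 0.5)}")
    print("translations hidden between ports 1024 and 1030:",
          new_translations_between(1024, 1030, True))
```

If your device scores near 1.0 on a sample taken from its outside interface, the mitigation is on the device side (randomised port selection where the firmware offers it) rather than anything NAT itself provides.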

Further, it is possible to collect ICMP and other responses to map systems through PAT without scanning. Responses from the router that supports PAT may be collected and collated to map the internal network over time. In many cases, when a router is used for PAT this is actually the better option for the attacker, as router logs are commonly not well protected and in many cases are not centralised. Even better for the attacker, a router that only logs to its internal buffer can be made to flush the evidence of the attack.

Now however, DNAT does have a security benefit. There is no currently existing means (though there are theories) to ACTIVELY scan an internal network through a DNAT connection (there are passive means). Yes, you can piggyback on a system that is being DNAT’d and scan, but you cannot initiate a scan through the DNAT to the protected network. This is good for client machines and systems that make outgoing connections only. It will be of no use to a server or to connections that come inbound. In other words, it does nothing at all to protect your Internet-facing web server.

Dynamic NAT requires packets to be switched through the NAT router in order to generate NAT translations in the translation table. With Cisco routers, this is done using the “ip nat inside” command. It means that internally addressed packets must originate from the inside. Using the “ip nat outside” command, the packets have to come from the external interface. So DNAT offers a simple anti-spoofing benefit. It must also be stated that this benefit is simple to configure without NAT, and doing so takes less memory on the router.
Static NAT does not require packets to be switched through the router; translations are statically entered into the translation table. That is, the router adds the SNAT entries to its routing table.

On Cisco (and many other) routers it is allowable in the Cisco code (and hence possible) to use the same global address for PAT and Static NAT. There are security issues with this, and it is better to use different global addresses.

Next, NAT will not protect the internal address of the router. So if we have a router with an internal address of, it is possible to send packets to this interface. SO WHAT, you say? Well, this means that it is possible (without ACLs) to have the router respond with the internal address range. So the obfuscation of the internal address range is not obtained at all from NAT, and this is something that people generally think is a key benefit of NAT.

Benefits and Summary.
With DNAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table. This means that the attacker has to wait for an outgoing connection or attack the router.

Static NAT results in translations that reside in the NAT translation table from the moment you configure any static NAT command(s), and they remain in the translation table until you delete the static NAT command(s). So these are routed directly.
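The two translation-table behaviours above (dynamic entries created only by inside-originated traffic and purged on timeout; static entries present from configuration and reachable on every port) are easiest to see side by side in a small model. The following Python is an added example, not code from the post or from any router vendor; the addresses are documentation ranges, the 300-second timeout is an assumed value, and there is deliberately no ACL in the model, so the forwarding of every inbound packet to the SNAT'd host is the post's point made concrete, not a feature.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """Toy model of a router holding both kinds of translation the post contrasts.
    SNAT entries exist from configuration time and never expire; PAT entries are
    created only by outbound traffic and are purged after `timeout` seconds."""
    global_ip: str                   # outside address shared by all PAT clients
    timeout: int = 300               # lifetime of a dynamic translation (assumed value)
    now: int = 0                     # model clock, seconds
    next_port: int = 1024            # sequential allocator, as the post describes
    static: Dict[str, str] = field(default_factory=dict)   # inside_ip -> outside_ip
    # (outside_ip, outside_port) -> (inside_ip, inside_port, expiry)
    dynamic: Dict[Tuple[str, int], Tuple[str, int, int]] = field(default_factory=dict)

    def add_static(self, inside_ip: str, outside_ip: str) -> None:
        """Static mapping: present from the moment it is configured until removed."""
        self.static[inside_ip] = outside_ip

    def tick(self, seconds: int) -> None:
        """Advance the clock and purge dynamic translations that have timed out."""
        self.now += seconds
        self.dynamic = {k: v for k, v in self.dynamic.items() if v[2] > self.now}

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the inside interface: translate the source address."""
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        port = self.next_port                      # PAT: take the next port...
        self.next_port += 1
        self.dynamic[(self.global_ip, port)] = (pkt.src, pkt.sport, self.now + self.timeout)
        return Packet(self.global_ip, port, pkt.dst, pkt.dport)   # ...and record the mapping

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the outside interface. Returns the packet that would be
        forwarded inside, or None when no translation exists and it is dropped."""
        for inside_ip, outside_ip in self.static.items():
            if pkt.dst == outside_ip:              # SNAT host: any port goes straight in
                return Packet(pkt.src, pkt.sport, inside_ip, pkt.dport)
        entry = self.dynamic.get((pkt.dst, pkt.dport))
        if entry is None or entry[2] <= self.now:  # no live PAT translation: drop
            return None
        inside_ip, inside_port, _ = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def demo() -> dict:
    """Walk through the behaviours the post describes and return each outcome."""
    r = NatRouter(global_ip="203.0.113.10")
    r.add_static("10.0.0.80", "203.0.113.80")          # internal web server, SNAT'd
    results = {}
    # 1. Unsolicited inbound to the shared PAT address: no translation, dropped.
    results["pat_unsolicited"] = r.inbound(Packet("198.51.100.9", 40000, "203.0.113.10", 1024))
    # 2. A client opens an outbound connection; the reply to the allocated port is forwarded.
    out = r.outbound(Packet("10.0.0.5", 51000, "198.51.100.1", 443))
    results["pat_outbound"] = out
    results["pat_reply"] = r.inbound(Packet("198.51.100.1", 443, "203.0.113.10", out.sport))
    # 3. Once the translation has timed out, the same reply is dropped again.
    r.tick(r.timeout + 1)
    results["pat_reply_after_timeout"] = r.inbound(Packet("198.51.100.1", 443, "203.0.113.10", out.sport))
    # 4. The SNAT'd server: inbound on any port is forwarded; only an ACL could stop it.
    results["snat_inbound_ssh"] = r.inbound(Packet("198.51.100.9", 40000, "203.0.113.80", 22))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {'dropped' if outcome is None else outcome}")
```

Outcome 4 is the one to dwell on: with the static entry in place the router forwards port 22 to the internal server exactly as it forwards port 80, which is why the post insists the protection for SNAT'd hosts comes from the ACL and not from NAT.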

So to summarise: NAT will add some layer of security to client machines and those with outgoing connections. It will do little to protect servers that require incoming connections using SNAT. These entries are held in the routing table, and it is the ACL, not NAT, that protects the system.

DNAT still allows outgoing connections. ACLs, not NAT, filter these. NAT alone with no egress filters is still vulnerable to attack. It is just more difficult.

Now to connect a shell through DNAT (a shovelling shell).
For details, see my last post, “Escaping packets can help open the door into your network” of Thursday, November 8, 2007.
The result: the attacker has a command shell to your system through your firewall or NAT router. This even works on firewalls that block ALL incoming traffic with ACLs.

Packet filters are easily fooled and NAT offers no protection here. Again I have to state that a good proxy-level firewall is not vulnerable and will secure your systems from this, but fewer and fewer of these are being used.
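The shovelled shell works because, as the post says, NAT with no egress filter lets any inside host initiate any outbound connection. An egress policy is the control that closes this, and the following Python is an added example of auditing flow records against one; it is not code from the post or from any firewall product. The policy, the host roles and the flow records are all constructed: servers in the model are inbound-only and must never initiate outbound connections, while clients may only go out to a short list of services.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection record, recorded from the point of view of the initiator."""
    src: str        # address that opened the connection
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"


# Constructed policy for a model network (RFC 1918 inside, documentation ranges outside).
INTERNAL_PREFIX = "10.0.0."
INBOUND_ONLY_HOSTS = {"10.0.0.80", "10.0.0.25"}            # web and mail servers
CLIENT_EGRESS_ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def egress_violation(flow: Flow) -> Optional[str]:
    """Return the reason this flow breaks the egress policy, or None if it is fine.
    Only inside-to-outside flows are judged; inbound flows are the ACL's job."""
    if not is_internal(flow.src) or is_internal(flow.dst):
        return None
    if flow.src in INBOUND_ONLY_HOSTS:
        # A server that only ever accepts connections has no business calling out;
        # this is the pattern a shovelled shell through DNAT produces.
        return "inbound-only host initiated an outbound connection"
    if (flow.proto, flow.dport) not in CLIENT_EGRESS_ALLOWED:
        return f"client egress to {flow.proto}/{flow.dport} not permitted"
    return None


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run every record through the policy and collect the violations in order."""
    violations = []
    for flow in flows:
        reason = egress_violation(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations


# Constructed flow records, as a flow collector behind the NAT might export them.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.1", 443, "tcp"),     # client browsing: allowed
    Flow("10.0.0.5", "198.51.100.53", 53, "udp"),     # client DNS: allowed
    Flow("198.51.100.9", "10.0.0.80", 80, "tcp"),     # inbound to the web server: not egress
    Flow("10.0.0.80", "198.51.100.9", 12345, "tcp"),  # web server calling out: violation
    Flow("10.0.0.5", "198.51.100.9", 6667, "tcp"),    # client to an unapproved port: violation
]


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The same policy expressed as an outbound ACL on the NAT device would prevent the connection rather than merely report it; the audit is useful where the ACL is missing or, as the post notes of router logs, where you want an independent record of what actually left the network.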

Source Routing Exploits
It may be of interest to know that many of the "low end" NAT based firewalls can be bypassed using Loose Source Routing. Even though the internal addresses are "hidden" with NAT, it is possible to route to them. More on this another time...


Sandy Shaw said...

I like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.
ISDN Configuration

Craig Wright said...

More will follow. I am around 4 weeks from submitting my current thesis (doctorate 2 & LAST FOR SOME TIME).

Once I have completed this, I will be back to posting.