6

Network Address Translation (NAT) seems to sort of act as a firewall for the hosts behind it because they are not available. Although I would never rely on this as my firewall, what are its failures as a firewall?

I am asking this for what I would call 'academic' reasons. I am aware the NAT will not protect people from getting into the firewall device itself, and that more layers of security are better. I am more interested in how, if NAT were being used for this purpose, NAT itself might be exploited.

Update, for example:
One public IP: 10.10.10.10
One LAN: 192.168.1.1/24

If all outgoing traffic from the lan has outgoing NAT to 10.10.10.10, and the only other NAT mapping is 10.10.10.10 port 80 mapped to 192.168.1.100. How might port 22 on 192.168.1.50 be accessed?

Kyle Brandt

5 Answers

8

With NAT, IP addresses in the internal network are not routable from the external one; the comparison with a firewall is not completely correct, because a firewall filters network traffic which, ordinarily, should be able to flow through it; NAT reshapes traffic that ordinarily shouldn't be able to flow that way, allowing it to flow under some specific rules.

A firewall guards a door that would be otherwise open.
A NAT opens a door where there isn't one.

With a firewall you could allow all traffic from the external network to the internal protected one; with a NAT you couldn't, even if you wished.

They're two totally different things, even if they're often confused; as far as security is concerned, a private-IP network behind a NAT is actually more secure than a public-IP network behind a firewall.

Update to respond to your example

That's exactly what I was talking about; in your case, 192.168.1.50 isn't addressable from the outside, so there's absolutely no way it can be accessed, unless you explicitly forward some external IP/port to it.

Massimo
  • So for the best security you NAT behind a firewall? – prestomation Sep 09 '09 at 12:57
  • It's always better to have as many layers of security as possible; if your NAT device is behind a firewall, you can protect *it* from being compromised. – Massimo Sep 09 '09 at 13:06
  • With the 'There is *no way*', that is what I am looking for, I am wondering if there might be ways. Maybe by guessing the port overloading, session hijacking, or something like that. – Kyle Brandt Sep 09 '09 at 13:30
  • Even if you were able to hijack sessions from the outside, you still would not be able to send a packet to a given port on a given internal IP address, unless a connection with the same IP/port as its source was initiated from inside. – Massimo Sep 09 '09 at 13:34
  • Note that you are supposing I'm always NATing a "private net" (that is the common use), but technically speaking there is no reason for a NAT to not act on perfectly valid and routable IPs – drAlberT Sep 09 '09 at 14:10
  • Technically true, but I think it would be quite strange to NAT a set of public IP addresses that would be otherwise routed through exactly the same gateway. – Massimo Sep 09 '09 at 14:13
  • @Myself: never say "never". I recently started working at a place that actually uses *PUBLIC* IPs in its network, but each office has its own Internet connection which uses *other* public IPs. And yes, there's NAT. But the reason here is that those public internal IPs wouldn't ordinarily be routed via the ISP links, but via a WAN connection and the main HQ Internet link. Anyway, yes, public IPs can be NATted under certain circumstances. – Massimo Jan 28 '11 at 14:44
2

By default, a simple NAT would drop or reject any incoming connection to a non-mapped port. That by itself is the first and most important feature of a firewall. So yes, a NAT works as a limited firewall.

But there are two important limitations:

  1. By default, a NAT doesn't block any outgoing connection, so you're vulnerable to any kind of infection that gets inside somehow. The simplest example is a malicious webpage or email attachment. In many cases, these malware include very limited code in the first load, and need some 'assistance' from the outside. If you have a firewall with tight restrictions, it could block that step, stopping or slowing the damage.

  2. A NAT's primary function is to facilitate connection, not to block it. Therefore it's usually desirable to offer some way to circumvent the inherent NAT limitation on incoming connections. UPnP, STUN, Teredo, SOCKS, etc. all make it possible for a machine in your network to ask for incoming connections. A NAT that doesn't make them possible is seen as overly and needlessly restrictive; so the 'ideal' scenario is one where the NAT allows easy 'hole punching' and a proper firewall allows the administrator to apply policies.
Javier
1

In general, a perimeter device (NAT Router/Firewall, etc.) can be exploited due to implementation errors (like allowing admin access or uPnP (see https://community.rapid7.com/docs/DOC-2150 ) from an external interface), or human operator errors (like opening up a hole for port forwarding, and forgetting it's there).

Firewalls are more complicated, and therefore more prone to human errors. Neither will protect you from social engineering, phishing, etc. Higher-level packet inspection firewalls can detect malware.

Other potential flaws may be caused by implementation problems in other equipment, such as a vulnerability in a system exposed by port forwarding, uPnP, etc. Because the NAT router forwards packets to a device, the device must therefore protect itself. BTW, some people suggest a double-NAT setup, with the more secure services behind two NAT routers, and bit-torrent, gaming console and bitcoin miners just protected by the single NAT router.

One potential attack vector would be the use of UDP-based traffic that is exposed by the NAT process, as UDP has no state - the protocol must authenticate session state, and it could be flawed. NAT routers open up a UDP port for a period of time, and it uses a timeout to close them, combined with the IP address of the remote connection. (A TCP session has a F-flag to indicate the session is finished). See http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html for the type of problem UDP can cause.

1

There are different scenarios:

  1. you don't have to expose any service via port forwarding, so your NAT is completely one-way for connections in NEW state
  2. you have to set up port forwarding on the NAT device in order to expose one or more public services
  3. you blindly think every PC and user behind your NAT is safe against a number of indirect attacks:
    • social engineering
    • viruses/Trojans
    • bad intentions
    • whatever a "user" can do in order to undermine the security from the inside

If you use a NAT and no real FW the consequences are that:
- point 1 is only as secure as point 3 can be
- if you expose services I can use them to gain access to the LAN (of course)
- I can mail a Trojan, malware or whatever you want that is able to open a reverse shell, or more generally to act as a reverse connection.

In all these cases you would get better protection if you were behind a real FW.

For the same reasons I filter outgoing traffic on my FW/servers too, in order to limit as much as possible the possibility of opening reverse connections.

Q: How might port 22 on 192.168.1.50 be accessed?
A: Find a way (see above) to install a reverse connection program on a PC or server inside the LAN, then it is trivial to access everything inside the LAN, as you are inside. Just an ssh -L can do the job.

drAlberT
  • Every network can be easily compromised if you have someone/something inside. You can tunnel almost anything in HTTP/S, which every firewall will be more than happy to let pass. Besides, a NAT device usually **can** filter traffic and only let given protocols/ports pass; I've never seen a router which will just blindly let everything go. – Massimo Sep 09 '09 at 19:08
  • NAT is not a device, it is a networking technique. A NAT device that usually filters is a device that acts as FW+NAT. Moreover we are not talking about the perfectly secure network (which is the one that is disconnected), but about the eventual improvement to security that a FW can give over a simple NAT (without FW-ing capabilities). – drAlberT Sep 10 '09 at 08:34
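The behaviour the answers above describe (Massimo's point that with only port 80 forwarded nothing can reach 192.168.1.50:22, the UDP timeout and remote-endpoint matching from the third answer, and the outbound filtering Javier and drAlberT recommend) as an added Python simulation; this is constructed illustration code, not anything posted by the answerers. It assumes a simplified PAT that only accepts a reply from the exact remote endpoint the outbound packet went to (real devices range from this "symmetric" behaviour to much more permissive ones), and it uses the question's 10.10.10.10 address.

```python
import time

PUBLIC_IP = "10.10.10.10"   # the single public address from the question


class Pat:
    """Toy port-address-translation table, constructed for illustration."""

    def __init__(self, udp_timeout=30.0, egress_allow=None):
        self.static = {}    # (proto, ext_port) -> (int_ip, int_port): configured forwards
        self.dynamic = {}   # (proto, ext_port) -> [int_ip, int_port, remote, expires]
        self.udp_timeout = udp_timeout
        # None models a bare NAT (every outbound flow is allowed); a set of
        # (proto, dst_port) models a NAT that also applies an egress policy.
        self.egress_allow = egress_allow
        self.next_port = 40000

    def forward(self, proto, ext_port, int_ip, int_port):
        """Static mapping such as 10.10.10.10:80 -> 192.168.1.100:80."""
        self.static[(proto, ext_port)] = (int_ip, int_port)

    def outbound(self, proto, int_ip, int_port, remote_ip, remote_port, now=None):
        """Internal host starts a flow; returns the translated source, or None if egress policy denies it."""
        if self.egress_allow is not None and (proto, remote_port) not in self.egress_allow:
            return None
        now = time.time() if now is None else now
        ext_port, self.next_port = self.next_port, self.next_port + 1
        # UDP mappings only live until a timeout; TCP ones stay until close().
        expires = now + self.udp_timeout if proto == "udp" else None
        self.dynamic[(proto, ext_port)] = [int_ip, int_port, (remote_ip, remote_port), expires]
        return (PUBLIC_IP, ext_port)

    def inbound(self, proto, src_ip, src_port, dst_port, now=None):
        """Packet from the Internet to PUBLIC_IP:dst_port; returns the internal destination or None if dropped."""
        now = time.time() if now is None else now
        if (proto, dst_port) in self.static:
            return self.static[(proto, dst_port)]
        entry = self.dynamic.get((proto, dst_port))
        if entry is None:          # nothing ever mapped this port: no path to any LAN host
            return None
        int_ip, int_port, remote, expires = entry
        if expires is not None and now > expires:
            del self.dynamic[(proto, dst_port)]
            return None
        # Assumed symmetric behaviour: only the endpoint the flow went to may answer.
        return (int_ip, int_port) if remote == (src_ip, src_port) else None

    def close(self, proto, ext_port):
        """TCP FIN/RST seen: drop the mapping at once instead of waiting for a timeout."""
        self.dynamic.pop((proto, ext_port), None)
```

With the question's setup (only port 80 forwarded) `inbound()` returns None for port 22 from any source, while the `egress_allow` set is the one thing here that a bare NAT lacks and a firewall adds.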
0

You would have to hack a connection to break through to the inside network, but it could be done. A man in the middle attack would be the first thing that comes to my mind... This is where a real firewall would be better over a NAT box. A firewall can have intelligence (IPS Intrusion Prevention) built in to watch for common exploits.
BTW, a true NAT box just uses the NAT lookup table to change the IP addresses of the inside clients to external addresses. What most people think of as a NAT box is really a PAT (Port Address Translation) box: one external IP and many internal IP addresses. In this case, both the IP address and the originating source port are translated.

In conclusion, a true NAT box is easy to get through. A PAT box is harder, but could still be compromised with a pretty basic attack.

Scott Lundberg
  • -1 for inaccuracy: "A firewall has intelligence built in to watch for common exploits." I think you are getting confused with an Intrusion Prevention System (IPS), (even though you could make the case that an IPS is essentially a layer 7 firewall...) The point is that in general, a firewall does not have built-in intel for common exploits. You have to write rules to allow/disallow traffic. – Josh Brower Sep 09 '09 at 17:02
  • @Josh, I agree that I was thinking of IPS when I said that, but if you use the definition from Wikipedia for a firewall, it still fits.
    A firewall is a dedicated appliance, or software running on a computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.
    I have edited my post to make that clear.
    – Scott Lundberg Sep 09 '09 at 18:42