  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
| New FAQ: When is an NAT router inadequate
We had discussed this a couple of months ago, but I never got it finished. I added a bit on where to get free software firewalls.
Feedback, suggestions, and updated info for the FAQ welcome. Please post it here.
»Security »When is an NAT router inadequate protection? -- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) |
|
 Daemon Premium join:2003-06-29 San Francisco, CA
·Comcast
| excellent work.
However, I might suggest changing the heading to '*how* is a NAT router' since your post and my understanding is that it's not adequate under almost any circumstances (since you have no outbound protection) -- -Ryan Find me in the networking and Microsoft help forums |
|
  DaDogs Semper Vigilantis Premium join:2004-02-28 Deltaville, VA 1 edit | reply to keith2468 O'tay...
»/profile/304237
'scuse me... I mean:
»/metashare/298b33
Why? |
|
  javaMan Premium,MVM join:2002-07-15 San Luis Obispo, CA
1 edit | reply to keith2468 Yes, pretty thorough. I would only suggest an organizational change. I think I would place the NAT description, definition and history of the router first giving the reader a foundation. Then list the restrictions and limitations. And lastly recommendations. All the information is very well documented I would just suggest a bit of reorganization. Comes from reading a lot of technical documents I guess.  -- Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20 |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
| reply to keith2468 Ryan, they usually are adequate for keeping things out.
For people who don't use AOL, and who don't have port forwarding or the DMZ activated, there is not really a benefit in having an "SPI firewall" over a NAT router.
That said, with either an "SPI firewall" or a NAT router there is an additional benefit if a software firewall is added.
Javaman, it would be more educational to explain about how they work first, and certainly being a techie I'd read to the end, but some people just want the quick answer. And the eyes of some people will glaze over when they get to the techie stuff.
So I want to keep the essential basics at the top.
I will look at re-organizing it though. Also I'd like to shorten it. -- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ) |
|
  javaMan Premium,MVM join:2002-07-15 San Luis Obispo, CA
| reply to keith2468 Well, I think you have done a good job. If you reorganized the material and perhaps added section headings you would accomplish a couple of things. You really wouldn't need to shorten it because those who wanted just the recommendations without the "tech info" could easily find it and those who wanted more detailed information could read the whole article. Anyway, just my two cents. Good job though. -- Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20 |
|
  TerryMiller Premium join:2003-10-23 | reply to keith2468 Great job. I believe I'll be referring many people from the networking forum to your FAQ. |
|
  DaDogs Semper Vigilantis Premium join:2004-02-28 Deltaville, VA | reply to keith2468 Nice, well written document. It is tough to treat the subject simply. Good work. |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
1 edit | reply to keith2468 Hmmm, not sure if this fits, since they would not be using the NAT router at the time. Both a laptop which might be moved or connected without the router, and a system which uses dial-up as a backup connection and connects without using the router, should have a software firewall.
Edit: I guess this one falls into the same category: if you ever need to remove the NAT device to troubleshoot your connection. -- Dog and Butterfly |
|
  Martinus Premium join:2001-08-06 EU | reply to keith2468 Good work,Keith |
|
  Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
| reply to keith2468 I don't like it much at all. It's disjointed and not easy to read. Further, a NAT router's function is not security, but a bit of security is a byproduct of a feature designed for sharing internet and creating the infrastructure for a LAN.
You imply that adding a SW firewall is a good idea, whereas I view the SW firewall (as well as an up-to-date AV) as core requirements for good security. NAT is what I would call the additional feature that assists (basically removes all the annoying scan hits seen on the SW firewall). -- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner" |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to keith2468 Frankly I don't understand the view that blocking outbound connections is worth so much. If I can get black code on your system, it's over and you're owned, and a software firewall isn't going to help very much. Pretty well every virus written today will drop a software firewall or any other security program running on your now infected system (for example see the write-up for Gaobot.zx at »securityresponse.symantec.com/av···.zx.html; also it's a good idea not to use any of those listed passwords etc.), so help me understand the value of outbound protection from a software firewall that is no longer running. Anyone want to comment on how successful these viruses are at dropping security software? This was one of my questions for Microsoft concerning the firewall within the new XP SP2, as surely it will become a target in the future for black applications which kill off security processes.
The primary goal is to prevent compromise, not to do ineffective damage control after a compromise. So what value does a software firewall add above and beyond an anti-virus program if you are already running a hardware firewall? At least with a hardware firewall I can monitor the health of all systems on the network from a central point and generally not worry about who owns my hardware firewall (remembering to change all default passwords, of course).
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs:
·SureWest Internet
| One advantage to software firewall: I'm working for a new client and have a PPTP tunnel into their Windows network. The tunnel is encrypted. My hardware firewall can't do its job because it can't inspect tunnel traffic. Therefore I need a software firewall to stop unsolicited inbound traffic from the remote network. |
|
  ironwalker World Renowned Premium,MVM join:2001-08-31 Keansburg, NJ clubs:
·Optimum Online
| reply to keith2468 Software firewalls are getting smarter... process protection keeps them from being shut down, and a good strong password just for options helps seal the settings, imo.
I don't believe it's 100%, but my personal opinion is firewalls keep me in tune with what wants to send or call somewhere... mostly I had this for spyware reasons. -- "LIVE FREE OR DIE"www.Theforumz.com ---- www.ownt.com--First rule of fiber optics: you do not talk about fiber optics |
|
  Momzilla
| reply to keith2468 The software firewall on my husband's laptop caught something trying to call out to connect to an IRC channel just this week. He is equipped with scrupulously updated NIS and operating behind a NAT router. All Windows patches in place, filesharing disabled, IE security setting high. Norton 2004 with current signatures, Panda, Housecall, TD-3, and Pestpatrol all were unable to see or identify this. But because of the data from the software firewall, we were alerted to its existence, given the name of the process, and were able to locate it, kill the process, and delete it along with the registry entries while being protected from it being able to connect with its home base.
We still don't know specifically how it got in, or even what it was. Because of my experience, I would never operate a computer connected to the net without a software firewall that had outbound connection monitoring. |
|
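The kind of outbound alert Momzilla describes above (an unexpected process calling out to an IRC port) is easy to triage mechanically once the host firewall's log is in hand. The following is an added example, not code from the thread or from any firewall product: the log line format, the allowlist of expected processes and the sample lines are all constructed for the illustration, since ZoneAlarm, NIS and Sygate each export in their own format.

```python
"""Triage of outbound-connection events from a host firewall log.

Added example, not code from the thread.  The log format, the allowlist
and the sample lines are assumptions; adapt parse_line() to the export
format of whatever host firewall is in use.
"""
import re
from dataclasses import dataclass

# Ports commonly used by IRC servers; bots of this era were controlled over IRC.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Processes a typical home PC is expected to open connections from, with the
# destination ports they legitimately use.  Assumed for the example.
ALLOWLIST = {
    "iexplore.exe": {80, 443},
    "outlook.exe": {25, 110},
    "svchost.exe": {80, 443},  # Windows Update
}

# Assumed line shape: "<date> <time> OUT proc=<exe> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


@dataclass
class Event:
    ts: str
    proc: str
    ip: str
    port: int


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["proc"].lower(), m["ip"], int(m["port"]))


def classify(ev):
    """Return the list of reasons this outbound attempt deserves a look."""
    reasons = []
    if ev.port in IRC_PORTS:
        reasons.append("irc-port")
    allowed = ALLOWLIST.get(ev.proc)
    if allowed is None:
        reasons.append("unknown-process")
    elif ev.port not in allowed:
        reasons.append("unexpected-port")
    return reasons


def triage(lines):
    """Return [(Event, reasons)] for every parseable line that raised a flag."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample log: two normal connections, a callout from an unknown
# process, a browser talking to an IRC port, mail, and one unparseable line.
SAMPLE_LOG = """\
2004-06-14 21:03:11 OUT proc=iexplore.exe dst=198.51.100.7:80
2004-06-14 21:03:40 OUT proc=svchost.exe dst=198.51.100.9:443
2004-06-14 21:04:02 OUT proc=msupdate32.exe dst=203.0.113.5:6667
2004-06-14 21:04:05 OUT proc=iexplore.exe dst=203.0.113.5:6667
2004-06-14 21:05:00 OUT proc=outlook.exe dst=198.51.100.20:25
garbage line the parser should ignore
"""

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.proc} -> {ev.ip}:{ev.port}  {', '.join(reasons)}")
```

Two of the constructed lines are flagged: the unknown `msupdate32.exe` calling port 6667, and the browser doing the same (an injected or hijacked process looks exactly like this). The allowlist is the part that needs local tuning; the IRC-port check on its own is the cheap, high-signal rule.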
 B Premium,MVM join:2000-10-28
| quote: 1. While not being "just firewalls", in their normal configurations many:1 (M:1) network address translation (NAT) routers, the kind that map one external IP address to many local computers, do effectively prevent unsolicited inbound packets reaching an internal network.
That first paragraph should probably get the boot. It's confusing to me, let alone to a security newbie. The "many:1" terminology is particularly off-putting. I know what it means, but...
-- B -- In a realm outside causality and function |
|
 qrkx Premium join:2003-04-26 Montreal, QC
| reply to keith2468 A couple of random comments:
NAT facilitates network transport rather than security. A packet filter (stateful or not) is what provides security for the NAT box itself. NAT breaks some applications and imposes restrictions on certain crypto communications.
NAT is not really routing stricto sensu. Calling it a NAT router is somehow inappropriate, imho. (Maybe just a NAT box?)
SPI is almost as old as the Web as we know it (I doubt the home user/SOHO had Net access before '93 in significant proportions). SPI relates mainly to TCP communications (since the remaining protos ain't connection oriented, not much state can be monitored). NAT inherently performs some crude form of SPI, or even better, it relies on it.
NAT does not drop/reject packets. A packet filter does. If there's no pf then the stack would deal with packets the NAT cannot deal with (e.g. no entry in its connection table). A packet filter will see the incoming packets first. NAT sees them after, if allowed by the pf. Therefore the firewall function has nothing to do with NAT.
DMZ is a physically and logically separate segment from the LAN zone. If the NAT box has two interfaces AND a DMZ option, return it to the vendor for a refund.
Software firewall is a very ambiguous term (much like stealth). I prefer host based vs. network based as a correct differentiation. (A Linux gateway running IPTables is a perfectly solid network based software firewall and it offers tremendous granularity and scalability as opposed to cheap NAT boxes.)
Outbound control is a myth.
rgds. |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
1 edit | reply to keith2468 Some good stuff there:
I'll work on the organization some more.
The laptop thing is a good idea.
quote: A NAT router's function is not security, but a bit of security is a byproduct of a feature designed for sharing internet and creating the infrastructure for a LAN.
They make one-port NAT routers whose job just is security.
And anyway, ZAP and NIS have other functions than firewalling.
The question is, "Is an NAT firewall good protection?"
I think Linklogger still has a standing offer for anyone interested in demonstrating a working exploit against an NAT router. (Contact him first of course!)
The big weakness I see with SW firewalls is that they run on the PC itself and are subject to users shutting them down, hanging due to malfunctions of other SW, and conflicts with other SW. Also the free versions don't seem to have the boot time protection that the paid-for versions have.
The weakness of external FWs and NAT routers is that they don't know what is going on inside the computer.
So I believe that adequate protection for ordinary home users requires both. Which is more important isn't that important because I'm saying "get both".
Opinions?
quote: Frankly I don't understand the view that blocking outbound connections is worth so much. If I can get black code on your system, its over and you're owned and a software firewall isn't going to help very much.
A good point, maybe that is a dated idea.
However the outbound events will give a hint that spyware is installed.
Also, if the malware is unsophisticated, the fact that it totally stops ZA running or no longer ever pops-up alerts would hopefully attract notice from the user.
Opinions?
quote: One advantage to software firewall: I'm working for a new client and have a PPTP tunnel into their Windows network. The tunnel is encrypted. My hardware firewall can't do its job because it can't inspect tunnel traffic. Therefore I need a software firewall to stop unsolicited inbound traffic from the remote network.
I guess one difference from AOL and connecting to a company via VPN would be that the other end from the home computer would be a company network, which would not be quite so wild and so big as AOL.
So computers running VPN sort of fit in the same category as computers running AOL, where there is a tunnel in, but the severity of the problem may be reduced if the network at the other end is trustworthy. (Of course from a company perspective, all those employee home computers can't be trusted.)
quote: The software firewall on my husband's laptop caught something trying to call out to connect to an IRC channel just this week. He is equipped with scrupulously updated NIS and operating behind a NAT router. All Windows patches in place, filesharing disabled, IE security setting high. Norton 2004 with current signatures, Panda, Housecall, TD-3, and Pestpatrol all were unable to see or identify this.
So they are still useful against some malware. I suspect he got a new or custom written trojan, that it was installed unintentionally along with something desired. Or it could have been a custom written virus, but those are a lot rarer.
quote: That first paragraph should probably get the boot. It's confusing to me, let alone to a security newbie. The "many:1" terminology is particularly off-putting. I know what it means, but...
Good feedback, I want newbies to be able to get through at least into the critical first points.
I figure I'll lose a chunk of people on the description of how NAT routers work, which is why it is not up at the top, but maybe they'll come back in a few months, re-read the FAQ, and then it will click.
To make that part clear enough for a new person I'm thinking I'd need diagrams, and even then, IP addresses, ports, protocols, is really too much for newbies on the first go round.
quote: NAT facilitates network transport rather than security. A packet filter (stateful or not) is what provides security for the NAT box itself.
That is what I want to get away from.
"An engineer is someone who can do for 50 cents what anyone can do for a dollar."
If a $60 device provides adequate protection it doesn't matter that it does other things as well or what its original purpose really was. Major companies and universities use NAT devices for firewalls. Hughes uses it for its satellite customers.
Expensive SPI devices use the NAT algorithm as part of their filtering for intrusions -- and for home and SOHO users not using port forwarding they don't provide any additional protection against the sorts of exploits those installations actually face. (See above for Linklogger's offer.)
quote: NAT breaks some applications and imposes restrictions on certain crypto communications.
If it breaks common cryptography, like that used in MSIE or Firebird I'll mention that. Rare products that can be broken by common NAT routers should have that in their own documentation.
quote: NAT is not really routing stricto-senso. Calling it a NAT router is somehow inappropriate, imho. (maybe just a NAT box?)
A hub sends traffic to all connected devices. A router only sends it to the device it is addressed to.
quote: SPI is almost as old as the Web as we know it (I doubt the home user/soho had Net access before 93 in significant proportions). SPI relates mainly to TCP communications (since the remaining protos aint connection oriented, not much state can be monitored). NAT inherently performs some crude form of SPI, or even better - it relies on it.
NAT is one form of SPI. I think I was maybe an early critic of the "SPI" term for routers that are basically NAT routers. The only stateful inspection most of them were doing was what that required for the NAT process. I've read others stating that SPI was invented as a marketing term and that it isn't all that old.
I myself don't know the chronology. Is there somewhere I can read about it?
The additional protection they were providing was against malformed packets.
And some high end "SPI" routers are now offering parental and employee controls, restricted websites, time-of-day controls, etc. Again, not stateful packet inspection, but rather rules.
quote: NAT does not drop/reject packets. A packet filter does.
So what do they do with packets that come from places not in the state table if they aren't dropping those packets?
quote: Outbound control is a myth.
Sure a real hacker can get around it, and they could create something scriptkiddies could use, but they are still working for some tools used against common home users.
It is the difference in what is effective protection for the CIA, IBM or Microsoft, and what is effective protection for a home user. (That said, next year I might take out the outbound protection bit.)
--------------
I could note things about the paid-for SW firewalls and Sygate: the ability to restrict by IP address, port, and module, but I don't want the FAQ to become too long.
--------------
Thanks for the feedback so far. I'm still open to more. |
|
 qrkx Premium join:2003-04-26 Montreal, QC
| said by keith2468 :
If a $60 device provides adquate protection it doesn't matter that it does other things as well or what its original purpose really was. Major companies and universities use NAT devices for firewalls. Hughes uses it for its satellite customers.
You are confusing NAT with packet filtering.
said by keith2468 :
Expensive SPI devices use the NAT algorithm as part of their filtering for intrusions.......
Gimme one single example of how the NAT alg is used as part of filtering intrusions.
said by keith2468 :
If it breaks common cryptography, like that used in MSIE or Firebird I'll mention that. Rare products that can be broken by common NAT routers should have that in their own documentation.
In this day & age many soho/home users connect to work/remote offices. NAT imposes severe limitations on VPN implementations.
said by keith2468 :
A hub sends traffic to all connected devices. A router only sends it to the device it is addressed to.
Huh? So if a router forwards a broadcast packet ("all connected devices") it becomes a hub? Ummmm...ok. Besides, what is the relevance of hubs vs. routers and the fact that NAT ain't a purely routing function?
said by keith2468 :
NAT is one form of SPI. I think I was maybe an early critic of the "SPI" term for routers that are basically NAT routers. The only stateful inspection most of them were doing was what that required for the NAT process. I've read others stating that SPI was invented as a marketing term and that it isn't all that old.
SPI was developed - as a concept - by CheckPoint. (1993). It is a critical piece of the puzzle if you want to perform educated TCP traffic analysis in (almost)real time.
said by keith2468 :
The additional protection they were providing was against malformed packets.
That is called scrubbing.
said by keith2468 :
So what do they do with packets that come from places not in the state table if they aren't dropping those packets?
In the absence of a packet filter, if the packet is not translated(does not match any table entries/nat rules) it is forwarded higher up "the stack" and dealt with by the NAT boxen's TCP/IP stack (e.g. RST or SYN-ACK in the case of TCP packets)
rgds. |
|
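The distinction qrkx draws above (NAT keeps a translation table, while it is the packet filter in front of it that drops unsolicited inbound packets; without a filter, an untranslatable packet falls through to the box's own IP stack) and keith2468's earlier question about what happens to packets with no table entry can both be shown in a few dozen lines. The following is an added example modelling a many:1 NAT box; it is not code from the thread, from any vendor or from any real NAT implementation. The addresses, the port-allocation scheme, the port-forward table and the "local stack" outcome are all assumptions made for the illustration.

```python
"""Minimal model of a many:1 NAT box, with and without a packet filter.

Added example, not code from the thread or any vendor.  It models only
what the discussion is about: an outbound connection creates a
translation-table entry, matching return traffic is translated back, and
what happens to an unsolicited inbound packet depends on whether a
stateful packet filter sits in front of NAT.  Addresses, ports and the
"router's own stack" outcome are assumptions.
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.1"   # assumed public address of the NAT box


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP connection-initiating packet


class NatBox:
    def __init__(self, packet_filter=True, forwards=None):
        self.packet_filter = packet_filter   # stateful filter in front of NAT?
        self.forwards = forwards or {}       # {(proto, wan_port): (lan_ip, lan_port)}
        # translation table: (proto, wan_port) -> (lan_ip, lan_port, peer_ip, peer_port)
        self.table = {}
        self.next_port = 40000               # assumed start of the translated-port pool

    def outbound(self, pkt):
        """LAN -> WAN: allocate (or reuse) a translation, return the rewritten packet."""
        key = None
        for k, v in self.table.items():
            if k[0] == pkt.proto and v == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                key = k
        if key is None:
            key = (pkt.proto, self.next_port)
            self.next_port += 1
            self.table[key] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, WAN_IP, key[1], pkt.dst, pkt.dport, pkt.syn)

    def _lookup_inbound(self, pkt):
        """Return (lan_ip, lan_port) if this packet is a reply to a tracked flow."""
        ent = self.table.get((pkt.proto, pkt.dport))
        if ent and ent[2:] == (pkt.src, pkt.sport):
            return ent[:2]
        return None

    def inbound(self, pkt):
        """WAN -> box.  Returns (verdict, delivered packet or None)."""
        hit = self._lookup_inbound(pkt)
        if hit is not None:
            lan_ip, lan_port = hit
            return "translated", Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd:
            # Port forward / DMZ host: the owner has told the box to let this in.
            return "forwarded", Packet(pkt.proto, pkt.src, pkt.sport, fwd[0], fwd[1], pkt.syn)
        if self.packet_filter:
            # A stateful packet filter drops what the table does not explain.
            return "dropped", None
        # No filter: NAT cannot translate the packet, so it is handed to the
        # router's own IP stack, which may answer it (RST, SYN-ACK, or a
        # management service listening on that port).
        return "to-local-stack", pkt


def demo(packet_filter):
    """One outbound web connection, its reply, and one unsolicited probe."""
    box = NatBox(packet_filter=packet_filter)
    # PC 192.168.1.10 opens a web connection; the box rewrites the source.
    out = box.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.7", 80, syn=True))
    # The web server's reply matches the table and is translated back to the PC.
    reply = box.inbound(Packet("tcp", "198.51.100.7", 80, WAN_IP, out.sport))
    # An unsolicited probe to the box's port 135 matches nothing in the table.
    probe = box.inbound(Packet("tcp", "192.0.2.66", 4444, WAN_IP, 135, syn=True))
    return out, reply, probe


if __name__ == "__main__":
    for pf in (True, False):
        out, reply, probe = demo(pf)
        print(f"filter={pf}: outbound as {out.src}:{out.sport}, "
              f"reply {reply[0]} to {reply[1].dst}:{reply[1].dport}, probe {probe[0]}")
    dmz = NatBox(forwards={("tcp", 135): ("192.168.1.10", 135)})
    print("with DMZ host:", dmz.inbound(Packet("tcp", "192.0.2.66", 4444, WAN_IP, 135, True))[0])
```

With the filter on, the probe is dropped and the LAN host never sees it; with the filter off, the same probe reaches the box's own stack, which is where the translation table stops helping. Adding a port forward or DMZ entry hands the probe straight to the LAN host, which is the case the FAQ singles out as needing a host firewall as well.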
  bbarrera Premium,MVM join:2000-10-23 Sacramento, CA clubs:
·SureWest Internet
| said by qrkx : said by keith2468 :
Expensive SPI devices use the NAT algorithm as part of their filtering for intrusions.......
Gimme one single example of how the NAT alg is used as part of filtering intrusions.
He'll have trouble finding an example, unless $50-100 Linksys/D-Link routers are considered "Expensive SPI devices." For example on my Zywall ($250) and Sonicwall ($500) routers the SPI implementation is completely independent of NAT. Turn off NAT and you are protected by the firewall rules. This gives even more protection than NAT.
said by qrkx : said by keith2468 :
If it breaks common cryptography, like that used in MSIE or Firebird I'll mention that. Rare products that can be broken by common NAT routers should have that in their own documentation.
In this day & age many soho/home users connect to work/remote offices. NAT imposes severe limitations on VPN implementations.
That problem has been solved with NAT-traversal. Not ideal but it works. |
|