Monday, March 31, 2008

Network Address Translation (NAT)

Network Address Translation (NAT) was deemed acceptable for a short-term solution in RFC1631 to combat IPv4 address depletion. It allows registered public IP addresses to be shared by several hosts on private network. Although it can be used to translate between any two IP addresses, NAT is most often used to map IP addresses between non-routable private and public addresses. Any computers with unregistered IP addresses must use NAT to communicate with the rest of the world.

Mechanism

NAT router converts private addresses in each IP packet into legally registered public ones. NAT is commonly supported by WAN access routers and firewalls devices. NAT works by creating bindings between addresses. NAT router transforms only the network part of the address, and leaves the host part intact. But if the payload carries source and destination IP addresses, the payload of the packet must also be considered during the translation process. NAT route updates IP checksums in IP packets, and further regenerates TCP checksums if TCP packets transverse the NAT router.

Types of NAT

1 NAT types upon the mapping configuration

There have been classified into four types of NAT upon the mapping configuration between private and public IP addresses: Static, Dynamic, Overloading, and Overlapping.

Static NAT: One-to-one mapping between public and private addresses. For example, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.

Dynamic NAT: One-of-multiple registered public IP addresses mapping. For example, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.


Overloading NAT: One-to-one service port of a single registered public IP address (known also as Port Translation (PAT)). Each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.

Overlapping NAT: Internal address in private network to external address in public network mapping. Both internal and external addresses are unique to private network. For example, the internal IP range (237.16.32.xx) is also a registered range used by another network. The NAT router translates the address to unique public address to avoid conflicts with other networks.



2 Behavior-NAT types with respect to UDP-based bindings

UDP is different from TCP to traverse NAT router. There is no explicit session state within a NAT for UDP packet exchange so that various NAT routers behave differently upon UDP bindings. These have been classified into four types of NAT behaviors with respect to UDP-based bindings: symmetric, full-cone, restricted-cone, port-restricted-cone.

Security features

1 NAT and IPsec

NAT makes IPsec complicated. The IPSec Authentication Header (AH) is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. NAT modifies IP packets such that NAT cannot simply work with IPsec AH. AH produces a keyed hash over the entire IP packet through a message digest algorithm. If any field in the original IP packet is modified, the recipient will discard the packet with the failure of authentication shown in the following figure.



The IPsec Encapsulating Security Payload (ESP) also employs a message digest algorithm for packet authentication.

Unlike the AH header, the IP packet header is not accounted for the hash created by ESP. When TCP or UDP are involved in transport mode ESP, NAT modifies the TCP packet, and recalculates the checksum used to verify integrity. If NAT updates the TCP checksum, ESP authentication will fail. If NAT does not modify the checksum, TCP verification will fail unless the verification is turned off under your control. NAT tampers with end-to-end message integrity. For example,

2 IPsec NAT Transparency

A standard IPsec virtual private network (VPN) tunnel would not work to deliver the IPSec packet through NAT. IPsec NAT Transparent are required to allowe remote access users to build IPsec tunnels to home gateways, called NAT IPsec-aware. Cisco now provides NAT IPsec-ware solution. In practice, there are a lot of issues to be solved. For example, IPsec NAT-T is not recommended for Windows Server 2003 computers that are behind network address translators.


Possible Attacks to NAT

There are four possible types of attack to NAT:

1 Source Spoofing

An attacker will use a fake source IP address and will inject malicious packets into the network. All you need is one packet with external source IP, destination IP of public NAT address and the port number. Attacker can send malicious packets and can blow away the server.

2 Host Counting

An attacker can use “ID” field of IP header. The ID field of IP packets is implemented as sequential counters. NAT boxes do not change the counters. So, by building sequences of IDs that match within reasonable gap and time bounds, one can infer the actual number of machines in a trace.

3 Fingerprinting

Every TCP/IP implementation is different. Hence, every TCP/IP stack is unique. There are different values for TTL (Time to Live), SEQ, flags, etc. By carefully studying the differences of these fields, it is possible to identify the OS.

4 Network Mapping

There are different types of technique used for mapping the network. One of the techniques is ICMP TTL Exceeded. Attacker injects packets with low TTL values, so that it reaches inside the NAT and then internal routers generate TTL exceeded replies. Attacker uses these messages to carefully map the internal network.

NAT Pros and Cons

Pros:

  • Hosts in private network can share limited public IP addresses.
  • Dynamic NAT is natural firewall between private network and public networks/Internet. A computer on an external network cannot connect to your computer unless your computer has initiated the contact.

Cons:

  • Breaks end-to-end connectivity model. Breaks certain applications based on NAT-sensitive protocols. NAT needs to re-compute TCP checksums so that it requires the TCP header is not encrypted. For instance, the TCP checksum field in the TCP header cannot be modified in IPsec transport mode. Many application protocols like FTP carry IP addresses in an application-level protocol. In this case, an Application-Level Gateway (ALG) is required to complete the translation.


Conclusion

Technically, NAT is a firewall. Dynamic NAT is natural firewall between private network and public networks/Internet. But NAT is not designed for firewall. NAT can reuse Ipv4 addresses. Hosts in private network can share limited public IP addresses. It also delays the deployment of IPv6. NAT breaks end-to-end connectivity model.

Thursday, March 6, 2008

Privacy Policy

Privacy Policy for advanced-network-security.blogspot.com

The privacy of our visitors to advanced-network-security.blogspot.com is important to us.

At advanced-network-security.blogspot.com, we recognize that privacy of your personal information is important. Here is information on what types of personal information we receive and collect when you use visit advanced-network-security.blogspot.com, and how we safeguard your information. We never sell your personal information to third parties.

Log Files
As with most other websites, we collect and use the data contained in log files. The information in the log files include your IP (internet protocol) address, your ISP (internet service provider, such as AOL or Shaw Cable), the browser you used to visit our site (such as Internet Explorer or Firefox), the time you visited our site and which pages you visited throughout our site.

Cookies and Web Beacons
We do use cookies to store information, such as your personal preferences when you visit our site. This could include only showing you a popup once in your visit, or the ability to login to some of our features, such as forums.

Third party advertisement programs
We also use third party advertisements on www.Soft2Secure.com to support our site. Some of these advertisers may use technology such as cookies and web beacons when they advertise on our site, which will also send these advertisers (such as Google through the Google AdSense program) information including your IP address, your ISP , the browser you used to visit our site, and in some cases, whether you have Flash installed. This is generally used for geotargeting purposes (showing New York real estate ads to someone in New York, for example) or showing certain ads based on specific sites visited (such as showing cooking ads to someone who frequents cooking sites).

Your right to turn off cookies
You can choose to disable or selectively turn off our cookies or third-party cookies in your browser settings, or by managing preferences in programs that named as Internet Security. However, this can affect how you are able to interact with our site as well as other websites. This could include the inability to login to services or programs, such as logging into forums or accounts.

AdSense Privacy Policy provided by JenSense and revised by Tanakom