What does a NAT router do?
A NAT router creates a local area network (LAN) of private IP addresses and connects that LAN to the wide area network (WAN) known as the Internet. The "Network Address Translation" (NAT) performed by the router allows multiple computers (machines) connected to the LAN behind the router to communicate with the external Internet. The most common use for NAT routers is serving as an "interface" between the global public WAN Internet and a private non-public LAN:
One of the key benefits of NAT routers (and the main reason for their purchase by residential and small office users) is that the router appears to the Internet as a single machine with a single IP address. This effectively masks the fact that many computers on the LAN side of the router may be simultaneously sharing that single IP. This is good for the Internet since it helps to conserve the Net's limited IP space.
While some ISPs may grumble a bit about the idea of many computers sharing a single "Internet account", they are also relieved, since each ISP has a limited allocation of customer IPs. So as home and office networks grow, NAT routers remain ISP-friendly.
A few important bits of terminology we are about to need:
A NAT Router's Inherent Security
NAT routers do not pass unsolicited incoming traffic to the machines behind them, and the reason is very simple: with multiple "internal" computers on the LAN behind the router, the router must know which internal computer should receive each incoming packet of data. Since ALL incoming packets carry the same destination IP address (the single public IP address of the router), the only way the router can know which computer should receive an incoming packet is if one of the internal computers on the private LAN FIRST sent data packets out to the source of the returning packets.
How is this done?
When a packet arrives at the router from the Internet, the router scans its "current connections" table to see whether this data is expected, looking for an entry that matches the remote IP address and port number (together with the router's own port that the packet was sent to). If a match is found, the table entry also tells the router which computer on the private LAN, and which port on that computer, is expecting to receive traffic from that remote address. So the router re-addresses (translates) the packet to that internal machine and sends it into the LAN.
And here's the really good part: with a NAT router protecting your connection to the Internet, even if you only have one computer on the LAN behind it, none of the unsolicited Internet scanning, worm probes, hacker pokes and other annoying and malicious Internet nonsense can reach your computer or computers. If the NAT router isn't already expecting the incoming data, because one of the machines on the LAN asked for it from the Internet, the router silently discards it and your private network is never bothered. (The valve is only as tight as the router's configuration: a forwarded port, a "DMZ" host or a port opened by UPnP deliberately lets unsolicited traffic through.) So now that we have the basics . . .
When designing your own Internet "plumbing" it's useful to think of a NAT router as a one-way valve. Packets of data can freely flow from the secure LAN out to the insecure WAN, but "unsolicited" traffic attempting to flow in from the insecure WAN to the secure LAN is automatically blocked from entering.
Also, a multi-port NAT router is two components in one box:
As you can see from the block diagram above, internally a NAT router is a standard network switch interconnecting the machines plugged into the router to the router's network address translation WAN interface.
What's significant for our discussion is that all of the internal machines are interconnected on the same LAN. This is convenient for sharing files and data among the machines, but it creates a security problem if all of the machines are not equally secure and trustworthy. If any malware or Trojan software were to somehow get onto any one of the machines, and that machine is on the LAN with all of the others (as it normally is), the malicious software would have access to every other uninfected machine sharing the once-secure LAN. By sending "ARP broadcasts" to the LAN, an infected machine can determine the IP and "MAC" addresses of every other machine on the LAN . . . and go to work on them. Malicious hackers know all about this LAN-side vulnerability. This is why many recent viruses and worms attempt to spread not only by scanning the Internet for additional vulnerable targets, but they also attempt to spread locally through Windows file sharing, RPC vulnerabilities, and many other well-known Windows insecurities. Once one machine gets hit, every machine on the LAN can fall victim.
What can be done to improve LAN security with multiple machines?
Yes, this works! NAT routers can be cascaded "IN SERIES" and used as one-way security flow valves. Looking at the diagram above:
Machines on the "Semi-Secure" (middle) LAN can access the Internet, but they are protected by the "External NAT" from most Internet badness. Machines on the "Super-Secure" internal LAN can also access the Internet, first by going out through the "Internal NAT" and then the "External NAT". As with machines on the Semi-Secure LAN, the "External NAT" will keep unsolicited traffic from entering the network. Because the Semi-Secure LAN is on the OUTSIDE (WAN side) of the Internal NAT, the machines on the Semi-Secure LAN are unable to freely access the machines behind the Internal NAT. The machines behind the Internal NAT can access the machines in the middle, but NOT the other way around! (Two practical requirements: the two LANs must use different private subnets, for example 192.168.1.0/24 in the middle and 10.0.0.0/24 on the inside, or the Internal NAT cannot tell its WAN side from its LAN side; and the Internal NAT must have no port forwarding, "DMZ" host or UPnP enabled, since any of those would re-open the valve from the middle LAN.)
Where would TWO NAT routers be useful?
Let's look at each application in turn:
As you might imagine, a router's "DMZ" machine, and even a "port forwarded" machine needs to have substantial security or it will be crawling with Internet fungus in no time. That's a BIG problem from a security standpoint. Why?
As the NAT router block diagram above shows, a NAT router has a standard Ethernet switch interconnecting ALL of its LAN-side ports. There's nothing "separate" about the port hosting the special "DMZ" machine. It's on the internal LAN! This means that anything that might crawl into it through a forwarded router port, or due to its being the DMZ host, has access to every other machine on the internal private LAN. (That's really bad.)
What can be done to create a super-secure internal LAN, while still allowing the flexibility of having one or more security-challenged DMZ or port-forwarded machines? Just use a secondary NAT router:
Remember that NAT routers are like one-way flow valves for data:
Data can flow freely OUT through the router from the LAN to the WAN, but unsolicited data is blocked from flowing back IN from the WAN to the LAN. Since there is nothing to prevent TWO NAT routers from being "chained" and connected in series, the security-challenged machine can be completely isolated from the internal network by sandwiching it in between the two chained routers. It's behind the external router and in front of the internal router. Since it's in front of the internal router, its traffic cannot flow into the internal LAN (as long as the internal router forwards nothing to it), but it can still reach the Internet (through the external router) . . . and the users on the internal LAN can reach it since it's outside the internal LAN.
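The following is an added illustration, not GRC's code or anything from a real router, that models the "current connections" table described above and then chains two such routers in the DMZ layout of this section (it also covers the cascaded-router layout of the previous section, which is the same chain without the forwarded port). Every address and port in it is made up for the demonstration: 203.0.113.0/24 stands in for the Internet, 198.51.100.7 is the external router's public address, 192.168.1.0/24 is the semi-secure LAN, 10.0.0.0/24 is the super-secure LAN, and the external router forwards TCP port 80 to a "DMZ" web host at 192.168.1.50.

```python
"""Toy model of NAT connection tracking, and of two NAT routers chained in series.

Added illustration, not GRC's code. Every address and port is made up:
203.0.113.0/24 stands in for the Internet, 198.51.100.7 is the external
router's public (WAN) address, 192.168.1.0/24 is the "semi-secure" LAN and
10.0.0.0/24 is the "super-secure" LAN behind the internal router.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Masquerades outbound flows; admits inbound packets only when a LAN host
    already opened the flow, or when the port is explicitly forwarded."""

    def __init__(self, wan_ip, lan_prefix, port_forwards=None):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix              # e.g. "192.168.1."
        self.port_forwards = port_forwards or {}  # wan_port -> (lan_ip, lan_port)
        # the "current connections" table:
        #   (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.table = {}
        self.next_port = 40000                    # first free external port

    def is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def outbound(self, pkt):
        """LAN -> WAN: note who asked, then rewrite the source to the WAN address."""
        for (rip, rport, wport), (lip, lport) in self.table.items():
            if (rip, rport, lip, lport) == (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port):
                wan_port = wport                  # known flow: reuse its external port
                break
        else:
            wan_port = self.next_port             # new flow: allocate a fresh port
            self.next_port += 1
            self.table[(pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: translate to the host that is expecting it, else drop (None)."""
        target = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if target is None:
            target = self.port_forwards.get(pkt.dst_port)   # DMZ / forwarded port
        if target is None:
            return None                           # unsolicited: the valve stays shut
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


def zone(ip, routers):
    """0 = Internet, 1 = LAN of routers[0], 2 = LAN of routers[1] (innermost wins)."""
    for i in range(len(routers) - 1, -1, -1):
        if routers[i].is_lan(ip):
            return i + 1
    return 0


def target_zone(ip, routers):
    """A packet addressed to a router's WAN IP is headed into that router's LAN."""
    for i, r in enumerate(routers):
        if ip == r.wan_ip:
            return i + 1
    return zone(ip, routers)


def deliver(pkt, routers):
    """Carry a packet across the chained routers (outermost first); None if dropped."""
    z = zone(pkt.src_ip, routers)
    while z > target_zone(pkt.dst_ip, routers):   # outward leg: always passes
        pkt = routers[z - 1].outbound(pkt)
        z -= 1
    while z < target_zone(pkt.dst_ip, routers):   # inward leg: only if expected
        pkt = routers[z].inbound(pkt)
        if pkt is None:
            return None
        z += 1
    return pkt


def run_scenarios():
    """The page's double-NAT layout with a port-forwarded DMZ host in the middle."""
    external = NatRouter("198.51.100.7", "192.168.1.", {80: ("192.168.1.50", 80)})
    internal = NatRouter("192.168.1.2", "10.0.0.")   # its WAN side sits on the middle LAN
    chain = [external, internal]
    dmz, inner, web, scanner = "192.168.1.50", "10.0.0.10", "203.0.113.10", "203.0.113.66"
    r = {}
    r["outbound"] = deliver(Packet(inner, 5000, web, 443), chain)            # inner host to Internet
    r["reply"] = deliver(Packet(web, 443, "198.51.100.7", 40000), chain)    # reply threads back in
    r["scan"] = deliver(Packet(scanner, 1234, "198.51.100.7", 445), chain)  # unsolicited: dropped
    r["dmz_from_internet"] = deliver(Packet(web, 51000, "198.51.100.7", 80), chain)  # forwarded
    r["dmz_to_inner"] = deliver(Packet(dmz, 6000, inner, 445), chain)       # compromised DMZ host
    r["inner_to_dmz"] = deliver(Packet(inner, 5001, dmz, 445), chain)       # inner may reach DMZ
    r["dmz_reply"] = deliver(Packet(dmz, 445, "192.168.1.2", 40001), chain) # and gets its replies
    return r


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} {'DROPPED' if result is None else result}")
```

Running the block prints one line per scenario. The reply to the inner host is translated twice on the way back, once by each router's table; the scanner's probe and the compromised DMZ host's attempt to reach 10.0.0.10 both hit an empty table on the router in front of their target and are dropped; only the explicitly forwarded port 80 admits unsolicited traffic, and it lands on the DMZ host, not inside. The model deliberately gives the DMZ host a path to the internal router so that the drop is the router's decision rather than a missing route; real routers also track protocol and expire idle entries, which this toy omits.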
Now let's look at the second typical application:
Since the wireless access point radio is simply on the external router's LAN switch, ANYONE who has, or gains, access to your wireless network is also on the rest of your LAN and can directly access any of your other machines.
You can leave your old and not-so-secure WEP Wi-Fi access point right where it is by adding a second NAT router to protect your LAN from any dangers created by the wireless router. (This contains the wireless network rather than securing it: WEP keys are easily recovered, so everything on the access point's LAN should be treated as reachable by strangers, and the second router is what keeps them out of your machines.)
Our final application example:
For example, suppose that each of your teenage kids has their own computer connected to your shared "family" LAN created by a single NAT router. Or you might be the boss in a small office, where everyone in the office is sharing a single NAT router. In either case, you might not like the idea, for whatever reason, of having your (dad or boss) computer on the same LAN network as everyone else. If your kids or employees were to get themselves infected, download or bring something really nasty home from school, it could quickly spread to all "peer" machines connected to the same LAN network. So in this case the main LAN, as opposed to a single high-risk machine, is the "scary zone" and you want to protect your single "high-value" machine from anything that might be going on out on that network. So this time you give your single machine its own "one-way security valve" NAT router. The router participates on the LAN with the other high-risk "scary" computers while preventing anything out there from crawling into your machine:
As we have seen, NAT routers make valuable network security devices and offer much more flexibility than just being used to interface a local network to the Internet. They can also be used as "one-way security valves" to create layers of protected sub-networks.
We have more NAT router tips & tricks in store. So stay tuned!
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Last Edit: Aug 08, 2006 at 20:35