“To NAT or Not?”

Kent Reuber (reuber@stanford.edu)
725-8092
Outline
• What is NAT?
• Why would you want to use NAT?
• How NAT works
• How NAT firewalling works
• Things that don’t work with NAT
• Considerations when deploying NAT
• Q&A
What is NAT?
• NAT = “Net Address Translation”
• Several different methods (“one-to-one”, “many-to-one”). For the gory details, see RFC 1613.
• Most frequently encountered method is the one used
in home broadband routers which “hide” an entire
non-routable network range behind a single routable
“public” IP address.
• Ref: Bill Dutcher: “The NAT Handbook” (Wiley)
Why would you want to use NAT?
• Allows you to buy a single IP address from your ISP
and share that address among a large number of
devices. (May save $$)
• All devices on the local network can access the
outside net (usually the Internet) at the same time,
though the bandwidth is shared.
• Firewall: Outside hosts can *reply* to hosts behind
the NAT router, but the inside hosts have to initiate
the session. (Note: there are some ways around
this.)
NAT router setup
• NAT routers are given two IP addresses:
– 1 non-routable (LAN -- you)
– 1 routable (WAN – ISP)
• Machines on LAN side get
special non-routable
addresses (usually 10.*.*.*
or 192.168.*.*).
– No IP addresses in these
ranges are routed on the
Internet.
How NAT works
• Normal routers maintain
source and destination IP
addresses from end-to-end
• NAT routers change IP
addresses and port
– Outgoing packets appear to
come from the NAT router’s
public address.
– NAT routers keep track of
each “flow” so that replies
can be returned.
(Destination address
changed)
How NAT firewalling works
• Suppose a host (either friendly or malicious) sends a packet to
the NAT router without the connection having been initiated from the
inside. Remember, it can’t send directly to the hosts on the
other side -- they have non-routable addresses!
• Since there is no entry in the flow table, the NAT router has no
idea where to forward it and drops the packet. Instant firewall!
Circumventing the NAT firewall (if you must)
• You may want to run a server behind your NAT router. How do
you let in some traffic?
• NAT routers have a limited ability to “port forward”, sending all
traffic to a given computer on the internal net and bypassing the
flow table.
• For example:
– Send all Web traffic (port 80) to 192.168.1.3
– Send all mail traffic (port 25) to 192.168.1.5
• You can get hacked if the service on a forwarded port is vulnerable! For
example, if your IIS Web server isn’t patched, your firewall
won’t help you. Always keep services with open ports patched.
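The three mechanisms from the preceding slides (rewriting outgoing packets to the public address, matching replies against a flow table, and dropping unsolicited inbound packets unless a static port forward exists) as a toy model in Python. This is an added illustration, not code from the slides; the Packet/NatRouter names and all addresses are constructed sample values.

```python
"""Toy NAT router with a flow table: added illustration, not from the slides."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # router's WAN address (constructed sample value)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class NatRouter:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.out_map = {}   # (proto, in_ip, in_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # (proto, public port, remote ip, remote port) -> (in_ip, in_port)
        self.forwards = forwards or {}  # static: (proto, public port) -> (in_ip, in_port)
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the public address and remember the flow."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.out_map:
            self.out_map[flow] = self.next_port
            self.in_map[(pkt.proto, self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[flow], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """WAN -> LAN: deliver replies to known flows or forwarded ports; otherwise drop."""
        inside = self.in_map.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.forwards.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None  # no flow-table entry and no port forward: dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)

def demo():
    # Web traffic (port 80) is statically forwarded to 192.168.1.3, as on the slide.
    nat = NatRouter(PUBLIC_IP, forwards={("tcp", 80): ("192.168.1.3", 80)})
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    reply = nat.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out.src_port))
    dropped = nat.inbound(Packet("198.51.100.9", 12345, PUBLIC_IP, 22))
    web = nat.inbound(Packet("198.51.100.9", 23456, PUBLIC_IP, 80))
    return out, reply, dropped, web
```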
What doesn’t work through a NAT router
• It’s best to think of NAT routers as “one way mirrors”.
– You can see out but people can’t see in.
• Protocols that break are usually servers or protocols
that are sensitive to tampering:
– X Windows: Use “ssh -X” from the client side (behind the
router) to set up your session.
– Many VPNs won’t allow connections through NAT: NAT
packet rewriting looks like tampering. The Stanford VPN can
use UDP, which circumvents this limitation. Other companies’
VPNs may not.
Considerations: Should You Use NAT?
• It’s your only choice if you get 1 address from your
ISP and you want to create a network.
– For Stanford West and Welch Rd. Apts., you can get
multiple IP addresses, so that you don’t necessarily need
one.
• Firewall features may be appealing, but you may still
want a publicly accessible machine.
– May want to put one or more hosts on the public side of the
NAT (e.g., file server).
– You should keep most private information (e.g., bank
accounts) on the private side.
Example home network: Mixed public/NAT setup
Can/Should you use NAT routers on campus?
• Usually done for a small group/lab, not an entire department.
Use with caution. You may want to talk to Networking first.
• You must not send DHCP replies on WAN Ethernet side as this
will disrupt other users. Disrupting network access is a great
way to get disconnected!
• If a host behind your NAT is compromised (e.g., from being
hacked while off-site) and attacks some host, we are legally
obligated to shut down the host where the attack originates.
– The only visible address that we can disable is your NAT router.
– This will take down your whole private net!
Q&A