26

I've signed on to help a department move buildings and upgrade their dated infrastructure. This department has about 40 employees, 25 desktops, an old Novell server, and a handful of laboratory processing machines with attached systems. At the old location, this department had two networks - a LAN with no outside access whatsoever on an entirely separate switch, and a few machines with outside access.

We are trying to modernize this setup a bit as pretty much every user needs to access email and the time tracking system.

The parent organization (~10k employees) has a large IT department that is in charge of the connection and phone system at the new offsite location. The IT dept. had U-verse dropped in and set up a VPN to their central network. Each desktop needs to be registered in the IT dept's system/website to get a (static) IP address. Each IP address given is outside accessible on any port that has a service listening on the client machine.

The server has confidential (HIPAA) data on it, the desktops have mapped network drives to access (some) of this data. There is also a client/server LIS in place.

My question is this: Is it worth making a stink that all of these machines are outside accessible?

Should we:

  • Request NAT to abstract the outside from the inside, as well as a firewall that blocks all traffic not explicitly defined as allowed? If so, what arguments can I make for NAT/firewall that outweigh the benefits of them having each machine registered in their system? I would be relaying all IT related requests from the end users to the IT department in either case - so it doesn't seem very necessary to have them tied down to specific addresses in their system. Most importantly, it sounds like a nightmare to manage separate firewalls on every desktop (varying platforms/generations) and on the server.
  • Request the IT dept. block all incoming traffic to each WAN accessible IP on whatever existing firewalls they have in place
  • Keep the department's LAN completely isolated from the internet. Users must share dedicated machines for accessing email, internet, and time tracking system.

Thanks in advance for any comments or advice on this.

iainlbc
  • 363
  • 1
  • 3
  • 6
  • This is a good question that people usually get confused on. I personally like NAT just for organizational purposes, not so much security. If you look at IPv6, there really is no NAT. You just need to set the default to deny on the firewall and go from there. – Matt Nov 09 '11 at 08:37
  • 1
    It is unlikely they have set it up the way you think they have. You probably have just been hung off their main network and all your internet now goes via them through the new VPN. Although the PCs are accessible by them via the VPN from their internal addresses, actual outside access from the internet isn't possible. The firewall sits in the head office. –  Aug 05 '14 at 23:57
  • If HIPAA compliance is anything like PCI, I would guess there is a piece in there about segregation of networks allowing you to separate HIPAA compliant networks vs a standard network. – Shane Andrie Sep 17 '15 at 15:14

9 Answers

56

NAT and firewalling are completely orthogonal concepts that have nothing to do with each other. Because some NAT implementations accidentally provide some firewalling, there is a persistent myth that NAT provides security. It provides no security whatsoever. None. Zero.

For example, a perfectly reasonable NAT implementation might, if it only had one client, forward all inbound TCP and UDP packets to that one client. The net effect would be precisely the same as if the client had the outside address of the NAT device.

Don't think that because most NAT devices have some firewalling built in by design or do some by accident that this means NAT itself provides any security. It is the firewalling that provides the security, not the NAT. The purpose of NAT is to make things work.

You must not assume a machine is not outside accessible just because it's behind a NAT device. It's not outside accessible if some device is specifically configured not to permit it to be accessed from the outside, whether that device does NAT or not.

Every machine having an outside address but with a stateful firewall that's properly configured, managed, and monitored is vastly superior to a cheap SoHo NAT box.

Many actual SoHo NAT boxes forward traffic to inside hosts despite no inside host having ever sent traffic to the source of the forwarded traffic. Permissive NAT does really exist.

David Schwartz
  • 4,203
  • 24
  • 21
  • Nice answer. Any perceived security provided by NAT is a purely unintended side effect of RFC1918. NAT isn't a security mechanism, it's a translation mechanism. It may abstract or obscure the systems behind it but it doesn't provide security for those systems. – joeqwerty Nov 09 '11 at 03:50
  • I understand there is a difference between NATing and firewalls. I'm not sure where my question you got the impression of otherwise. "Request NAT to abstract the outside from the inside, as well as a firewall that blocks all traffic not explicitly defined as allowed?" Does this not imply I understand this? NAT by nature of abstracting internal addresses from outside accessible addresses does provide security in my point of view. How can someone for example brute force a SQL Server sa account on a host they cannot access, because the address is not publicly accessible/routable? – iainlbc Nov 09 '11 at 03:51
  • @iainlbc I went into some detail about NAT, network isolation, and security posture here: http://serverfault.com/questions/184524/switch-to-ipv6-and-get-rid-of-nat-are-you-kidding/184535#184535 – sysadmin1138 Nov 09 '11 at 03:54
  • 3
    @DavidSchwartz "You must not assume a machine is not outside accessible just because it's behind a NAT device." yet sysadmin1138 says in his linked answer "The one big security gain you get with NAT is that it forces you into a default-deny configuration. In order to get any service through it, you have to explicitly punch holes." So is it safe to assume, unless I punch a hole in the default NAT configuration enabling the exact thing I want to prevent, NAT does provide some measure of security? – iainlbc Nov 09 '11 at 04:03
  • 7
    @iainlbc: If by "NAT" you mean "NAT itself", then *no*. NAT provides no security at all. Again, read the second paragraph of my answer. If by "NAT" you mean a box that provides NAT and also some firewalling, then *yes*. Firewalls provide security. The bit about "default deny" is technically true, but meaningless. *Everything* provides default deny in this silly, vacuous sense since it is shipped to you unplugged. – David Schwartz Nov 09 '11 at 04:16
  • 1
    I think we are getting closer to me understanding this. Forgive my stubbornness.. Let's say I have a single server running SQL on 1433. I hook it up directly to a router with a public IPV4 address. You can hit it from anywhere and attempt the password. Now I place this server behind the simplest NAT device ever created and give it an address of 192.168.10.1. I do not do a single thing in terms of preventing or permitting traffic on 1433 on a firewall or on the nat device. How will you access my machine, once behind nat, on port 1433, to attempt the password, having only the routers address? – iainlbc Nov 09 '11 at 04:26
  • 5
    @iainlbc: I'll hit port 1433 on the NAT box's public IP address, and it will forward it to the SQL server (since the SQL server is its only client, it knows that must be the intended recipient). If not, it's because it's also a firewall, in which case it will filter/drop it. But that's not because of NAT, that's because of its firewall that rejects inbound packets that don't match an existing reflexive rule even though it could NAT them. In other words, because it's *also* a firewall, it provides some security. A plain firewall that dropped the traffic would provide the same security - right? – David Schwartz Nov 09 '11 at 05:11
  • 3
    The purpose of NAT is to make machines "just work" even if there are insufficient public IP addresses for them. As an accident of the way NAT is typically implemented, NAT boxes tend to also implement some firewalling. But a firewall would do the same thing and provide the same benefits. The NAT is superfluous to the security. If you disabled the NAT but kept the reflexive, stateful firewall, you'd get the same security. And a NAT box without a reflexive, stateful firewall would provide no security at all. (And there are definitely some 'permissive' NAT devices that provide *very* little!) – David Schwartz Nov 09 '11 at 05:14
  • 1
    I think I need a good book recommendation on networks/security. I also think perhaps I'm using NAT to refer to some other technology or am missing an extremely fundamental concept here. So a router and firewall are all that is necessary to create a private network of say 192.168.10.1 - 192.168.10.250, which can access and communicate with outside networks, with a single outside interface of say 10.1.1.1? – iainlbc Nov 09 '11 at 05:27
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/1749/discussion-between-david-schwartz-and-iainlbc) – David Schwartz Nov 09 '11 at 05:28
  • If you keep sockets for public access closed, i.e. for your SQL server, you are safe with NAT. But that would be the case even if the SQL server has a public IP. NAT is, as told, a mechanism. Your firewall settings are your security. Though, most NAT firewalls give you a default-deny plug-and-run behavior. I think IPv6 will give us more of that default nature for public addressing. – Independent Nov 09 '11 at 07:23
  • "accidentally provide some firewalling" - disagree. While static mappings provide little protection, masquerading is explicitly intended to address the problem of reducing the address space footprint but intrinsically acts as a stateful firewall. Agreed that it's not a substitute for a firewall though. – symcbean Nov 09 '11 at 11:14
  • 1
    @symcbean: It does not intrinsically act as a stateful firewall unless designed/configured to. In which case, it's that design/configuration that's the firewall, not the NAT part. Read my second paragraph. I've seen masquerading NAT boxes that will forward traffic that is not a reply. (See my second and last paragraphs.) – David Schwartz Nov 09 '11 at 11:23
  • @David Schwartz: "masquerading NAT boxes that will forward traffic that is not a reply" - IMHO that's an oxymoron - by definition the device is not masquerading. How does it know which internal box to send the traffic to? – symcbean Nov 09 '11 at 17:33
  • 1
    @symcbean: There are many ways it can know. For example, it may have only one client. It may forward it to the internal node that sent the "most similar" traffic even though the packet is not a reply. – David Schwartz Nov 09 '11 at 17:49
  • @David Schwartz: citation please? – symcbean Nov 09 '11 at 18:00
  • 1
    @symcbean: What precisely do you want a citation for? Do you believe those things are impossible? Do you believe they somehow make the device stop masquerading? (If you don't believe any device actually does that, check the documentation of almost every SoHo router. For example, the NetGear WGR614.) Permissive NAT is real, and it's popular. It makes a lot of things "just work", which is the point of NAT. – David Schwartz Nov 09 '11 at 18:10
  • @David Schwartz: The scenarios you describe, to my understanding, are where the router ceases to perform masquerading. I'm always willing to learn, but where I'm given information which explicitly contradicts what I know already I want the opportunity to verify it. – symcbean Nov 10 '11 at 10:04
  • 2
    @symcbean: That's like arguing that a router is secure unless you plug it in. It's pure sophistry. The point is, you can have NAT (private IP addresses, Internet access) but basically no security whatsoever (if, for example, the NAT is permissive). – David Schwartz Nov 10 '11 at 15:33
  • @David Schwartz: How? Still wanting to see more than your opinion. – symcbean Nov 14 '11 at 09:16
  • 1
    @symcbean Nothing I have said is an opinion. It is a very simple fact that you can have NAT but basically no security whatsoever. Read the second paragraph of my answer a few times until you get it. – David Schwartz Nov 14 '11 at 09:24
  • @David Schwartz: as above, I'm willing to learn - but I can find no evidence to support your position - but lots from reliable sources stating the opposite - see answer elsewhere. – symcbean Nov 15 '11 at 10:13
  • 1
    @symcbean I don't know how to respond to that. My second paragraph is a simple, indisputable fact. You can accept it or stick your fingers in your ears and announce that you aren't listening. – David Schwartz Nov 15 '11 at 16:45
  • @DavidSchwartz Suppose you have a NAT router doing NAPT, with no port forwarding. The NAT router is blocking all incoming connections. The NAT router's interface has no firewall options, and there's nothing about a firewall in the spec. Q1) Would you say that it's not the NAT or NAPT that is blocking it, it's a firewall in the device that is blocking it? Q2) Would you say it was accidental security? Q3) Would you say it's not secure? Why? – barlop Dec 11 '14 at 15:48
  • Q1) Probably. It would depend on precisely how the device handled the unmatched traffic. Q2) It would depend on whether this behavior was explicitly specified by the manufacturer or the documentation. If not specified, yes. If specified and guaranteed, no. Q3) If you're relying only on the device to meet its documented specifications, then that's fine. If you're relying on the device to continue to behave as you've observed it to behave, then that's not secure. Security comes from guarantees, not relying on undocumented/observed behavior. – David Schwartz Dec 11 '14 at 20:01
  • "NAT provides no security whatsoever" I strongly disagree there. We purposely did double-NAT where I worked, because it was pretty darn close to impossible to penetrate further than the first NAT from the outside (as the SANS Institute also states). In addition, serious internet connections have at least one DMZ device configured (in the outer NAT), making port scans null and void in value, since nobody would put anything other than devices with their own protection/firewall in a DMZ. Double-NAT is more efficient, resource footprint close to zero compared to firewalls, stateful inspections, etc. – Julius Dec 25 '18 at 00:16
  • @Julius As I explained in my answer, double NAT does not provide any security whatsoever. Read the second paragraph. – David Schwartz Dec 25 '18 at 01:25
  • @DavidSchwartz It fails as an 'explanation', arguing against it is not good general security advice. Even cheap NAT routers make valuable network security devices and offer much more flexibility than just being used to interface a local network to the Internet. They can be used as "one-way security valves" to create layers of protected sub-networks. In my 20+ years of administering heaps of multi-NAT networks for small businesses and private home users, I have seen no intrusion to count thus far. None of the (lazy) scanning/worms and other annoying and malicious Internet nonsense got through. – Julius Jan 07 '19 at 11:15
  • 1
    @Julius If one of those NAT devices actually blocked you from an attack even though you didn't configure its firewall to do so, it's because its NAT just happened not to be permissive enough to pass it by accident or luck. What happens if the next version of the firmware makes the NAT more permissive? – David Schwartz Jan 07 '19 at 15:00
  • “Permissive NAT does really exist.” I understand if this is a one-to-one NAT (like mapping a `/24` network to another `/24` network), but does permissive one-to-many NAT exist? – Franklin Yu May 08 '19 at 13:43
  • Please disregard the comment above. There is a thing called [DMZ host](https://en.wikipedia.org/wiki/DMZ_(computing)#DMZ_host). – Franklin Yu May 08 '19 at 13:55
  • @FranklinYu Yes. There are SOHO routers that will route all incoming traffic to one of their clients using a "best match" algorithm. – David Schwartz May 10 '19 at 17:15
  • @DavidSchwartz That is even more evil, but is there any example for such a router? I can only find example for a fixed default forwarding target (as I mentioned above). I don’t know what keyword to search; I tried “soho router port forwarding smart”. – Franklin Yu May 10 '19 at 21:03
  • @FranklinYu Why is that evil? That makes lots of things "just work" that otherwise wouldn't work. The point of permissive NAT is to make itself as invisible as possible. The only sense in which it's evil is that the very same thing may work under some circumstances and not work under others. If you want firewall capabilities, configure them like you're supposed to. – David Schwartz May 11 '19 at 00:16
14

Having just spent 7 years at a University with a /16 netblock and put everything on that netblock that wasn't specifically prohibited to be on such (PCI-DSS used to require this, until they fixed it), I have some experience with networks of this nature.

NAT is not required. All NAT does is make it a bit harder to reconnoiter a network, and forces an entity into a more-secure-by-default posture. That said, it is perfectly possible to build a secure network on public IP addresses. There were a couple of subnets that we had that were technically routable, but nothing outside the perimeter firewall could get there.

Now for your other points:

Request the IT dept. block all incoming traffic to each wan accessible IP on whatever existing firewalls they have in place

This should be done by default. In my old University, the Student Computer Lab stations had no need to be addressable from the Internet and they weren't. The same went for the subnets that held the Student Health Center data. If a machine needed to be externally visible for some reason, there was an electronic document that had to be passed around and signed before it could be granted; even for servers in the centralized IT stack.

Keep the departments LAN completely isolated from the internet. Users must share dedicated machines for accessing email, internet, and time tracking system.

You don't have to go this far. The reason to go this far is if your fear of malware-related information-exposure is higher than the need for connectivity to network-based resources. Things are increasingly cloud/network based these days, so such air-gapped networks are getting harder and harder to maintain. If you truly do need to go to this extent, you may want to look into some of the Application Virtualization options out there, as that can limit the exposure of breaches should they occur.

sysadmin1138
  • 2,033
  • 13
  • 16
  • 2
    Exactly. I manage a network that uses publicly routable addresses and it's no less secure because of the lack of NAT. It's the firewall that provides the security, not the NAT. – joeqwerty Nov 09 '11 at 04:01
  • Thanks to both of you, reading through all of this now. Extremely glad I asked the experts instead of exposing to the IT dept how ill informed I am on the topic... – iainlbc Nov 09 '11 at 04:04
  • The org. is allowing traffic on all ports to these addresses based on my rudimentary testing (RDP, SSH, FTP, SQL, 80), and has been the culture for some time now. I much prefer explicitly filling out firewall request forms. In fact if this was in place I probably wouldn't even have considered NAT or posting this. It just feels like the configuration is lacking something. It's clear now that it's firewall rules - not NAT. – iainlbc Nov 09 '11 at 04:11
  • "Having just spent 7 years at a University with a /16 netblock and put everything on that netblock that wasn't specifically prohibited to be on such (PCI-DSS used to require this, until they fixed it), I have some experience with networks of this nature.", I'm so, so sorry. – StrangeWill Dec 14 '11 at 19:14
  • Working with a /16 block in a uni does not warrant any validity of general security advice against NAT. I really fail to see how obscuring a LAN (even more than once in series) could ever be *discounted* as an extra layer of security. Seriously, where have you all been the past few decades? Let's see what even Steve Gibson says, shall we? https://www.grc.com/nat/nats.htm – Julius Jan 07 '19 at 11:34
12

As others have pointed out, NAT is not a security feature. However, it does offer some level of security as a byproduct: a side-effect of NAT is that none of the inner machines are accessible "from the outside". The same effect can be achieved by a firewall which blocks all incoming connections. This is not fine-grained, but rather effective in practice, and if NAT did not come with that "automatic" protection, a lot more existing networks would be attacked and zombified into spam relays (that's the scary point about IPv6, by the way: IPv6, when [if] widely deployed, will have a tendency of nullifying the protection effect of NAT, and one can expect an average increase of attack success).

Now having a well-configured firewall assumes that whoever configures the firewall does his job correctly, and, unfortunately, that's not a given (I do not want to presume on the abilities of your specific IT department, but the average quality of the work of IT departments around the world, especially in large organizations, is less than thrilling). The alternative is to ensure that every single machine which is publicly accessible resists all kinds of attacks related to incoming connections: close all unneeded services, make sure that the services which remain open are properly up-to-date and well configured. Fancy applying security updates on every single workstation? And on the firmware of network-able printers?

My advice would be to install your own filter box, through which all communications between your network and the outside world will go. That box should then filter out incoming connections; NAT and/or firewall, that's your call. NAT may be easier, especially if the IT department is "uncooperative".

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
7

NAT is not important as a security layer and shouldn't be thought of as providing any security (even when it inadvertently makes things more secure).

I don't know HIPAA compliance, but PCI compliance requires very specific setups for computers having access to credit card information. You should design around first meeting the HIPAA requirements and then design additional security measures. The joke of PCI compliance is that compliance reduces the risk of fines, but not necessarily the risk of security exploits.

HIPAA rules might inform you of how you have to treat the computers that have access to HIPAA data.

Bradley Kreider
  • 6,152
  • 2
  • 23
  • 36
4

Even though I know a bit about NATs and port forwarding, I disagree with most of what David Schwartz wrote. It might be because he was a bit impolite ("Read the second paragraph of my answer.").

NAT is not the answer to everything. It just makes it difficult for external parties to connect to your services. Most NAT implementations do conversion on a port-by-port basis, and if the host in an incoming packet is not recognized there will be no NAT rule to follow, therefore the connection is denied. This still leaves some holes, with the server the client just connected to connecting back.

More important is to secure yourself from inside connections as well as outside connections. NAT provides false security in this way. You only need one bug from a USB stick and there could be connection forwarding letting everyone in.

Regardless of your IP space you should limit connections to those allowed. Workstations usually should not be allowed to connect to the SQL service. I personally do not like stateful firewalls, but to each his own. I'm more the router type of guy: drop all packets.

  • Of course it isn't an answer to everything - especially not security, as it's not a security layer (and if so, it's somewhat accidental). I agree with you that a good firewall with proper rules is necessary, NAT or no NAT. (I don't think you're actually in disagreement with that other answer :)) – Piskvor left the building Nov 09 '11 at 14:20
  • Interesting that there is so little discussion here on a) the risk from a compromised "peer", and b) the Akamai style services available to make unreachable machines reachable. Google "Raspberry Pi Access over Internet" for a few. If I can RDP to a peer I can execute attack attempts on the subnet. – mckenzm Nov 19 '19 at 03:35
1

NAT is a firewall, and it's not an opinion. It's a fact. Looking into the definition of firewall:

A firewall is "a system or combination of systems that enforces a boundary between two or more networks."

National Computer Security Association's standard Firewall Functional Summary template

A NAT creates exactly that sort of boundary.

What other firewalls may provide is the ability to block outbound connections, not just incoming connections. Nice feature, but not the main one.

Talking about features, a DMZ is a hole between networks. Normally it provides a way to expose an internal service to the Internet. While not technically part of the NAT definition, it's a feature of all modern NATs.

NAT is a firewall and in some situations, the best one. Stateful inspection firewalls, which don't do NAT, mostly "fail open". I worked for a "next generation firewall" company as a developer. To do the protocol/application detection inline, some packets had to pass through until it got detected. There was no way to buffer them without introducing delay. Almost all DPI solutions work like that.

NAT, on the other hand, fails closed. Common mistakes shut down access to the Internet rather than open up access from the Internet.

VP.
  • 1,043
  • 1
  • 11
  • 12
  • 1
    "_A firewall is "a system or combination of systems that enforces a boundary between two or more networks."_" By that definition, a standard eBGP router with no security is a firewall because it separates two ASes. – Ron Maupin Mar 28 '17 at 18:25
  • 1
    Kind of useless comment @RonMaupin. So "By definition" to cut the cable enforces a boundary between two or more networks.. – VP. Mar 28 '17 at 20:36
1

Every response on this thread regarding NAT neglects an important aspect of NAT. The implementation of NAT creates an internal, private, non-routable address range. The term "non-routable" is significant. Hackers love to exfiltrate an organization's network data streams, and operating with your local internal network traffic on a public address range means the whole notion of defense-in-depth is significantly diminished. Why would anyone want to create conditions that allow your local traffic to be routable to the global Internet? To make things easy, a malicious attacker could hack the device and add routes - but why would you give such an individual one less hurdle to backhaul your internal network data streams?

Put another way, should litigation arise from a HIPAA breach, what lunatic could take any courtroom stand and swear under oath that giving a hacker a direct flight to your sensitive information was a sensible decision? Would home wireless router manufacturers discontinue NAT as a customary default because their legal tells them, "Sure - Roll the dice... We should burn down our legal budget for the decade defending a case where we put personal residential systems in countless households in a state that (basically) leaves their collective pants down around their ankles!"

I suspect there are too many who simply care to excuse implementation because they cannot or will not take the time to configure proper static or dynamic NAT or PAT as a best practice. PLEASE avoid needless ridicule and jail time by ignoring federal standards. If you accept any federal medical insurance, the NIST minimums are required. Debate elegant exceptions for a given tech outlier all you want, but let's not give anyone the impression it is a good idea to make an environment more vulnerable. Hypotheticals aside, doing the right things does take more time and effort... but there are cases where the right thing is the best choice.

0

With regard to your question "should I make a stink?" I would suggest that a risk assessment (issue, probability, impact, mitigation) be documented and presented to stakeholders. If you make a lone decision without communicating it and there is a significant breach, it could bode poorly for you.

gatorback
  • 1,541
  • 2
  • 12
  • 17