Comprehensive Guide to NAT and NAT Security
- Adam Longmire

- Sep 24, 2025
- 5 min read
Introduction
In the beginning the internet was much smaller than it is today, and as a result there was a limited number of addresses that could be assigned to devices. The numbering scheme used to define the "addresses" of devices was known as IPv4, or Internet Protocol Version 4. The total number of possible IP addresses was not a concern at the time because the limit had not been reached: about 2^32 - 2, or 4,294,967,294, possible devices on the internet. IP addresses are not unlike mailing addresses in that they identify a house or a post box, and what matters is that information exchange requires a source address and a destination address. So why is this important in context? Sometime around 1992 the IETF (Internet Engineering Task Force), responsible for defining the IP addressing scheme, became aware that 4 or so billion addresses was not going to satisfy the requirements of future companies and home users, and so NAT was born. NAT created two separate designations for networks: the private IP space and the public.

Private IP - Is used to contain local networks, both organizational and home based, by providing three blocks of private addresses. The most common IPv4 private space customers will see is 192.168.0.0/24:
- Class A 10.0.0.0/8
- Class B 172.16.0.0/16
- Class C 192.168.0.0/24
Public IP - Is a type of address that is fully internet routable. Where private IP addresses are meant to be used locally and are typically not internet routable, public IPs can be routed and so are used for the wider internet; this separation of private and public IPs increases the number of usable IP addresses. There are several implementations of NAT, including NAT applied by an ISP to save IPs in the same manner as a home network does. CGNAT, or carrier grade NAT, is deployed within an ISP's network to allow it to provide more IP addresses than it would usually have access to, which often saves money as the ISP no longer needs to buy more addresses; it can use CGNAT isolation for parts of the network to allow individual groups of Class A, B or C assignments. CGNAT however can cause connectivity issues just like any type of NAT system; in this case it is a double NAT.
Alongside NAT came the introduction of IPv6, which addressed many of the shortcomings of IPv4. But while IPv6 was the new kid on the block, the IETF still had the IPv4 address space being consumed rapidly. For context, IPv6 was used to fix the problem: where IPv4 could handle 4 billion or so addresses, IPv6 could reliably handle much more, as much as 340 undecillion addresses, more than will ever be needed. Based on the earth's current population of 7.8 billion people, that is just 0.96*10^-38 percent of the available addresses if every single person had a house.
Network Address Translation methods
NAT itself can use a number of translation techniques, but they are often defined by their multiplicity, that is, how many devices they connect and translate. Some of these techniques are not commonly used anymore, but some are still used. In the NAT world we are often concerned with the concepts of the inside address and the outside address; typically an inside mapping goes to an outside mapping. Another name that might be used, especially in Linux circles, is masquerading; the reason for that name is that the "private" IPs masquerade as public IPs.
Static NAT - Also known as 1 to 1 mapping: a single IP address, let's say 192.168.0.5/24 -> 10.0.0.1/8. This means that if a service is running on a specific port and a specific IP is associated with it, then that single service maps to one device for translation; there are no other devices available to handle that request.
Dynamic NAT - Is known as many to many. In this configuration you have a "pool" of addresses that map to the internal IP address space. Let's say our pool has 192.168.0.5, 192.168.0.6 and 192.168.0.7, and the outside addresses are 10.0.0.1, 10.0.0.2 and 10.0.0.3. To show this more clearly:
- 192.168.0.5 -> 10.0.0.1 (Website)
- 192.168.0.6 -> 10.0.0.2 (Database)
- 192.168.0.7 -> 10.0.0.3 (File server)
These configurations map multiple internal IP addresses to a pool of potential addresses.
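As an added example (not code from the original post), here is a small Python model of the dynamic NAT pool described above. Each inside host borrows a whole public address for as long as it is active, which makes the failure mode of this design visible: once the pool is exhausted, the next host cannot get out until an earlier mapping is released. The addresses used are constructed documentation values.

```python
class DynamicNat:
    """Many-to-many NAT: inside hosts borrow a public address from a pool.

    Unlike PAT, each inside host holds a whole public address while it is
    active, so the pool size caps how many hosts can be outside at once.
    Addresses in the demo are constructed RFC 5737 documentation values.
    """

    def __init__(self, pool):
        self.free = list(pool)   # public addresses not yet handed out
        self.active = {}         # inside ip -> public ip
        self.reverse = {}        # public ip -> inside ip (return path)

    def translate(self, inside_ip):
        """Return the public address for inside_ip, or None if the pool is empty."""
        if inside_ip in self.active:
            return self.active[inside_ip]
        if not self.free:
            return None          # pool exhausted: this host cannot get out
        public_ip = self.free.pop(0)
        self.active[inside_ip] = public_ip
        self.reverse[public_ip] = inside_ip
        return public_ip

    def release(self, inside_ip):
        """Free the mapping when the host's flows end; returns the released address."""
        public_ip = self.active.pop(inside_ip, None)
        if public_ip is not None:
            del self.reverse[public_ip]
            self.free.append(public_ip)
        return public_ip

    def inside_for(self, public_ip):
        """Reverse lookup used for packets arriving on the outside address."""
        return self.reverse.get(public_ip)


if __name__ == "__main__":
    nat = DynamicNat(["203.0.113.1", "203.0.113.2"])
    for host in ("192.168.0.5", "192.168.0.6", "192.168.0.7"):
        print(host, "->", nat.translate(host))   # third host gets None
```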
Port Address Translation (PAT) - Is an advancement over the previous methods and the most common. The way PAT works is that a dynamically calculated random port is used on the inside of the network, and a single IP address or multiple IP addresses can be used on the outside of the network. This translation allows multiplexing many different services and connections, and it is the most common implementation of NAT found in home, business and enterprise systems as it provides the maximum amount of flexibility. PAT also has another feature called port forwarding. Technically this is more akin to dynamic NAT, except you can explicitly define a port to go to a specific device; it also allows external connections to query the PAT address and then translate that along the reverse path back to a host, so it maps 1 to 1 like static NAT.
Reverse Connectivity
Reverse connectivity can be important in many cases, and most applications can achieve it via various techniques; there are commonly three types of method. All three of these methods carry security and risk considerations if they are used, and they put devices at risk of compromise if they are not managed correctly. I list these in order of most dangerous to least.
DMZ (Demilitarized Zone) - Is a type of network segregation system that also directly exposes a device to the raw internet. Once a device is inside a DMZ, all of its ports, services and applications are freely queryable and accessible. This is why DMZ designs often have layers: one layer between the interior network and the DMZ, and another on the "public facing edge". Putting an unhardened, unsecured device such as a laptop acting as a VPN router in a DMZ is a recipe for disaster. Do not use DMZs in consumer home networks unless you have the appropriate hardening layers, firewalls, IPS/IDS, secure login, management and many others; it will end badly for you.
Port Forwarding (Static PAT) - Allows you to expose a device based on the ports that are forwarded to it. When a request arrives for a specific port that maps back to an internal host, the gateway looks up its port forwarding rules to determine whether one matches the respective port or service; if it does, the traffic is forwarded from the public IP to the internal private IP, and only this device will receive the request IF it's the only device in the chain. If it's not, and say port 443 HTTPS is exposed and somewhere along that chain is a switch with a login page, pivoting to devices on that segment is a very real risk, though even more of a risk in a DMZ.
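As an added example (not code from the original post), here is a small Python model of the PAT translation table described in the PAT section together with the static port-forward rule described above. It shows the three cases the gateway has to decide on the reverse path: a reply matching a flow an inside host opened, a packet matching an explicit forward, and an unsolicited packet that is dropped. The addresses and ports are constructed documentation values, and ports are allocated sequentially only to keep the example deterministic.

```python
class PatGateway:
    """Minimal model of a PAT (masquerading) gateway with static port forwards.

    The LAN side holds private addresses; the gateway owns one public address.
    Each outbound flow gets its own public port, so many inside hosts share one
    public IP. Inbound packets are delivered only when they match a translation
    created by earlier outbound traffic or a static port-forward rule;
    everything else is dropped at the edge. Demo addresses are constructed.
    """

    def __init__(self, public_ip, port_forwards=None, first_port=40000):
        self.public_ip = public_ip
        # public port -> (inside ip, inside port): the "static PAT" rules
        self.port_forwards = dict(port_forwards or {})
        # Real gateways usually pick the public port randomly; sequential
        # allocation keeps this example deterministic.
        self.next_port = first_port
        self.outbound_map = {}  # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}   # (public port, remote ip, remote port) -> (in_ip, in_port)

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        """Translate an inside->internet packet; return the rewritten 4-tuple."""
        flow = (in_ip, in_port, dst_ip, dst_port)
        pub_port = self.outbound_map.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            while pub_port in self.port_forwards:   # never reuse a forwarded port
                pub_port += 1
            self.next_port = pub_port + 1
            self.outbound_map[flow] = pub_port
            self.inbound_map[(pub_port, dst_ip, dst_port)] = (in_ip, in_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, remote_ip, remote_port, dst_port):
        """Reverse path: return (inside ip, inside port), or None if dropped."""
        # 1. Reply to a flow an inside host opened: translation table hit.
        hit = self.inbound_map.get((dst_port, remote_ip, remote_port))
        if hit is not None:
            return hit
        # 2. Explicit port forward: any remote host may reach this one service.
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]
        # 3. Unsolicited inbound with no rule: the NAT has nowhere to send it.
        return None


if __name__ == "__main__":
    gw = PatGateway("203.0.113.10", port_forwards={443: ("192.168.0.20", 443)})
    print(gw.outbound("192.168.0.5", 51234, "198.51.100.7", 80))
    print(gw.inbound("192.0.2.44", 55555, 443), gw.inbound("192.0.2.44", 55555, 22))
```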
Universal Plug and Play (UPnP) - Most consumer routers use this technique, which is called port knocking or port querying. When a connection is requested, a device "knocks on a port", like asking whether someone is home; once the device completes the knock, the port then opens temporarily. Game consoles and other devices perform this task to allow seamless connectivity without needing port forwarding, but UPnP can itself be exploited. UPnP has no access controls, authentication controls or other measures, so it can be exploited to access a network. On edge devices UPnP should not be active, and port forwarding is the more desirable choice for specific device connectivity, although it is much more complicated. Whereas, for example, knocking on a door with a secret knock is a concept called "something you know", UPnP does not have the functionality necessary to perform AAA checks (Authentication, Authorization or Auditing).
