Taken from: http://www.grc.com/nat/nat.htm
NAT Router Security Solutions
Tips & Tricks You Haven't Seen Before
What does a NAT router do?
A NAT router creates a local area network (LAN) of private IP addresses and interconnects that LAN to the wide area network (WAN) known as the Internet. The "Network Address Translation" (NAT) performed by the router allows multiple computers (machines) connected to the LAN behind the router to communicate with the external Internet. The most common use for NAT routers is serving as an "interface" between the global public WAN Internet and a private non-public LAN:
One of the key benefits of NAT routers (and the main reason for their purchase by residential and small office users) is that the router appears to the Internet as a single machine with a single IP address. This effectively masks the fact that many computers on the LAN side of the router may be simultaneously sharing that single IP. This is good for the Internet since it helps to conserve the Net's limited IP space.
A few important bits of terminology we are about to need:
A NAT Router's Inherent Security
Although NAT routers are not generally purchased for their security benefits, all NAT routers inherently function as very effective hardware firewalls (with a few caveats examined below). As a hardware firewall they prevent "unsolicited", unexpected, unwanted, and potentially annoying or dangerous traffic from the public Internet from passing through the router and entering the user's private LAN network.
The reason they do this is very simple: With multiple "internal" computers on the LAN behind the router, the router must know which internal computer should receive each incoming packet of data. Since ALL incoming packets of data have the same IP address (the single IP address of the router), the only way the router knows which computer should receive the incoming packet is if one of the internal computers on the private LAN FIRST sent data packets out to the source of the returning packets.
How is this done?
Since the NAT router links the internal private network to the Internet, it sees everything sent out to the Internet by the computers on the LAN. It memorizes each outgoing packet's destination IP and port number in an internal "connections" table and assigns the packet its own IP and one of its own ports for accepting the return traffic. Finally, it records this information, along with the IP address of the internal machine on the LAN that sent the outgoing packet, in a "current connections" table.
When any incoming packets arrive at the router from the Internet, the router scans its "current connections" table to see whether this data is expected by looking for the remote IP and port number in the current connections table. If a match is found, the table entry also tells the router which computer in the private LAN is expecting to receive the incoming traffic from that remote address. So the router re-addresses (translates) the packet to that internal machine and sends it into the LAN.
And here's the really good part:
If the arriving packet does not exactly match traffic that is currently expected by the router, the router figures that it's just unwanted "Internet noise" and discards the unsolicited packet of data.
With a NAT router protecting your connection to the Internet — even if you only have one computer on the LAN behind the router — none of the Internet scanning and worms and hackers and other annoying and malicious Internet nonsense can get to your computer or computers.
If the NAT router isn't already expecting the incoming data, because one of the machines on the LAN asked for it from the Internet, the router silently discards it and your private network is never bothered.
So now that we have the basics . . .
Let's get a bit more advanced
Since NAT routers allow data to pass readily from the internal secure LAN out to the external insecure Internet WAN, but will automatically BLOCK unsolicited inbound data from the WAN, a NAT router can be thought of as a sort of one-way valve:
It is useful to think of a NAT router as a one-way valve. Packets of data can freely flow from the secure LAN out to the insecure WAN, but "unsolicited" traffic attempting to flow in from the insecure WAN to the secure LAN is automatically blocked from entering.
Also, a multi-port NAT router is two components in one box:
As you can see from the block diagram above, internally a NAT router is a standard network switch interconnecting the machines plugged into the router to the router's network address translation WAN interface. What's significant for our discussion is that all of the internal machines are interconnected on the same LAN. This is convenient for sharing files and data among the machines, but it creates a security problem if all of the machines are not equally secure and trustworthy. If any malware or Trojan software were to somehow get onto any one of the machines, and that machine is on the LAN with all of the others (as it normally is), the malicious software would have access to every other uninfected machine sharing the once-secure LAN. By sending "ARP broadcasts" to the LAN, an infected machine can determine the IP and "MAC" addresses of every other machine on the LAN . . . and go to work on them.
Malicious hackers know all about this LAN-side vulnerability. This is why many recent viruses and worms attempt to spread not only by scanning the Internet for additional vulnerable targets, but also by spreading locally through Windows file sharing, RPC vulnerabilities, and many other well-known Windows insecurities. Once one machine gets hit, every machine on the LAN can fall victim.
What can be done to improve LAN security with multiple machines?
Here's where thinking about NAT routers as one-way valves comes in. A second NAT router can be used on the internal LAN to create a second, even MORE SECURE LAN:
Yes, this works! NAT routers can be cascaded "IN SERIES" and used as one-way security flow valves. Looking at the diagram above: Machines on the "Semi-Secure" (middle) LAN can access the Internet, but they are protected by the "External NAT" from most Internet badness.
Machines on the "Super-Secure" internal LAN can also access the Internet, first by going out through the "Internal NAT" and then the "External NAT". As with machines on the Semi-Secure LAN, the "External NAT" will keep unsolicited traffic from entering the network.
Because the Semi-Secure LAN is on the OUTSIDE (WAN side) of the Internal NAT, the machines on the Semi-Secure LAN are unable to freely access the machines behind the Internal NAT.
The machines behind the Internal NAT can access the machines in the middle, but NOT the other way around!
Where would TWO NAT routers be useful?
Completely isolating a router's DMZ network and servers.
Isolating an open or low-security wireless access point.
Protecting one "high-value" machine from the rest of the network.
Completely isolating a router's DMZ network and servers:
Our previous discussion of NAT routers stated that incoming packets which have not been explicitly solicited by machines on the router's LAN side are discarded. The router's default "discard all unsolicited packets" configuration can be altered for more advanced applications:
Port Forwarding can be enabled to configure routers to forward unsolicited packets arriving at specified router ports to specified machines within the router's LAN network. This can be useful when using some instant messaging, VoIP, or peer-to-peer systems that are otherwise unable to penetrate the firewall that NAT routers inherently create.
A Routing DMZ machine can also be specified, separately or additionally, to receive any and all unsolicited traffic that is not otherwise being returned to other machines on the router's LAN network. This puts the specified machine "out on the front line" of the Internet to receive anything that might be aimed at the router's public IP. ("DMZ" stands for "De-Militarized Zone")
As you might imagine, a router's "DMZ" machine, and even a "port forwarded" machine, needs to have substantial security or it will be crawling with Internet fungus in no time. That's a BIG problem from a security standpoint. Why?
As the NAT router block diagram above shows, a NAT router has a standard Ethernet switch interconnecting ALL of its LAN-side ports. There's nothing "separate" about the port hosting the special "DMZ" machine. It's on the internal LAN! This means that anything that might crawl into it through a forwarded router port, or due to its being the DMZ host, has access to every other machine on the internal private LAN. (That's really bad.) What can be done to create a super-secure internal LAN, while still allowing the flexibility of having one or more security-challenged DMZ or port-forwarded machines? Just use a secondary NAT router:
Remember that NAT routers are like one-way flow valves for data: Data can flow freely OUT through the router from the LAN to the WAN, but unsolicited data is blocked from flowing back IN from the WAN to the LAN. Since there is nothing to prevent TWO NAT routers from being "chained" and connected in series, the security-challenged machine can be completely isolated from the internal network by sandwiching it in between the two chained routers. It's behind the external router and in front of the internal router. Since it's in front of the internal router, its traffic cannot flow into the internal LAN, but it can still reach the Internet (through the external router) . . . and the users on the internal LAN can reach it since it's outside the internal LAN. Now let's look at the second typical application:
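The following Python is an added example, not code from the GRC article and not any router's actual firmware. It models three things the article describes in prose: the "current connections" table that lets only expected replies back in, two routers chained in series so that the middle (Semi-Secure) LAN cannot reach the inner (Super-Secure) LAN while the reverse direction works, and the port-forward and DMZ-host exceptions that deliberately admit unsolicited traffic. All IP addresses, ports and the class names (Packet, NatRouter) are constructed for the example; real routers also track protocol, time out idle entries and handle many details this toy omits.

```python
# Added example (not from the GRC article): a toy model of a NAT router's
# "current connections" table, with optional port forwarding and a DMZ host,
# and two routers chained in series. All addresses and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Simplified NAT router (hypothetical, not any vendor's implementation).

    self.table maps (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port):
    the router remembers where each outgoing connection went and which
    internal machine sent it, so that ONLY matching replies are let back in.
    """

    def __init__(self, wan_ip, forwards=None, dmz_host=None):
        self.wan_ip = wan_ip
        self.forwards = forwards or {}   # wan_port -> (lan_ip, lan_port)
        self.dmz_host = dmz_host         # receives all other unsolicited traffic
        self.table = {}
        self.next_port = 40000           # first WAN port handed out for translation

    def outbound(self, pkt):
        """LAN -> WAN: record the connection and rewrite the source to the WAN IP."""
        for (rip, rport, wport), lan_side in self.table.items():
            if lan_side == (pkt.src_ip, pkt.src_port) and (rip, rport) == (pkt.dst_ip, pkt.dst_port):
                wan_port = wport         # same internal socket and remote: reuse the mapping
                break
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.table[(pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: returns (translated packet or None, reason)."""
        lan_side = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if lan_side:                      # expected reply: translate to the LAN machine
            return Packet(pkt.src_ip, pkt.src_port, *lan_side), "translated"
        if pkt.dst_port in self.forwards:  # explicit port forward
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port), "forwarded"
        if self.dmz_host:                 # the DMZ host gets everything else
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port), "dmz"
        return None, "dropped"            # unsolicited "Internet noise"


def cascade_demo():
    """Two routers in series: external (public 203.0.113.5, LAN 192.168.1.x)
    and internal (WAN side 192.168.1.2, LAN 10.0.0.x). Constructed addresses."""
    ext = NatRouter("203.0.113.5")
    inner = NatRouter("192.168.1.2")
    r = {}
    # A Super-Secure host talks to an Internet server; both routers record it.
    out = inner.outbound(Packet("10.0.0.10", 51000, "198.51.100.7", 443))
    out = ext.outbound(out)
    reply = Packet("198.51.100.7", 443, out.src_ip, out.src_port)
    p1, s1 = ext.inbound(reply)
    p2, s2 = inner.inbound(p1)
    r["reply_to_inner_host"] = (s1, s2, p2.dst_ip)
    # Unsolicited probe from the Internet at the external router: no table match.
    r["probe_at_external"] = ext.inbound(Packet("192.0.2.9", 4444, "203.0.113.5", 445))[1]
    # Same remote host but a different remote port is NOT an exact match either.
    r["same_host_other_port"] = ext.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 40000))[1]
    # A Semi-Secure (middle LAN) machine cannot reach into the Super-Secure LAN.
    r["middle_to_inner"] = inner.inbound(Packet("192.168.1.50", 5000, "192.168.1.2", 445))[1]
    # The other way works: inner host -> middle host, and the reply comes back.
    out = inner.outbound(Packet("10.0.0.10", 52000, "192.168.1.50", 80))
    r["inner_to_middle"] = (out.src_ip, out.dst_ip)
    r["middle_reply"] = inner.inbound(Packet("192.168.1.50", 80, out.src_ip, out.src_port))[0].dst_ip
    return r


def dmz_demo():
    """Port forward and DMZ host on the external router; a sandwiched DMZ host
    still cannot reach the LAN behind the internal router."""
    ext = NatRouter("203.0.113.5", forwards={8080: ("192.168.1.20", 80)}, dmz_host="192.168.1.30")
    inner = NatRouter("192.168.1.2")
    d = {}
    fwd, s_fwd = ext.inbound(Packet("192.0.2.9", 4444, "203.0.113.5", 8080))
    d["forwarded"] = (s_fwd, fwd.dst_ip, fwd.dst_port)
    dmz, s_dmz = ext.inbound(Packet("192.0.2.9", 4445, "203.0.113.5", 445))
    d["dmz"] = (s_dmz, dmz.dst_ip, dmz.dst_port)
    # Whatever reaches the DMZ host is stopped by the internal router's valve.
    d["dmz_host_to_inner_lan"] = inner.inbound(Packet("192.168.1.30", 6000, "192.168.1.2", 445))[1]
    return d


if __name__ == "__main__":
    print(cascade_demo())
    print(dmz_demo())
```

The decision order in inbound() is the point of the DMZ discussion: a table match wins, then an explicit forward, then the DMZ host, and only a router with neither exception drops everything unsolicited. In dmz_demo() the DMZ host still lives on the external router's LAN switch, which is why its probe toward the internal router is the one that gets dropped.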
Isolating an open or low-security wireless access point:
Suppose you have a first-generation wireless Wi-Fi NAT router access point running either fully open (you never bothered to set up any security at all) or with crackable WEP encryption (because your hardware cannot be upgraded to the later generation of really good WPA encryption).
Since the wireless access point radio is simply on the external router's LAN switch, ANYONE who has, or gains, access to your wireless network is also on the rest of your LAN and can directly access any of your other machines. You can leave your old and not-so-secure WEP Wi-Fi access point right where it is by adding a second NAT router to protect your LAN from any dangers created by the wireless router:
Our final application example:
Protecting one "high-value" machine from the rest of the network:
Suppose that rather than protecting all of your network from one "external danger" — like a machine on a DMZ or a Wi-Fi access point — you want to protect one "high-value" machine from potential insecurity within the rest of your own network.
For example, suppose that each of your teenage kids has their own computer connected to your shared "family" LAN created by a single NAT router. Or you might be the boss in a small office, where everyone in the office is sharing a single NAT router. In either case, you might not like the idea, for whatever reason, of having your (dad or boss) computer on the same LAN network as everyone else. If your kids or employees were to get themselves infected, download or bring something really nasty home from school, it could quickly spread to all "peer" machines connected to the same LAN network.
So in this case the main LAN, as opposed to a single high-risk machine, is the "scary zone" and you want to protect your single "high-value" machine from anything that might be going on out on that network. So this time you give your single machine its own "one-way security valve" NAT router. The router participates on the LAN with the other high-risk "scary" computers while preventing anything out there from crawling into your machine:
As we have seen, NAT routers make valuable network security devices and offer much more flexibility than just being used to interface a local network to the Internet. They can also be used as "one-way security valves" to create layers of protected sub-networks.