Transcript An Analysis on NAT Security

An Analysis on NAT Security
Trojans - II
Balachandar Sankar
Pragadesh Rajasekaran
Agenda



Quick Glance on NAT
Problems with NAT
NAT Security
–
–


IPSec
Windows 2003 Server
Issues with NAT
Conclusion
Quick Glance on NAT





NAT - Network Address
Translation
Enabling a Local Area Network
to use one set of IP
addresses for internal traffic.
Provides a single public
address for a set of internal
addresses.
Solution for deficit IPv4
addresses.
Provides firewall for internal
network.
http://www.sbbi.net/site/jafs/docs/upnp-nat.html
Problems with NAT


IPSec is used to secure integrity of message
and authentication.
NAT doesn’t support the actual functionality
of IPsec.
–
–

IKE embeds the source IP address.
ESP encrypts header – TCP checksum & ports
Problem using Windows Server 2003 VPN
servers behind a NAT device
NAT security – solving IPSec

NAT-T
–
–
–

Adds UDP header encapsulating ESP header
Adds original sender IP address to NAT-OA (NAT
Original Header) payload
Prevent problems related to ports, source IP
address and TCP checksum.
IPSec in Tunnel Mode
NAT Security – Windows XP SP2
By default, the IPSec NAT-T security
association is disabled.
Consider the following situation
1. The Server-1 resides behind a NAT and the
NAT is configured to allow IPSEc NAT-T
traffic.
2. The Client-1, which is outside the NAT,
uses IPSec NAT-T security association to
connect with the Server-1.

NAT Security – Windows XP SP2
(contd…)
3.
4.
Another client (say Client-2), which is inside
a NAT, establishes connection with the
Client-1 through IPSec NAT-T security
association.
A condition may occur where the Client -1
may reestablish connection with the Client2. This condition may cause the NAT-T
traffic intended for client-2 to be redirected
to Server-1.
NAT Security – windows 2003 server


NAT-T - IPSec cannot be used when Windows
Server 2003 VPN servers are used behind a NAT
device since IPSec usage is compromised and
chances for the packets routing to different machines
are possible within NAT.
Solutions:
–
–
VPN servers public IP addresses can be used so clients
can connect to them directly rather than through NAT.
Editing the windows registry to restore the ability to connect
to servers behind a NAT with IPSec/NAT-T.
Issues with NAT





Increasing the probability of mis-addressing.
NAT breaks certain applications making them more
difficult to run. (incorrect ports)
Servers can’t be run within a NAT network unless
configured.
Dynamic IP addressing by ADSL changes IP for
every 20 hours.
Since all users behind Nat uses the same public IP
address, information related to connectivity is lost
Conclusion



NAT security issues are still being solved.
Though some major issues are solved, still
the problem exists.
IPv6 will change the infrastructure of NAT.
Questions ??