In this set of slides, we will talk about network address translators. We have seen that firewalls introduce a single checking point in a network where security policies can be enforced. This logically divides an address space into an internal trusted network and an external untrusted network. There is another mechanism that makes use of the idea of an internal and an external network and that is typically implemented on the network access router: network address translation. A network address translator, or NAT, is a way to map an address from a certain subnetwork to another address. It was initially introduced to handle situations like a customer changing ISP without having to change their internal network configuration. Nowadays, it is typically used to map the addresses of a private network to a single address on the open internet. For example, if your network implements NAT, all the hosts in your home network will be reachable from the open internet through a single IP address, namely the one that your ISP has assigned to your router. The main goal of NAT nowadays is solving, or at least slowing, the depletion of the public IPv4 address space. Therefore, it is important to understand that NAT is not a security mechanism per se. However, and this is the reason we treat NAT in this course, it indirectly provides a security layer by isolating the hosts in the internal network from the external network. We will say more on the security implications of NAT later in this lecture.

A NAT works by accessing and manipulating both network-level and transport-level packet information, that is, source and destination IP addresses and ports. Let's see how this is done. Let's assume we have a private network with a router implementing NAT. The addresses in the private network are taken from the 10.0.0.0/8 private block. The router is reachable from the internal network at the IP address 10.0.0.1 and from the open internet at a public address, say x.y.z.w.
The overall idea is that all datagrams leaving the private network have the same source IP address, although they will have different source ports. To implement this translation, a NAT router needs to take care of three operations. First, replace the source IP address and source port of each outgoing datagram with its public IP address and a new source port. Second, keep track of this association in an internal translation table. And third, for each incoming datagram, replace the public IP address and destination port with the internal IP address and port that were previously stored. Besides remapping IPs and ports, a NAT also needs to decide whether an outgoing or incoming connection is allowed. Even though the overall mechanism of IP and port remapping remains the same, NATs implement several types of restrictions. We therefore have full cone NAT, restricted cone NAT, port-restricted cone NAT and symmetric NAT. Let's have a look at each one of them.

Full cone NAT is also known as static NAT or one-to-one NAT. If a connection from a private IP and port is opened towards the open internet, the NAT creates a mapping between the internal IP:port and a public IP:port. Every subsequent packet from the same private IP:port will be forwarded to the open internet with that public IP:port pair as its source. Let's now consider what happens if a connection with destination the public IP:port is requested. Full cone NAT forwards every packet with destination that public IP:port pair, from any source IP and port on the internet, to the private IP:port. This could be reply traffic from the just-opened connection or any other incoming traffic. Full cone NAT is the most permissive form of restriction and is essentially a form of port forwarding. A restricted cone NAT, or address-restricted cone NAT, works in a very similar way to the full cone NAT, but this mechanism places additional requirements on which external IPs can contact the private network.
As with full cone NAT, once a connection from the private network is allowed, a mapping for those public and private IP:port pairs is created. Traffic from an open-internet host that has previously received traffic from a host in the private network is always allowed through that mapping. Note that in this case only the source IP address matters; the port number is not considered. If traffic for the private network reaches the NAT from an IP that was never contacted by a host in the internal network, the traffic is dropped. If the NAT also restricts incoming traffic to previously contacted IP:port pairs, then we talk about a port-restricted cone NAT. Traffic from a previously contacted IP:port pair is allowed, but traffic from that same IP from a different port is blocked, and so is traffic from a different IP. It is important to notice that in this case, as in all cone NATs, the mapping between the private-network IP:port and the external NAT IP:port remains the same every time that internal IP:port is used to contact any destination on the open internet. Assume therefore that this mapping has been created and that incoming traffic from the contacted host is allowed, as we have seen before. If the same private-network IP:port is used to contact another host on the open internet, then this traffic too will be forwarded using the same mapping. If we want to specifically take into consideration which destination on the open internet a host in the private network is talking to, this case is covered by a symmetric NAT. In a symmetric NAT we have again that the main driver for creating a mapping in the translation table of the NAT router is a connection initiated by a host in the private network. And again, incoming traffic is allowed only if the initiator of the exchange was a host in the private network. We are not showing incoming traffic here. However, the destination host and port will be instrumental in creating a mapping for the NAT translation table.
For example, if a second connection is made to a different IP and/or port, it will be stored in a different mapping. The major difference between port-restricted cone and symmetric NAT is therefore in the creation of mappings. We should also add that nowadays it is not that easy anymore to classify a NAT in one of the above classes, and vendors can also implement variations of the above. I believe that the most important aspect to remember in the case of NAT is the mapping between the internal and external network, and that a NAT will refuse incoming connections if a mapping is not yet present. And, from a security perspective, also that it will accept incoming traffic if a mapping is present.

It is now time to discuss the security implications of NAT. Although designed with a different goal in mind, NAT can nevertheless provide a sort of security bonus for a network. This is the case, for example, when a NAT accepts incoming traffic only if an internal host is contacting a certain external host, while any other traffic is dropped. However, we should be careful here: this is not a security feature. Blocking unwanted incoming connections is due to the fact that there is no mapping for the involved hosts in the NAT table, not to an intentional security policy. Therefore, although NAT might as a side effect help in hiding the internal network, it does not implement access control and therefore does not replace a firewall. Also, once a mapping is in the NAT translation table, traffic is allowed into the network. The underlying assumption is that this traffic is okay because an internal host has first initiated an exchange, but this might not be the case. In practice this creates a hole in your perimeter. It is important to stress that a NAT is not a firewall, although incidentally both create a checkpoint for the traffic entering and leaving the internal network. Their main functionality is different.
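As an added example that is not part of the slides, the following Python model implements the three translation operations described above together with the four filtering behaviours (full cone, address-restricted cone, port-restricted cone, symmetric) in one small class, so the differences in mapping creation and inbound filtering can be checked directly. The addresses are assumptions: 203.0.113.7 stands in for the router's public address x.y.z.w, and 198.51.100.x and 192.0.2.x for hosts on the open internet.

```python
"""Toy model of a NAT's translation table and of the four classic filtering
behaviours. Added example for this lecture, not code from the slides; the
addresses are documentation ranges chosen for illustration."""
import itertools
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "address-restricted cone"
    PORT_RESTRICTED_CONE = "port-restricted cone"
    SYMMETRIC = "symmetric"


class Nat:
    def __init__(self, nat_type: NatType, public_ip: str = "203.0.113.7",
                 first_port: int = 40000) -> None:
        self.nat_type = nat_type
        self.public_ip = public_ip            # stands in for x.y.z.w
        self._ports = itertools.count(first_port)
        self._table: Dict[object, int] = {}  # mapping key -> public port
        # public port -> (internal endpoint, external endpoints it has contacted)
        self._by_port: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}

    def _key(self, src: Endpoint, dst: Endpoint) -> object:
        # Cone NATs key the mapping on the internal endpoint only, so one
        # internal socket keeps the same public port for every destination.
        # A symmetric NAT keys on (internal, destination): every new
        # destination gets its own mapping.
        return (src, dst) if self.nat_type is NatType.SYMMETRIC else src

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Operations 1 and 2: rewrite the source, remember the association.
        Returns the (source, destination) pair as seen on the open internet."""
        key = self._key(src, dst)
        port = self._table.get(key)
        if port is None:
            port = next(self._ports)
            self._table[key] = port
            self._by_port[port] = (src, set())
        self._by_port[port][1].add(dst)
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Operation 3: translate an incoming packet back to the internal
        endpoint, or return None when the NAT drops it."""
        if dst[0] != self.public_ip or dst[1] not in self._by_port:
            return None                       # no mapping at all: dropped
        internal, contacted = self._by_port[dst[1]]
        if self.nat_type is NatType.FULL_CONE:
            allowed = True                    # anyone may use the mapping
        elif self.nat_type is NatType.RESTRICTED_CONE:
            allowed = src[0] in {ip for ip, _ in contacted}   # IP only
        else:  # port-restricted cone and symmetric: exact (ip, port) match
            allowed = src in contacted
        return internal if allowed else None


def demo() -> Dict[str, Dict[str, bool]]:
    """Same two outbound connections under each flavour, then probe the first
    mapping from three different external sources."""
    inside = ("10.0.0.5", 5000)
    dns = ("198.51.100.1", 53)
    web = ("198.51.100.2", 80)
    stranger = ("192.0.2.9", 4444)
    results = {}
    for t in NatType:
        nat = Nat(t)
        pub1, _ = nat.outbound(inside, dns)
        pub2, _ = nat.outbound(inside, web)
        results[t.value] = {
            "same_public_port": pub1 == pub2,
            "reply_from_dns": nat.inbound(dns, pub1) == inside,
            "dns_ip_other_port": nat.inbound((dns[0], 9999), pub1) == inside,
            "stranger": nat.inbound(stranger, pub1) == inside,
            "unmapped_port_dropped": nat.inbound(dns, (nat.public_ip, 50000)) is None,
        }
    return results


if __name__ == "__main__":
    for flavour, outcome in demo().items():
        print(f"{flavour:26} {outcome}")
```

Running `demo()` shows the two points the lecture stresses: every flavour drops a packet for which no mapping exists, and every flavour lets something in once a mapping exists. What differs is only who may use the mapping (anyone for full cone, the contacted IP for address-restricted, the contacted IP:port for port-restricted and symmetric) and whether the second destination reuses the public port (all cone types) or gets a fresh one (symmetric).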
While a firewall inspects packets to implement access control, a NAT only maps internal and external IPs and ports. We can therefore say that the goals of NAT and firewalls are inherently different. NAT devices are also often criticized because they do not respect the layer separation of the protocol stack. NAT is implemented in routers, which are network-level devices. However, NAT manipulates both network-layer and transport-layer information in a packet. NAT might also interfere with the functioning of several applications, especially those relying on random ports. Thinking about forensics, a NAT can also interfere with finding the origin of malicious traffic. Once a network is behind a NAT, traceability of security incidents becomes a problem. Although one might rely on logging of NAT mappings, in practice this is not done, meaning that it is quite difficult to identify the host originating malicious traffic. Last for this list, NAT may reduce the port entropy in the traffic visible to the open internet. This happens, for example, for NAT implementations that use only a range of ephemeral ports, for example ports higher than 50,000. Reduced entropy in source ports becomes a problem for protocols that use port randomization to improve security. For example, we have seen that a DNS resolver must use an unpredictable source port and an unpredictable query ID as a means of protecting against cache poisoning attacks. If a NAT remaps queries to a smaller range of ports, the protocol becomes more susceptible to cache poisoning attacks. The picture you see in the slides shows how in practice we are confronted with this issue. The figure is based on data collected at one of the authoritative name servers in Surfnet and it is a scatterplot of the query ID on the x-axis and the source port on the y-axis. If those two parameters were fully random, we should see only a noisy, uniformly distributed set of data points.
However, there is, among other anomalies, a distinctively denser zone in the higher range of the source port, for which NAT is one of the most likely causes, by remapping outgoing queries to a port range roughly between 50,000 and 65,000.
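As an added example, not the Surfnet measurement itself, the following Python code models a resolver that randomizes query ID and source port, puts it behind a NAT that remaps source ports into the 50,000 to 65,000 band the lecture mentions, and then measures what an observer on the authoritative side would see: the share of queries landing in that band (the dense zone of the scatterplot), the Shannon entropy of the observed source ports, and the resulting change in a blind spoofer's odds. The query sample is constructed with a seeded PRNG; the port ranges are assumptions chosen to match the lecture's description.

```python
"""Source-port entropy of DNS queries as seen from outside, before and after a
NAT squeezes them into a narrow ephemeral range. Added example for this
lecture, not the Surfnet data: the (query ID, source port) sample is
constructed with a seeded PRNG, and the 50,000-65,000 band is the range the
lecture names as the NAT's likely target."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

TXID_SPACE = 1 << 16                  # DNS query ID is a 16-bit field
RESOLVER_PORTS = range(1024, 65536)   # ephemeral range of a randomizing resolver
NAT_PORTS = range(50000, 65001)       # assumed NAT remapping range (inclusive)


def make_queries(n: int, seed: int = 1) -> List[Tuple[int, int]]:
    """Constructed sample of (query id, source port) pairs emitted by a
    resolver that randomizes both fields properly."""
    rng = random.Random(seed)
    return [(rng.randrange(TXID_SPACE), rng.choice(RESOLVER_PORTS)) for _ in range(n)]


def nat_remap(queries: List[Tuple[int, int]], seed: int = 2) -> List[Tuple[int, int]]:
    """Model the NAT: the query ID passes through untouched, the source port
    is replaced by one drawn from the NAT's restricted range."""
    rng = random.Random(seed)
    return [(qid, rng.choice(NAT_PORTS)) for qid, _ in queries]


def shannon_bits(values) -> float:
    """Plug-in Shannon entropy (bits) of the observed distribution. On a finite
    sample this underestimates the true entropy, so only compare samples of
    equal size."""
    values = list(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def band_fraction(ports, band: range = NAT_PORTS) -> float:
    """Share of queries whose source port falls in the band. With fully random
    ports this is about len(band)/len(RESOLVER_PORTS), roughly 0.23; a value
    near 1 is the dense zone in the scatterplot."""
    ports = list(ports)
    return sum(p in band for p in ports) / len(ports)


def spoof_success_probability(forged: int, port_space: int,
                              txid_space: int = TXID_SPACE) -> float:
    """Chance that `forged` distinct (id, port) guesses fired into one query's
    response window contain the right pair (blind cache-poisoning model)."""
    return min(1.0, forged / (txid_space * port_space))


def compare(n: int = 20000) -> Dict[str, float]:
    """Observer's view of the same queries with and without the NAT."""
    direct = make_queries(n)
    natted = nat_remap(direct)
    direct_ports = [p for _, p in direct]
    natted_ports = [p for _, p in natted]
    return {
        "direct_port_bits": shannon_bits(direct_ports),
        "natted_port_bits": shannon_bits(natted_ports),
        "direct_band_fraction": band_fraction(direct_ports),
        "natted_band_fraction": band_fraction(natted_ports),
        # ideal entropy loss: log2(64512) - log2(15001), about 2.1 bits
        "theoretical_bits_lost": math.log2(len(RESOLVER_PORTS)) - math.log2(len(NAT_PORTS)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:24} {value:.3f}")
    budget = 100_000  # forged responses an attacker can inject per query window
    print("spoof odds, no NAT :", spoof_success_probability(budget, len(RESOLVER_PORTS)))
    print("spoof odds, NAT    :", spoof_success_probability(budget, len(NAT_PORTS)))
```

The same `shannon_bits` and `band_fraction` functions can be run over real (query ID, source port) pairs pulled from a capture on an authoritative server to reproduce the check behind the scatterplot. Shrinking the port space from 64,512 to 15,001 values costs about 2.1 bits, so a spoofer who can inject a fixed number of forged responses per query window gains roughly a factor 4.3 in success probability, which is the "more susceptible to cache poisoning" claim made quantitative.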