
An Analysis on NAT Security



Presentation Transcript


  1. An Analysis on NAT Security Trojans - II Balachandar Sankar Pragadesh Rajasekaran

  2. Agenda
     • Quick Glance on NAT
     • Problems with NAT
     • NAT Security
     • IPSec
     • Windows 2003 Server
     • Issues with NAT
     • Conclusion

  3. Quick Glance on NAT
     • NAT - Network Address Translation
     • Enables a Local Area Network to use one set of IP addresses for internal traffic.
     • Provides a single public address for a set of internal addresses.
     • A workaround for the shortage of IPv4 addresses.
     • Provides a firewall for the internal network.
     http://www.sbbi.net/site/jafs/docs/upnp-nat.html

  4. Problems with NAT
     • IPSec is used to secure message integrity and authentication.
     • NAT doesn’t support the actual functionality of IPSec.
     • IKE embeds the source IP address.
     • ESP encrypts the transport header (TCP checksum and ports).
     • Problems arise when using Windows Server 2003 VPN servers behind a NAT device.

  5. NAT security – solving IPSec
     • NAT-T
       • Adds a UDP header encapsulating the ESP header.
       • Adds the original sender IP address to the NAT-OA (NAT Original Address) payload.
       • Prevents problems related to ports, source IP address and TCP checksum.
     • IPSec in Tunnel Mode
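Added example (not from the original slides): a Python sketch of the TCP checksum problem named on slides 4 and 5. It shows that a NAT which can see the TCP header repairs the checksum, that a NAT which cannot (the segment is inside ESP) leaves it invalid, and that a receiver who learns the original address via NAT-OA can verify it again. All addresses, ports and function names are constructed for illustration.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum over the pseudo-header (src, dst, protocol 6, length) plus segment."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return ~ones_sum(pseudo + segment) & 0xFFFF

def fill_checksum(src: str, dst: str, segment: bytes) -> bytes:
    """Zero the checksum field (bytes 16-17) and write a fresh value for src/dst."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return zeroed[:16] + struct.pack("!H", tcp_checksum(src, dst, zeroed)) + zeroed[18:]

def build_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) plus payload, with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return fill_checksum(src, dst, header + payload)

def verifies(src: str, dst: str, segment: bytes) -> bool:
    """Receiver check: the checksum over pseudo-header and segment must be zero."""
    return tcp_checksum(src, dst, segment) == 0

# Constructed sample addresses (private host, NAT public side, remote server).
PRIVATE_SRC, NAT_PUBLIC, SERVER = "192.168.1.10", "203.0.113.5", "198.51.100.20"

def demo():
    seg = build_segment(PRIVATE_SRC, SERVER, 40000, 80, b"hello")
    # Cleartext TCP: the NAT sees the header and rewrites the checksum itself.
    plain_nat_ok = verifies(NAT_PUBLIC, SERVER, fill_checksum(NAT_PUBLIC, SERVER, seg))
    # Transport-mode ESP: the NAT changes only the outer source address; the
    # encrypted segment still carries the checksum computed for PRIVATE_SRC.
    esp_nat_ok = verifies(NAT_PUBLIC, SERVER, seg)
    # NAT-T: the peer learned PRIVATE_SRC from the NAT-OA payload and uses it
    # in place of the translated address when checking the decrypted segment.
    nat_oa_ok = verifies(PRIVATE_SRC, SERVER, seg)
    return plain_nat_ok, esp_nat_ok, nat_oa_ok

if __name__ == "__main__":
    print(demo())
```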

  6. NAT Security – Windows XP SP2
     By default, the IPSec NAT-T security association is disabled. Consider the following situation:
     • Server-1 resides behind a NAT, and the NAT is configured to allow IPSec NAT-T traffic.
     • Client-1, which is outside the NAT, uses an IPSec NAT-T security association to connect to Server-1.

  7. NAT Security – Windows XP SP2 (contd.)
     • Another client (say Client-2), which is inside a NAT, establishes a connection with Client-1 through an IPSec NAT-T security association.
     • A condition may occur where Client-1 re-establishes the connection with Client-2. This condition may cause the NAT-T traffic intended for Client-2 to be redirected to Server-1.

  8. NAT Security – Windows 2003 Server
     • IPSec NAT-T cannot be used when Windows Server 2003 VPN servers sit behind a NAT device, since IPSec usage is compromised and packets may be routed to a different machine behind the NAT.
     • Solutions:
       • Give the VPN servers public IP addresses so clients can connect to them directly rather than through NAT.
       • Edit the Windows registry to restore the ability to connect to servers behind a NAT with IPSec/NAT-T.

  9. Issues with NAT
     • Increases the probability of mis-addressing.
     • NAT breaks certain applications, making them more difficult to run (incorrect ports).
     • Servers can’t be run within a NAT network unless the NAT is configured for them.
     • Dynamic IP addressing on ADSL changes the IP address every 20 hours.
     • Since all users behind the NAT use the same public IP address, information related to connectivity is lost.

  10. Conclusion
     • NAT security issues are still being solved.
     • Though some major issues are solved, problems still exist.
     • IPv6 will change the infrastructure of NAT.

  11. Questions?
