NATs Not Without Trouble

 
 
By eweek  |  Posted 2001-06-11
 
 
 

A network address translation (NAT) device increases security, making it more difficult for hackers to find your clients network. Couple NAT with a stateful inspection firewall (with a properly configured rule set), and youve got a sturdy defense in the making. NAT, however, is not a universal panacea and takes a bite out of functionality.

Stateful packet inspection firewalls keep track of TCP connections, raising the likelihood that they will detect unwanted traffic. NAT, which translates a single, Internet-routable IP address into many nonroutable addresses on the LAN, either opens ports wide or blocks them completely with no regard for connection state. The important difference is that if a user makes a Web page request and the response is not a Web page, the stateful packet inspection firewall will deny it, while NAT will let it through. While difficult for the masses, elite hackers can compromise NAT with relative ease by using techniques such as session hijacking.

All of the devices we tested employ NAT as their first line of defense. Only the NetScreen-5XP and SonicWall SOHO2 allow NAT to be disabled, leaving the firewall as the primary defender. That is especially important for videoconferencing or VoIP applications. With NAT, only one internal device can accept traffic on a single port. Any office using IP phones, for example, wont be able to use NAT (unless its one-to-one NAT) because each phone needs its own port assignments. These applications are only possible with multiple internal devices, each of which is associated with its own port and IP address, which must be Internet-routable.

Rocket Fuel