[Techtalk] To NAT or not to NAT?

Wed Nov 13 16:20:25 EST 2002

(this may be a little more than you wanted....)

On Wed, 13 Nov 2002, Michelle Murrain wrote:
<snip>
>
> So my questions are as follows:
>
> Obviously, I'm going to use NAT for machines in my internal network
> that aren't servers. But in terms of the servers, what are the real
> advantages of NAT besides "security by obscurity" which I know isn't
> sufficient, and, right now isn't necessary, since I'm using IOS
> access lists as well as ipchains/tables on my servers?
>

I'd probably put up a DMZ.  Instead of reverse NAT-ing back through the
firewall to publicly available servers, put them out in the publicly
addressible space, give them a public IP out of your set, and let the ACLs
on the router take care of only allowing that service to that machine.

Then firewall off your internal LAN with a NAT box.

Putting up a DMZ for things like mail, web, and DNS servers keeps you from
poking holes in the LAN firewall for those services and gives you better
control over what you're expecting to be going into and out of your
machines.  Keeping it cordoned off from your LAN also makes getting at
those machines more difficult, and you don't have to worry about whether
filtering traffic against the latest trojan is going to affect your public
services.

While this page
http://www.zyxel.com/support/supportnote/zywall/app/dmz.htm
is a discussion of a specific product, there is a nice picture of the
basic idea.  In your case, imagine putting a NAT box off the vertical
connection to the WAN router..  :)

(in general, you don't want to put all these networks on one router, as
then you have only one place that has to be compromised...)

> And, is converting from NAT to "notNAT" as simple as changing the IP
> address on a server? Are there changes in the config of the router I
> need to do (except getting rid of the NAT translation)?

You'll want to take off the NAT config, as well as any reverse NAT (port
forwarding) configs to allow in specific services.  give your servers
public IPs, and allow the router to accept new connections on the
designated ports only for the requested IP.

So if my public space is 192.168.1.0/27, i have the addresses 192.168.1.0
through 192.168.1.31, which is my broadcast, so i won't use it for a
server.  .0 is the network address.  i put my wan router on
.1.  i make my webserver .2, and tell the router to only allow inbound 80
to .2, and maybe disallow any outbound SYN traffic (connection initiation)
from .2 (this may have dns consequences, depending on where your dns
server is and if there is name resolution enabled in the weblogs...but
this would disallow an infected webserver from spreading a worm, etc).

same could go for https on 443.

for mail, i put my mail server on .3, allow inbound 25 to .3, and allow
outbound from .3 to 25 on *machines in the wild*.  i have to also make
sure the smtp server has dns connectivity.

for the NAT of the internal lan, i put my nat box on .17 or someplace (i
like to not put it in sequence with public services, but that's just
me...) and disallow all SYN inbound to that box.  all outbound from that
box is good, assumed to be from the internal LAN, and you can firewall
there as you like.

My boss at my previous job also threw a syslog server in the DMZ but only
allowed the servers to talk to it, and went crazy writing perl scripts to
track our traffic.  but that's just candy.  :)

I hope that was clear.  :)  it may be more than you want to get into, but
i wouldn't connect an internal LAN to the internet for a million dollars
if I was going to let someone else use any of the machines.
:)

--mandi