
NAT and security question

Mr N8

Diamond Member
I have been doing a lot of reading (about 6 hours just today) on NAT. We have a company consulting with us, and they want us to start using NAT. They say that it is for security purposes. From all of the reading that I have done, I gather that NAT is a tool that is more focused on the preservation of IP addresses by using private addressing internally and using one or a small pool of addresses assigned by a NAT router. I would assume that using a NAT router is no safer than using a firewall.

This is what my network looks like:
I run a private addressing scheme. I have one main office and 8 branch offices. The main office acts as the central hub for all of the networks. Each branch has its own sub-domain, which connects to our main branch via a 64k digital circuit. Our main branch has internet connectivity via ISDN through a local company that provides a variety of services to financial institutions. They have a firewall between us and their router, and also a firewall between their web router and the internet connection.

I guess I am failing to see where the need for NAT comes in. The biggest reason is that the consultant seems to be full of buzzwords, and not facts, when it comes to the network. If someone could offer some insight into this situation, I would appreciate it. I could be entirely wrong, and there could be a good reason for using NAT. Thanks for the help.

Nate

 
NAT is a security tool if used properly.

What it does is prevent inbound connections (sort of). With NAT no inbound connection can be made to internal machines. Period.

It is generally used on some kind of stateful inspection firewall that tracks TCP and UDP traffic flows/conversations.

-ps- 99 percent of business networks use NAT.
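To make the "prevents inbound connections (sort of)" point concrete, here is an added toy model of a stateful NAT/PAT table, written for this thread and not taken from any poster or vendor: outbound flows create a translation entry, replies matching that entry are translated back to the inside host, and an unsolicited inbound packet finds no entry and is dropped. All addresses and ports are constructed (documentation ranges), and the "sort of" is the static mapping (port forward) an administrator can add, which this model deliberately lacks.

```python
"""Toy stateful NAT/PAT table (constructed example, not a real router)."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed public address (documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound 5-tuple -> allocated public port
        self.outbound = {}
        # (proto, public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound = {}

    def egress(self, pkt):
        """Inside -> outside: allocate (or reuse) a mapping and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt):
        """Outside -> inside: translate only if an inside host started this flow."""
        inside = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: no mapping, nowhere to deliver it, dropped
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    nat = NatRouter()
    # inside host opens an HTTP connection to a remote server (constructed values)
    out = nat.egress(Packet("tcp", "10.1.1.20", 51000, "198.51.100.5", 80))
    reply = nat.ingress(Packet("tcp", "198.51.100.5", 80, nat.public_ip, out.src_port))
    # an unsolicited probe to the public address matches no entry
    probe = nat.ingress(Packet("tcp", "192.0.2.99", 4444, nat.public_ip, 23))
    return out, reply, probe
```

The model has no idle timeout and no static mappings; a real stateful device ages entries out, and any port forward an administrator adds is exactly the inbound path this table does not have.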
 
OK, I do have a question about it, still. Can I still use my static addressing on my network, and have it work with NAT? This man now tells me I have to implement DHCP, which would cause our main software to no longer function. This doesn't seem to faze the man, because he assumes that the book is always right. Thanks.

MM
 
If u are running static internal IPs, isn't that already NAT?

You do not need DHCP to run NAT. I have static IPs on my LAN and have a block of 10 IPs that I will allow for DHCP.

BTW, u may want to look into hiring another consultant as this one does not seem to be doing the proper job/offering proper solutions for you.

 
Originally posted by: mboy
If u are running static internal IPs, isn't that already NAT?

You do not need DHCP to run NAT. I have static IPs on my LAN and have a block of 10 IPs that I will allow for DHCP.

BTW, u may want to look into hiring another consultant as this one does not seem to be doing the proper job/offering proper solutions for you.

I've tried to tell management that this company isn't doing anything for us, as I haven't been able to figure out what they are supposed to be doing. They just tell me to go with it.

You make a good point, though, because the IPs that we use are not used outside of the network, so I guess it would be considered NAT, even though we don't have a NAT box. I'll have to think about that one. Thanks.

 
I imagine all of your LAN PCs can access the internet, correct? What are u using to connect to the main branch (hardware for the 64k digital circuit)?

I also imagine you have your gateway plugged into your LAN PCs manually (they should all be pointing to the same gateway). What is this IP addy attached to (hardware device again, which should be the same as used for your 64k circuit)?
 
Yes, all LANs connect through a router with a CSU/DSU modular unit. The gateway is the router that is attached to our ISP.
 
NAT's major strength is in preventing uncalled entries, thus by itself it is not "Secure". You need a good combo of NAT and supplemental software to ensure both inbound and outbound safety.

The following link discusses the issue for Entry Level Home System, but it can give you the idea of what you have to look at.

Basic Protection for Broadband Internet Installation.
 
Originally posted by: MogulMonster
Yes, all LANs connect through a router with a CSU/DSU modular unit. The gateway is the router that is attached to our ISP.

What type of router are u using? I would venture to say that it at least already has NAT enabled, so you can tell your consultant you are running NAT already (actually, tell your Boss that). If additional security is needed, you could throw a PIX or, even easier, a Sonicwall Pro behind the router and you will be super safe with in/out access control lists, stateful packet inspection, content/domain filtering etc.
 
I've gone to Shields Up before, and gotten good results. I just went, and my IP was not properly identified, so I assume that as far as my IPs being seen on the net I'm fine. It was also not able to identify any open ports on the port scan. I printed the info, and maybe I can talk some sense into this guy. We'll see what happens next. Thanks for all the help.
 
We are using Cisco 2600 routers right now. I've only been at this company for a few months, and I was hired to work with the IT staff. Come to find out I am the IT staff, so every day tends to be a new challenge. Thanks for the help. I've been working since 1am. I really need to get some sleep. 😉
 
Tell him u are already running NAT and are behind 2 separate firewalls before u even hit the internet.
Better tell your superiors this guy is a clown!

Better yet, challenge him in front of your boss. Say "If I am behind a router here and all my LAN IPs are private, how is that NOT NAT?" Also, ask him to explain why he does not feel you are already secure, being that you have a firewall between your branch and the main office where your Internet connection lies, and then another firewall from that office to the internet.
See what he says. Don't ask like a D!ck, but ask like you are concerned about what he is recommending, since you already seem to have it all in place.
He is just trying to get more work out of you guys.
 
Did I hear that right?

You have 2600s, which run the Cisco IOS, and the consultant wants you to use NAT for security?

 
Originally posted by: Fatt
Did I hear that right?

You have 2600s, which run the Cisco IOS, and the consultant wants you to use NAT for security?

Yes sir, that is what he is saying. As of yesterday, it looks like the administration finally saw what I did (with a little help from myself and a suggestion from mboy). He made a fool of himself by catching himself in some lies. I think he is out the door by the end of the week, and my job is more secure. Thanks for the replies.

Mogul
 