Security Basics mailing list archives
Re: Basic NAT / Firewall Question
From: Christopher Stromblad <cs () outpost24 com>
Date: Fri, 18 Aug 2006 23:01:09 +0100
Never apologize for asking questions, I don't :)

There are two basic types of NAT (Network Address Translation) which you need to understand:

1. NAPT (Network Address Port Translation), commonly referred to as simply NAT.
2. Static NAT.

NAPT simply maps port numbers to a given address. Take your OWA example: we are very likely talking about a port translation. The firewall has been instructed to forward all incoming connections on port 80 (and/or 443). This involves a step-by-step process:

1. A remote client decides to connect to your OWA server. A packet is sent your way.
2. Your firewall will make a note of where the connection was originally coming from (SRC address and SRC port) and then re-write the IP header and possibly the TCP/UDP header. It substitutes the SOURCE address and possibly the SRC port (where the connection was coming from) with its own address and then sends this "new" packet out on its local network interface (the internal network, for example).
3. The OWA server will process the request and reply back to what it thinks is the connecting client.
4. When the OWA reply reaches the firewall, it will remember that this packet was actually from another address and will now replace the old substituted details with the original data. Now, however, they will be put in as the DESTINATION address and port.

So, when you do a portscan of your external IP, it will be affected by the firewall, yes. If the firewall were to take ALL network traffic and send it to the NATed address, then we would be talking about a static NAT. So it really depends on which type of NAT you are using. Either all traffic goes to a specific IP address (not entirely true, but that's beside the point in this example), or all traffic destined for a certain port will be forwarded to a given IP address.

So you are correct about your last assumption: you will only be scanning the one port. Well, nmap with default settings will scan a few thousand specific ports, but only one port will respond, your OWA one.
(Assuming no other ports are NATed.)

At this late hour I'm not entirely sure if it's possible to figure out a way to determine if a server is NATed or not. What you can do is something called TTL ramping. It might be somewhat complex to understand if you are just beginning to play around with networks.

The IP header has a field called TTL, which stands for Time To Live. For each hop your packets go through, this value is decreased by one. It is used to prevent packets from getting into trouble, like endless routes et cetera; anyhow. What you do is set this value to 1, and then keep increasing it by one until you reach the external IP address. When you've got the correct value, you construct a "real" packet and send it to the server.

What will happen here, however, is the interesting part, and might also be the part which makes this whole idea fail. When the packet reaches the firewall, it will check the TCP/UDP header for the DST port. Say this is 80, but the TTL value in your IP datagram is 0: the packet will not be able to reach its destination, and the firewall will reply with an ICMP message of type 11 (Time Exceeded). But if the DST port was 81, or anything else that has nothing waiting on the other end, the firewall might simply drop the packet or reply back saying connection refused. So in this case, it would show that the firewall is actually NATing an address on port 80. If the firewall was blocking, it would instead reply with a connection refused immediately.

Hope this helps, and mind you, I'm no expert, so I might be wrong here ;)

// Christopher

thatch wrote:
> Forgive me if this question seems pretty basic, but could anyone explain this to me? I'm performing a practice assessment and I have located an IP of a web-based mail server (OWA). This server is sitting behind a hardware firewall (say PIX or Checkpoint) that is NATing the IP address to an internal non-routable address.
>
> Now, if I use a tool such as Nmap to scan that external IP, are my scan results influenced by the firewall? Do firewalls, when NATing, take all traffic from the external IP and pass it to the internal network and expect the server to have the remaining services closed down, or do they only take traffic destined for a port and drop everything else? If it's the latter, when I scan am I only scanning the one port that is allowing traffic to be forwarded to it? Is there a way of determining if the firewall is blocking the traffic to the other ports or if the server has been locked down and is blocking them?
>
> Any help would be appreciated.
>
> Regards
> Thatch
--
Christopher Stromblad
Security Architect
90 Long Acre, Covent Garden, London, WC2E9RZ
cs () outpost24 com
www.outpost24.com
t: +44 (0) 207 849 3097
m: +44 (0) 771 725 8053
f: +44 (0) 207 849 3140

====================
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
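The two points the reply makes, that a port scan against a NAPT firewall only ever shows the forwarded port while a static NAT mirrors the inside host's listening ports, and that a TTL-ramping probe (the idea the Firewalk tool by Goldsmith and Schiffman is built on) can separate "forwarded" from "stopped at the firewall", are easier to see with a small executable model. The block below is an added example written for this archive page; it is not code from either poster and does not describe any real PIX or Checkpoint implementation. The addresses, the three-hop path, the listening ports and the firewall's handling order (TTL expiry only on the forwarding path, locally addressed packets answered by policy) are all constructed assumptions. Real devices differ in where they filter relative to TTL handling, which is exactly the part Christopher flags as the point where the idea might fail.

```python
"""Model of a stateful NAT firewall in front of an OWA host: what an external
port scan and a TTL-ramping probe see under NAPT (one port forwarded) versus
static NAT (whole address forwarded).

Added example for this thread, not code from the original posts.  Addresses,
ports, the 3-hop path and the firewall's handling order are constructed
assumptions; real firewalls differ in where they filter relative to TTL handling.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # assumed public address held by the firewall
INSIDE_IP = "10.0.0.5"       # assumed internal OWA server
SCANNER_IP = "198.51.100.7"  # assumed address of the scanning host
LISTENING = {80, 443}        # assumed services actually listening on the OWA host
FW_HOPS = 3                  # assumed: the firewall is the third hop from the scanner


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    flags: str = "S"         # "S" SYN, "SA" SYN/ACK, "R" RST


@dataclass
class Firewall:
    mode: str                                       # "napt" or "static"
    forwards: dict = field(default_factory=dict)    # public port -> inside port (napt)
    unmatched: str = "drop"                         # "drop" or "reject" for non-forwarded ports
    conntrack: dict = field(default_factory=dict)   # inside 4-tuple -> original public (ip, port)

    def inside_port(self, dport):
        """Inside port a public port maps to, or None when nothing is forwarded."""
        if self.mode == "static":
            return dport                            # static NAT: every port goes to INSIDE_IP
        return self.forwards.get(dport)

    def probe(self, pkt):
        """Send one SYN from the outside; return (responder, response).

        responder is "router", "firewall", "host" or None; response is a Packet,
        the string "icmp-time-exceeded", or None when nothing comes back.
        """
        # Routers before the firewall: hop k emits Time Exceeded when ttl == k.
        if pkt.ttl < FW_HOPS:
            return "router", "icmp-time-exceeded"
        inside = self.inside_port(pkt.dport)
        if inside is None:
            # No translation rule: the packet terminates on the firewall itself, so
            # forwarding-path TTL expiry never happens; the filter policy answers.
            if self.unmatched == "reject":
                return "firewall", Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, 64, "R")
            return None, None
        # Forwarding path: TTL is decremented here, so expiry reveals the firewall hop.
        if pkt.ttl == FW_HOPS:
            return "firewall", "icmp-time-exceeded"
        # DNAT: rewrite the destination and remember the original for the reply.
        fwd = Packet(pkt.src, INSIDE_IP, pkt.sport, inside, pkt.ttl - FW_HOPS, "S")
        self.conntrack[(fwd.src, fwd.sport, fwd.dst, fwd.dport)] = (pkt.dst, pkt.dport)
        return "host", self.translate_back(host_reply(fwd))

    def translate_back(self, reply):
        """Undo the translation on the host's reply using the tracked state."""
        pub_ip, pub_port = self.conntrack[(reply.dst, reply.dport, reply.src, reply.sport)]
        return Packet(pub_ip, reply.dst, pub_port, reply.dport, reply.ttl, reply.flags)


def host_reply(pkt):
    """The OWA host answers SYN/ACK on a listening port and RST on a closed one."""
    flags = "SA" if pkt.dport in LISTENING else "R"
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, 64, flags)


def scan(fw, ports, ttl=64):
    """nmap-style SYN scan from SCANNER_IP: classify each port open/closed/filtered."""
    result = {}
    for p in ports:
        _, resp = fw.probe(Packet(SCANNER_IP, PUBLIC_IP, 40000 + p, p, ttl))
        if isinstance(resp, Packet):
            result[p] = "open" if resp.flags == "SA" else "closed"
        else:
            result[p] = "filtered"                  # silence or an ICMP error
    return result


def ttl_ramp(fw, ports):
    """Probe each port with TTL equal to the distance to the firewall.

    A Time Exceeded from the firewall means the packet was on the forwarding
    path, i.e. the port is NATed to an inside host; silence or RST means the
    connection attempt stopped at the firewall.  Returns {port: forwarded?}.
    """
    out = {}
    for p in ports:
        who, resp = fw.probe(Packet(SCANNER_IP, PUBLIC_IP, 40000 + p, p, FW_HOPS))
        out[p] = who == "firewall" and resp == "icmp-time-exceeded"
    return out


if __name__ == "__main__":
    napt = Firewall("napt", {443: 443})
    static = Firewall("static")
    print("NAPT scan  ", scan(napt, [80, 81, 443]))
    print("static scan", scan(static, [80, 81, 443]))
    print("NAPT ramp  ", ttl_ramp(napt, [80, 81, 443]))
    print("static ramp", ttl_ramp(static, [80, 81, 443]))
```

Under the NAPT firewall the scan shows only 443 and every other port as filtered (or closed, if the firewall is configured to reject), regardless of what the OWA host is actually running; under static NAT the scan result is the host's own listening set. The ramp probe marks only the forwarded port under NAPT and every port under static NAT, which is the signal the reply describes. In practice the same probe can be sent with `nmap --ttl <n>` or a TCP traceroute, and the caveat above applies: a firewall that filters before it decrements TTL gives silence for both cases.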
Current thread:
- Basic NAT / Firewall Question thatch (Aug 18)
- RE: Basic NAT / Firewall Question Fred McFeeters (Aug 21)
- Re: Basic NAT / Firewall Question List Spam (Aug 21)
- Re: Basic NAT / Firewall Question Christopher Stromblad (Aug 21)
- RE: Basic NAT / Firewall Question David Gillett (Aug 21)
- <Possible follow-ups>
- Re: Basic NAT / Firewall Question ricky (Aug 21)
- Re: Re: Basic NAT / Firewall Question anon (Aug 22)