In terms of security, NAT provides a layer of protection by hiding the private IP addresses of devices within the internal network.
For example, let's say you have a home network with several connected devices, such as computers, phones, and tablets. Without NAT, each of these devices would have a public IP address, making them easily identifiable and vulnerable to attacks from the Internet.
At the end of the article you will find a small test that will allow you to assess the knowledge acquired in this reading.
By implementing NAT, these internal devices share a single public IP address, making it difficult to identify and attack each device individually.
In addition, NAT works as a basic firewall, as it automatically blocks unsolicited traffic from the Internet to internal devices. Thus, NAT allows only connections initiated from within the network, which minimizes the chances of an external attacker accessing internal devices.
Protection measures
However, NAT alone is not enough to ensure the security of our internal networks. Therefore, it is essential to complement this technology with other protection measures. Some of these additional strategies include:
1. Implement a firewall
A firewall is a security tool that controls and filters data traffic between an internal network and the Internet. It helps block unauthorized traffic and protect internal devices from potential threats.
2. Use antivirus software
Antivirus software is essential to protect our devices from malware and other cyber attacks. Furthermore, keeping it updated is crucial to ensure its effectiveness.
3. Set up your wireless network securely
This involves using strong passwords and enabling encryption, such as the WPA3 protocol, to protect data transmission.
4. Keep software and operating system up to date
Internal devices must be updated regularly to fix possible vulnerabilities and avoid being targeted by attacks.
What does it mean that NAT acts as a basic firewall?
NAT, functioning as a basic firewall, provides an additional layer of security to our internal networks. Although not as comprehensive as a dedicated firewall, it is crucial to understand how NAT contributes to the protection of our devices and data.
Below, we will explore in detail how NAT acts as a basic firewall and its limitations in terms of security.
1. Packet filtering
NAT acts as a basic packet filter by automatically blocking unsolicited incoming traffic from the Internet to internal devices. This is achieved through the address translation process, where NAT checks whether the incoming traffic is a response to a request previously initiated from an internal device. If it is not, the traffic is discarded, preventing external attackers from directly accessing internal devices.
2. Hiding internal IP addresses
NAT protects the private IP addresses of devices within an internal network by allowing them to share a single public IP address. This masking makes it difficult for an external attacker to identify and attack a specific device because they cannot see the private IP addresses behind the shared public IP address.
3. Preventing brute force attacks
NAT can help prevent brute force attacks targeting the internal network. By blocking unsolicited traffic, NAT prevents an attacker from trying different password combinations or searching for vulnerabilities on internal devices.
Limitations of NAT as a firewall
Despite these benefits, NAT has limitations as a basic firewall:
1. Lack of packet inspection
Unlike a dedicated firewall, NAT does not examine the contents of data packets passing through it. Therefore, it cannot detect or block malware, viruses or other threats hidden in permitted traffic.
2. Lack of advanced security policies
NAT does not allow the implementation of advanced security policies, such as application control, web content filtering, or intrusion prevention. These features are essential to protect the internal network from more sophisticated threats and are available in dedicated firewalls.
3. Limited protection against insider attacks
NAT focuses on protection against external threats, but cannot defend the internal network from attacks initiated from within, such as disgruntled employees or infected devices. A dedicated firewall can offer additional protection in this regard.
Can NAT be hacked or violated?
Yes, although NAT provides a basic layer of security, it is not foolproof and may be vulnerable to certain types of attacks or hacking techniques. Below are some of the ways NAT could be compromised:
1. NAT table overflow attacks
NAT devices maintain an address translation table that contains the mappings between the internal IP addresses and the public IP address. An attacker could attempt to flood the NAT table with multiple false requests, causing a table overflow and exhausting the NAT device's resources. This could result in a denial of service (DoS) or allow the attacker to access the internal network.
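The stateful check from the packet filtering section (inbound traffic is accepted only if it matches a mapping created by an internal host) and the table-overflow failure mode just described, as an added Python simulation of a port-overloading NAT table; this is not code from the original article, and the addresses, the tiny table size and the `Nat` class are constructed for illustration.

```python
# Added example: a minimal simulation of a NAPT (port-overloading NAT) translation table.
# Outbound packets create mappings; inbound packets are accepted only when they match one.
# All addresses are from documentation ranges and the table cap is deliberately tiny.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"  # constructed: the single shared public address


@dataclass
class Nat:
    max_entries: int = 4            # constructed cap so exhaustion is visible
    next_port: int = 40000          # next public source port to hand out
    table: dict = field(default_factory=dict)    # pub_port -> (priv_ip, priv_port, remote)
    reverse: dict = field(default_factory=dict)  # (priv_ip, priv_port, remote) -> pub_port

    def outbound(self, priv_ip, priv_port, remote):
        """Translate an outbound packet, creating a mapping if needed.
        Returns the public source port, or None when the table is full."""
        key = (priv_ip, priv_port, remote)
        if key in self.reverse:
            return self.reverse[key]
        if len(self.table) >= self.max_entries:
            return None                 # table overflow: new flows cannot be translated (DoS)
        port = self.next_port
        self.next_port += 1
        self.table[port] = key
        self.reverse[key] = port
        return port

    def inbound(self, remote, pub_port):
        """Inbound packet from `remote` to PUBLIC_IP:pub_port. Accepted only if an
        internal host previously opened this flow; otherwise it is dropped (None)."""
        entry = self.table.get(pub_port)
        if entry is None or entry[2] != remote:
            return None                 # unsolicited: no matching mapping
        return entry[0], entry[1]       # forward to the private host that asked for it


def demo():
    nat = Nat()
    port = nat.outbound("192.168.1.10", 51000, ("203.0.113.80", 443))
    reply = nat.inbound(("203.0.113.80", 443), port)        # legitimate reply: forwarded
    spoofed = nat.inbound(("198.51.100.7", 22), port)       # mapped port, wrong peer: dropped
    scan = nat.inbound(("198.51.100.7", 22), 22)            # no mapping at all: dropped
    for i in range(10):                                     # an infected internal host floods
        nat.outbound("192.168.1.66", 60000 + i, ("198.51.100.9", 80 + i))
    starved = nat.outbound("192.168.1.11", 52000, ("203.0.113.80", 443))
    return reply, spoofed, scan, starved                    # starved is None: table exhausted
```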
2. Reflection and amplification attacks
In this type of attack, an attacker sends forged requests to vulnerable servers using the victim's public IP address as the source address. The servers respond with a large amount of data directed at the victim, causing a denial of service (DoS). Although NAT is not directly compromised in this scenario, the network's shared public IP address could be spoofed as the source in these types of attacks.
3. Vulnerabilities in the implementation of the protocol
Some NAT implementations may contain vulnerabilities in the way they handle certain protocols, such as Dynamic Host Configuration Protocol (DHCP) or Hypertext Transfer Protocol Secure (HTTPS). An attacker who exploits these vulnerabilities could gain access to the internal network or intercept sensitive information.
4. Brute force attacks on open ports
Although NAT makes it difficult to identify individual devices, some ports may be open to allow certain incoming connections, such as online gaming services or video calling applications. An attacker could attempt to exploit these open ports through brute force attacks or by searching for vulnerabilities in applications that use them.
Examples with MikroTik RouterOS
To improve NAT security on a MikroTik device, you can implement the following settings:
Example 1: Packet filtering on the firewall
Packet filtering in the firewall helps block unauthorized traffic and protect the internal network. You can configure rules in the MikroTik firewall to allow only necessary traffic and block the rest.
Configuration:
- Access the web interface of your MikroTik device or log in to the router using Winbox.
- Go to “IP” > “Firewall” > “Filter Rules” and click the “+” button to add a new rule.
- Set the chain to “input” and the protocol to “tcp”. Enter the range of ports you want to block in the “Dst. Port” field.
- Set the action to “drop” to drop packets that match this rule.
- Repeat steps 2-4 to add additional rules as needed.
- Make sure the rules are ordered correctly, with the “allow” rules before the “block” rules.
# Replace "80,443" with the TCP ports or port range you want to block.
# The "input" chain filters traffic addressed to the router itself (not forwarded traffic),
# so blocking 80/443 here also blocks the router's own web interface on those ports.
:local tcp_ports "80,443"
/ip firewall filter
add chain=input protocol=tcp dst-port=$tcp_ports action=drop comment="Block specific ports"
Example 2: Limit the number of new connections per second
Limiting the number of new connections per second is a technique to protect your MikroTik device from NAT table overflow attacks. This setting reduces the risk of an attacker flooding your device with fake requests.
Configuration:
- Access the web interface of your MikroTik device or log in to the router using Winbox.
- Go to “IP” > “Firewall” > “Filter Rules” and click the “+” button to add a new rule.
- Set the chain to “forward” and the protocol to “tcp”.
- In the “Advanced” tab, under “TCP Flags”, check “syn” in “Flags” and “ack”, “fin”, “psh”, “rst” and “urg” in “No Flags” (equivalent to tcp-flags=syn,!ack,!fin,!psh,!rst,!urg), so that only the first packet of a new connection matches.
- On the “Extra” tab, enter a low value in the “Limit” field (for example, 10/s) to limit the number of new connections per second.
- Set the action to “drop” to drop packets that match this rule.
- Make sure the rules are sorted correctly in the “Filter Rules” list.
# "10,5:packet" = up to 10 new connections per second with a burst of 5; adjust as needed
:local connections_limit "10,5:packet"
/ip firewall filter
# The "limit" matcher matches packets that are still within the rate, so accept those first...
add chain=forward protocol=tcp tcp-flags=syn,!ack,!fin,!psh,!rst,!urg connection-state=new src-address-list=!allowed limit=$connections_limit action=accept comment="New connections within the per-second limit"
# ...and drop the new connections that exceed it (hosts in the "allowed" address list are exempt from both rules)
add chain=forward protocol=tcp tcp-flags=syn,!ack,!fin,!psh,!rst,!urg connection-state=new src-address-list=!allowed action=drop comment="Drop new connections above the limit"
Be sure to customize the values according to your needs and security requirements before applying the configurations.
After entering the commands in your MikroTik device's terminal, check the rules under “IP” > “Firewall” > “Filter Rules” to make sure they have been applied correctly.