NAT - SPECIFIC PORT FILTERING QUERY

I was wondering, when using 'NAT', would I even need to use 'ACL's? I will eventually be using one router but have not decided on which type to get yet.

Assuming my 'router' would allow me to filter out specific ports such as: ftp - 20/21, smtp - 25, pop3 - 110 and any other service that may or may 'NOT' require blocking of specific ports?
7 Solutions
 
noci (Software Engineer) Commented:
Well, NAT is not a security option, just a way to extend addresses. It does disrupt a lot of stuff, but that is more or less a mishap.
Also IPv6 will get rolled out as the RIRs got their last address blocks last February. If they are through their address blocks the IPv4 addresses are done with... no new ones can be delivered anymore.

So you will have to look into setting up filters anyway.
 
eeRoot Commented:
NAT allows you to bridge two networks that have different IP subnets. ACLs give you granular control over what devices and types of traffic are allowed across an interface. If your router is blocking ports, it is probably using an ACL to do so, even if it has a different term for it.
 
noci (Software Engineer) Commented:
Not exactly: NAT allows the same subnet to be used at several places ==> reusing a lot of addresses that should have been unique.

Effectively, instead of 32-bit addresses there are now about 46 bits of address (part of the ports now count as network address too).
 
Ernie Beek Commented:
NAT can be seen as a very basic security implementation when NATting to a private IP range (which can't be routed over the internet). For NATting from the inside to the outside you don't really need an ACL unless you want to restrict internet access. When NATting from the outside to the inside (for example to be able to reach an FTP server on the inside) I would advise to use an ACL. You don't want your whole server exposed (all ports/services) but only one specific service.
 
mikey250 (Author) Commented:
Hi, thanks for your comments, but I am aware that 'NAT' hides internal addresses from the public/internet, i.e. all hosts on a LAN!!! What I meant was, presumably when there is two-way communication such as send/receive of email on port 25 SMTP/port 110 POP3 for example, I'm assuming I would then use an 'ACL' for these types of services.

Expert erniebeek has answered my question more exactly!!
 
Ernie Beek Commented:
Adding one more thing: a rule of thumb would be that normally all incoming ports are blocked and you use ACLs to open a few of them.
 
mikey250 (Author) Commented:
Hi noci, you mention the following:

'Also IPv6 will get rolled out as the RIRs got their last address blocks last February. If they are through their address blocks the IPv4 addresses are done with... no new ones can be delivered anymore.'

'So you will have to look into setting up filters anyway.'

What are you saying above? To my mind, for those companies who already use and continue to use 'NAT' for small businesses, and no 'routing protocols' because the network is too small, how would this affect their situation?

I'm assuming you are referring to corporations who overall will maybe only use 'NAT' to link something specific and for the others will use 'routing protocols' as mentioned above, 'default-information originate always', 'ip default-network', using private address ranges anyway linked to a public address provided via their ISP or whatever their companies' connections provide!!

I'm aware that IPv6 can be configured on a router 'manually' with a specific type of hexadecimal address shown in groups of 8. Or automatically, so that when a host PC receives an address from DHCP it is given an IPv6 address, shown in 'ipconfig /all'. I'm aware that there is a specific IPv6 address for 'loopbacks' etc etc.

So from my understanding, if a network is built around the first version, i.e. IPv4, then those clients/companies attached would also be part of IPv4, which we already know!!

If a company decided to update their network in addition, and also accept new technologies based on IPv6, obviously for new customers too, then that company could add configurations within their routers and whatever devices needed these integrations in order to allow this.

So I'm assuming a client would originally be connected as an IPv4 client, and after the ISP had updated their network to include IPv6, which would also be configured with DHCP, then on the next reboot of a host PC, on doing an 'ipconfig /all', I would see IPv6 details and addresses within.

I think that would then mean this original IPv4 client who has now been integrated with IPv6 details could now communicate as normal with pure IPv6 clients or whatever!!

Unless IPv6 is configured manually, in which case, as I understand it, this would only allow IPv6 clients/devices etc.

That is my 'LAYMAN'S TERMS' practical explanation of it so far, which IS WHAT I NEED TO UNDERSTAND THE JARGON.

I am aware that there is more, but if I'm told 'NO' to what I have stated above then I will not understand any of it and will have to go back to the drawing board, as my explanations are for practically doing these tasks to get my head around the technical talk as the first step towards clarity.

Somewhat off this main thread, apologies!!
 
mikey250 (Author) Commented:
Hi erniebeek, yes, well after using 'ACL's the 'explicit deny' command would automatically be configured, although it cannot be seen in the config from what I remember, although apparently configuring this manually is preferable!!

I would also run, after all configurations, 'SCW' to shut off all other possible services that require ports 'open', as another added layer of security for example!!
 
noci (Software Engineer) Commented:
You're almost correct.
If you have a real ISP delivering you one prefix (64 bits, you still have 64 bits to enumerate your internal nodes... the total address is 128 bits wide).
So ANY organisation will get about one prefix, and can address 4 billion * 4 billion machines internally, which should be sufficient for any organisation.

IPv6 has auto configuration where a router tells its subnet what prefix is used to get to the router from the outside; the clients start with appending it with their MAC address (with privacy extensions, with a random address that is not in use).
So there is no manual configuration... (if you look at current Windows systems you will see that IPv6 is already enabled by default, and probably is used internally).

For IPv6 there is no need for NAT; it can be used if you really insist on managing an extra service. But you have to manage traffic at the gate.
(btw IPv4 is already the 4th version (hence v4) of the internet protocol, not the first; v5 was used for internal studies only.)

For the IPv4-only world that will stop to grow, new services will use IPv6-only addresses at some point. Most probably sites in Asia will get the first IPv6 ONLY access.

To access an internal service you need to port forward (or hardcode a NAT entry for those well-known ports).
Say port 25 on the outside gets "wired"/connected to the internal IP of your mail server. If you have more than one mail server you have to fiddle stuff around, as there is only one port 25 on the outside per IP address.
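The behaviour Ernie Beek and noci describe above (outbound NAT creating state, unsolicited inbound traffic having nowhere to go, a static translation exposing every service on the inside host, and an inbound ACL with its implicit deny narrowing that to the one service you want), as an added Python model that is not from this thread or any router vendor. The addresses, the inside mail server and the probing outside host are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model, not vendor code: a PAT/NAT router with an optional inbound ACL.
# Addresses are from the RFC 5737 documentation ranges; port 40000 is an assumed
# starting point for translated source ports.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRouter:
    public_ip: str
    static_host: Optional[str] = None       # 1:1 static NAT: whole inside host behind public_ip
    inbound_acl: Optional[set] = None       # None = no ACL; a set = permitted dports, implicit deny
    sessions: dict = field(default_factory=dict)  # translated sport -> (inside ip, inside sport)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """PAT: rewrite the source to the public IP and a fresh port, remember the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if the router drops it."""
        if pkt.dport in self.sessions:               # reply to a session opened from inside
            ip, port = self.sessions[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        if self.static_host is None:                 # unsolicited and no translation: nowhere to go
            return None
        # The ACL, not NAT, is what limits the exposed host to specific services.
        if self.inbound_acl is not None and pkt.dport not in self.inbound_acl:
            return None                              # the implicit "deny any" at the end of an ACL
        return Packet(pkt.src, pkt.sport, self.static_host, pkt.dport)

def exposure(router: NatRouter, ports=(25, 110, 22)) -> dict:
    """Which ports on the inside host can an unknown outside host reach? {port: reachable}"""
    def probe(p: int) -> bool:
        return router.inbound(Packet("198.51.100.77", 50000, router.public_ip, p)) is not None
    return {p: probe(p) for p in ports}
```

With no static translation nothing unsolicited gets in; a static NAT of the mail server makes SMTP, POP3 and SSH all reachable, and only the ACL permitting port 25 brings that back down to the one service.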
 
mikey250 (Author) Commented:
Hi noci, thanks for that; at least now I can start learning the terminology!!!!!!

I've only been actually aware of IPv4, although yes I realise (version 4)!!!
Yes I do realise IPv6 is 128 bits wide now!
As far as I'm aware, at least in the UK most companies, be it small or a corporation, do still use IPv4, via NT4 for some companies, for all the reasons that me and you can think of, i.e. one being cost and if it works don't fix it!! And same for Windows 2000, although most people now probably have migrated across to Windows 2003, and maybe not many have migrated across to the Windows 2008 platform unless new customers!!

PCs being sold now are of 64-bit capacity, which relates to Windows 2008; again I suppose cost again!!

Oh well, I will end this conversation as I think that is enough for this thread anyway!! I see now how this relates to 'NAT' so I appreciate the input!!!!!!!!
 
Ernie Beek Commented:
Glad we could help you comprehend :)
 
mikey250 (Author) Commented:
So I'm assuming now that those companies that sell IT hardware will sell both types, i.e. IPv4 specifically and IPv6 specifically, and then presumably there will be 'IOS' updates for those that can integrate IPv6 in the hardware IPv4 types, so that when configuring the router, for example manually or via the 'GUI', it will add IPv6 into the 'built-in DHCP'. Just like Windows 2008 does when 'DHCP' is installed!! Meaning no more use of 'NAT' in features!!
 
Ernie Beek Commented:
Well no, current hardware should normally be able to handle both.
 
mikey250 (Author) Commented:
Hi erniebeek, I have a Netgear router from my local ISP, Virgin Media, and I have not seen IPv6 as a feature, but I will look!! Either way, thanks for the advice!!
 
mikey250 (Author) Commented:
Sound advice!!
 
noci (Software Engineer) Commented:
Currently in NL there is only one provider that for 2 years now has distributed IPv6 optionally, and since last year to EVERYBODY regardless.

All other providers are still shoveling this aside.