Question


Network Address Traversal (NAT) allows multiple LAN machines with private IP addresses to communicate with Internet-based servers using one public IP address. Virtual Private Network (VPN) allows external access to internal LAN resources by creating a secure 'tunnel' between the remote machine and the firewall.

Both of these techniques are widely used in corporate networking today, yet both involve inherent risks. Can you think of some ways that configuring these protocols could pose a security risk? Respond with your thoughts.

Answer #1
  1. A VPN involves the transfer of encrypted data wrapped with a header containing routing information. This process enables the data to travel securely over a shared or public network to reach its endpoint.
  2. From the user's perspective, the VPN connection is a point-to-point connection between the user's computer and a corporate server.
  3. Data packets passed over the public network in this way are unreadable without the decryption keys, thus ensuring that data is not disclosed or changed during transmission.
  4. VPN remains a viable option for securing data transferred over public Wi-Fi.
  5. Third parties, such as vendors, contractors and suppliers, could pose risks by accessing corporate resources in an insecure manner.
  6. Of course, it is not just employees working remotely who could endanger the security of corporate data and networks.
  7. A VPN is just one way to reduce security risks from third parties.
  8. In NAT configuration all the public IP addresses need to be unique. Note that the global addresses used in static translations are not automatically excluded from dynamic pools containing those same global addresses.
  9. Dynamic pools must be created to exclude addresses assigned by static entries.
  10. NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet.
  11. NAT translates the private (RFC1918) address in the internal network into legal routable addresses before packets are forwarded onto another network.
  12. An application layer gateway (ALG) is used with NAT to translate the voice packets.
  13. The NAT virtual interface (NVI) feature removes the requirement to configure an interface as either NAT inside.
  14. The NAT integration with MPLS VPNs feature allows multiple MPLS VPNs to be configured on a single device to work together.
  15. NAT can differentiate from which MPLS VPN it receives IP traffic even if the MPLS VPNs all use the same IP addressing scheme.
  16. This enhancement enables multiple MPLS VPN customers to share services while ensuring that each MPLS VPN is completely separate from the other.
  17. There is support for IP Security (IPSec) Encapsulating Security Payload (ESP) through NAT and IPSec NAT Transparency.
  18. The IPSec NAT transparency feature introduces support for IPSec traffic to travel through NAT or PAT points in the network by addressing many known incompatibilities between NAT and IPSec.
  19. The IPSec ESP through NAT feature provides the ability to support multiple concurrent IPSec ESP tunnels or connections through a Cisco IOS NAT device configured in overload or Port Address Translation (PAT) mode.
  20. Since the NAT will examine all the incoming and outgoing data packets to maintain the connection table and other data records in the processor memory, the overall process will require huge storage capacity and be time-consuming.
  21. There is no specified set of protocols that is specifically used for NAT. But the translation comes under the Internet Protocol (IP) suite. Also, the TCP protocol is used for translation while performing the NAT by the routers.
  22. Set the wireless router in bridged mode, create a PPPoE connection between router and modem, and enable DMZ in the modem to resolve the double NAT problem.
  23. The solution to this limitation of the IPv4 addressing scheme is to recreate the addressing system so that there could be more options for allocating addresses.
  24. Because some NAT implementations accidentally provide some firewalling, there is a persistent myth that NAT provides security. It provides no security whatsoever.
  25. For example, a perfectly reasonable NAT implementation might, if it only had one client, forward all inbound TCP and UDP packets to that one client. The net effect would be precisely the same as if the client had the outside address of the NAT device.
  26. It is the firewalling that provides the security, not the NAT. The purpose of NAT is to make things work.
  27. These include VPN hijacking, in which an unauthorized user takes over a VPN connection from a remote client, man-in-the-middle attacks, in which the attacker is able to intercept data, weak user authentication, split tunneling, in which a user is accessing an insecure Internet connection while also accessing the VPN connection to a private network, malware infection of a client machine, granting too many network access rights, and DNS leak in which the computer uses its default DNS connection rather than the VPN's secure DNS server.
  28. Support for strong authentication, digital certificate support, strong encryption algorithms, support for anti-virus software and intrusion detection and prevention tools, strong default security for administration and maintenance ports, and the ability to assign addresses to clients on a private network while ensuring all addresses are kept private.
  29. Another way to improve VPN security is through perfect forward secrecy (PFS). If PFS is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised.

  30. With PFS, each VPN session uses a different encryption key combination, so even if attackers steal one key, they will not be able to decrypt any other VPN sessions.
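
An added example, not part of the original answer: points 8 and 9 say dynamic pools must exclude global addresses already used by static translations, and this script checks a configuration for that overlap. The configuration text is constructed, written in Cisco IOS `ip nat` syntax with documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample configuration (documentation addresses, not from the page).
SAMPLE_CONFIG = """\
ip nat pool DYN-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat pool GUEST-POOL 198.51.100.1 198.51.100.6 prefix-length 29
ip nat inside source list 10 pool DYN-POOL overload
ip nat inside source static 10.0.0.5 203.0.113.15
ip nat inside source static tcp 10.0.0.8 443 203.0.113.30 443
ip nat inside source static 10.0.0.9 198.51.100.6
"""

# Pool definition: name, first address, last address, then the mask form.
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) \S+")
# Static entry: either "tcp|udp local port global port" or "local global".
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:(?:tcp|udp) (\S+) \d+ (\S+) \d+|(\S+) (\S+))")


def parse(config):
    """Return ({pool: (first, last)}, [(local, global)]) from config text."""
    pools, statics = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            first, last = (ipaddress.ip_address(a) for a in m.group(2, 3))
            pools[m.group(1)] = (first, last)
        elif m := STATIC_RE.match(line):
            local, glob = m.group(1, 2) if m.group(1) else m.group(3, 4)
            statics.append((ipaddress.ip_address(local), ipaddress.ip_address(glob)))
    return pools, statics


def find_overlaps(config):
    """List (pool, local, global) where a static global address sits in a dynamic pool."""
    pools, statics = parse(config)
    return [(name, str(local), str(glob))
            for local, glob in statics
            for name, (first, last) in sorted(pools.items())
            if first <= glob <= last]


if __name__ == "__main__":
    for pool, local, glob in find_overlaps(SAMPLE_CONFIG):
        print(f"static {local} -> {glob} overlaps dynamic pool {pool}")
```

Each reported line is a global address that a dynamic translation could hand out while a static entry already claims it, so the pool range should be split or shortened to exclude it.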
