The way NAT is implemented, machines that accept inbound traffic have
static translations. These machines are subject to attack because all
inbound packets just have the address changed and are forwarded. They
are however subject to packet filtering so it is possible to limited the
ports that can be reached. Thus the advise on security patches and good
All outbound hosts are assigned exterior addresses from a pool. The
assignment is dropped when there is no activity for a period of time.
Inbound packets to addresses that are not static assignments are dropped
unless they are on part of an existing session (have the proper
destination, port and sequence number, etc.)
Hosts with static translations are subject to the same attacks that any
host behind a packet filter is. These include:
Exploits of the service daemon or application - Web server,
Source Address Forgery
Faulty or Forged Port Services
Random Port Services (>1024)
ICMP Redirects & Source Routing
Virus and Bomb Infected Packets
Denial of service attacks - SYN, ICMP and mail floods, ping of
In addition hosts are subject to sequence guessing attacks when they
have an outbound address assignment from the NAT pool. You can always
monitor the traffic coming though the router and put additional
protective measures on your hosts (e.g., tripwire, tcpwrapper, etc.). If
you discover that you need more security you can always add it.
> -----Original Message-----
> From: grant janssen [SMTP:grantj @
> Sent: Tuesday, November 25, 1997 11:39 PM
> To: Stackpole, Bill
> Subject: Re: Network Address Translation Security
> I appreciate your response. It also seemed to me that implementing
> NATshould be "pretty secure".
> But how vulnerable will I be?
> What type of attacks am I unprotected from?
> I don't giva a damn about most of the systems on the network, just
> big SGI machines.
> I plan to leave sendmail off on the IRIX systems. This should close
> my biggest security hole.
> Thanx again -Grant