White Paper
Network Address Translation and Stateful Inspection
in Cisco IOS Firewall for Network Security
The traditional role of firewalls has changed, and their functionality has grown from protecting a corporate network against unauthorized external access to preventing unauthorized users from reaching a particular subnet, workgroup, or LAN within the corporate network. FBI statistics indicate that seventy percent of all security problems originate within an organization. Twenty percent of respondents to a recent FBI survey reported that intruders broke into, or tried to break into, their corporate networks within the preceding twelve months. Most experts agree that the majority of network break-ins go undetected.
Although Network Address Translation (NAT) can provide some security benefit, its main purpose is to conserve address space. This document outlines the advantages and limitations of using NAT alone, and explains why the advanced stateful inspection engine in Cisco IOS Firewall is needed in addition.
NAT Benefits
NAT lets organizations with existing networks resolve the problem of IP address depletion when they need to access the Internet. Sites that do not yet possess NIC-registered IP addresses must acquire them, and if more than 254 clients are present or planned, the scarcity of Class B addresses becomes a serious issue. Cisco IOS NAT removes this concern and the associated bureaucratic delay by dynamically mapping thousands of hidden internal addresses onto a range of easy-to-obtain Class C addresses.
Conversely, sites that already have registered IP addresses on the internal LAN must hide those addresses from the Internet, lest attackers target the clients directly. With client addresses hidden, users gain a modest degree of security. Cisco IOS NAT gives LAN administrators complete freedom to expand internal addressing within the private Class A space reserved by the Internet Assigned Numbers Authority (RFC 1597), without requiring any addressing changes at the LAN/Internet interface.
Cisco IOS NAT can perform translation statically or dynamically. This allows the administrator to use a mix of RFC 1597 and RFC 1918 addresses or registered addresses. It is designed for use on a variety of routers for IP address simplification and conservation, and it lets the administrator select which internal hosts get "NATed."
Building on Cisco IOS NAT, Cisco IOS Firewall combines NAT with an inline, fully integrated firewall that provides stateful security.
In general, a NAT system makes it more difficult for an attacker to determine:
NAT Limitations
Dynamic allocation requires state information that is not always available. TCP state can be tracked and controlled readily from the packet headers, but UDP offers no mechanism at the header level to determine whether a packet belongs to an ongoing conversation or is an isolated event. When a NAT system has no additional security support, it must guess how long to keep a particular translation alive. Cisco IOS Firewall lets the administrator set an idle timeout on UDP sessions to bound this exposure.
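The difference between the two protocols is easiest to see in a session table. The following is an added illustration, not Cisco's implementation: TCP entries are closed from protocol state (both sides' FINs, or a RST), while UDP entries can only ever leave the table through the idle timer. The addresses, ports and timeout values are constructed for the example.

```python
"""Stateful session table with protocol-aware closing, added here as an
illustration and not Cisco's implementation.

TCP carries enough state in its headers to close a session deterministically
(both sides' FINs, or a RST). UDP carries nothing of the kind, so the only way
a UDP entry ever leaves the table is the idle timer. The addresses, ports and
timeout values below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17
UDP_IDLE_TIMEOUT = 30.0    # seconds; assumed value for the example
TCP_IDLE_TIMEOUT = 3600.0  # assumed; a backstop, since TCP normally closes explicitly


@dataclass
class Session:
    proto: int
    last_seen: float
    fin_from: set = field(default_factory=set)  # endpoints that have sent FIN


class SessionTable:
    def __init__(self, inside_nets):
        self.inside = [ip_network(n) for n in inside_nets]
        self.sessions = {}

    def is_inside(self, ip):
        return any(ip_address(ip) in n for n in self.inside)

    @staticmethod
    def key(proto, a, b):
        # Direction-independent key so the reply matches the request's session.
        return (proto,) + tuple(sorted([a, b]))

    def packet(self, now, proto, src, dst, tcp_flags=""):
        """Process one packet; return 'new', 'match', 'closed' or 'drop'."""
        k = self.key(proto, src, dst)
        s = self.sessions.get(k)
        if s is None:
            # Only inside-initiated traffic opens an entry; unsolicited
            # inbound packets have no session to match and are dropped.
            if not self.is_inside(src[0]):
                return "drop"
            self.sessions[k] = Session(proto, now)
            return "new"
        s.last_seen = now
        if proto == TCP:
            if "R" in tcp_flags:              # abort: remove immediately
                del self.sessions[k]
                return "closed"
            if "F" in tcp_flags:
                s.fin_from.add(src)
                if len(s.fin_from) == 2:      # both directions have sent FIN
                    del self.sessions[k]
                    return "closed"
        return "match"

    def expire(self, now):
        """Age out idle entries; for UDP this is the only removal path."""
        stale = [k for k, s in self.sessions.items()
                 if now - s.last_seen > (UDP_IDLE_TIMEOUT if s.proto == UDP else TCP_IDLE_TIMEOUT)]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def demo():
    """Constructed traffic: one DNS exchange, one stray inbound UDP packet,
    one short TCP connection, then two idle-timer sweeps."""
    t = SessionTable(["10.0.0.0/8"])
    host, dns, web = ("10.1.1.5", 40000), ("198.51.100.53", 53), ("203.0.113.80", 80)
    return [
        t.packet(0.0, UDP, host, dns),                     # new
        t.packet(0.1, UDP, dns, host),                     # match: reply to our query
        t.packet(0.2, UDP, ("198.51.100.9", 53), host),    # drop: nobody asked
        t.packet(1.0, TCP, host, web, "S"),                # new
        t.packet(1.5, TCP, host, web, "FA"),               # match: first FIN
        t.packet(1.6, TCP, web, host, "FA"),               # closed: second FIN
        t.expire(20.0),                                    # 0: UDP entry idle 19.9 s
        t.expire(40.0),                                    # 1: UDP entry aged out
    ]
```

The trade-off the text describes is visible in the two `expire` calls: a shorter UDP idle timeout closes the window in which a spoofed reply can slip through the open translation, but set too short it breaks long-lived UDP flows such as streaming media or slow DNS resolvers.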
Embedded IP addresses are a problem for network address translation. NAT systems normally base their translations on the packet headers; certain protocols, however, carry address information elsewhere, including in the data portion of the packet. A NAT system must understand such a protocol well enough to locate and modify those addresses while preserving the validity of the packet itself (lengths, checksums, and, for TCP, sequence numbers if the payload size changes).
NAT-sensitive protocols (for example Kerberos, X Windows, remote shell, and the Session Initiation Protocol (SIP)) are described further in the Internet Draft "Protocol Complications with the IP Network Address Translation" (later published as RFC 3027). Another Internet Draft, "NAT Friendly Application Design Guidelines" (later RFC 3235), explains how new application protocols can be designed to work smoothly with NAT. Note that there are still cases in which an application-level gateway (ALG) simply cannot "fix" packets modified by NAT.
Although Cisco IOS NAT offers advanced application-layer functionality, there are additional benefits to using it in conjunction with Cisco IOS Firewall: deep packet analysis, verification of source and destination, and checks to ensure protocol integrity.
Cisco IOS Firewall addresses many of these NAT translation problems. It extends static access control lists (ACLs) with dynamic ACL entries that open the ports a specific application needs and close them at the end of the application session. It does this by inspecting the application data, checking that it conforms to the application protocol, extracting the relevant port information to create the dynamic ACL entries, and removing those entries when the session ends. This enables the firewall to handle protocols such as the Session Initiation Protocol (SIP), the Selsius Skinny Station Protocol (Skinny Client Control Protocol, SCCP), X Windows, and remote shell.
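The embedded-address problem and the dynamic ACL entries described in the two paragraphs above come together in an ALG. The following toy SIP/SDP gateway is an added illustration and is not Cisco's implementation: it rewrites the inside address where SIP and SDP embed it, recomputes Content-Length so the message stays valid, and extracts the negotiated RTP port so a pinhole can be opened for exactly that flow. The INVITE, the addresses and the one-to-one media port mapping are constructed assumptions.

```python
"""Toy SIP/SDP application-level gateway (ALG) with pinhole extraction, added
as an illustration; it is not Cisco's implementation. It shows the two jobs
the text assigns to the firewall: rewrite the addresses a protocol embeds in
its payload (and keep the message valid afterwards), and extract the ports the
session negotiates so a dynamic ACL entry can be opened for exactly that flow.
The INVITE, the addresses and the one-to-one media port mapping are constructed.
"""
import re

INSIDE_IP = "10.1.1.5"       # constructed: phone behind NAT
OUTSIDE_IP = "203.0.113.7"   # constructed: its translated address

# Headers that tell the peer where to send responses carry the address and
# must be rewritten; From/To/Call-ID identify the dialog and are left alone.
REWRITE_HEADERS = ("via", "contact")
REWRITE_SDP = ("c=", "o=")   # SDP lines that carry the media/origin address
SDP_MEDIA = re.compile(r"^m=(\w+) (\d+) ", re.M)

INVITE_HEADERS = [
    "INVITE sip:bob@example.com SIP/2.0",
    f"Via: SIP/2.0/UDP {INSIDE_IP}:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@pc33.example.com",
    "CSeq: 314159 INVITE",
    f"Contact: <sip:alice@{INSIDE_IP}:5060>",
    "Content-Type: application/sdp",
]
INVITE_BODY = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {INSIDE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {INSIDE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def build(headers, body):
    """Assemble a SIP message; Content-Length always reflects the real body."""
    hdrs = [h for h in headers if not h.lower().startswith("content-length:")]
    hdrs.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(hdrs) + "\r\n\r\n" + body


def split(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def sip_alg(msg, inside_ip, outside_ip):
    """Translate embedded addresses; return (new_msg, pinholes).

    pinholes lists the dynamic ACL entries (proto, ip, port) that must be
    permitted inbound while the call lasts and removed when it ends.
    """
    headers, body = split(msg)
    # Match the address only as a whole token, never inside a longer one.
    addr = re.compile(r"(?<![\d.])" + re.escape(inside_ip) + r"(?![\d.])")
    new_headers = [
        addr.sub(outside_ip, h) if h.split(":", 1)[0].lower() in REWRITE_HEADERS else h
        for h in headers
    ]
    new_body = "\r\n".join(
        addr.sub(outside_ip, line) if line.startswith(REWRITE_SDP) else line
        for line in body.split("\r\n")
    )
    # Assumption: RTP ports are mapped one-to-one to the same outside port.
    pinholes = [("udp", outside_ip, int(port)) for _, port in SDP_MEDIA.findall(new_body)]
    return build(new_headers, new_body), pinholes


def demo():
    original = build(INVITE_HEADERS, INVITE_BODY)
    translated, pinholes = sip_alg(original, INSIDE_IP, OUTSIDE_IP)
    headers, body = split(translated)
    clen = next(int(h.split(":")[1]) for h in headers
                if h.lower().startswith("content-length:"))
    return {
        "via": headers[1],
        "contact": next(h for h in headers if h.startswith("Contact:")),
        "content_length": clen,
        "body_bytes": len(body.encode()),
        "pinholes": pinholes,
        "inside_leaked": INSIDE_IP in translated,
    }
```

Two details are worth noting. The rewrite grows the body by six bytes, so Content-Length must be recomputed; had this INVITE travelled over TCP rather than UDP, the firewall would also have to track a sequence-number offset for the rest of that connection. And the ALG can only do any of this because the signaling is in the clear; once SIP is carried over TLS the embedded addresses are invisible to it, which is the limitation the next paragraph turns to.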
NAT interferes with some encryption and authentication systems. Many such systems protect the integrity of packets in order to detect tampering in transit, and from their point of view address translation is tampering: a protocol can only work through NAT if the fields NAT rewrites lie outside its integrity check. Protocols that embed IP addresses in authenticated data therefore generally fail when used with NAT. The most important case is IPsec: its Authentication Header (AH) covers the IP header itself, including the addresses, so any translation causes the receiver to discard the packet.
Using NAT alone also complicates logging. Because addresses are allocated dynamically, log entries produced after translation show the translated address rather than the internal host. Correlating such logs with the NAT system's translation records, to work out which internal systems were actually involved, can become highly complicated and tedious.
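The AH case can be reproduced with a few lines of code. The following is an added illustration, not a real IPsec implementation: an AH-style integrity check value (ICV) is computed over the IP header with the mutable fields zeroed plus the payload, and the same packet is then passed through a TTL decrement (which AH tolerates) and a NAT source-address rewrite (which it does not). A payload-only check is shown alongside for contrast. The key, addresses and payload are constructed.

```python
"""Why NAT breaks integrity protection that covers the IP header, added here as
an illustration (not a real IPsec implementation). The Authentication Header
computes its ICV over the IP header (mutable fields zeroed) and the payload;
a NAT that rewrites the source address changes header bytes the ICV covers,
so the receiver rejects the packet as tampered. A check that covers only the
payload survives the same rewrite. The key and packet are constructed.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-shared-key"   # constructed for the example
ICV_LEN = 16                      # truncated ICV, as AH does


def ipv4_header(src, dst, proto=51, ttl=64, total_len=60, ident=0x1234):
    """Build a 20-byte IPv4 header (checksum left zero; not needed here)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_immutable(hdr):
    """Zero the fields AH treats as mutable in transit: TOS, flags/fragment
    offset, TTL and header checksum. The addresses are NOT mutable, which is
    exactly why NAT and AH cannot coexist."""
    b = bytearray(hdr)
    b[1] = 0                  # TOS / DSCP
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_icv(hdr, payload, key=KEY):
    """AH-style ICV: HMAC over the immutable header fields and the payload."""
    return hmac.new(key, ah_immutable(hdr) + payload, hashlib.sha256).digest()[:ICV_LEN]


def payload_only_icv(payload, key=KEY):
    """Integrity check that ignores the outer IP header entirely."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:ICV_LEN]


def decrement_ttl(hdr):
    """What every router does: TTL lives at offset 8 of the IPv4 header."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]


def nat_rewrite_src(hdr, new_src):
    """What a NAT does: replace the source address at offsets 12..16
    (checksum recomputation omitted, it is zeroed for the ICV anyway)."""
    return hdr[:12] + IPv4Address(new_src).packed + hdr[16:]


def demo():
    payload = b"constructed transport payload"
    hdr = ipv4_header("10.1.1.5", "203.0.113.9")
    icv_ah = ah_icv(hdr, payload)            # computed by the sender
    icv_payload = payload_only_icv(payload)
    hopped = decrement_ttl(hdr)              # one router hop
    natted = nat_rewrite_src(hopped, "198.51.100.7")
    return {
        "ttl_only_ok": hmac.compare_digest(ah_icv(hopped, payload), icv_ah),
        "after_nat_ah_ok": hmac.compare_digest(ah_icv(natted, payload), icv_ah),
        "after_nat_payload_only_ok": hmac.compare_digest(payload_only_icv(payload), icv_payload),
    }
```

In practice even ESP, whose integrity check does not cover the outer header, has trouble with NAT in transport mode because the inner TCP or UDP checksum covers the original addresses; that is why NAT traversal wraps IPsec in UDP rather than trying to make the NAT understand it.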
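The logging problem is concrete enough to script. The following correlator is an added illustration; the log formats are constructed for the example and are not Cisco IOS syslog formats. A sensor outside the NAT sees only the global address and port, and the same global port is handed to different inside hosts over time, so the join has to use the interval during which each translation existed rather than the address tuple alone.

```python
"""Correlating post-translation logs back to inside hosts, added as an
illustration; the log formats are constructed for the example and are not
Cisco IOS syslog formats. An alert seen on the outside names only the global
address and port, and the same global port is reused by different inside hosts
over time, so the join must be on (proto, global ip, global port) AND the
interval during which that translation existed, not on the tuple alone.
"""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed NAT translation log: create/delete events for dynamic PAT entries.
NAT_LOG = [
    "2024-03-05T10:14:02Z NAT created tcp 10.1.1.5:51234 -> 203.0.113.7:1024 dst 198.51.100.20:443",
    "2024-03-05T10:14:09Z NAT deleted tcp 10.1.1.5:51234 -> 203.0.113.7:1024 dst 198.51.100.20:443",
    "2024-03-05T10:20:00Z NAT created tcp 10.1.1.9:40001 -> 203.0.113.7:1024 dst 198.51.100.20:443",
]
# Constructed alerts from a sensor outside the NAT; it sees only global addresses.
ALERTS = [
    "2024-03-05T10:14:05Z IDS alert tcp src=203.0.113.7:1024 dst=198.51.100.20:443 sig=SQLi",
    "2024-03-05T10:16:00Z IDS alert tcp src=203.0.113.7:1024 dst=198.51.100.20:443 sig=PortScan",
    "2024-03-05T10:20:30Z IDS alert tcp src=203.0.113.7:1024 dst=198.51.100.20:443 sig=SQLi",
]

NAT_RE = re.compile(r"^(\S+) NAT (created|deleted) (\w+) (\S+):(\d+) -> (\S+):(\d+) dst \S+:\d+$")
ALERT_RE = re.compile(r"^(\S+) IDS alert (\w+) src=(\S+):(\d+) dst=\S+:\d+ sig=(\S+)$")


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def translations(nat_lines):
    """Return [(proto, gip, gport, start, end, inside_ip, inside_port)].
    end is None for a translation still open when the log ends."""
    open_, closed = {}, []
    for line in nat_lines:
        m = NAT_RE.match(line)
        if not m:
            continue
        ts, action, proto, iip, iport, gip, gport = m.groups()
        k = (proto, gip, int(gport))
        if action == "created":
            open_[k] = (parse_ts(ts), iip, int(iport))
        elif k in open_:
            start, iip0, iport0 = open_.pop(k)
            closed.append((*k, start, parse_ts(ts), iip0, iport0))
    closed.extend((*k, start, None, iip, iport) for k, (start, iip, iport) in open_.items())
    return closed


def attribute(alert_lines, nat_lines):
    """Map each alert to the inside host that held the global port at that moment.
    Returns (timestamp, signature, global endpoint, inside endpoint or None)."""
    table = translations(nat_lines)
    results = []
    for line in alert_lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts, proto, gip, gport, sig = m.groups()
        t, inside = parse_ts(ts), None
        for p, g_ip, g_port, start, end, iip, iport in table:
            if (p, g_ip, g_port) == (proto, gip, int(gport)) and start <= t and (end is None or t <= end):
                inside = f"{iip}:{iport}"
                break
        results.append((ts, sig, f"{gip}:{gport}", inside))
    return results


def demo():
    return attribute(ALERTS, NAT_LOG)
```

A join on the address tuple alone would pin both SQLi alerts on the first host that ever held port 1024, and would attribute the PortScan alert to someone even though no translation existed at that moment. Note too that the correlation only works at all if the NAT device logs translation creation and deletion with timestamps synchronized to the sensor's clock.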
Table 1 Common Security distinctions between NAT and Cisco IOS Firewall
Cisco IOS Firewall: A Step Beyond
Cisco IOS Firewall advances and augments NAT, where NAT is deployed as the sole method of network security, with its advanced stateful inspection capabilities. Beyond deciding whether a packet can be routed toward its destination, Cisco IOS Firewall looks more closely at the packet to decide whether it should be sent there at all. The stateful inspection engine also tracks the state of transactions and acts accordingly, forwarding, dropping, rejecting, and/or logging the packet. It further supports certain complex application protocols and can look into the packet to determine more explicitly the source, the destination, and whether the packet type should be allowed (for both UDP and TCP). This type of inspection is especially necessary in installations that overlay voice and data on the same wire (for example, Cisco voice architectures that use H.323, SIP, or the Selsius Skinny Station Protocol).
Alongside these capabilities, Cisco IOS Software also provides the following advanced security features:
- Port to Application Mapping (PAM), which lets customers map nonstandard TCP or UDP port numbers to network services or applications so that inspection still applies
- Full integration with the Cisco IOS NAT Application-Level Gateway (ALG)
- Authentication Proxy for authenticating inbound and/or outbound users who would otherwise be blocked by an access list
- An advanced Intrusion Detection System for combating unauthorized intrusions, mitigating attacks, and detecting break-ins
Network security design requires that an organization decide how much to invest in implementation and how much intrusion cost it can withstand. No single technology can provide the depth of security that today's network environments require. The ideal application for Cisco IOS Firewall is in a multi-layered configuration across a variety of routers on the network, a configuration that is supported by today's foremost networking security experts and is endorsed in Cheswick and Bellovin's book Firewalls and Internet Security.
To ensure the most comprehensive level of protection, every network should include a broad cross section of security components addressing accurate identification of users, access control to critical network applications and services, secure connectivity, appropriate monitoring, and ongoing security policy management.
