Computer people: NAT question

by seattleniceguy, 14 replies

  • seattleniceguy

    Hello fellow geeks,

    I have a question regarding visibility of devices inside a network behind a router running network address translation. I have a router providing internet access to several machines / devices on a private (192.168) network in my house. My question is, are these devices completely invisible to outside requests? It seems like they would have to be, since it would not be possible to route a packet from the outside using the IP address of a device inside the network. But the router is visible from the outside, so is it possible to trick the router into forwarding packets to devices on the private network?

    The main reason I'm asking is that I recently bought a network attached storage device for my office. Having a 160GB shared drive on the network makes life a lot easier for me when I'm working with my graphic designer. Windows sees the drive as a network share, and it is possible to put basic security on the shared folders. My question is: is it necessary? Is it even remotely possible for someone outside of my network to connect to - or even see - this device?

    SNG

  • FMZ

    SNG, yep, pretty much everything on the inside of it is invisible to the outside. The only way to get it to route packets to other computers is to specifically tell it which ports to forward to which computers. Otherwise, it acts kind of like a natural firewall.

    A few of them have exploits, just like any other piece of hardware / software, but for the most part they are pretty damn secure.

    FMZ
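
A toy model of the mechanism FMZ describes, added here as an example and not part of the original thread. It keeps a router-style translation table: an outbound connection from the LAN creates an entry, an unsolicited packet arriving at the public address with no entry is dropped, and a static port-forward is the one thing that makes an inside host reachable. All addresses, ports and hostnames are constructed for illustration.

```python
"""Toy model of a NAT router's translation table (added example).

Illustrates why a host on a private 192.168.x.x network is unreachable from
the Internet unless the router has a matching entry: either a mapping created
by a connection the inside host opened, or a static port-forward configured by
the owner. All addresses and ports here are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # dynamic entries: (inside_ip, inside_port, peer_ip, peer_port) -> public_port
        self._outbound = {}
        # reverse view: public_port -> (inside_ip, inside_port, peer_ip, peer_port)
        self._inbound = {}
        # static port-forwards the owner configured: public_port -> (inside_ip, inside_port)
        self.forwards = {}

    def add_forward(self, public_port, inside_ip, inside_port):
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the router's public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._outbound.get(key)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._outbound[key] = public_port
            self._inbound[public_port] = key
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> router: deliver only if a forward or a matching flow exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        entry = self._inbound.get(pkt.dst_port)
        if entry is None:
            return None  # nobody inside asked for this: drop
        inside_ip, inside_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # not the peer the inside host is talking to: drop
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """Walk through the four cases the thread discusses and return the outcomes."""
    router = NatRouter("198.51.100.1")  # constructed public address
    nas, pc = "192.168.1.20", "192.168.1.10"
    web, attacker = "203.0.113.50", "203.0.113.99"
    results = {}
    # 1. unsolicited probe at the router's public address for the NAS's SMB port
    results["probe_445"] = router.inbound(Packet(attacker, 40123, router.public_ip, 445))
    # 2. the PC browses a web site; the reply comes back through the new mapping
    out = router.outbound(Packet(pc, 51000, web, 80))
    results["translated"] = out
    results["reply"] = router.inbound(Packet(web, 80, router.public_ip, out.src_port))
    # 3. the attacker tries the same mapped port: wrong peer, dropped
    results["hijack"] = router.inbound(Packet(attacker, 40123, router.public_ip, out.src_port))
    # 4. owner forwards public port 2222 to the NAS: now it is reachable on that port
    router.add_forward(2222, nas, 22)
    results["forwarded"] = router.inbound(Packet(attacker, 40123, router.public_ip, 2222))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {'dropped' if outcome is None else outcome}")
```

The model also checks that a reply comes from the peer the inside host contacted (case 3); real routers differ in how strict they are about that, and the point FMZ makes holds either way: with no entry and no forward, the packet has nowhere to go.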

  • Euphemism

    Yep, what FMZ said.

    If I were you, I would still do basic Windows authentication on the NAS. It's what they call "defense in depth"--it's always better to have multiple layers. But it's only an issue if someone cracks your router. (Or gets a trojan on your PC, of course; but in that case the auth wouldn't help you either.)

  • PopeOfEruke

    Seattleniceguy,

    sell your router and get a life!!

    I wish I could!

    Pope

  • Quotes

    SNG, you are correct. The devices inside your NAT are not visible to the outside world.

    Assuming the NIC in the router is not promiscuous, the internal traffic between the NAS and your other systems should be ignored. But, I speculate, if the NAS device tried to initiate contact with/through the router (Windows NetHood browsing?) then this is potentially a problem. I'll assume that this would never happen, and if it did, the NAT/Router would probably just dump the packets; but better safe than sorry. I concur with the suggestion to use Windows security anyway.

    Don't forget to check your system for weakness: http://www.grc.com/default.htm

  • FMZ

    Well, since we are talking NAT... I have a quick question.

    Now, ignoring all warnings about how much of a security risk I would be enabling...

    What ports would I forward to allow SMB shares from my server to the outside world? I have the range 135-139 forwarded to my SMB server, with no luck.

    Again, I know this is a dumb thing to do, and I don't want to do it for any kind of productive reason... it just bothers me that I couldn't do it even if I wanted to. Any ideas?

    FMZ

  • Quotes

    FMZ, I don't know. I've never tried that -- pretty dangerous stuff!

    Personally, I would try setting up an FTP server (at an obscure port, like 2600 instead of 26) and just use (password protected, not anonymous) FTP. Or use Secure FTP (SFTP). Or use FTP after tunneling in with SSH.

    A thought: did your experiment fail (perhaps) because your ISP is deliberately blocking those ports upstream, to protect L-Users from unintentionally connecting their Windows shares with the world? I wouldn't be surprised.
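
A small TCP connect check, added here as an example (not code from anyone in the thread), for the two things discussed above: the "check your system for weakness" self-test Quotes points at, and FMZ's question of whether a forwarded port actually answers from the outside. Run from a host outside your network against the router's public address, it tells open ports apart from ports that refuse (the router answers, nothing listens) and ports that are filtered (no answer at all, which is what upstream blocking by an ISP looks like). The list of Windows file-sharing ports and the loopback self-test are my additions so the script runs offline.

```python
"""TCP connect check for a handful of ports (added example).

Run it from OUTSIDE your network against your router's public address to see
what an Internet host can reach. The self-test listens on a loopback port so
the script is runnable offline; nothing here touches a real router.
"""
import socket
import sys

# Ports Windows file sharing has used over the years: RPC endpoint mapper,
# NetBIOS name/datagram/session, and SMB directly over TCP.
WINDOWS_FILE_SHARING = (135, 137, 138, 139, 445)


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"  # handshake completed: something is listening and reachable
    except ConnectionRefusedError:
        return "closed"  # RST came back: the host answers, nothing listens there
    except OSError:
        return "filtered"  # timeout or unreachable: dropped by a firewall, NAT or upstream
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe each port and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def loopback_demo():
    """Listen on one loopback port, pick a free one as a control, scan both."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # kernel picks a free port
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # released again, so nothing listens there
    try:
        results = scan("127.0.0.1", (open_port, closed_port))
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python portcheck.py <public-ip-of-your-router> [port ...]
        target = sys.argv[1]
        ports = tuple(int(p) for p in sys.argv[2:]) or WINDOWS_FILE_SHARING
        for port, state in scan(target, ports).items():
            print(f"{target}:{port} {state}")
    else:
        o, c, r = loopback_demo()
        print(f"loopback self-test: {o} -> {r[o]}, {c} -> {r[c]}")
```

A port that comes back "filtered" from outside but "open" when you probe the server from inside the LAN is the pattern to look for when deciding between a broken forward and an upstream block.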

  • FMZ

    Quotes, it's possible I guess... I know they do that with the SMTP and POP3 ports. Thankfully HTTP goes through with no probs.

    SFTP is definitely the way to go. And again, this was not really for practical purposes. It just bugs me when I know something (albeit stupid) can be done, but I can't manage it. Thanks for the suggestion tho mate :)

    FMZ

  • seattleniceguy

    Thanks guys! You're the greatest.

    Yes, I am using basic authentication anyway, but I just wanted to know for knowledge's sake. Also, I might create one unprotected shared directory, that contains nothing but encrypted files. But I wondered whether it would be theoretically possible to see the directory structure, etc.

    Anyway, thanks for the clarification!

    SNG

  • donkey

    SNG,

    You have a single point of failure in the scenario you described. For a motivated hacker, if they can hack the router then they have routable access to any connected machines on the inside perimeter. The short answer is that it all depends how paranoid you want to be. Any more sophisticated hardware solution will cost money, as you will likely add additional computers and routers to segment the network.

    Bottom line: I would doubt that any hacker might be motivated enough to hack your router.

    On the other hand, if I were motivated to hack you (BTW I am not motivated) I would not attack the "wall" but would use a "trojan" or "worm" that would be granted permission by you and have it log keystrokes or scan the drives on your internal PCs. You are well served to pay closer attention to your email and surfing habits as points of vulnerability vs guarding the outer perimeter.

    Good luck,
    Donkey
