One for the pros..

drak3

drak3

drak3

Associate
Joined
26 Jan 2006
Posts
1,502
Given how NAT works and todays standard of more than 2 people using the same connection/ external IP (flatmates etc.), how the security people deal with this situation?

All evidence of which host was leasing the internal IP are local to the router (ARP/IP tables local and router MAC/IP goes remote only).

I am not an "expert" (yet! :p), and would like to hear what the pros have to say on this interesting subject.

Thanks :)
 
You can track the connections through the firewall or router, most devices these days implement "PAT" or port address translations that tags your internal IP address with a randomised port number as it passes through the edge device, the device keeps track of this port number so that when the device receives a reply from an outside host it knows which inside host to forward the traffic onto.

Hence why it is referred to as "Port" address translation.

http://en.wikipedia.org/wiki/Port_address_translation
 
I'm not sure what your question is? How do you tell which user is which behind a NAT router? Well you can't but you'd never have to that I can think of... (if you've designed a decent network)
 
I ll give an example to clarify my question.

2 hosts -> Router (NAT) -> internet-> Server

Is it possible to tell which of the 2 hosts "attacked" the server if the router owner (admin) is not willing to share the ARP/NAT tables?

Hope is more clear now.
 
Curiosityx said:
You can track the connections through the firewall or router, most devices these days implement "PAT" or port address translations that tags your internal IP address with a randomised port number as it passes through the edge device, the device keeps track of this port number so that when the device receives a reply from an outside host it knows which inside host to forward the traffic onto.

Hence why it is referred to as "Port" address translation.

http://en.wikipedia.org/wiki/Port_address_translation
Click to expand...

I am familiar with address translation, thanks :) Sorry for the confusing question. Please see the example :)
 
drak3 said:
I ll give an example to clarify my question.

2 hosts -> Router (NAT) -> internet-> Server

Is it possible to tell which of the 2 hosts "attacked" the server if the router owner (admin) is not willing to share the ARP/NAT tables?

Hope is more clear now.
Click to expand...

Not without logs no, doesn't matter generally as the ISP will hand over the name of the account owner if the situation is serious and they'd be legally responsible until they proved otherwise.

Technically speaking finding which host behind NAT was responsible is obviously impossible in most situations but I really can't think of a situation where it would matter...
 
You must log in or register to reply here.
Back
Top Bottom