3. Traceability

One of the biggest problems with NAT is that individual systems no longer have a unique identifier on the public side of the gateway. This poses considerable problems when it comes to network abuse, such as security incidents or copyright violations, as there is no longer any means of isolating a particular host at the level of the backbone network, nor can OUCS's central logs identify the individual host concerned.

The requirement for traceability is described in detail in the OxCERT documentation on Logging of network usage, which has a section on NAT. Please read this and ensure that you are able to comply with OxCERT's expectations. Bear in mind that even if you are logging all the necessary information, OxCERT will in general have no immediate access to your logs, nor to any means of restricting network access for an individual system within your network. Severe threats may require immediate action, including a complete IP block against your NAT gateway. Also worth bearing in mind is the type of NAT traversal, i.e. "cone" or "symmetric" NAT as defined in RFC 3489. Use of "cone" NAT traversal could adversely affect traceability on busy networks, as inbound traffic may be incorrectly associated with a given internal host.
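
The following is an added example, not part of the OxCERT or OUCS documentation, showing why a NAT gateway's logs must record the public port and the mapping's lifetime as well as the addresses. It works over constructed translation records (documentation addresses only, with 192.0.2.1 standing in for the gateway's public address) and traces an abuse report back to the internal host; the log format and the helper names are assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed sample NAT translation records (not real gateway logs). One
# mapping per line: start end proto internal_ip:port public_ip:port remote_ip:port
NAT_LOG = """\
2010-03-01T10:00:00Z 2010-03-01T10:05:30Z tcp 10.1.2.10:51234 192.0.2.1:40001 198.51.100.7:80
2010-03-01T10:01:00Z 2010-03-01T10:07:00Z tcp 10.1.2.11:51234 192.0.2.1:40002 203.0.113.9:443
2010-03-01T10:06:00Z 2010-03-01T10:12:00Z tcp 10.1.2.12:40000 192.0.2.1:40001 198.51.100.7:80
"""


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text):
    """Turn the sample log into a list of mapping records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, proto, internal, public, remote = line.split()
        records.append({"start": _ts(start), "end": _ts(end), "proto": proto,
                        "internal": internal, "public": public, "remote": remote})
    return records


def trace(records, public_ip, when, public_port=None, proto=None):
    """Return the internal ip:port endpoints mapped to public_ip at time 'when'.

    With the public port the answer is normally a single host, even when the
    gateway reuses a port later. Without it (a report naming only the gateway
    address, as an upstream log would) every host with an open mapping matches,
    which is exactly the loss of traceability behind a NAT.
    """
    t = _ts(when)
    matches = set()
    for r in records:
        pub_ip, pub_port = r["public"].rsplit(":", 1)
        if pub_ip != public_ip or not (r["start"] <= t <= r["end"]):
            continue
        if public_port is not None and int(pub_port) != public_port:
            continue
        if proto is not None and r["proto"] != proto:
            continue
        matches.add(r["internal"])
    return sorted(matches)
```

The lookup assumes each record is the mapping the gateway actually created for an outbound connection; under "cone" NAT an inbound packet to a mapped port is forwarded to the internal host whoever sent it, so a match here shows which host received the traffic, not that it solicited it.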

To avoid your NAT gateway being mistaken for a standard host, OUCS strongly recommend that you give it a distinctive name in the DNS, for example student-nat.unit.ox.ac.uk. High traffic levels or usage patterns which would be abnormal for a single host might reasonably be expected of a NAT gateway. In the past, the lack of distinct labelling has caused blocks to be placed on NAT gateways as a result of relatively mild security problems or copyright infringements. A block may be standard practice for a single host, but where it would cause considerable collateral damage to unaffected hosts, this will be taken into account before a block is imposed against a NAT gateway. Immediate blocks against known NAT gateways will only be imposed in those cases where the immediate risks to others outweigh the disruption caused by cutting off network access to all hosts behind the NAT.
