Security and NAT Gateway for the Munich Scientific Network (MWN)

Systems within the Munich Scientific Network (MWN) with private IP addresses need an official IP address for many Internet services. The change from a private address to an official one is done by means of a so-called NAT gateway. At the same time, different security checks are carried out at this key point.

Preliminary Remark

Every computer needs an IP address in order to communicate in the Internet and MWN (Munich Scientific Network). Computers with private IP addresses that have been assigned by the LRZ can communicate within the MWN without any further steps, but they cannot go beyond the bounds of the MWN and into the Internet. In order to allow these computers to pass beyond the MWN bounds, the LRZ operates a central NAT gateway, which we call by the project name Secomat.

The first version of this gateway was known by the name NAT-o-MAT. It will take some time for this old name to disappear completely, so you may still encounter it from time to time. We found the change in name to be appropriate because the main job was noticeably moving towards a security function. This document now uses only the new name Secomat.

NAT stands for "Network Address Translation" and means the conversion of the IP address from a "private" IP address into a "public" one. As its name already suggests, the scope of the Secomat's function goes beyond this, however: for example, it can limit the data transfer rate or recognize and prevent various attack scenarios (including port scans, denial of service, spam).

Important Note:

Separate routers, gateways and proxy servers are operated in some student residences (such as in the Freimann Student City). Internet access is not made possible here over the LRZ Secomat.

NAT

IP addresses in certain ranges (such as 10.155.1.1) are identified as private (RFC 1918), because data packets with such IP addresses are not forwarded - routed - in the Internet.

If a computer has a private IP address, no packet from the Internet can reach it directly. Computers with private addresses are consequently automatically protected against (hacker) attacks from the Internet. In the same way, however, no data packet with a private IP address can leave the MWN or uses services outside the MWN. Private IP addresses consequently protect against accesses from the Internet, but also prevent data from going out. For more information, see: What is the advantage of private IP addresses?

NAT is one possibility for overcoming the restrictions of private IP addresses when necessary. A NAT gateway gives requests with private IP addresses a public IP address that can be used globally in the Internet as the sender; these requests are then forwarded into the Internet. This procedure is called Source NAT and is also used, in principle, by many DSL routers.

Source NAT (SNAT) ensures that connections only come about if they are set up from within the private network, but not from outside (the Internet).

Preventing Port Scans, Denial of Service, and Spam Attacks

To prevent scan and DOS or DDOS attacks that originate in computers in the MWN, the number of packets from and to certain destinations are observed:

  • Computers that want to reach a certain destination port on many destination computers with their source IP are carrying out a DOS or scan attack if more than 10 packets per second are sent off.
  • Computers that want to contact a single destination computer with many source IPs are carrying out a DDOS attack if more than 10 packets per second are sent off.
  • For the TCP ports 80 (HTTP, WWW) and 443 (HTTPS),  the limit is 100 packets per second.
  • For port 25 (Mail), the limit is 6 connections a minute.

If one of these limits is exceeded, the computer is given a "penalty point." If 120 penalty points are accumulated with a sliding time frame of 15 minutes, it is assumed that the computer is displaying abnormal communication behavior and may possibly be compromised (for example, by a virus). This computer is then automatically blocked for Internet access. The browser on the blocked computer is forced to a WWW page that contains Information on the block and a link to the LRZ antivius page. If the number of penalty points falls below 120 again within 15 minutes, the computer is unblocked, again automatically.

The policies for traffic shaping and the blocking of unwanted packets are described in more detail here.

Important Note:

In spite of these measures, each user continues to be responsible for the security of his or her computer. This includes the use of an up-to-date virus scanner and cautious handling of programs that access the Internet.

Technical Implementation

The Secomat is not a finished product that is available in this form at the store. It consists of a cluster of Linux servers whose high availability level is achieved with Heartbeat/Pacemaker. The core component of the Secomat is the Linux firewall mechanism Netfilter/Iptables. In addition to rules for the NAT, there are also rules (hash limits) here against DoS (Denial of Service), DDoS (Distributed Denial of Service), worms, and port scans.

Traffic shaping is implemented with the help of the Linux Traffic Controller (http://lartc.org/). These core components are embedded in a number of independently developed bash and perl scripts that are used, for example, for the analysis of firewall logs or that allow graphical evaluations via RRDtool (http://www.rrdtool.org).

Questions & Answers

See FAQs.