In the past few years it has become increasingly common for users to connect to the campus network equipment designed to let many computers share a single network connection. These devices, which include routers, firewalls, and wireless access points, use Network Address Translation (NAT) to let many systems communicate on the network from a single public IP address. While such devices let many computers connect to the network cheaply and easily, they carry serious security implications that must be considered before they are connected to the campus network.
When network monitoring and scanning activities generate a security alert for an IP address in use by a NAT device, the registered security contact for that IP address is notified via email. Hosts connected to the campus network through a NAT device are not exempt from campus security policies, including Minimum Security Standards (MSS), and are subject to network blocking procedures. Since all hosts behind the NAT device share the same campus IP address, a block on the IP address will remove every host behind the NAT device from the network.
If you operate a NAT device on the campus network, be aware that:
- The NAT device administrator must identify hosts responsible for security issues and relay the related security notice to the party responsible for that host. If the NAT operator cannot identify the host, or if the host is not secured in a timely fashion, the administrator must block the host or remove the entire NAT device from the network until the host has been secured.
- Failure to comply with this policy will result in the Information Security Office (ISO) blocking the public IP address, disabling network access to the NAT device and all connected hosts.
To mitigate security problems associated with NAT devices:
- Logging on the NAT device must be enabled and must record enough detail to identify the specific internal host in response to a security incident. In practice that means each translation's internal address, the public address and port it was mapped to, and the time the mapping was created and removed, since a security notice can at best identify the offending traffic by public IP address, port, and time. Because such devices have limited flash memory, this may require offloading logs to a secondary system, such as a syslog server, especially when many hosts share the NAT device.
- Access to the NAT device must be restricted to known hosts, and the NAT device administrator must have a mechanism in place (for example, MAC address registration or static address assignment) to identify each host uniquely.
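The host-identification step required above is the part that is hard to do after the fact if the log lacks detail. The following Python script is an added example, not code from the campus ISO or from any NAT vendor. It assumes a hypothetical syslog-style translation log (NAT-ADD and NAT-DEL records carrying the internal and public address:port pairs, constructed here for illustration) and shows how to map an alert, identified by public IP address, source port and time, back to the internal host, including the case where a public port is reused by a different internal host after the first translation is torn down.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample of a NAT device's translation log in a hypothetical
# syslog-style format (not the output of any real product). NAT-ADD records a
# new translation, NAT-DEL its removal. Public port 40001 is reused by
# 10.0.0.77 after 10.0.0.12's translation is torn down, and one unrelated
# syslog line is mixed in to show that it is skipped.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z NAT-ADD proto=tcp in=10.0.0.12:50123 out=128.32.44.7:40001 dst=203.0.113.9:443
2024-03-04T10:00:05Z NAT-ADD proto=tcp in=10.0.0.31:41000 out=128.32.44.7:40002 dst=198.51.100.20:22
2024-03-04T10:01:00Z kernel: eth0 link up
2024-03-04T10:05:00Z NAT-DEL proto=tcp in=10.0.0.12:50123 out=128.32.44.7:40001 dst=203.0.113.9:443
2024-03-04T10:06:10Z NAT-ADD proto=tcp in=10.0.0.77:33000 out=128.32.44.7:40001 dst=203.0.113.9:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT-(?P<event>ADD|DEL) proto=(?P<proto>\w+) "
    r"in=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"out=(?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass
class Translation:
    proto: str
    internal_ip: str
    public: str                      # "public_ip:public_port" as seen on campus
    start: datetime
    end: Optional[datetime] = None   # None: still active when the log ends


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Translation]:
    """Pair NAT-ADD and NAT-DEL records into translations with a lifetime."""
    active = {}       # full 7-tuple -> Translation not yet deleted
    finished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic
        key = (m["proto"], m["in_ip"], m["in_port"], m["out_ip"],
               m["out_port"], m["dst_ip"], m["dst_port"])
        ts = parse_ts(m["ts"])
        if m["event"] == "ADD":
            active[key] = Translation(m["proto"], m["in_ip"],
                                      f"{m['out_ip']}:{m['out_port']}", ts)
        else:
            t = active.pop(key, None)
            if t is not None:     # a DEL with no matching ADD (rotated log) is ignored
                t.end = ts
                finished.append(t)
    return finished + list(active.values())


def attribute_alert(log_text: str, public_ip: str, public_port: int,
                    when_iso: str, proto: str = "tcp") -> List[str]:
    """Internal hosts whose translation covered public_ip:public_port at the
    alert time. One entry is an attribution; an empty list means the log has
    no covering translation (wrong time, rotated log, or logging not enabled);
    more than one means the log lacks the detail to disambiguate."""
    when = parse_ts(when_iso)
    target = f"{public_ip}:{public_port}"
    hits = set()
    for t in parse_log(log_text):
        if t.proto != proto or t.public != target:
            continue
        if t.start <= when and (t.end is None or when < t.end):
            hits.add(t.internal_ip)
    return sorted(hits)


if __name__ == "__main__":
    for port, when in ((40001, "2024-03-04T10:03:00Z"),
                       (40001, "2024-03-04T10:07:00Z"),
                       (40002, "2024-03-04T10:07:00Z"),
                       (40001, "2024-03-04T09:59:00Z")):
        hosts = attribute_alert(SAMPLE_LOG, "128.32.44.7", port, when)
        print(f"alert on 128.32.44.7:{port} at {when}: "
              f"{hosts[0] if len(hosts) == 1 else 'no unique host: ' + str(hosts)}")
```

The alert time and the log timestamps must be in the same time zone and come from synchronized clocks; a NAT device whose clock drifts by a few minutes will attribute an alert to whichever host held the port at the wrong moment, so keep the device on NTP and log in UTC.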
For additional information, please refer to the following policies:
- NAT Policy Compliance Guideline
- Minimum Standards for Security of Berkeley Campus Networked Devices: https://security.berkeley.edu/MinStds/AppA.min.htm
- Guidelines and Procedures for Blocking Network Access: https://security.berkeley.edu/blocking.html
For questions or advice on securing NAT devices, please contact firstname.lastname@example.org.