Idea searched to block NAT-Router


L2 Linker

Hi,

I have some clients who are installing a NAT router behind the firewall to set up their own Wi-Fi. The NAT devices are from different vendors with different MACs.

Does anyone have an idea how to detect these NAT devices irrespective of their MAC / IP address, and how to deny all the traffic from these devices?

My intent is to block all traffic where the IP packets have a TTL other than 128 / 64, but how can I solve this with Palo Alto?

Regards

Robert
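The TTL heuristic Robert describes, as an added example that is not part of this thread and does not run on PAN-OS: it evaluates (source IP, observed TTL) pairs taken from a packet capture or flow export on the LAN side of the firewall, assuming hosts start at the common OS defaults of 64 or 128 and sit directly on the LAN (zero expected hops). Both functions and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Common initial TTLs: 64 (Linux, macOS, iOS, Android), 128 (Windows), 255 (network gear).
INITIAL_TTLS = (64, 128, 255)

def infer_hops(ttl):
    """Map an observed TTL to (assumed initial TTL, hops travelled).
    Uses the smallest common default >= the observed value; a NAT router
    decrements TTL once, so 127 reads as a Windows host one hop away."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"invalid TTL {ttl}")

def find_nat_suspects(records, expected_hops=0):
    """records: iterable of (src_ip, ttl) as seen on the firewall's LAN side.
    Returns {ip: set of hop counts} for sources whose packets travelled more
    hops than expected_hops (0 when hosts sit directly on the LAN)."""
    suspects = defaultdict(set)
    for ip, ttl in records:
        _, hops = infer_hops(ttl)
        if hops > expected_hops:
            suspects[ip].add(hops)
    return dict(suspects)

def find_mixed_ttl_sources(records):
    """Returns {ip: set of initial TTLs} for IPs emitting more than one OS
    family; several device types hidden behind one address is a NAT tell."""
    initials = defaultdict(set)
    for ip, ttl in records:
        initials[ip].add(infer_hops(ttl)[0])
    return {ip: s for ip, s in initials.items() if len(s) > 1}

# Constructed sample (source IP, observed TTL); not real capture data.
SAMPLE = [
    ("10.1.1.20", 128),  # Windows host directly on the LAN
    ("10.1.1.21", 64),   # Linux host directly on the LAN
    ("10.1.1.50", 127),  # Windows host one hop away: behind a NAT router
    ("10.1.1.50", 63),   # phone behind the same NAT router, same LAN-side IP
    ("10.1.1.77", 255),  # network gear answering directly
]

if __name__ == "__main__":
    print("suspects by hop count:", find_nat_suspects(SAMPLE))   # {'10.1.1.50': {1}}
    print("mixed OS behind one IP:", find_mixed_ttl_sources(SAMPLE))  # {'10.1.1.50': {64, 128}}
```

Hosts with a non-default TTL, or legitimate routers and VPN concentrators on the LAN, will show up as false positives, so treat hits as leads for the MAC / switch-port trace described in the replies rather than as a block list.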

7 REPLIES

L4 Transporter

Hello

Maybe this is a solution for you (TTL=1): http://gregsowell.com/?p=2139

I know that you want to do it on PAN-OS ... but IMHO it's impossible - correct me if I'm wrong.

Regards

SLawek

L6 Presenter

So someone is on your network and your network has a Palo Alto firewall at the border?

You have users that have deployed a router with NAT enabled and they have their own separate WiFi network?

Why not just block their NAT IP in your firewall? Or shut down the port on your network that their router is connected to? Or talk to them and tell them what they're doing violates your company's security policy?

Are they squatting on legitimate IP space on your network or are they using some RFC 1918 space you don't use?

So someone is on your network and your network has a Palo Alto firewall at the border?

You have users that have deployed a router with NAT enabled and they have their own separate WiFi network?

Both yes.

Why not just block their NAT IP in your firewall?

I don't know the NAT IP. It's dynamic. They bring their own Huawei / DrayTek ... router and connect it to an open network port. It gets assigned a DHCP address. Then it works.

Or shut down the port on your network that their router is connected to?

I don't know the port. It's dynamic ...

Or talk to them and tell them what they're doing violates your company's security policy?

I always did. But our CEO wants a technical solution.

 

If you can find the MAC address of the NAT router then you can put it in the deny list of your DHCP server and prevent it from getting an IP address. If your switches have a blacklist function you can add the MAC address to that also.

@robert.hoffmann If you have their NATed IP in your firewall, find the MAC. Then you can trace your network and find the port they're connected to on your network and shut down the port.

The IP might be dynamic, but I doubt they're changing network ports at the same time. If they did then someone's definitely screwing with you.

@Brandon_Wertz pretty much gave you everything that you need to do, but I would add that you're trying to fix a people problem with tech. If someone is doing this HR should really get involved, or you should enable port security and limit the port on your switches to only allow 1 MAC address per port, possibly two if you are running a VoIP environment with passthrough.

L7 Applicator

Sounds like your CEO would be interested in implementing an 802.1X port security solution. Check with your switch vendor that they can support 802.1X. If so, this is your best method to make sure only authorized devices connect to your physical ports.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center