Multiple NAT Routers as Extra Intranet Security
Steve Gibson of ShieldsUP! fame made some interesting points on Security Now! episode 3, the podcast he does with Leo Laporte, about the possible advantages of using two or more routers in series within a LAN.
Of course, the primary use of a router is that it allows multiple computers to share a single internet connection. A byproduct of this is that a NAT router acts as a hardware firewall of sorts: an unsolicited packet arriving from the internet matches no entry in the router’s translation table, so it has nowhere to go and is dropped before it ever reaches a PC.
So if one router protects you from malicious traffic on the internet, what use is there for a second one? It lets you create a second, inner LAN. Computers can be placed on the regular ‘outer’ LAN or on the super-secure ‘inner’ LAN.
- Machines on the “Semi-Secure” (middle) LAN can access the Internet, but they are protected by the “External NAT” from most Internet badness.
- Machines on the “Super-Secure” internal LAN can also access the Internet, first by going out through the “Internal NAT” and then the “External NAT”. As with machines on the Semi-Secure LAN, the “External NAT” will keep unsolicited traffic from entering the network.
- Because the Semi-Secure LAN is on the OUTSIDE (WAN side) of the Internal NAT, machines on the Semi-Secure LAN cannot initiate connections to the machines behind the Internal NAT. (If a service on the inner LAN ever had to be reachable from outside, it would need a port forwarded on both routers.)
- The machines behind the Internal NAT can open connections to the machines in the middle, and the replies come back through the Internal NAT’s translation table, but NOT the other way around!
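To make the asymmetry in the list above concrete, here is a small Python model of the two-router layout. It is an added example, not code from the article or from Gibson, and it implements only the one rule the whole scheme rests on: a NAT rewrites and remembers connections leaving its LAN, and a packet arriving on its WAN side is forwarded only if it matches a remembered connection. All addresses are made up (203.0.113.5 and 198.51.100.x stand in for the internet side, 192.168.1.0/24 is the middle LAN with the Internal NAT at 192.168.1.2, and 10.0.0.0/24 is the inner LAN); the port numbers and the names `DoubleNat`, `Nat` and `Packet` are the example’s own.

```python
"""Toy model of: Internet <-> External NAT <-> middle LAN <-> Internal NAT <-> inner LAN.

Constructed example (not the article's or Gibson's code). Only the
connection-tracking rule the two-router scheme relies on is modelled.
Addresses are made up; 203.0.113.x / 198.51.100.x are documentation ranges.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """One NAT router: `lan` is the subnet it protects, `wan_ip` its outside address."""

    def __init__(self, lan, wan_ip, first_port):
        self.lan = ip_network(lan)
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.mappings = {}  # outside port -> (inside ip, inside port)

    def is_inside(self, ip):
        return ip_address(ip) in self.lan

    def outbound(self, pkt):
        """Flow leaving the LAN: rewrite the source and remember the mapping."""
        for port, inside in self.mappings.items():
            if inside == (pkt.src, pkt.sport):          # existing flow, reuse its port
                return replace(pkt, src=self.wan_ip, sport=port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=port)

    def inbound(self, pkt):
        """Packet arriving on the WAN side: forward only if it matches a mapping.
        Toy behaviour: any source may use an existing mapping (endpoint-independent)."""
        inside = self.mappings.get(pkt.dport)
        if inside is None:
            return None                                  # unsolicited -> dropped
        return replace(pkt, dst=inside[0], dport=inside[1])


class DoubleNat:
    """Zones: 0 = Internet, 1 = middle (Semi-Secure) LAN, 2 = inner (Super-Secure) LAN."""

    def __init__(self):
        self.external = Nat("192.168.1.0/24", wan_ip="203.0.113.5", first_port=50000)
        self.internal = Nat("10.0.0.0/24", wan_ip="192.168.1.2", first_port=40000)
        self.exit_nat = {2: self.internal, 1: self.external}   # NAT a zone leaves through
        self.entry_nat = {0: self.external, 1: self.internal}  # NAT whose WAN side is in a zone

    def zone(self, ip):
        if self.internal.is_inside(ip):
            return 2
        if self.external.is_inside(ip):
            return 1
        return 0

    def route(self, pkt):
        """Return the packet as delivered (after NAT rewrites), or None if dropped."""
        zone = self.zone(pkt.src)
        while self.zone(pkt.dst) < zone:                 # outward: each NAT rewrites freely
            pkt = self.exit_nat[zone].outbound(pkt)
            zone -= 1
        while True:                                      # inward: only via existing mappings
            nat = self.entry_nat.get(zone)
            if nat is not None and pkt.dst == nat.wan_ip:
                pkt = nat.inbound(pkt)
                if pkt is None:
                    return None
                zone += 1
                continue
            # a private range deeper inside is simply not routable from here
            return pkt if self.zone(pkt.dst) == zone else None

    def exchange(self, src, sport, dst, dport):
        """Send one packet and, if delivered, its reply; return (delivered, reply_delivered)."""
        out = self.route(Packet(src, sport, dst, dport))
        if out is None:
            return None, None
        return out, self.route(Packet(out.dst, out.dport, out.src, out.sport))


def demo():
    """The cases from the article; True = traffic gets through, False = dropped."""
    net = DoubleNat()
    _, inner_reply = net.exchange("10.0.0.10", 5555, "198.51.100.7", 80)
    _, middle_reply = net.exchange("10.0.0.10", 5556, "192.168.1.50", 445)
    middle_to_inner, _ = net.exchange("192.168.1.50", 3333, "192.168.1.2", 445)
    internet_in, _ = net.exchange("198.51.100.9", 4444, "203.0.113.5", 22)
    return {
        "inner host reaches the Internet and gets the reply": inner_reply is not None,
        "inner host reaches a middle-LAN host": middle_reply is not None,
        "middle-LAN host reaches the Internal NAT's WAN side": middle_to_inner is not None,
        "Internet host reaches the External NAT unsolicited": internet_in is not None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'PASS' if ok else 'DROP'}: {case}")
```

Running it prints PASS for the two connections opened from the inner LAN and DROP for the two unsolicited inbound attempts. The model is deliberately loose in one respect: once an inside host has opened a mapping, any outside source may send to that port, which is how some consumer routers behave and is exactly why the protection only covers ports that nothing inside has opened.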
Gibson gives three uses for creating this secure inner LAN:
Isolating a router’s DMZ network and servers:
The outer router can be set up to pass traffic to one specific machine (a DMZ host or a server). The rest of the machines, on the inner LAN, are then protected not just from the ports that were opened on the outer router but also from any nasties that might somehow have infected the exposed machine(s) on the outer LAN.
Isolating an open or low-security wireless access point:
Anyone who gains access to your wireless network also has access to your LAN, and therefore to the data on the other machines on it. Putting the access point on the outer LAN keeps such a visitor away from the inner machines.
Protecting a high-value machine from the rest of the network:
If others on your network (kids at home or employees at work) pick up a computer virus, it can easily spread to other computers on the same network; a machine on the inner LAN is not reachable from them.
In all three scenarios, creating an inner secure LAN would be a good idea. Remember: just because you are paranoid does not mean they are not after you.
The podcast mentioned above has a good discussion of this topic, as does this article at Gibson’s site, NAT Router Security Solutions.