
Are enterprise devices vulnerable to NAT-PMP security threats?

Network Address Translation - Port Mapping Protocol implementations may cause vulnerabilities on networking devices. Expert Kevin Beaver offers pointers for testing and mitigating such risks.

What is the issue with Network Address Translation - Port Mapping Protocol (NAT-PMP) implementations that are causing device vulnerabilities? How can we test to see if devices on our network are vulnerable and, if we find some, how can they be fixed?

The vulnerabilities in these Internet-connected devices, primarily SOHO-class routers and networking products, are no doubt a serious concern for small and large businesses alike; small businesses because such systems are typically implemented without an inkling of thought put into the security ramifications, and large businesses because of the mobile workforce that is no doubt utilizing such devices, which, in turn, can introduce risks into the enterprise network environment.

The NAT-PMP security vulnerability is one that organizations small and large need to be testing for where possible and including in their security standards and policies. That said, it's one thing to create standards and policies; however, for larger organizations, it can be next to impossible to "test" the security of each device that employees may be using from home and other remote facilities.

It would be wise to step back and look at these NAT-PMP security vulnerabilities and their potential to create business risk, and determine what the best approach might be for your organization. It could be as simple as educating users or as complex as setting up a vulnerability testing system whereby your users go to a website you have configured to work in conjunction with a tool such as Rapid7's Nexpose or GFI Software's LanGuard to test to see if their devices are vulnerable.

If anything, this underscores the need for layered network security and defense, including inspection of remote network traffic, strong authentication including NAC-type capabilities, as well as data loss prevention and related endpoint security controls.


This was last published in May 2015
