Security gain from NAT

Roger Marquis marquis at roble.com
Tue Jun 5 22:18:50 UTC 2007


Donald Stahl wrote:
> Ever try to set up a VPN between two offices using the same
> address space?

Sure, very easily, by using NAT between the subnets.

> NAT is still evil though, the problems it causes operationally
> are just plain not worth it.

Can you clarify this claim?  What about managing NAT is allegedly
difficult?  Are you unable to easily map public addresses with private
addresses on your own networks?

> Stateful inspection provides security benefits.

Neither SI nor NAT provides any security.  It is the rules commonly
implemented on top of them that can provide security.  Please be
consistent in the use of these terms to avoid confusing the issue.

Jeff McAdams wrote:
> But it is correct. Just mangling the addresses in the headers
> doesn't actually stop anything from getting through, it just
> means it gets through mangled. The security comes from SI and
> dropping packets that don't have an active session established
> from inside, or related.

Crux of the thread for sure.  In an academic context NAT only swaps
header addresses, however, in the world of network operators and
end-users all NAT devices do SI and filtering.  It is the filtering,
blocking connections initiated from public addresses, that provides
"NAT security".  That is still "NAT security" if only because it is
characteristic of virtually all NAT devices, and not the default or
even a common configuration of non-NAT network devices and
applications.

Perhaps it is difficult to understand this vernacular "NAT" after
studying Comer, Stevens et al., but when you've run the equivalent of
'sh conn' regularly for several years the narrow, some would say ivory
tower, definition of NAT tends to morph into one based on actual
implementations.

Since this mailing list is by and for network operators as opposed to
academics perhaps we could ask the latter (NANAGs?) to use footnotes(1)
to clarify their meaning?

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
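An added toy model of the distinction this thread turns on (it is not part of the post above): a 1:1 NAT box that only rewrites addresses forwards an unsolicited inbound packet "mangled", while the same box with a stateful "established or related" rule drops it. The addresses are constructed from RFC 5737 documentation ranges.

```python
"""Toy 1:1 NAT box, with and without a stateful filter on top of it."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed: public side of the NAT box
PRIVATE_IP = "10.0.0.5"      # constructed: the inside host it maps to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a connection-initiating segment


class NatBox:
    def __init__(self, stateful: bool):
        self.stateful = stateful
        # Flows first seen leaving the inside: (inside_ip, sport, remote_ip, rport)
        self.sessions = set()

    def outbound(self, pkt: Packet) -> Packet:
        # Inside -> outside: swap the private source for the public address
        # and remember the flow so a reply can be matched to it.
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet):
        # Outside -> inside. The address swap happens in both modes; only the
        # stateful rule decides whether an unsolicited packet is forwarded.
        if pkt.dst != PUBLIC_IP:
            return None
        if self.stateful:
            known = (PRIVATE_IP, pkt.dport, pkt.src, pkt.sport) in self.sessions
            if not known:
                return None  # dropped: no session was initiated from inside
        return Packet(pkt.src, pkt.sport, PRIVATE_IP, pkt.dport, pkt.syn)


def unsolicited_probe(stateful: bool):
    """Inbound SYN to port 22 with no prior outbound flow; returns what is forwarded."""
    box = NatBox(stateful)
    return box.inbound(Packet("198.51.100.7", 40000, PUBLIC_IP, 22, syn=True))


def reply_to_inside_flow(stateful: bool):
    """Reply to a connection the inside host opened; returns what is forwarded."""
    box = NatBox(stateful)
    box.outbound(Packet(PRIVATE_IP, 51000, "198.51.100.7", 80, syn=True))
    return box.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, 51000))
```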
