Security gain from NAT (was: Re: Cool IPv6 Stuff)

Daniel Senie dts at
Mon Jun 4 20:53:18 UTC 2007

At 03:20 PM 6/4/2007, Jim Shankland wrote:

>Valdis.Kletnieks at writes:
> > On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > > *No* security gain?  No protection against port scans from Bucharest?
> > > No protection for a machine that is used in practice only on the
> > > local, office LAN?  Or to access a single, corporate Web site?
> >
> > Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
> > configured stateful *non*-NAT firewall should be doing for you already.
>Thanks for the clarification, Owen and Valdis.  We are, of course,
>100% in agreement that it is stateful inspection that provides
>(a measure of) security, and that stateful inspection can be had
>without NAT.
>But NAT *requires* stateful inspection; and the many-to-one, port
>translating NAT in common use all but requires affirmative steps
>to be taken to relay inbound connections to a designated, internal
>host -- the default ends up being to drop them.  All this can be
>done without NAT, but with NAT you get it "for free".

NAPT (terminology from RFC 2663, a product of the IETF NAT Working 
Group) is what you refer to here. This is the most commonly deployed 
type of NAT, but far from the only. Cisco calls this PAT, for those 
who like keeping track of the acronyms. (The NAT WG in the IETF put 
together that RFC specifically because there were so many things 
being called "NAT").

Many stateful inspection firewall implementations do their work and 
optionally do the address translation as part of the same processing. 
Certainly this is very efficient, since the lookups have already been done.

For end user sites with client machines, NAT boxes do indeed provide 
the stateful inspection users really should have, and do so at many 
price points, from the dirt cheap to the feature rich. Some provide 
for multiple upstreams, load balancing or failing over when upstreams 
get congested, providing many of the benefits of multihoming, without 
the overhead. Obviously this is all best used for end users with 
client machines.

>I can't pass over Valdis's statement that a "good properly configured
>stateful firewall should be doing [this] already" without noting
>that on today's Internet, the gap between "should" and "is" is
>often large.

Depends greatly on the vendor. Appliance firewalls will generally 
provide the same default configuration out of the box, whether NAT is 
used or not. That's not to say the default configuration is 
sufficient for operations, but they'll do the basics just as well 
whether NAT is on or off.

More information about the NANOG mailing list