Security gain from NAT

Jason Lewis jlewis at
Tue Jun 5 01:07:38 UTC 2007

I figured SMB would chime in...but his research says it's not so anonymous.


Colm MacCarthaigh wrote:
> On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote:
>>> *No* security gain?  No protection against port scans from Bucharest?
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN?  Or to access a single, corporate Web site?
>> Correct.  There's nothing you get from NAT in that respect that you do
>> not get from good stateful inspection firewalls.  NONE whatsoever.
> Arguably the instant hit of IP source anonymity you get with NAT is a
> security benefit (from the point of view of the user). Of course these
> days there are all sorts of fragment and timing analyses that will allow you
> to determine origin commonality behind NAT, but it's nowhere near as
> convenient as a public IP address.
> A non-NAT stateful firewall can't simulate that, you need high-rotation
> dhcp or similar to get close. Although IPv6 privacy addresses rock :-)
> The argument can go either way, you can spin it as a benefit for the
> network operator ("wow, user activity and problems are now more readily
> identifiable and trackable") or you can see it as an organisational
> privacy issue ("crap, now macrumors can tell that the CEO follows them
> obsessively"). 
> NAT is still evil though, the problems it causes operationally are
> just plain not worth it.

More information about the NANOG mailing list