Security gain from NAT

Fred Baker fred at cisco.com
Tue Jun 5 03:05:37 UTC 2007


On Jun 4, 2007, at 12:22 PM, Dave Israel wrote:
> Valdis.Kletnieks at vt.edu wrote:
>> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
>>> *No* security gain?  No protection against port scans from
>>> Bucharest?
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN?  Or to access a single, corporate Web site?
>> Nope. Zip. Zero. Zilch.  Nothing over and above what a good properly
>> configured stateful *non*-NAT firewall should be doing for you
>> already.
>
> What the firewall *should* be doing?  The end devices *should* not
> need protection in the first place, because they *should* be secure
> as individual devices.  But they are not.  So you put a firewall in
> front of them, and that device *should* give them all the
> protection they need.  But sometimes, it doesn't.  So you make end
> devices unaddressable by normal means, and while it shouldn't give
> them more security, it turns out it does.  No matter how much it
> shouldn't, and how much we wish it didn't, it does.
>
> The difference between theory and practice is that in theory, there  
> is no difference, but in practice, there is.

Actually, I would disagree.

A large percentage of attacks, 80% by some estimates, are from behind  
the firewall. I will argue that the end system needs its own defenses  
anyway for that reason if none other.

That said, the end system is not the only thing one defends. One has
an investment in bandwidth and in various other services that one
provides for oneself; the firewall primarily defends those assets,
and incidentally gives a first line of defense for your end systems.

Defense in depth is also a very commonly used strategy; by limiting
the attacks that can happen in defended places, one can focus more
heavily on attacks that remain possible.

I compare it to the human body's defenses. We have all sorts of
things that we use to defend against disease, etc.: cells that attack
specific things, cells that attack things that differ from what is
expected, sentinels, and all sorts of other things. We also have at
least two firewalls. The skin keeps an awful lot of crud out, meaning
we don't have to bring in the big guns, and between the brain and the
rest of the body we have a second firewall.

NATs are overrated as firewalls. As defenses, they are breached with
some regularity. Stateful firewalls are better, if only because they
are more intelligent. And firewalls as a class are overrated as a
defense mechanism. There is a long list of attacks that cross them
with ease. But as one weapon in the arsenal, they are a simple
prophylactic that helps in a material way.
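The point Valdis and Fred make, that the "unsolicited inbound traffic is dropped" behaviour people credit to NAT is really the connection-tracking state a stateful firewall keeps with or without translation, can be shown with a toy model. This is an added example, not code from the thread; the class, the addresses and the probe packet are all constructed for illustration.

```python
# Added example, not from the thread: a toy connection-tracking filter run
# with and without source NAT. Both variants drop an inbound probe to a port
# no inside host opened and pass a reply to a flow an inside host started,
# so the protective property is the state table, not the address rewrite.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

class StatefulFilter:
    def __init__(self, inside_prefix, nat_ip=None):
        self.inside_prefix = inside_prefix
        self.nat_ip = nat_ip        # None -> plain stateful filter, no NAT
        self.flows = set()          # expected reply tuples as seen on the outside
        self.nat_map = {}           # (nat_ip, nat_port) -> (inside_ip, inside_port)
        self.next_port = 40000      # constructed translated-port allocator

    def outbound(self, p):
        """Inside -> outside: record the flow, rewrite the source if translating."""
        if not p.src.startswith(self.inside_prefix):
            return None
        src, sport = p.src, p.sport
        if self.nat_ip:
            src, sport = self.nat_ip, self.next_port
            self.next_port += 1
            self.nat_map[(src, sport)] = (p.src, p.sport)
        self.flows.add((p.dst, p.dport, src, sport))
        return Pkt(src, sport, p.dst, p.dport)

    def inbound(self, p):
        """Outside -> inside: pass only packets matching a recorded flow."""
        if (p.src, p.sport, p.dst, p.dport) not in self.flows:
            return None             # unsolicited: dropped with or without NAT
        if self.nat_ip:
            iip, iport = self.nat_map[(p.dst, p.dport)]
            return Pkt(p.src, p.sport, iip, iport)
        return p

def compare():
    """Run a legitimate reply and a constructed probe through both variants.
    Returns {variant: (reply_reached_inside_host, probe_was_dropped)}."""
    results = {}
    for name, fw in (("nat", StatefulFilter("10.0.0.", nat_ip="203.0.113.1")),
                     ("no_nat", StatefulFilter("10.0.0.", nat_ip=None))):
        out = fw.outbound(Pkt("10.0.0.5", 51000, "198.51.100.7", 443))
        reply = fw.inbound(Pkt("198.51.100.7", 443, out.src, out.sport))
        probe = fw.inbound(Pkt("192.0.2.9", 5555, out.src, 22))  # constructed probe
        results[name] = (reply is not None and reply.dst == "10.0.0.5", probe is None)
    return results
```

Running `compare()` gives `(True, True)` for both variants: the model makes no claim about the other failure modes of real NATs and firewalls that Fred mentions, only that the inbound-drop property does not depend on translation.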