Security gain from NAT

Roger Marquis marquis at
Tue Jun 5 03:39:43 UTC 2007

Matthew Palmer wrote:
> While "protection from mistakes" is a valid reason, it's a pretty
> weak one.

It is indeed a weak reason but, evidently, much stronger as a straw
man argument.  NAT is A security tool, not THE security tool.

> I would say that those who rely on NAT for security are the ones
> with the narrow world-view.

Depends wholly on the security requirements of the client.  Then
again, I can't say I've ever seen a site that relies on NAT
exclusively.  This is another straw man argument.

A core but often neglected factor in IT security is KIS.  NAT,
particularly in the form of PAT, is an order of magnitude simpler to
administer than a stateful firewall with one-to-one address mappings.
Given the degree to which complexity negatively correlates with
security, for non-server addresses at least, NAT has far and away the
better ROI.

Any security auditor will tell you that, in the real world, stateful
one-to-one firewalls are rarely as secure as NAT gateways for the
simple reason that the non-NAT firewalls have more rules.

This debate mirrors one that took place in a large university where I
worked several years ago.  The network admins made passionate
arguments against NAT but did little to firewall vulnerable
departments.  The risk was obvious but so was the underlying
motivation.  They were simply protecting their turf.  In this case
multiple class-B allocations, awarded decades ago, before NAT and PAT
became affordable technologies.  Perhaps they also did a lot of
peer-to-peer filesharing behind those non-NATed subnets.  I don't know
all of the reasons but, having managed thousands of clients behind NAT
and unNATted gateways I'll take NAT any day.

Roger Marquis
Roble Systems Consulting

More information about the NANOG mailing list