Security gain from NAT

Donald Stahl don at
Tue Jun 5 04:51:14 UTC 2007

> A core but often neglected factor in IT security is KIS.  NAT,
> particularly in the form of PAT, is an order of magnitude simpler to
> administer than a stateful firewall with one-to-one address mappings.
Why would a stateful firewall have one-to-one address mappings? I'm not 
even sure what you mean by this. Are you referring to static NAT with SI? 
Are you suggesting that someone would enter a rule for every individual 
host on the network rather than simply have one rule that says the entire 
subnet can get out but nothing can come in?

PAT is not simple- it's the antithesis of KIS. It means added code in your 
apps and firewall. It means it takes longer to troubleshoot problems. It 
means thinking about firewall rules AND the NAT that accompanies them.

A SI firewall ruleset equivalent to PAT is a single rule on a CheckPoint 
firewall (as an example):

Src: Internal - Dst: Any - Action: Allow


> Given the degree to which complexity negatively correlates with
> security,
This is exactly why NAT is bad, not why it's good.

> Any security auditor will tell you that, in the real world, stateful
> one-to-one firewalls are rarely as secure as NAT gateways for the
> simple reason that the non-NAT firewalls have more rules.
As a former security auditor I will tell you that you are wrong.

I've done security audits for years, been certified by the NSA to perform 
IAM audits, worked extensively with a variety of firewalls and intrusion 
detection systems, and I co-moderate a firewall mailing list. I think I 
can safely state that NAT adds complexity to a firewall rule set, it does 
not remove it.

A CheckPoint without NAT has N rules. A CheckPoint with NAT has N rules + 
M NAT rules where M is the number of NAT'd hosts. If you are doing port 
address translation rather than simpler static NAT then M is the number of 
NAT'd services as opposed to the number of NAT'd hosts. Either way it is 
definitely more complex. This is true of CheckPoint, ipfw and a myriad of 
other firewalls. (Sorry for all the CheckPoint examples- I just happened 
to have a client's CheckPoint ruleset open while responding).

> This debate mirrors one that took place in a large university where I
> worked several years ago.  The network admins made passionate
> arguments against NAT but did little to firewall vulnerable
> departments.
So because these network engineers were exceedingly lazy and/or sloppy 
then NAT is somehow better?

Even supposing you could always enter PAT rules as simple firewall rules- 
how are 20 PAT statements smaller and/or simpler than 20 SI statements?

> The risk was obvious but so was the underlying
> motivation.  They were simply protecting their turf.  In this case
> multiple class-B allocations, awarded decades ago, before NAT and PAT
> became affordable technologies.
How was this "protecting" their class-B? More than likely it was awarded 
before ARIN and there is no RSA agreement that would allow anyone to 
reclaim the addresses.

> I don't know
> all of the reasons but, having managed thousands of clients behind NAT
> and unNATted gateways I'll take NAT any day.
Ever try to set up a VPN between two offices using the same address space?
I'll stick with no NAT any day.
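As an added illustration of the rule-count point above (not code from the post or from any firewall vendor), here is a toy stateful filter carrying only the single "Src: Internal - Dst: Any - Action: Allow" rule, beside a PAT gateway that needs the same connection state plus a translation table and header rewriting. The subnet, the gateway address and the traffic are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")   # assumed internal subnet (constructed)
PUBLIC_IP = "198.51.100.1"             # assumed gateway address (constructed)
Packet = namedtuple("Packet", "src sport dst dport")

class StatefulFilter:
    """One rule, 'Src: Internal - Dst: Any - Action: Allow'; replies pass by state."""
    def __init__(self):
        self.flows = set()  # outbound 4-tuples the firewall has already seen

    def handle(self, pkt):
        if ip_address(pkt.src) in INTERNAL:          # matches the single rule
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW", pkt
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW", pkt                      # reply to an established flow
        return "DROP", pkt                           # unsolicited inbound

class PatGateway:
    """Same state as above, plus a translation table and address/port rewriting."""
    def __init__(self):
        self.out = {}    # (inside ip, inside port, dst, dport) -> public port
        self.back = {}   # (public port, peer ip, peer port) -> (inside ip, inside port)
        self.next_port = 40000

    def handle(self, pkt):
        if ip_address(pkt.src) in INTERNAL:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.out:                  # allocate a public port
                self.out[key] = self.next_port
                self.back[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return "ALLOW", Packet(PUBLIC_IP, self.out[key], pkt.dst, pkt.dport)
        inside = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst == PUBLIC_IP and inside:          # untranslate the reply
            return "ALLOW", Packet(pkt.src, pkt.sport, inside[0], inside[1])
        return "DROP", pkt                           # no mapping: unsolicited inbound

def run(gateway):
    """Constructed traffic: one outbound flow, its reply, and an unsolicited probe."""
    out = Packet("10.0.0.5", 51000, "203.0.113.9", 80)
    _, seen = gateway.handle(out)                    # the packet as the server sees it
    reply = Packet(seen.dst, seen.dport, seen.src, seen.sport)
    probe = Packet("203.0.113.9", 4444, seen.src, 22)
    return seen, gateway.handle(reply), gateway.handle(probe)
```

Both gateways pass the reply and drop the probe; only the PAT gateway has to carry the extra mapping table and rewrite headers on every packet.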


More information about the NANOG mailing list