Security gain from NAT
don at calis.blacksun.org
Tue Jun 5 04:51:14 UTC 2007
> A core but often neglected factor in IT security is KIS. NAT,
> particularly in the form of PAT, is an order of magnitude simpler to
> administer than a stateful firewall with one-to-one address mappings.
Why would a stateful firewall have one-to-one address mappings? I'm not
even sure what you mean by this. Are you referring to static NAT with SI?
Are you suggesting that someone would enter a rule for every individual
host on the network rather than simply have one rule that says the entire
subnet can get out but nothing can come in?
PAT is not simple- it's the antithesis of KIS. It means added code in your
apps and firewall. It means it takes longer to troubleshoot problems. It
means thinking about firewall rules AND the NAT that accompanies them.
A SI firewall ruleset equivalent to PAT is a single rule on a CheckPoint
firewall (as an example):
Src: Internal - Dst: Any - Action: Allow
> Given the degree to which complexity negatively correlates with
This is exactly why NAT is bad, not why it's good.
> Any security auditor will tell you that, in the real world, stateful
> one-to-one firewalls are rarely as secure as NAT gateways for the
> simple reason that the non-NAT firewalls have more rules.
As a former security auditor I will tell you that you are wrong.
I've done security audits for years, been certified by the NSA to perform
IAM audits, worked extensively with a variety of firewalls and intrusion
detection systems, and I co-moderate a firewall mailing list. I think I
can safely state that NAT adds complexity to a firewall rule set, it does
not remove it.
A CheckPoint without NAT has N rules. A CheckPoint with NAT has N rules +
M NAT rules where M is the number of NAT'd hosts. If you are doing port
address translation rather than simpler static NAT then M is the number of
NAT'd services as opposed to the number of NAT'd hosts. Either way it is
definitely more complex. This is true of CheckPoint, ipfw and a myriad of
other firewalls. (Sorry for all the CheckPoint examples- I just happened
to have a client's CheckPoint ruleset open while responding).
> This debate mirrors one that took place in a large university where I
> worked several years ago. The network admins made passionate
> arguments against NAT but did little to firewall vulnerable
So because these network engineers were exceedingly lazy and/or sloppy
then NAT is somehow better?
Even supposing you could always enter PAT rules as simple firewall rules-
how are 20 PAT statements smaller and/or simpler than 20 SI statements?
> The risk was obvious but so was the underlying
> motivation. They were simply protecting their turf. In this case
> multiple class-B allocations, awarded decades ago, before NAT and PAT
> became affordable technologies.
How was this "protecting" their class-B? More than likely it was awarded
before ARIN and there is no RSA agreement that would allow anyone to
reclaim the addresses.
> I don't know
> all of the reasons but, having managed thousands of clients behind NAT
> and unNATted gateways I'll take NAT any day.
Ever try to set up a VPN between two offices using the same address space?
I'll stick with no NAT any day.
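An added example, not part of the thread or of any firewall vendor's tooling: a small Python model of the bookkeeping the post describes, namely a stateful filter ruleset plus the NAT table that has to be kept in step with it. The rule and mapping formats, the function names (`nat_lint`, `rule_count`, `vpn_overlap`) and all addresses are constructed for illustration. It counts rules the way the post does (N filter rules plus M NAT entries, M being hosts for static NAT and services for PAT), cross-checks each NAT entry against the filter rules in both directions, and checks whether two sites' address space overlaps, which is the site-to-site VPN problem raised at the end.

```python
"""Constructed model of a stateful ruleset and its NAT table (assumed format)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FilterRule:
    src: str                     # CIDR network or "any"
    dst: str                     # CIDR network or "any"
    action: str                  # "allow" or "deny"
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class NatMapping:
    inside: str                  # real (private) host address
    outside: str                 # public address it is translated to
    port: Optional[int] = None   # None = static 1:1 NAT, else PAT on this port


def _net(s: str):
    """Parse a CIDR string; 'any' becomes None (matches everything)."""
    return None if s == "any" else ipaddress.ip_network(s, strict=False)


def rule_count(filter_rules: List[FilterRule], nat_mappings: List[NatMapping]) -> int:
    """N filter rules + M NAT entries, as counted in the post."""
    return len(filter_rules) + len(nat_mappings)


def nat_lint(filter_rules, nat_mappings, internal: str) -> List[str]:
    """Cross-check the NAT table against the filter rules.

    Findings: a mapped host that is not inside the internal network, a NAT
    entry with no inbound allow rule for its real address (translated, then
    dropped), and an inbound allow rule to an internal host that no NAT entry
    publishes (permitted, but unreachable from outside).
    """
    internal_net = ipaddress.ip_network(internal)
    findings = []
    for m in nat_mappings:
        ip = ipaddress.ip_address(m.inside)
        if ip not in internal_net:
            findings.append(f"{m.inside}: mapped but not inside {internal}")
            continue
        inbound_ok = False
        for r in filter_rules:
            d = _net(r.dst)
            if r.action == "allow" and d is not None and ip in d \
                    and (m.port is None or r.dport in (None, m.port)):
                inbound_ok = True
                break
        if not inbound_ok:
            what = f"port {m.port}" if m.port is not None else "1:1"
            findings.append(f"{m.inside} {what}: NAT entry has no matching inbound allow rule")
    for r in filter_rules:
        d = _net(r.dst)
        if r.action != "allow" or d is None or d.num_addresses != 1 \
                or not d.subnet_of(internal_net):
            continue
        host = str(d.network_address)
        published = any(m.inside == host and (r.dport is None or m.port in (None, r.dport))
                        for m in nat_mappings)
        if not published:
            port = f"port {r.dport}" if r.dport is not None else "all ports"
            findings.append(f"{host} {port}: allowed inbound but no NAT entry publishes it")
    return findings


def vpn_overlap(site_a: str, site_b: str) -> bool:
    """True when two sites share address space, so a site-to-site VPN would
    need a second layer of NAT before traffic can be routed between them."""
    return ipaddress.ip_network(site_a).overlaps(ipaddress.ip_network(site_b))


# Constructed sample ruleset: one outbound rule plus two published services.
INTERNAL = "10.1.0.0/24"
FILTER = [
    FilterRule("10.1.0.0/24", "any", "allow"),          # the single outbound SI rule
    FilterRule("any", "10.1.0.10/32", "allow", 443),    # published web server
    FilterRule("any", "10.1.0.20/32", "allow", 22),     # allowed, but never NATted
]
NAT = [
    NatMapping("10.1.0.10", "198.51.100.10", 443),      # PAT: https, matches a rule
    NatMapping("10.1.0.10", "198.51.100.10", 25),       # PAT: smtp, no filter rule
    NatMapping("10.1.0.99", "198.51.100.11"),           # static 1:1, no inbound rule
    NatMapping("192.168.5.5", "198.51.100.12"),         # host outside the internal net
]

if __name__ == "__main__":
    print("rules to maintain:", rule_count(FILTER, NAT))
    for finding in nat_lint(FILTER, NAT, INTERNAL):
        print("finding:", finding)
    print("VPN overlap 10.1.0.0/24 vs 10.1.0.0/24:", vpn_overlap("10.1.0.0/24", "10.1.0.0/24"))
```

Removing the NAT table from the sample leaves the filter rules alone to review, which is the comparison the post makes; with it in place, every published service is a pair of entries that must agree, and the lint shows the three ways they drift apart.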