Security gain from NAT (was: Re: Cool IPv6 Stuff)

David Schwartz davids at webmaster.com
Tue Jun 5 17:26:20 UTC 2007


> Again, whether the lock/deadbolt come as a package deal with the screen
> door or not, it is the lock/deadbolt that provide the security, not
> the screen door.

Wow, I don't know what to say. I've never heard of a screen door that came
with, and could not work without, a lock and deadbolt. It's totally obvious
that you had no intention of implying that typical NAT implementations
didn't provide any security.

And, by the way, in all of my real examples, it was the actual NAT that
provided the security. The Windows machines are behind a device that has but
one rule configured in it, and it's a NAT rule. The NAT rule is the only
thing that causes the machine to do any stateful inspection at all. That is,
one single element provides the NAT and the SI, SI is the means by which the
NAT is implemented, and SI is the only way to provide NAT.

The device is *NOT* configured to reject inbound by default. Other machines
on other parts of my private network *can* reach it through its NAT on its
private addresses. Our wireless network, for example, has its own NAT to
reach the Internet and its own block of private addresses, but can reach the
wired Windows boxes on their private addresses.

Yet you *STILL* can't log into my Linux box even with the root password. You
still can't access my Windows network shares even with the administrator
password. If it was on a public IP address, all other things being the same,
it would take you ten seconds to get into it.

These machines have never been compromised. All other things being precisely
the same, without the private addresses, they would never have lasted.

It is simply a fact that private addresses and NAT itself do provide some
security. You can get this same security without the private addresses and
without the NAT, but that changes nothing.

This is the claim you are defending: "There's no security gain from not
having real IPs on machines. Any belief that there is results from a lack of
understanding." So why can't you break into these machines when the only
thing stopping you is that they don't have real IPs? There is no other
security of any kind in place. There is no "reject inbound by default", no
firewall rules (except NAT itself). The only stateful inspection is used to
make NAT work and is the *implementation* of NAT itself.

All I have is the very thing you claim provides "no security gain". And it's
what's stopping you.

DS
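
The behaviour the message describes, modelled as an added example that is not part of the original post: a router whose only rule is a source-NAT rule, with no filter rules at all. The addresses, port numbers, the class and function names, and the choice to match state on the remote endpoint are all assumptions made for illustration.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"                      # constructed address
WIRED = ipaddress.ip_network("192.168.1.0/24")  # constructed private block


class NatOnlyRouter:
    """A router with a single source-NAT rule and no filter rules."""

    def __init__(self):
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.state = {}
        self.next_port = 40000

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a flow: record state and rewrite the source."""
        pub_port = self.next_port
        self.next_port += 1
        self.state[(pub_port, dst, dport)] = (src, sport)
        return (PUBLIC_IP, pub_port, dst, dport)

    def deliver(self, src, sport, dst, dport):
        """Return the inside (ip, port) that receives this packet, or None."""
        if dst == PUBLIC_IP:
            # Only the state table says which inside host owns a public port.
            # Assumption: entries match on the remote endpoint as well.
            return self.state.get((dport, src, sport))
        if ipaddress.ip_address(dst) in WIRED:
            # No default-deny: a packet that already carries a private
            # destination is simply routed. Only neighbouring private networks
            # can send one; the Internet does not route RFC 1918 destinations.
            return (dst, dport)
        return None


def demo():
    r = NatOnlyRouter()
    results = {}
    results["unsolicited_ssh"] = r.deliver("198.51.100.7", 51000, PUBLIC_IP, 22)
    _, pub_port, _, _ = r.outbound("192.168.1.20", 50123, "198.51.100.7", 443)
    results["reply"] = r.deliver("198.51.100.7", 443, PUBLIC_IP, pub_port)
    results["other_remote"] = r.deliver("198.51.100.99", 443, PUBLIC_IP, pub_port)
    results["from_wireless"] = r.deliver("192.168.2.5", 50500, "192.168.1.20", 445)
    return results


if __name__ == "__main__":
    for name, receiver in demo().items():
        print(name, "->", receiver)
```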




