Security gain from NAT

Mon Jun 4 19:04:23 UTC 2007

Jim Shankland wrote:
> Owen DeLong <owen at delong.com> writes:
>   
>> There's no security gain from not having real IPs on machines.
>> Any belief that there is results from a lack of understanding.
>>     
>
> This is one of those assertions that gets repeated so often people
> are liable to start believing it's true :-).
>
> *No* security gain?  No protection against port scans from Bucharest?
> No protection for a machine that is used in practice only on the
> local, office LAN?  Or to access a single, corporate Web site?
>
> Shall I do the experiment again where I set up a Linux box
> at an RFC1918 address, behind a NAT device, publish the root
> password of the Linux box and its RFC1918 address, and invite
> all comers to prove me wrong by showing evidence that they've
> successfully logged into the Linux box?  When I last did this,
> I got a handful of emails, some quite snide, suggesting I was
> some combination of ignorant, stupid, and reckless; the Linux
> box for some reason remained unmolested.
>
> Jim Shankland
>   

Not so. NATing source addresses from multiple source hosts towards the 
Internet anonymises the source machines so they can not be 'looked at' 
individually.

Additionally, NATing services on separate machines behind a single NATed 
address anonymises the services behind a single address.

Also, it is good to control the Internet addressable devices on your 
network by putting them behind a NAT device. That way you have less 
devices to concern yourself about that are directly addressable when 
they most likely need not be. You can argue that you can do the same 
with a firewall and a default deny policy but it's a hell of a lot 
easier to sneak packets past a firewall when you have a directly 
addressable target behind it than when it's all anonymous because it's 
NATed and the real boxes are on RFC1918.

So really, those who do not think there is a security gain from NATing 
don't see the big picture.

--
Leigh Porter