Security gain from NAT (was: Re: Cool IPv6 Stuff)
Daniel Senie
dts at senie.com
Mon Jun 4 20:53:18 UTC 2007
At 03:20 PM 6/4/2007, Jim Shankland wrote:
>Valdis.Kletnieks at vt.edu writes:
>
> > On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > > *No* security gain? No protection against port scans from Bucharest?
> > > No protection for a machine that is used in practice only on the
> > > local, office LAN? Or to access a single, corporate Web site?
> >
> > Nope. Zip. Zero. Ziltch. Nothing over and above what a good properly
> > configured stateful *non*-NAT firewall should be doing for you already.
>
>Thanks for the clarification, Owen and Valdis. We are, of course,
>100% in agreement that it is stateful inspection that provides
>(a measure of) security, and that stateful inspection can be had
>without NAT.
>
>But NAT *requires* stateful inspection; and the many-to-one, port
>translating NAT in common use all but requires affirmative steps
>to be taken to relay inbound connections to a designated, internal
>host -- the default ends up being to drop them. All this can be
>done without NAT, but with NAT you get it "for free".
NAPT (terminology from RFC 2663, a product of the IETF NAT Working
Group) is what you refer to here. This is the most commonly deployed
type of NAT, but far from the only. Cisco calls this PAT, for those
who like keeping track of the acronyms. (The NAT WG in the IETF put
together that RFC specifically because there were so many things
being called "NAT").
Many stateful inspection firewall implementations do their work and
optionally do the address translation as part of the same processing.
Certainly this is very efficient, since the lookups have already been done.
For end user sites with client machines, NAT boxes do indeed provide
the stateful inspection users really should have, and do so at many
price points, from the dirt cheap to the feature rich. Some provide
for multiple upstreams, load balancing or failing over when upstreams
get congested, providing many of the benefits of multihoming, without
the overhead. Obviously this is all best used for end users with
client machines.
>I can't pass over Valdis's statement that a "good properly configured
>stateful firewall should be doing [this] already" without noting
>that on today's Internet, the gap between "should" and "is" is
>often large.
Depends greatly on the vendor. Appliance firewalls will generally
provide the same default configuration out of the box, whether NAT is
used or not. That's not to say the default configuration is
sufficient for operations, but they'll do the basics just as well
whether NAT is on or off.
More information about the NANOG
mailing list