Security gain from NAT (was: Re: Cool IPv6 Stuff)

Kradorex Xeron admin at digibase.ca
Wed Jun 6 03:52:11 UTC 2007


On Monday 04 June 2007 18:06, Owen DeLong wrote:
> On Jun 4, 2007, at 1:41 PM, David Schwartz wrote:
> >> On Jun 4, 2007, at 11:32 AM, Jim Shankland wrote:
> >>> Owen DeLong <owen at delong.com> writes:
> >>>> There's no security gain from not having real IPs on machines.
> >>>> Any belief that there is results from a lack of understanding.
> >>>
> >>> This is one of those assertions that gets repeated so often people
> >>> are liable to start believing it's true :-).
> >>
> >> Maybe because it _IS_ true.
> >>
> >>> *No* security gain?  No protection against port scans from
> >>> Bucharest?
> >>> No protection for a machine that is used in practice only on the
> >>> local, office LAN?  Or to access a single, corporate Web site?
> >>
> >> Correct.  There's nothing you get from NAT in that respect that
> >> you do
> >> not get from good stateful inspection firewalls.  NONE whatsoever.
> >
> > Sorry, Owen, but your argument is ridiculous. The original
> > statement was
> > "[t]here's no security gain from not having real IPs on machines". If
> > someone said, "there's no security gain from locking your doors",
> > would you
> > refute it by arguing that there's no security gain from locking
> > your doors
> > that you don't get from posting armed guards round the clock?
>
> Except that's not the argument.  The argument would map better to:
>
> There's no security gain from having a screen door in front of your
> door with a lock and dead-bolt on it that you don't get from a door
> with a lock and dead-bolt on it.
>
> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security.  NAT/PAT is a screen door.
> Not having public addresses is a screen door.  A stateful inspection
> firewall is a lock and deadbolt.
>
> Owen

To add to that:

Need I remind those of us who see NAT as some sort of firewall?:
NAT is Network Address Translation, and is designed to be for only providing a 
source of private IP addressing. It wasn't designed to be a "protection" - 
it's just a side effect that it offers any protection at all.

People may get lucky because their NAT may check from which interface traffic 
comes in on (which is a form of inspection, thus indicates a presence of a 
firewall). But without any sort of packet inspection, someone could trick 
your NAT into thinking a connection was open when it was not, thus opening a 
connection to a system on your NAT (that is probably unfirewalled in itself). 
Or another example: a third party finds out a system on your NAT has a 
connection open to a host on the internet, so the third party wedges their 
own forged packets into the connection, and a NAT without inspection will 
just forward it to the internal host without batting an eye.
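The contrast the post draws, as an added example that is not part of the original message: a toy port-translating NAT that forwards anything hitting a mapping, beside the same translator with connection tracking (peer check, no inbound SYN, sequence number in window) standing in for the "inspection" a stateful firewall adds. All addresses, ports and sequence numbers are constructed; the window size and the simplified state checks are assumptions for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport seq ack syn", defaults=(False,))
WINDOW = 65535  # assumed receive window for the in-window check (constructed value)

class TranslatingNat:
    """Plain NAPT: maps (inner_ip, inner_port) to a public port and forwards any
    inbound packet that hits a mapping, with no notion of connection state."""
    def __init__(self, public_ip="198.51.100.1"):
        self.public_ip, self.next_port = public_ip, 40000
        self.by_inner = {}   # (inner_ip, inner_port) -> public_port
        self.by_public = {}  # public_port -> per-flow record

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.by_inner:
            self.by_inner[key] = self.next_port
            self.by_public[self.next_port] = {"inner": key}
            self.next_port += 1
        port = self.by_inner[key]
        rec = self.by_public[port]
        rec["remote"], rec["expect"] = (pkt.dst, pkt.dport), pkt.ack  # peer, next seq expected
        return Pkt(self.public_ip, port, pkt.dst, pkt.dport, pkt.seq, pkt.ack, pkt.syn)

    def admit(self, pkt, rec):
        return True  # translation alone: anything hitting a mapping goes through

    def inbound(self, pkt):
        rec = self.by_public.get(pkt.dport)
        if rec is None or not self.admit(pkt, rec):
            return None  # dropped
        return Pkt(pkt.src, pkt.sport, *rec["inner"], pkt.seq, pkt.ack, pkt.syn)

class StatefulNat(TranslatingNat):
    """Same translation plus the inspection the post says NAT by itself lacks."""
    def admit(self, pkt, rec):
        if (pkt.src, pkt.sport) != rec["remote"] or pkt.syn:
            return False  # unknown peer, or an inbound connection attempt
        return rec["expect"] <= pkt.seq < rec["expect"] + WINDOW  # in-window only

def demo(nat):
    """Constructed flow: 10.0.0.5 talks to 203.0.113.9:443, then three packets arrive."""
    nat.outbound(Pkt("10.0.0.5", 51000, "203.0.113.9", 443, seq=1000, ack=5000))
    pub = nat.public_ip
    cases = {
        "legit": Pkt("203.0.113.9", 443, pub, 40000, seq=5000, ack=1001),     # genuine reply
        "unsolicited": Pkt("192.0.2.77", 9999, pub, 40000, seq=1, ack=1),     # stranger hits the mapping
        "forged": Pkt("203.0.113.9", 443, pub, 40000, seq=999999, ack=1001),  # peer spoofed, seq out of window
    }
    return {name: nat.inbound(p) is not None for name, p in cases.items()}
```

`demo(TranslatingNat())` forwards all three packets to the inner host, while `demo(StatefulNat())` forwards only the genuine reply.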


