Can NAT provide some kind of protection?

George Bonser gbonser at seven.com
Wed Jan 12 16:17:26 UTC 2011


> 
> Is it true that NAT can provide more security?
> 
> Thanks,
> 
> Tarig Yassin Ahmed
> 

You are going to get different answers from different people.  In and of
itself it doesn't provide security but it does place one more layer of
difficulty in getting at your internal machines.  On the other hand, NAT
makes many things a lot more difficult than they need to be in many
cases and outright breaks some protocols (SCTP, for example).

On one hand, yes, it can make direct addressing of your servers more
difficult but doesn't guarantee anything.  RFC1918 routes should not be
routed over the internet but sometimes people "leak" them and sometimes
people accept such leaked routes.  So there is the possibility that
someone could "see" a route to your RFC1918 space.  But on the other
hand, even if you did "leak" the route, the odds of someone being able
to reliably connect to your network are pretty low because if they are
accepting such leaked routes from you, they might be accepting them from
others, too.  And your upstream's peers are probably filtering RFC1918
space and most likely route traffic destined to RFC1918 space they
aren't using to a black hole.

But your security person needs to shift their thinking because the
purpose of NAT and private addressing is to conserve IP addresses, not to
provide security.  With IPv6, the concept of NAT goes away.  Your servers
will need public IP addresses if they are going to transact information
across the Internet.  So the "security" concerns of public IP space are
moot when it comes to IPv6.
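The two defensive behaviours the reply describes (a peer dropping leaked RFC1918 announcements, and a router black-holing traffic for RFC1918 space it does not use itself) can be shown as a small route-filter simulation. This is an added example and not code from the post or from NANOG; the announcement list, the local prefix list and the function names are constructed for illustration. It uses only the standard-library `ipaddress` module.

```python
import ipaddress

# The three RFC1918 private blocks the reply refers to.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_leaked_rfc1918(net):
    """True if an IPv4 announcement lands inside, or covers, RFC1918 space.

    overlaps() catches both a leaked more-specific (10.20.0.0/16) and a
    covering aggregate (10.0.0.0/7).  A default route (prefix length 0)
    overlaps everything, so it is deliberately left to operator policy.
    IPv6 is out of scope for an RFC1918 filter.
    """
    if net.version != 4 or net.prefixlen == 0:
        return False
    return any(net.overlaps(block) for block in RFC1918)


def filter_announcements(announcements):
    """Split received prefixes into (accepted, rejected) like a peer's inbound filter.

    rejected is a list of (prefix, reason) tuples so the decision is auditable.
    """
    accepted, rejected = [], []
    for prefix in announcements:
        try:
            # strict=False tolerates host bits in a sloppy announcement.
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            rejected.append((prefix, "malformed"))
            continue
        if is_leaked_rfc1918(net):
            rejected.append((prefix, "rfc1918"))
        else:
            accepted.append(prefix)
    return accepted, rejected


def next_hop_for(dst_ip, local_private_prefixes):
    """Model the black-hole behaviour: RFC1918 destinations that are not in
    our own private ranges are dropped instead of forwarded."""
    ip = ipaddress.ip_address(dst_ip)
    if ip.version != 4:
        return "forward"
    if any(ip in ipaddress.ip_network(p) for p in local_private_prefixes):
        return "forward"          # our own private space, route it internally
    if any(ip in block for block in RFC1918):
        return "blackhole"        # someone else's leaked private space
    return "forward"


# Constructed sample announcements (documentation ranges plus deliberate leaks).
SAMPLE_ANNOUNCEMENTS = [
    "203.0.113.0/24",   # ordinary public prefix
    "10.20.0.0/16",     # leaked RFC1918 more-specific
    "172.16.5.0/24",    # leaked RFC1918
    "172.32.0.0/16",    # just outside 172.16/12, must be accepted
    "192.168.0.0/16",   # leaked RFC1918
    "10.0.0.0/7",       # aggregate covering all of 10/8
    "0.0.0.0/0",        # default route, left to policy
    "2001:db8::/32",    # IPv6, not an RFC1918 concern
    "not-a-prefix",     # garbage
]

# Constructed local private space the black-hole check should keep forwarding.
LOCAL_PRIVATE = ["10.20.0.0/16"]

if __name__ == "__main__":
    ok, bad = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    print("accepted:", ok)
    print("rejected:", bad)
    for dst in ("10.20.1.5", "192.168.7.7", "203.0.113.9"):
        print(dst, "->", next_hop_for(dst, LOCAL_PRIVATE))
```

Running it shows the 172.32.0.0/16 edge case being accepted while the 172.16/12 leak is dropped, and a destination in someone else's 192.168/16 going to the black hole while our own 10.20/16 is still forwarded.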
