Is NAT can provide some kind of protection?

Scott Helms khelms at
Wed Jan 12 14:13:43 CST 2011

Few home users have a stateful firewall configured and AFAIK none of the 
consumer models come with a good default set of rules much less a drop 
all unknown.  For end users NAT is and will likely to continue to be the 
most significant and effective front line security they have.  Home 
router manufacturers have very limited budgets for training or support 
for home end users so the approach is likely to remain the least 
expensive thing that produces the fewest inbound support calls.  If the 
question is whether NAT was designed to be a security level then I agree 
your stance and I'd also agree that correctly configured firewalls do a 
better job at security.  Where I disagree is your position that there is 
no extra security inherent in the default NAT behavior.  Until someone 
makes an effort to create either a DMZ entry or starts doing port 
forwarding all (AFAIK) of the common routers will drop packets that they 
don't know where to forward them.

Is this a tenuous and accidental security level based on current 
defaults in cheap gear?  Of course, but given how normal users behave 
until routers can automagically configure firewall settings in a safe 
(i.e. not UPNP) manner I don't see things changing.

On 1/12/2011 2:57 PM, Owen DeLong wrote:
> On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:
>> Hash: SHA1
>> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong<owen at>  wrote:
>>> No, NAT doesn't provide additional security. The stateful inspection that
>>> NAT cannot operate without provides the security. Take away the
>>> address mangling and the stateful inspection still provides the same
>>> level of security.
>> There is a least one situation where NAT *does* provide a small amount of
>> necessary security.
>> Try this at home, with/without NAT:
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>> Without NAT, you're unpatched PC will get infected in less than 1 minute.
> Wrong.
> Repeat the experiment with stateful firewall with default inbound deny and no NAT.
> Yep... Same results as NAT.
> NAT != security. Stateful inspection = some security.
> Next!!
> Owen

Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000
Looking for hand-selected news, views and
tips for independent broadband providers?

Follow us on Twitter!

More information about the NANOG mailing list