Is NAT can provide some kind of protection?
khelms at ispalliance.net
Wed Jan 12 14:13:43 CST 2011
Few home users have a stateful firewall configured and AFAIK none of the
consumer models come with a good default set of rules much less a drop
all unknown. For end users NAT is and will likely to continue to be the
most significant and effective front line security they have. Home
router manufacturers have very limited budgets for training or support
for home end users so the approach is likely to remain the least
expensive thing that produces the fewest inbound support calls. If the
question is whether NAT was designed to be a security level then I agree
your stance and I'd also agree that correctly configured firewalls do a
better job at security. Where I disagree is your position that there is
no extra security inherent in the default NAT behavior. Until someone
makes an effort to create either a DMZ entry or starts doing port
forwarding all (AFAIK) of the common routers will drop packets that they
don't know where to forward them.
Is this a tenuous and accidental security level based on current
defaults in cheap gear? Of course, but given how normal users behave
until routers can automagically configure firewall settings in a safe
(i.e. not UPNP) manner I don't see things changing.
On 1/12/2011 2:57 PM, Owen DeLong wrote:
> On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong<owen at delong.com> wrote:
>>> No, NAT doesn't provide additional security. The stateful inspection that
>>> NAT cannot operate without provides the security. Take away the
>>> address mangling and the stateful inspection still provides the same
>>> level of security.
>> There is a least one situation where NAT *does* provide a small amount of
>> necessary security.
>> Try this at home, with/without NAT:
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>> Without NAT, you're unpatched PC will get infected in less than 1 minute.
> Repeat the experiment with stateful firewall with default inbound deny and no NAT.
> Yep... Same results as NAT.
> NAT != security. Stateful inspection = some security.
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
Looking for hand-selected news, views and
tips for independent broadband providers?
Follow us on Twitter! http://twitter.com/ZCorum
More information about the NANOG