Is NAT can provide some kind of protection?

Owen DeLong owen at delong.com
Wed Jan 12 14:50:28 CST 2011


On Jan 12, 2011, at 12:13 PM, Scott Helms wrote:

> Few home users have a stateful firewall configured and AFAIK none of the consumer models come with a good default set of rules much less a drop all unknown.  For end users NAT is and will likely to continue to be the most significant and effective front line security they have.  Home router

That's simply not true. Every end user running NAT is running a stateful firewall with a default inbound deny. 

It then takes the extra step of mangling the packet header. This header mangling step is unnecessary in IPv6 and is not part of the
security mechanism.

Unfortunately, because these two features have been bundled for so long in IPv4, many people, apparently yourself included, don't
see that what most people call a "NAT" box is actually a stateful-inspection+NAT box doing both steps.

> manufacturers have very limited budgets for training or support for home end users so the approach is likely to remain the least expensive thing that produces the fewest inbound support calls.  If the question is whether NAT was designed to be a security level then I agree your stance and I'd also agree that correctly configured firewalls do a better job at security.  Where I disagree is your position that there is no extra security inherent in the default NAT behavior.  Until someone makes an effort to create either a DMZ entry or starts doing port forwarding all (AFAIK) of the common routers will drop packets that they don't know where to forward them.
> 
And there's no reason they can't function exactly that way in IPv6 without mangling the packet header.

> Is this a tenuous and accidental security level based on current defaults in cheap gear?  Of course, but given how normal users behave until routers can automagically configure firewall settings in a safe (i.e. not UPNP) manner I don't see things changing.
> 
Actually, even if it's deliberate, the point here is that it's a three-step process:
	1.	State table update/match
	2.	Mangle packet header
	3.	Forward packet

In IPv6, we can discard step 2 without changing the security provided by step 1 and improve the functionality of step 3.

Owen

> On 1/12/2011 2:57 PM, Owen DeLong wrote:
>> On Jan 12, 2011, at 11:21 AM, Paul Ferguson wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>> 
>>> On Wed, Jan 12, 2011 at 11:09 AM, Owen DeLong<owen at delong.com>  wrote:
>>> 
>>>> No, NAT doesn't provide additional security. The stateful inspection that
>>>> NAT cannot operate without provides the security. Take away the
>>>> address mangling and the stateful inspection still provides the same
>>>> level of security.
>>>> 
>>> There is a least one situation where NAT *does* provide a small amount of
>>> necessary security.
>>> 
>>> Try this at home, with/without NAT:
>>> 
>>> 1. Buy a new PC with Windows installed
>>> 2. Install all security patches needed since the OS was installed
>>> 
>>> Without NAT, you're unpatched PC will get infected in less than 1 minute.
>>> 
>> Wrong.
>> 
>> Repeat the experiment with stateful firewall with default inbound deny and no NAT.
>> 
>> Yep... Same results as NAT.
>> 
>> NAT != security. Stateful inspection = some security.
>> 
>> Next!!
>> 
>> Owen
>> 
>> 
>> 
> 
> 
> -- 
> Scott Helms
> Vice President of Technology
> ISP Alliance, Inc. DBA ZCorum
> (678) 507-5000
> --------------------------------
> Looking for hand-selected news, views and
> tips for independent broadband providers?
> 
> Follow us on Twitter! http://twitter.com/ZCorum
> --------------------------------
> 





More information about the NANOG mailing list