Is NAT can provide some kind of protection?

Jeff Kell jeff-kell at utc.edu
Wed Jan 12 14:58:56 CST 2011


On 1/12/2011 2:57 PM, Owen DeLong wrote:
>> Try this at home, with/without NAT:
>>
>> 1. Buy a new PC with Windows installed
>> 2. Install all security patches needed since the OS was installed
>>
>> Without NAT, you're unpatched PC will get infected in less than 1 minute.
> Wrong.
> Repeat the experiment with stateful firewall with default inbound deny and no NAT.
> Yep... Same results as NAT.

Now let that laptop (or another one on the home subnet) show up with
Bridging or Internet Connection Sharing enabled with wired/wireless
connections and see what you get.  Still maybe OK if it's the "host"
firewall, and it's turned on, and it's not domain-joined with the local
subnet allowed, etc., but that was post-SP2 and assumes some malware [or
the  user] hasn't turned it off.

NAT+RFC1918 = no accidental leakage/bridging (yes, they could spoof
RFC1918 destinations, assuming they get routed all the way to the
endpoint... but that's a bigger "if" than a public address)

"Perfect stateful firewall with perfect default inbound deny and no
other variables thrown in the mix" and yes, but it's breakable in
contrast to the NAT+RFC1918 case.

There is something to be said for "unreachable" (i.e., "not in your
forwarding table") -- else the VPN / VRF / MPLS / etc folks wouldn't
have a leg to stand on :-)

With that said, this isn't a one-size-fits-all, everybody's perfect
solution.  We've covered the gamut from home CPE to server farms here,
with the original question being about a DMZ case.  They are however
legitimate security layers applied to certain cloves of this particular
bulb of garlic (a more appropriate model than the homogeneous "onion")  :-)

Jeff




More information about the NANOG mailing list