Is NAT can provide some kind of protection?

William Herrin bill at
Wed Jan 12 20:13:50 CST 2011

On Wed, Jan 12, 2011 at 12:16 PM,  <Valdis.Kletnieks at> wrote:
> On Wed, 12 Jan 2011 12:04:01 EST, William Herrin said:
>> In a client (rather than server) scenario, the picture is different.
>> Depending on the specific "NAT" technology in use, the firewall may be
>> incapable of selecting a target for unsolicited communications inbound
>> from the public Internet. In fact, it may be theoretically impossible
>> for it to do so. In those scenarios, the presence of NAT in the
>> equation makes a large class of direct attacks on the interior host
>> impractical, requiring the attacker to fall back on other methods like
>> attempting to breach the firewall itself or indirectly polluting the
>> responses to communication initiated by the internal host.
> Note that the presence of a firewall with a 'default deny' rule for inbound
> packets provides the same level of impracticality.

Hi Valdis,

There's actually a large difference between something that's
impossible for a technology to do (even in theory), something that the
technology has been programmed not to do and something that a
technology is by default configured not to do.

The hacker can't make the equipment do something impossible. He can
only go around it, try a different attack vector. To push through
something the technology has been programmed not to do, he needs to
identify a suitable bug: hard but not quite impractical. As for
default configurations... human error is a *major* part of the
security equation. Identifying and exploiting configuration errors is
a hacker's fertile hunting ground.

On Wed, Jan 12, 2011 at 2:35 PM, Owen DeLong <owen at> wrote:
> On Jan 12, 2011, at 9:36 AM, Jack Bates wrote:
>> As my corp IT guy put it to me, PAT forces a routing disconnect
>> between internal and external. There is no way to reach the hosts
>> without the firewall performing it's NAT function. Given that the
>> internal is exclusively PAT, the DMZ is public with stateful/proxy,
>> this provides protection for the internal network while limiting the
>> dmz exposure.
> The corp IT guy is delusional. The solution to the routing disconnect is
> map+encap or tunnels.

Logical fallacy, ad hominem: the sanity of Jack's IT guy is not at issue.

Logical fallacy, straw man: that a security technology failed to close
attack vectors it was not claimed to have closed makes no statement as
to whether the tech blocked the attack vectors it did claim to block.
The only technology which stops all possible network attack vectors is
the off switch.

Logical fallacy, circular reasoning: to bring your magic tunnels into
existence, the firewall must have already been breached. Yet you claim
the tunnels allow you to breach the firewall, allegedly proving that
the PAT routing disconnect is a no-op.

It took you only 17 words to get the trifecta. Congratulations, or something.

On Wed, Jan 12, 2011 at 2:09 PM, Owen DeLong <owen at> wrote:
> No, NAT doesn't provide additional security. The stateful inspection that
> NAT cannot operate without provides the security. Take away the
> address mangling and the stateful inspection still provides the same
> level of security.

When you'd care to offer a refutation of my explanation (above) of
exactly how NAT impacts the security process beyond what the stateful
inspection does, a refutation that doesn't involve a bunch of bald
assertions, hand-waving and logical fallacies, you let me know.
Perhaps the "security expert" you tell me you relied on when
formulating your viewpoint could help you out with that?

On Wed, Jan 12, 2011 at 2:21 PM, Paul Ferguson <fergdawgster at> wrote:
> There is a least one situation where NAT *does* provide a small amount of
> necessary security.
> Try this at home, with/without NAT:
> 1. Buy a new PC with Windows installed
> 2. Install all security patches needed since the OS was installed
> Without NAT, you're unpatched PC will get infected in less than 1 minute.

Hi Paul,

That doesn't really prove your point. Owen is correct that any
reasonably configured firewall of any type would tend to prevent such
infections. The different firewall types don't begin to exhibit a
major difference in security effectiveness until you factor in the
impact of human error in specific scenarios.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list