Is NAT can provide some kind of protection?

Owen DeLong owen at
Wed Jan 12 21:33:32 CST 2011

On Jan 12, 2011, at 7:23 PM, David Barak wrote:

> I hesitate to venture into this thread, but while Owen is correct in the general 
> case ("NAT qua NAT provides no more security than a stateful firewall"), there 
> is a corner case in which security is improved via NAT.  The case is that of an 
> enterprise network which uses 1918 addressing for all internal hosts, and uses 
> proxies or other bastions as middleboxes to relay outbound communication.  
> The security provided is that in the event of an accidental bridging of "inside" 
> and "outside" networks (i.e. engineer plugged a cable between the wrong two 
> switches), the hosts will not be able to initiate communication with Internet 
> hosts.  Additionally, this same resiliency to accidental bridging does mean that 
> the enterprise has a smaller number of possible Internet-facing machines, and 
> thus can spend the time and effort to make them more robust.
> That benefit is not huge (and not relevant to the typical home user, who is not 
> configuring a super-duper scanning proxy server), but it does exist, and it 
> certainly fuels some of the pro-NAT feeling I've encountered among customers.
> David Barak
> Need Geek Rock?  Try The Franchise: 

If you are proxying everything, then, there isn't any actual NAT. There are
inside sessions and outside sessions.

In that case, your security comes from the disconnected addresses and the
proxy that sits in the middle interfacing every outside session with its
related inside session.

No packet is forwarded from inside to outside with only the address and port
fields mangled. Each session is a separate and distinct interior and exterior
session. There is a state machine between the internal client and the proxy
server and a separate state machine between the external server and the
proxy client. Separate sets of sequence numbers, etc.

I am not denying that you may be able to get some additional isolation
by having network numbers that aren't routable on the outside world
if you don't have NAT. I'm saying that if you have NAT, it doesn't add
to your security.


More information about the NANOG mailing list