Can NAT provide some kind of protection?

Lamar Owen lowen at pari.edu
Thu Jan 13 20:24:33 UTC 2011


On Wednesday, March 21, 2007 05:41:00 am Tarig Ahmed wrote:
> Is it true that NAT can provide more security?

Blast from the past....

Whew, is there any subject more guaranteed to cause a long thread than this? :-)

I have some ideas on this; there are some creative manglings one can do with NAT that specifically exist to break protocols used by black hats (and others; but if I know a Teredo tunnel isn't used by a server, I should try to break it in as many ways as I can, right?), but let the desired bits out.

Hey, if NAT can make desired protocols break, it can make undesired protocols break, too.  Breakage can be considered a feature, depending upon how demented and devious you are.

NAT is just another packet tool; like various types of firewalling, it requires intelligent application to be useful.  Things like setting up a static PAT for the IRC port on the inside global address to get translated to the IP of an outside IRC server (whose operator has agreed to let you do this, of course!) ... or a honeypot IRC server on a different internal network ... can do wonders for the rate of successful entries.

I've found by trial and error that outright blocking an attack is far less effective in stopping an intruder than creatively and partially breaking the attack (tarpits, for instance).  A quick block will be answered by a quick try at another attack; a tarpit makes nothing quick, and unless it's a targeted-at-you attack to own (most aren't) most attackers will go on to other, lower-hanging, fruit.

And I'm sure that I'll continue seeing attacks, and seeing successful workstation exploits, for a long time to come, and neither NAT nor firewalling is much help for certain workstation operating systems in the hands of users who know enough to be dangerous.

But one-to-one port-agnostic NAT for a server does nothing to improve security, and, as some have said, will probably make security worse.
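As an added illustration (not from Lamar's post or anyone on the thread) of the honeypot variant of the IRC redirection he describes, here is an nftables ruleset for a Linux NAT gateway rather than a Cisco "static PAT"; the LAN range, honeypot address, interface name and IRC ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: outbound IRC from the workstation LAN is steered to an
# internal honeypot instead of being blocked, and every redirected flow is
# logged. All values below are assumed for the example.
flush ruleset

define lan      = 10.0.0.0/24   # workstation network (assumed)
define honeypot = 10.99.0.5     # IRC honeypot on a separate internal segment (assumed)
define wan_if   = "eth0"        # interface facing the Internet (assumed)

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # "Static PAT" in the outbound direction: an inside host connecting to
        # IRC anywhere on the Internet is translated to the honeypot. From the
        # client's point of view the connection still succeeds, so a bot does
        # not immediately fall back to another channel, and the honeypot
        # records the session. Log and count before the translation statement.
        ip saddr $lan tcp dport { 6667, 6697 } \
            log prefix "irc-redirect: " counter dnat to $honeypot
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Ordinary masquerading for everything else leaving the gateway.
        oifname $wan_if masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # DNAT has already rewritten the destination by the time the forward
        # hook runs, so only the redirected IRC flows may reach the honeypot
        # segment; nothing else from the LAN is allowed to talk to it.
        ip saddr $lan ip daddr $honeypot tcp dport { 6667, 6697 } accept

        # Everything else from the LAN goes out normally.
        ip saddr $lan oifname $wan_if accept
    }
}
```

Because the honeypot sits on a different internal network, replies route back through the gateway and the reverse translation is handled by conntrack; the `irc-redirect:` log lines are the detection signal worth alerting on.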

More information about the NANOG mailing list