Is NAT can provide some kind of protection?

George Bonser gbonser at
Fri Jan 14 19:01:09 CST 2011

> From: William Herrin 
> Sent: Friday, January 14, 2011 4:11 PM
> To: nanog at
> Subject: Re: Is NAT can provide some kind of protection?
> On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong <owen at> wrote:
> > Ah, but, the point here is that NAT actually serves as an enabling
> > technology for part of the attack he is describing.
> I watch the movies too and I hang in suspense as the protagonist waits
> for the bad guy to make a network connection and then activates the
> phlebotinum that backhacks his tubes. And I know there are some
> real-life examples where giving a hacker a large file to download has
> kept him connected to a modem long enough to get a phone trace. But I
> haven't read of a _nonfiction_ example where the dynamic opening in a
> stateful firewall (NAT or otherwise) has directly provided the needed
> opening for an _active_ attack by a third party. Can you cite one?

The extent to which NAT is a security hazard in my experience is that it
simply makes it harder to find a compromised machine.  Someone might
inform us that they are seeing suspicious traffic that matches a virus
profile from an IP address but the NAT makes it difficult to determine
the actual source of the traffic.  In that case NAT isn't, in and of
itself, the enabling mechanism, but it does offer the compromised host
some additional time to do its malicious work while it is being tracked
down and eliminated.

It also adds more work for providers when someone wants to know who was
responsible for certain traffic at certain times.  This is particularly
true of NAT devices that get their "outside" IP by DHCP.  Now they have
to search their records and sort out who had that IP at that time and
then associate that with a specific customer.  Then at the customer
location, there might be several more devices (or a neighbor connected
over an unsecured wireless) and at that point there is no telling where
the traffic came from.

So NAT itself isn't a security threat, but it sure gives a real security
threat a lot of woodwork in which to hide.
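The two-step trace described above (outside IP and timestamp to customer via the provider's DHCP lease records, then to an inside host via the customer's NAT session log) as an added worked example; this is illustration code, not anything posted in the thread, and the lease log, NAT session log and abuse-report values in it are constructed. It also shows the ambiguity the post warns about: when the report carries only an IP and no source port, several inside hosts remain candidates, and if the CPE keeps no translation log the trail ends at the customer.

```python
"""Attributing an abuse report through DHCP lease and NAT session logs.

All data below is constructed for the example. Timestamps are UTC ('Z').
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed ISP DHCP lease log: start end outside_ip customer_id.
# The same outside IP moves between customers as leases expire.
DHCP_LEASES = """\
2011-01-14T10:00:00Z 2011-01-14T18:00:00Z 198.51.100.7 cust-0412
2011-01-14T18:00:00Z 2011-01-15T02:00:00Z 198.51.100.7 cust-0977
2011-01-14T10:00:00Z 2011-01-15T10:00:00Z 198.51.100.8 cust-0333
"""

# Constructed NAT session log from cust-0977's CPE (assuming it keeps one):
# start end inside_ip:port outside_ip:port
NAT_SESSIONS = """\
2011-01-14T19:00:00Z 2011-01-14T19:05:00Z 192.168.1.20:51234 198.51.100.7:40001
2011-01-14T19:00:30Z 2011-01-14T19:10:00Z 192.168.1.31:49877 198.51.100.7:40002
2011-01-14T19:01:00Z 2011-01-14T19:03:00Z 192.168.1.20:51300 198.51.100.7:40003
"""


def parse_ts(s: str) -> datetime:
    # strptime rather than fromisoformat: older Pythons reject the trailing 'Z'.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime
    outside_ip: str
    customer: str


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


def parse_leases(text: str) -> list[Lease]:
    leases = []
    for line in text.splitlines():
        if line.strip():
            start, end, ip, cust = line.split()
            leases.append(Lease(parse_ts(start), parse_ts(end), ip, cust))
    return leases


def parse_sessions(text: str) -> list[Session]:
    sessions = []
    for line in text.splitlines():
        if line.strip():
            start, end, inside, outside = line.split()
            in_ip, in_port = inside.rsplit(":", 1)
            out_ip, out_port = outside.rsplit(":", 1)
            sessions.append(Session(parse_ts(start), parse_ts(end),
                                    in_ip, int(in_port), out_ip, int(out_port)))
    return sessions


LEASES = parse_leases(DHCP_LEASES)
SESSIONS = parse_sessions(NAT_SESSIONS)


def find_customer(outside_ip: str, ts: str, leases=LEASES):
    """Step 1 (provider side): which customer held this outside IP at time ts?
    Leases are treated as half-open intervals [start, end) so a renewal at the
    boundary is not double-counted."""
    when = parse_ts(ts)
    for lease in leases:
        if lease.outside_ip == outside_ip and lease.start <= when < lease.end:
            return lease.customer
    return None


def find_inside_hosts(outside_ip: str, outside_port, ts: str, sessions=SESSIONS):
    """Step 2 (customer side): which inside hosts had a translation to this
    outside IP (and port, if the report gives one) active at time ts?
    Without a port every host with an active session is a candidate."""
    when = parse_ts(ts)
    hosts = set()
    for s in sessions:
        if s.outside_ip != outside_ip or not (s.start <= when <= s.end):
            continue
        if outside_port is not None and s.outside_port != outside_port:
            continue
        hosts.add(s.inside_ip)
    return sorted(hosts)


def attribute(outside_ip: str, outside_port, ts: str) -> dict:
    """Run both steps for one abuse report; inside_hosts is empty when the
    trail stops at the customer."""
    customer = find_customer(outside_ip, ts)
    if customer is None:
        return {"customer": None, "inside_hosts": []}
    return {"customer": customer,
            "inside_hosts": find_inside_hosts(outside_ip, outside_port, ts)}


if __name__ == "__main__":
    # Constructed abuse report: full 4-tuple versus IP-only.
    print(attribute("198.51.100.7", 40002, "2011-01-14T19:01:09Z"))
    print(attribute("198.51.100.7", None, "2011-01-14T19:01:09Z"))
```

With the port present the report resolves to a single inside host; with only the IP, two hosts on the customer LAN remain plausible, and a further hop (the customer's own DHCP or ARP records, which a home router rarely keeps) would be needed to pin down a device or rule out a neighbour on the wireless. Note the same outside address resolves to a different customer a few hours earlier, which is why the timestamp and its time zone matter as much as the IP.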

