We hit half-million: The Cidr Report

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Thu May 1 23:10:08 UTC 2014

On 14-05-01 14:34, Owen DeLong wrote:
> Believe me, I cringe every time I hear “our auditors require NAT as a security mechanism” 

Pardon my ignorance here. But in a carrier-grade NAT implementation that
serves say 5000 users, when happens when someone from the outside tries
to connect to port 80 of the shared routable IP ?  you still need to
have explicit port forwarding to specific LAN side hosts (like the web
server) right ?

Trying to be devil's advocate here: (and discussing only incoming calls)

In a NAT setup for a company, wouldn't the concept be that you
explicitely have to open a few ports to specific hosts ? (for instance
80 points to the web server LAN IP address) All the rest of the
gazillion ports are blocked by default since the router doesn't know to
which LAN host they should go.

On the other hand, for a LAN with routable IPs, by default, all ports
are routed to all computers, and security then depends on ACLs or other
mechanisms to implement a firewall.

Auditors probably prefer architecture where everything is blocked by
default and you open specific ports compared to one where everything is
open by default and you then add ACLs to implement security.

(Not judging whether one is better, just trying to figure out why
auditors might prefer NAT).

Also, home routers have "NAT" which is really a combo of NAT with basic
firewall, so if you don't have "NAT", they may equate this to not having
a firewall.

More information about the NANOG mailing list