North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Security gain from NAT (was: Re: Cool IPv6 Stuff)

  • From: Jim Shankland
  • Date: Mon Jun 04 16:35:25 2007

[email protected] writes:

> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain?  No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN?  Or to access a single, corporate Web site?
> Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
> configured stateful *non*-NAT firewall should be doing for you already.

Thanks for the clarification, Owen and Valdis.  We are, of course,
100% in agreement that it is stateful inspection that provides
(a measure of) security, and that stateful inspection can be had
without NAT.

But NAT *requires* stateful inspection; and the many-to-one, port
translating NAT in common use all but requires affirmative steps
to be taken to relay inbound connections to a designated, internal
host -- the default ends up being to drop them.  All this can be
done without NAT, but with NAT you get it "for free".

I can't pass over Valdis's statement that a "good properly configured
stateful firewall should be doing [this] already" without noting
that on today's Internet, the gap between "should" and "is" is
often large.

If what you meant to say is that NAT provides no security benefits
that can't also be provided by other means, then I completely

Jim Shankland