North American Network Operators Group


RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)

  • From: David Schwartz
  • Date: Mon Jun 04 20:02:43 2007

> I posit that a screen door does not provide any security. A lock and
> deadbolt provide some security.  NAT/PAT is a screen door.
> Not having public addresses is a screen door.  A stateful inspection
> firewall is a lock and deadbolt.

This is a fine piece of rhetoric, but it's manifestly false and seriously

I have a cluster of Windows machines at my store with no networking security
at all. They're behind NAT/PAT and nothing else. None of them have ever been
broken into. For a screen door, that's a mighty impressive screen door.

I can give you the root password to a Linux machine running telnetd and
sshd. If it's behind NAT/PAT, you will not get into it. Period.

I can give you the administrator password to a Windows machine with file
sharing wide open. If it's behind NAT/PAT, you will not get into it. Period.

The only ways into these machines would be if the NAT/PAT device were
misconfigured, another machine on the secure network were compromised, or
another gateway into the secure network was set up. Guess what? All of these
things would defeat a stateful inspection firewall as well.

Are there things most stateful inspection firewalls can do that NAT/PAT does
not do? Definitely. Are those things valuable and in some cases vital?
Definitely. So why lie and distort what NAT/PAT actually does do? A large
class of security vulnerabilities require the attacker to reach out to the
machine first, and NAT/PAT stops those attacks completely.

Is that enough if there are other attacks that it does nothing to stop?
Clearly not. Does that change the fact that it actually does completely
prevent a large class of serious attacks? No, it does not.

Is a car alarm useless because some professional thieves can disable it? Is
a lock useless because some thieves can pick it? Many exploits only go after
low-hanging fruit, and NAT/PAT stops them.
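The mechanism the post is describing (an inbound packet with no matching translation has nowhere to go) can be made concrete with a toy model of a PAT gateway. This is added example code, not part of the NANOG thread or of any product; the class and method names, the addresses (RFC 5737 documentation ranges) and the port numbers are all constructed for illustration. It also models the two cases the post raises: a static port-forward (the "misconfigured device" case) that admits an unsolicited probe, and an optional remote-endpoint check of the kind connection-tracking firewalls add on top of plain address translation.

```python
"""Toy PAT gateway (constructed example, not real gateway code).

An outbound packet from the private side creates a translation entry.
Inbound packets are delivered only if they match an entry or a static
port-forward; everything else is dropped because no inside address is known.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000,
                 endpoint_filtering: bool = False):
        self.public_ip = public_ip
        self.next_port = first_port
        # When True, an entry only admits packets from the remote host:port
        # the inside host actually talked to (what stateful tracking adds).
        self.endpoint_filtering = endpoint_filtering
        # (inside_ip, inside_port, proto) -> public port
        self.outbound: Dict[Tuple[str, int, str], int] = {}
        # (public_port, proto) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.inbound: Dict[Tuple[int, str], Tuple[str, int, str, int]] = {}
        # Static forwards, the "misconfigured NAT device" case in the post.
        self.forwards: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, proto: str,
                         inside_ip: str, inside_port: int) -> None:
        self.forwards[(public_port, proto)] = (inside_ip, inside_port)

    def send_out(self, pkt: Packet) -> Packet:
        """Translate an outbound packet, creating a mapping on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.next_port += 1
        pub_port = self.outbound[key]
        # Remember the remote endpoint so replies can be matched (and, with
        # endpoint filtering on, so that only that remote is admitted).
        self.inbound[(pub_port, pkt.proto)] = (pkt.src_ip, pkt.src_port,
                                               pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inbound packet, or return None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.proto))
        if entry is not None:
            inside_ip, inside_port, remote_ip, remote_port = entry
            if self.endpoint_filtering and (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None  # known port, but not the peer the inside host contacted
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)
        fwd = self.forwards.get((pkt.dst_port, pkt.proto))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None  # no mapping at all: the packet has no inside destination


def demo():
    """Walk through the post's scenario; returns the four outcomes."""
    gw = PatGateway("203.0.113.1")
    # 1. inside host opens a web connection; a mapping to port 40000 appears
    out = gw.send_out(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    # 2. the reply to that mapping is translated back to the inside host
    reply = gw.receive_in(Packet("198.51.100.5", 80, "203.0.113.1", out.src_port))
    # 3. an unsolicited probe at the telnet port has no mapping and is dropped
    probe = gw.receive_in(Packet("198.51.100.9", 33333, "203.0.113.1", 23))
    # 4. after a static forward of port 23, the same probe reaches the host
    gw.add_port_forward(23, "tcp", "192.168.1.10", 23)
    forwarded = gw.receive_in(Packet("198.51.100.9", 33333, "203.0.113.1", 23))
    return out, reply, probe, forwarded


def demo_endpoint_filtering():
    """Same mapping, but a third party aiming at the mapped port is refused."""
    gw = PatGateway("203.0.113.1", endpoint_filtering=True)
    out = gw.send_out(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    from_peer = gw.receive_in(Packet("198.51.100.5", 80, "203.0.113.1", out.src_port))
    from_other = gw.receive_in(Packet("198.51.100.9", 80, "203.0.113.1", out.src_port))
    return from_peer, from_other


if __name__ == "__main__":
    for label, result in zip(("out", "reply", "probe", "forwarded"), demo()):
        print(f"{label:>9}: {result}")
    print("filtered:", demo_endpoint_filtering())
```

In `demo()`, the probe in step 3 is the situation the post describes: the gateway holds no translation for port 23, so the packet is discarded regardless of what daemon listens on the inside host. Step 4 shows the port-forward (or any other gateway into the private network) reopening that path. `demo_endpoint_filtering()` shows the distinction between a plain translation table, which admits any sender to a mapped port while it exists, and a connection-tracking check that also verifies the remote endpoint.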