North American Network Operators Group


Re: Security gain from NAT

  • From: Donald Stahl
  • Date: Tue Jun 05 01:12:14 2007


> A core but often neglected factor in IT security is KIS.  NAT,
> particularly in the form of PAT, is an order of magnitude simpler to
> administer than a stateful firewall with one-to-one address mappings.
Why would a stateful firewall have one-to-one address mappings? I'm not even sure what you mean by this. Are you referring to static NAT with SI? Are you suggesting that someone would enter a rule for every individual host on the network rather than simply have one rule that says the entire subnet can get out but nothing can come in?

PAT is not simple - it's the antithesis of KIS. It means added code in your apps and firewall. It means it takes longer to troubleshoot problems. It means thinking about firewall rules AND the NAT that accompanies them.

A SI firewall ruleset equivalent to PAT is a single rule on a CheckPoint firewall (as an example):

Src: Internal - Dst: Any - Action: Allow

Done.

> Given the degree to which complexity negatively correlates with
> security,
This is exactly why NAT is bad, not why it's good.

> Any security auditor will tell you that, in the real world, stateful
> one-to-one firewalls are rarely as secure as NAT gateways for the
> simple reason that the non-NAT firewalls have more rules.
As a former security auditor I will tell you that you are wrong.

I've done security audits for years, been certified by the NSA to perform IAM audits, worked extensively with a variety of firewalls and intrusion detection systems, and I co-moderate a firewall mailing list. I think I can safely state that NAT adds complexity to a firewall rule set, it does not remove it.

A CheckPoint without NAT has N rules. A CheckPoint with NAT has N rules + M NAT rules, where M is the number of NAT'd hosts. If you are doing port address translation rather than simpler static NAT, then M is the number of NAT'd services as opposed to the number of NAT'd hosts. Either way it is definitely more complex. This is true of CheckPoint, ipfw and a myriad of other firewalls. (Sorry for all the CheckPoint examples - I just happened to have a client's CheckPoint ruleset open while responding.)

> This debate mirrors one that took place in a large university where I
> worked several years ago.  The network admins made passionate
> arguments against NAT but did little to firewall vulnerable
> departments.
So because these network engineers were exceedingly lazy and/or sloppy, NAT is somehow better?

Even supposing you could always enter PAT rules as simple firewall rules - how are 20 PAT statements smaller and/or simpler than 20 SI statements?

> The risk was obvious but so was the underlying
> motivation.  They were simply protecting their turf.  In this case
> multiple class-B allocations, awarded decades ago, before NAT and PAT
> became affordable technologies.
How was this "protecting" their class-B? More than likely it was awarded before ARIN and there is no RSA agreement that would allow anyone to reclaim the addresses.

> I don't know
> all of the reasons but, having managed thousands of clients behind NAT
> and unNATted gateways I'll take NAT any day.
Ever try to set up a VPN between two offices using the same address space?
I'll stick with no NAT any day.

-Don
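
The rule-count argument made in the post (N filter rules without NAT versus N + M with NAT, plus the overlapping-address-space VPN problem), written out as an added illustration that is not part of Don's message or the NANOG thread. It uses nftables rather than the CheckPoint and ipfw rulesets the post refers to; the interface names (lan0, wan0, vpn0), the addresses (203.0.113.0/24 is documentation space, the 192.168.10.0/24 and 10.1.0.0/24 ranges are made up for the example) and the single published HTTPS server are all assumptions. The netmap form in the last table is taken from the nft(8) NAT statement documentation and needs a recent nftables and kernel; treat its exact spelling as an assumption to check against your own nft version.

```nft
# Variant 1: routed (globally addressed) internal network, stateful filter,
# no NAT. Outbound policy is Don's single rule plus the return-traffic rule;
# publishing one server is one more filter rule.
table inet fw_routed {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies to connections the inside opened
        ct state established,related accept

        # "Src: Internal - Dst: Any - Action: Allow"
        iifname "lan0" ip saddr 203.0.113.0/24 accept

        # one published service = one rule
        iifname "wan0" ip daddr 203.0.113.25 tcp dport 443 accept
    }
}

# Variant 2: the same policy behind PAT (masquerade). The filter chain is
# unchanged in size, but a srcnat chain is now required, and every published
# service needs a DNAT rule in addition to its filter rule. Those extra NAT
# rules are the "M" in the post's N + M.
table inet fw_pat {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan0" ip saddr 192.168.10.0/24 accept
        # filter rule for the published service (matches the post-DNAT address)
        iifname "wan0" ip daddr 192.168.10.25 tcp dport 443 accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # PAT for everything leaving toward the Internet
        oifname "wan0" ip saddr 192.168.10.0/24 masquerade
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # DNAT rule for the published service (one per published service)
        iifname "wan0" tcp dport 443 dnat ip to 192.168.10.25
    }
}

# The VPN case from the post: both offices use 192.168.10.0/24, so this site
# presents itself to the tunnel as 10.1.0.0/24 (a one-to-one netmap) and the
# remote office must do the equivalent with a third range. None of this table
# would exist if the two sites had distinct address space.
table inet fw_vpn_overlap {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # assumed nft(8) netmap syntax: 192.168.10.x -> 10.1.0.x toward the tunnel
        oifname "vpn0" snat ip prefix to ip saddr map { 192.168.10.0/24 : 10.1.0.0/24 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # inbound from the tunnel: 10.1.0.x -> 192.168.10.x
        iifname "vpn0" dnat ip prefix to ip daddr map { 10.1.0.0/24 : 192.168.10.0/24 }
    }
}
```

Loading either of the first two tables with `nft -f` gives the same effective policy for the inside hosts; the difference is only in how many chains and rules have to be read when troubleshooting, which is the point the post makes. The third table shows the kind of extra machinery (and a second set of addresses to document) that overlapping RFC 1918 space forces on a site-to-site VPN.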