North American Network Operators Group


Re: Security gain from NAT

  • From: Jeff McAdams
  • Date: Tue Jun 05 08:16:00 2007

David Schwartz wrote:
>> Just because it's behind NAT, does not mean it's unreachable from the
>> internet:

> Okay, so exactly how many times do you think we have to say in this thread
> that by "NAT/PAT", we mean NAT/PAT as typically implemented in the very
> cheapest routers in their default configuration?

And my $50 Linksys has a "DMZ host" configuration item, as well as
configurable port range forwarding entries.

1: "Gee, I want to run this p2p app, and it doesn't work."
2: "Go to http://192.168.1.1 and enter 192.168.1.100 into the DMZ Host"
1: "Great, it works now!"

>> I can do the same without NAT/PAT.  Period.  The benefits are from
>> "disallow new inbound by default", *not* address muxing.

> That you can do something without NAT/PAT tells you nothing about what
> NAT/PAT does. Why state an uncontested unrelated point nobody disagrees with
> when there is an actual live disagreement about what security NAT/PAT does
> or doesn't provide? (Hint: NAT/PAT, as discussed here, includes "disallow
> new inbound by default").

Because it was stated that NAT/PAT provides security, and it doesn't.
The DMZ host above is still NAT'ed (and the configurable port forwarding
ranges are still PAT'ed), but the security "provided by NAT" just went
out the window.

>> Which means that -- tada! -- NAT/PAT isn't giving you anything that the
>> stateful inspection firewall isn't.

> That's wonderful, but that's not even remotely responsive to what I'm
> saying. I'm responding to Owen's claim that NAT/PAT doesn't provide any
> security, not that it doesn't provide you any security that a stateful
> inspection firewall doesn't or can't.

But it is correct.  Just mangling the addresses in the headers doesn't
actually stop anything from getting through, it just means it gets
through mangled.  The security comes from SI and dropping packets that
don't have an active session established from inside, or related.

>> In order to make (dynamic) NAT work you need to implement SI- that's what
>> protects you. What does NAT get you above and beyond the SI you have
>> already implemented?

> What does a car get you above and beyond the engine, transmission, starter,
> and so on? It gets you all those things in one convenient package that you
> just buy, start, and drive. NAT provides all the advantages its component
> parts provide. Really.

And in IPv6-land, it will be trivial to build consumer level IPv6
firewalls that have a default of dropping everything inbound, which is
what the SI of a dynamic NAT gives you.  Exactly the same level of
security and a whole lot less breakage.
-- 
Jeff McAdams
"They that can give up essential liberty to obtain a
little temporary safety deserve neither liberty nor safety."
                                       -- Benjamin Franklin
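To make the distinction argued in this thread concrete, here is a small Python model (an added illustration, not code from the thread or from any router): one stateful-inspection policy, "allow inbound only if it matches a flow created from the inside", run with address rewriting switched off and on, plus the "DMZ host" knob from the Linksys example. The addresses 203.0.113.1 and 198.51.100.7 are constructed documentation addresses; 192.168.1.100 is the one used in the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port" as seen on the wire
    dst: str            # "ip:port" as seen on the wire
    syn: bool = False   # True for a new-connection attempt


class Gateway:
    """Stateful-inspection filter with optional NAT/PAT and optional DMZ host.

    The verdict logic is identical whether or not NAT is on: the only thing
    NAT adds is rewriting of the src/dst fields, not the drop decision.
    """

    def __init__(self, nat=False, public_ip="203.0.113.1", dmz_host=None):
        self.nat = nat
        self.public_ip = public_ip      # constructed; only used when nat=True
        self.dmz_host = dmz_host        # e.g. "192.168.1.100", the DMZ Host knob
        self.flows = {}                 # (remote, local-as-seen-outside) -> real local
        self._next_port = 40000         # PAT port allocator, constructed start value

    def outbound(self, pkt):
        """Record the flow from the inside; rewrite src if NAT is on.
        Returns the packet as it appears on the outside."""
        local = pkt.src
        if self.nat:
            local = f"{self.public_ip}:{self._next_port}"
            self._next_port += 1
        self.flows[(pkt.dst, local)] = pkt.src
        return Packet(local, pkt.dst, pkt.syn)

    def inbound(self, pkt):
        """Return ("ACCEPT", packet as delivered inside) or ("DROP", None)."""
        key = (pkt.src, pkt.dst)
        if key in self.flows:           # established/related: SI lets it through
            return "ACCEPT", Packet(pkt.src, self.flows[key], pkt.syn)
        if self.dmz_host and pkt.dst.startswith(self.public_ip + ":"):
            # DMZ host configured: unsolicited inbound is forwarded anyway,
            # still NAT'ed, but the "security provided by NAT" is gone.
            port = pkt.dst.split(":")[1]
            return "ACCEPT", Packet(pkt.src, f"{self.dmz_host}:{port}", pkt.syn)
        return "DROP", None             # default: drop unsolicited inbound
```

Running the three configurations side by side shows the same unsolicited SYN dropped with and without NAT, the reply to an inside-initiated flow accepted in both, and the DMZ host accepting it regardless.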