North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)

  • From: Daniel Senie
  • Date: Mon Jun 04 18:22:18 2007

At 03:20 PM 6/4/2007, Jim Shankland wrote:

[email protected] writes:

> On Mon, 04 Jun 2007 11:32:39 PDT, Jim Shankland said:
> > *No* security gain?  No protection against port scans from Bucharest?
> > No protection for a machine that is used in practice only on the
> > local, office LAN?  Or to access a single, corporate Web site?
> Nope. Zip. Zero. Ziltch.  Nothing over and above what a good properly
> configured stateful *non*-NAT firewall should be doing for you already.

Thanks for the clarification, Owen and Valdis.  We are, of course,
100% in agreement that it is stateful inspection that provides
(a measure of) security, and that stateful inspection can be had
without NAT.

But NAT *requires* stateful inspection; and the many-to-one, port
translating NAT in common use all but requires affirmative steps
to be taken to relay inbound connections to a designated, internal
host -- the default ends up being to drop them.  All this can be
done without NAT, but with NAT you get it "for free".

NAPT (terminology from RFC 2663, a product of the IETF NAT Working Group) is what you refer to here. This is the most commonly deployed type of NAT, but far from the only. Cisco calls this PAT, for those who like keeping track of the acronyms. (The NAT WG in the IETF put together that RFC specifically because there were so many things being called "NAT").

Many stateful inspection firewall implementations do their work and optionally do the address translation as part of the same processing. Certainly this is very efficient, since the lookups have already been done.

For end user sites with client machines, NAT boxes do indeed provide the stateful inspection users really should have, and do so at many price points, from the dirt cheap to the feature rich. Some provide for multiple upstreams, load balancing or failing over when upstreams get congested, providing many of the benefits of multihoming, without the overhead. Obviously this is all best used for end users with client machines.

I can't pass over Valdis's statement that a "good properly configured
stateful firewall should be doing [this] already" without noting
that on today's Internet, the gap between "should" and "is" is
often large.

Depends greatly on the vendor. Appliance firewalls will generally provide the same default configuration out of the box, whether NAT is used or not. That's not to say the default configuration is sufficient for operations, but they'll do the basics just as well whether NAT is on or off.