nanog mailing list archives

Re: Is NAT can provide some kind of protection?

From: Owen DeLong <owen () delong com>
Date: Wed, 12 Jan 2011 19:33:32 -0800


On Jan 12, 2011, at 7:23 PM, David Barak wrote:

I hesitate to venture into this thread, but while Owen is correct in the general 
case ("NAT qua NAT provides no more security than a stateful firewall"), there 
is a corner case in which security is improved via NAT.  The case is that of an 
enterprise network which uses 1918 addressing for all internal hosts, and uses 
proxies or other bastions as middleboxes to relay outbound communication.  

The security provided is that in the event of an accidental bridging of "inside" 
and "outside" networks (i.e. engineer plugged a cable between the wrong two 
switches), the hosts will not be able to initiate communication with Internet 
hosts.  Additionally, this same resiliency to accidental bridging does mean that 
the enterprise has a smaller number of possible Internet-facing machines, and 
thus can spend the time and effort to make them more robust.

That benefit is not huge (and not relevant to the typical home user, who is not 
configuring a super-duper scanning proxy server), but it does exist, and it 
certainly fuels some of the pro-NAT feeling I've encountered among customers.
David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com


If you are proxying everything, then, there isn't any actual NAT. There are
inside sessions and outside sessions.

In that case, your security comes from the disconnected addresses and the
proxy that sits in the middle interfacing every outside session with its
related inside session.

No packet is forwarded from inside to outside with only the address and port
fields mangled. Each session is a separate and distinct interior and exterior
session. There is a state machine between the internal client and the proxy
server and a separate state machine between the external server and the
proxy client. Separate sets of sequence numbers, etc.

I am not denying that you may be able to get some additional isolation
by having network numbers that aren't routable on the outside world
if you don't have NAT. I'm saying that if you have NAT, it doesn't add
to your security.

Owen

Current thread:

Re: Is NAT can provide some kind of protection?, (continued)
- - - Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 15)
    - Re: Is NAT can provide some kind of protection? Joel Jaeggli (Jan 15)
    - Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 15)
    - Re: Is NAT can provide some kind of protection? Marshall Eubanks (Jan 15)
    - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 15)
    - Re: Is NAT can provide some kind of protection? Stephen Davis (Jan 15)
    - Re: Is NAT can provide some kind of protection? Leen Besselink (Jan 16)
    - Re: Is NAT can provide some kind of protection? Douglas Otis (Jan 14)
    - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
    - Re: Is NAT can provide some kind of protection? David Barak (Jan 12)
    - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
    - Re: Is NAT can provide some kind of protection? Jack Bates (Jan 13)
    - Re: Is NAT can provide some kind of protection? Dobbins, Roland (Jan 13)
    - Re: Is NAT can provide some kind of protection? Jack Bates (Jan 13)
    - Re: Is NAT can provide some kind of protection? William Herrin (Jan 13)
    - Re: Is NAT can provide some kind of protection? Jack Bates (Jan 13)
    - Re: Is NAT can provide some kind of protection? William Herrin (Jan 13)
    - Re: Is NAT can provide some kind of protection? Lamar Owen (Jan 13)
    - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 13)
  - Re: Is NAT can provide some kind of protection? Owen DeLong (Jan 12)
    - Re: Is NAT can provide some kind of protection? Paul Ferguson (Jan 12)

(Thread continues...)