nanog mailing list archives
Re: Security gain from NAT
From: Matthew Palmer <mpalmer () hezmatt org>
Date: Tue, 5 Jun 2007 06:52:43 +1000
On Mon, Jun 04, 2007 at 08:04:23PM +0100, Leigh Porter wrote:
> Jim Shankland wrote:
> > Owen DeLong <owen () delong com> writes:
> > > There's no security gain from not having real IPs on machines. Any belief that there is results from a lack of understanding.
> > This is one of those assertions that gets repeated so often people are liable to start believing it's true :-). *No* security gain? No protection against port scans from Bucharest? No protection for a machine that is used in practice only on the local, office LAN? Or to access a single, corporate Web site?
> Not so. NATing source addresses from multiple source hosts towards the Internet anonymises the source machines so they cannot be 'looked at' individually. Additionally, NATing services on separate machines behind a single NATed address anonymises the services behind a single address.
Obscurity is not security. If you really want to anonymise traffic, then you've got a lot more work to do than just have all your machines use one IP address. At any rate, proxies (transparent, if necessary) are a better option than NAT for hiding source IPs, as they understand the protocol they're proxying better than your NAT firewall can (unless you build the proxy into your NAT firewall, in which case all you've done is proxy anyway, and you can throw the NAT away). I can think of one counter-example to this argument, and that's SSL-protected services, where having a proxy, transparent or otherwise, in your data stream just isn't going to work. In that instance, though, the SSL is almost always in place to protect some sort of personal information (CC numbers, passwords, etc) -- in which case you've just identified the other end of the connection *anyway*, so anonymity is a large, smelly red herring.
> Also, it is good to control the Internet addressable devices on your network by putting them behind a NAT device. That way you have less devices to concern yourself about that are directly addressable when they most likely need not be. You can argue that you can do the same with a firewall and a default deny policy but it's a hell of a lot easier to sneak packets past a firewall when you have a directly addressable target behind it than when it's all anonymous because it's NATed and the real boxes are on RFC1918.
While "protection from mistakes" is a valid reason, it's a pretty weak one. There's no shortage of other things in your system (security things, even!) that don't have NAT to protect them from typos and screwups.
> So really, those who do not think there is a security gain from NATing don't see the big picture.
I would say that those who rely on NAT for security are the ones with the narrow world-view.

- Matt

--
Imagine a workplace where you were the only non-executive: Make them all CEO. Give them all at least one Masters degree and/or a PhD, and the ego trip that comes with that. Now double it. That's education. -- GB, in the Monastery
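As an added illustration of the point argued in this thread (example code written for this page, not from any of the posters), here is a small Python model of the two designs under debate: a default-deny stateful firewall in front of publicly addressed hosts, and the same stateful filter with port-overloading NAT to an RFC1918 range. All addresses, ports and the flows pushed through them are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Default-deny firewall in front of publicly addressed hosts: inbound
    packets are accepted only if they belong to a flow an inside host opened."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, remote_ip, remote_port)
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # forwarded unchanged
    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return pkt
        return None  # unsolicited: dropped

class NatFirewall:
    """Port-overloading NAT: inside hosts use RFC 1918 space behind one public
    address. Same default-deny decision as above, plus address rewriting."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    def outbound(self, pkt):
        pport, self.next_port = self.next_port, self.next_port + 1
        self.table[(pport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pport, pkt.dst, pkt.dport)
    def inbound(self, pkt):
        inside = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None or pkt.dst != self.public_ip:
            return None  # no mapping: dropped, exactly as the firewall does
        return Packet(pkt.src, pkt.sport, *inside)

def run_scenario():
    """Same constructed traffic through both: HTTPS request, its reply, port-22 probe."""
    boxes = (("firewall", StatefulFirewall(), "203.0.113.50"),
             ("nat", NatFirewall("203.0.113.1"), "192.168.1.50"))
    results = {}
    for name, box, inside_ip in boxes:
        sent = box.outbound(Packet(inside_ip, 51000, "198.51.100.10", 443))
        reply = box.inbound(Packet("198.51.100.10", 443, sent.src, sent.sport))
        scan = box.inbound(Packet("192.0.2.77", 31337, sent.src, 22))
        results[name] = (reply is not None, scan is not None)
    return results
```

Both designs accept the reply and drop the unsolicited probe; the only observable difference is that the NAT variant rewrites the inside address, which is the "no extra security" point Matt is making.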