nanog mailing list archives

Re: Security gain from NAT

From: Leigh Porter <leigh.porter () ukbroadband com>
Date: Mon, 04 Jun 2007 20:04:23 +0100





Jim Shankland wrote:

Owen DeLong <owen () delong com> writes:

There's no security gain from not having real IPs on machines.
Any belief that there is results from a lack of understanding.


This is one of those assertions that gets repeated so often people
are liable to start believing it's true :-).

*No* security gain?  No protection against port scans from Bucharest?
No protection for a machine that is used in practice only on the
local, office LAN?  Or to access a single, corporate Web site?

Shall I do the experiment again where I set up a Linux box
at an RFC1918 address, behind a NAT device, publish the root
password of the Linux box and its RFC1918 address, and invite
all comers to prove me wrong by showing evidence that they've
successfully logged into the Linux box?  When I last did this,
I got a handful of emails, some quite snide, suggesting I was
some combination of ignorant, stupid, and reckless; the Linux
box for some reason remained unmolested.

Jim Shankland

Not so. NATing source addresses from multiple source hosts towards theInternet anonymises the source machines so they can not be 'looked at'individually.

Additionally, NATing services on separate machines behind a single NATedaddress anonymises the services behind a single address.

Also, it is good to control the Internet addressable devices on yournetwork by putting them behind a NAT device. That way you have lessdevices to concern yourself about that are directly addressable whenthey most likely need not be. You can argue that you can do the samewith a firewall and a default deny policy but it's a hell of a loteasier to sneak packets past a firewall when you have a directlyaddressable target behind it than when it's all anonymous because it'sNATed and the real boxes are on RFC1918.

So really, those who do not think there is a security gain from NATingdon't see the big picture.


--
Leigh Porter

Current thread:

Re: Security gain from NAT (was: Re: Cool IPv6 Stuff), (continued)
- - - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nicholas Suan (Jun 05)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nicholas Suan (Jun 04)
    - RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Donald Stahl (Jun 04)
    - RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Edward B. DREGER (Jun 04)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Perry Lorier (Jun 05)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) James Hess (Jun 05)
    - RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) michael.dillon (Jun 05)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nathan Ward (Jun 05)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Sam Stickland (Jun 06)
    - Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Kradorex Xeron (Jun 05)
    - Re: Security gain from NAT Leigh Porter (Jun 04)
    - Re: Security gain from NAT Donald Stahl (Jun 04)
    - Re: Security gain from NAT Dorn Hetzel (Jun 04)
    - Re: Security gain from NAT Mattias Ahnberg (Jun 05)
    - Re: Security gain from NAT Adrian Chadd (Jun 05)
    - Re: Security gain from NAT James R. Cutler (Jun 05)
    - Re: Security gain from NAT Matthew Palmer (Jun 04)
    - Re: Security gain from NAT Sam Stickland (Jun 04)
    - Re: Security gain from NAT Matthew Palmer (Jun 04)
    - Re: Security gain from NAT Matthew Kaufman (Jun 04)
    - RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Tony Hain (Jun 04)

(Thread continues...)