[LINK] www.ipv6.org.au/summit

Karl Auer kauer at biplane.com.au
Sun Aug 31 12:26:42 AEST 2008


On Sun, 2008-08-31 at 10:35 +1000, Jon Seymour wrote:

> NAT undeniably enhances security for machines that don't have another
> layer of security, simply because it significantly reduces the chance
> of externally initiated connections reaching ports that are
> vulnerable. Admittedly, it is an unintended consequence of a mechanism
> designed for another purpose, but to suggest that NAT doesn't provide
> a net security-related benefit is, I think, stretching the point a
> little.

Not at all. That "unintended consequence" can be had without NAT.

BTW, I hereby deny that NAT enhances security for machines that don't
have another layer of security. Whoops, there goes "undeniable"!
Rhetoric, a double-edged sword.

The "enhancement" you claim has nothing to do with NAT. It is no more
than a simple packet filter can do, the kind of packet filter that is in
every modern router, even many commodity ADSL/cable routers.

Most threats to the security of a home computer (or a business computer
for that matter) come in on open channels: Email payloads carrying
viruses or trojans, user responses to phishing attacks, unwary use of
portable storage media, unwary use of file transfer in chat-type
programs, unwary use of downloaded files and (waaay down the list)
attacks on vulnerable services via ports that have been deliberately
opened and port-forwarded.

NAT has no role in preventing any of these attacks. Good mail scanning,
good virus scanning and a good firewall would help. But NAT is
irrelevant.

NAT can help with attacks on well-known ports and port-scanning by
simply blocking them. If your computer isn't running anything on the
ports being attacked or scanned through, all you win is that your local
logs don't fill up (if you even bother logging such things). Of course,
if port forwarding is used, all "protection" NAT might have offered is
gone for that port and its destination.

NAT can also help protect internal services that are not port-forwarded
from the outside world - shares on home computers for example, or
services accidentally left open. Again, it simply blocks connection
attempts.

BUT, and this is the key point, it isn't NAT that provides this help.
It's that "unintended consequence". Both these advantages can be had,
just as easily and with far less performance loss, through simple packet
filtering. "Allow established back, block everything else". NAT is not
needed.

NAT offers exactly one advantage: It gives us more address space, though
at a pretty big cost. 

In short, people confuse NAT itself with one of its many side-effects.
NAT has, in and of itself, no security advantages at all.

Regards, K.

PS: None of this means that those NAT devices in every home are useless
from a security point of view. The "unintended consequence" that they
provide is valuable. But it isn't NAT that you need - it's the packet
filtering side effect, and you can have that *without* NAT. Of course,
you need NAT because you need the address space... oh, look! IPv6!

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: DD23 0DF3 2260 3060 7FEC 5CA8 1AF6 D9E3 CFEE 6B28
Public key at  : random.sks.keyserver.penguin.de
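The rule the post keeps coming back to, "allow established back, block everything else", as a runnable illustration. This is an added example, not code from Karl Auer's post or from the Link list: a toy stateful packet filter sitting in front of a LAN that uses globally routable IPv6 addresses. No address is ever rewritten, so the protection comes entirely from connection tracking, which is the side effect the post says people mistake for NAT. The LAN prefix, the addresses, the open port and the packet trace are all constructed; the commented ip6tables rules are the standard ones this model mirrors, with "wan0" as an assumed interface name.

```python
"""
"Allow established back, block everything else" without NAT.

Added example (not from the original post): a toy stateful packet filter in
front of a LAN with globally routable IPv6 addresses. Nothing is translated;
outbound connections create state, replies matching that state are let back
in, and unsolicited inbound connections are dropped unless the port has been
deliberately opened. Real connection tracking (Linux conntrack) also times
entries out and follows the TCP handshake; this model keeps only the 5-tuple.
"""
import ipaddress
from dataclasses import dataclass

# The rules this model mirrors (standard ip6tables syntax; "wan0" is an assumed
# interface name):
#   ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   ip6tables -A FORWARD -i wan0 -p tcp --dport 22 -j ACCEPT   # deliberately opened
#   ip6tables -A FORWARD -i wan0 -m conntrack --ctstate NEW -j DROP


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Prefix matching plus a table of connections initiated from the LAN."""

    def __init__(self, lan_prefix, open_ports=()):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.open_ports = set(open_ports)   # (proto, port) deliberately opened
        self.connections = set()            # 5-tuples initiated from the LAN

    def _from_lan(self, addr):
        return ipaddress.ip_address(addr) in self.lan

    def verdict(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        src_lan, dst_lan = self._from_lan(pkt.src), self._from_lan(pkt.dst)

        if src_lan and not dst_lan:
            self.connections.add(key)       # outbound: create state, let it through
            return "ACCEPT"
        if dst_lan and not src_lan:
            if reply_key in self.connections:
                return "ACCEPT"             # reply to a connection the LAN started
            if (pkt.proto, pkt.dport) in self.open_ports:
                return "ACCEPT"             # the "port-forwarded" case: no protection here
            return "DROP"                   # unsolicited inbound: blocked
        return "ACCEPT"                     # LAN-to-LAN traffic is not this filter's job


# Constructed trace. 2001:db8:1::/48 is the LAN; everything else is "outside".
SAMPLE_TRACE = [
    Packet("tcp", "2001:db8:1::10", 50000, "2001:db8:ffff::1", 443),  # LAN host opens HTTPS
    Packet("tcp", "2001:db8:ffff::1", 443, "2001:db8:1::10", 50000),  # server replies
    Packet("tcp", "2001:db8:bad::1", 40000, "2001:db8:1::10", 445),   # scan of an SMB share
    Packet("tcp", "2001:db8:bad::1", 40001, "2001:db8:1::10", 22),    # hits a deliberately opened port
    Packet("tcp", "2001:db8:bad::1", 443, "2001:db8:1::10", 50000),   # forged "reply" from the wrong peer
]


def run_trace(lan_prefix="2001:db8:1::/48", open_ports=(("tcp", 22),), trace=SAMPLE_TRACE):
    """Return the verdict for each packet of the trace, in order."""
    fw = StatefulFilter(lan_prefix, open_ports)
    return [fw.verdict(p) for p in trace]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_TRACE, run_trace()):
        print(f"{v:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Running it gives ACCEPT, ACCEPT, DROP, ACCEPT, DROP. The third packet shows the "shares on home computers" case being blocked with no NAT involved, the fourth shows that deliberately opening a port removes the protection for that port exactly as the post says happens with port forwarding, and the fifth shows that state is keyed on the full 5-tuple, so an outsider cannot get in merely by guessing the port a LAN host is using. Drop the open_ports argument and the fourth packet is dropped too.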
