NAT provides Security?
One of the statements I have kept stumbling upon for more than 5 years now is that NAT provides security, and I do not understand or concur how!
First, NAT was never conceived with security in mind; actually, there were even holes in NAT if we look at its earlier stages. I found another question on Experts-Exchange today [after a long time I’m dedicating some more time to EE, since I’m more or less becoming a moron doing people management]. So the question was ‘Should I configure NAT in my firewall for additional security?’ Surprisingly, there were more than 5 answers stating different ways it provides security. Guys, I don’t understand, and if it is because I don’t know, you’re more than welcome to provide some insight; I’ll be glad you did and learn this.
Say 10.1.1.1 gets NATed to 100.1.1.1 on the internet; how does that provide security?
Any attacks targeted at 100.1.1.1 will directly affect 10.1.1.1, unless there is some ‘firewalling’ mechanism involved to stop them.
Or if 10.1.1.1 goes out to the internet using 100.1.1.1 and deliberately/unknowingly decides to download a worm, the machine still gets infected, unless there is some ‘firewalling’ mechanism involved to stop it.
Moreover, there are different types of scripts that can locally check what local IP is configured on your machine (even though it doesn’t provide anything extra that the global/NATed IP won’t provide).
So tell me, how does NAT provide security? Now, identity-wise, if you look at it, it is still not a great deal! I’m out of other ideas.
In the case of dynamic NAT, it allows only connections that were initiated from the internal network, so an external network cannot connect to/attack your computer unless you have initiated the connection.
Do you agree now?
Unfortunately, my friend, that isn’t exactly designed to provide you security.
If you want to understand that, you have to understand the NAT anatomy.
If I remember correctly, you can find an article on NAT anatomy in Cisco’s IP Journal. Take a look at Full Cone NAT or Restricted Cone NAT; both of them allow external connections to be made even if you do PAT.
Cheers,
Rajesh
Hi Rajesh,
I do know about Full Cone NAT and Restricted Cone NAT.
In both cases, an external host can send a packet to the internal host by sending a packet to the “mapped external address”.
Please note the quoted phrase “mapped external address”.
In the case of dynamic NAT (many to many), the mapping between the internal and public address will happen only when a host from the internal network initiates a connection to the external network. If the internal host does not initiate a connection, then the mapping will not happen and hence any external host cannot access/attack the internal network via the external address used in that network. So, we get the security here :)
Great, boss, in that case don’t have the internal machine switched on at all; then nobody would hack in! You enable NAT on a networking device to do NAT, right?
Now Vignesh, think about this: what is the purpose of configuring NAT and then being at rest thinking it will only be at stake if the internal host makes an internet connection and creates the ‘mapped external address’? Well, isn’t that the purpose you configured NAT for? Think about it.
Cheers,
Rajesh
Or one simple question:
You make me laugh.
What is the percentage probability of an internal machine creating a ‘mapped external address’ when someone configures NAT?
Well, it is 100%; that is the intention he created it for!
You made me laugh now….
Okay… To answer your question:
In the case of restricted NAT, port-restricted NAT and symmetric NAT (I believe that you know how they work), even at 100% utilization of public addresses, an external host cannot easily access the internal host using the mapped address. Also, the utilization of public addresses may not be 100% during non-business hours.
That being said, it does not mean that once I have configured NAT, my internal network is safe. We have products like firewalls, IDP, IPS etc. for providing security.
I just brought up a scenario where NAT provides you security.
Regards,
Vignesh.
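To make the distinction the two of you are arguing about concrete, here is an added example (not code from the post or from either commenter): a small Python model of full cone, restricted cone, port-restricted cone and symmetric NAT, using constructed sample addresses, showing which inbound packets reach 10.1.1.1 before and after it initiates a connection.

```python
# Added example (not from the original post): a minimal model of the NAT
# behaviours named in the thread. All addresses are constructed sample values.
KINDS = ("full", "restricted", "port_restricted", "symmetric")


class Nat:
    def __init__(self, kind, public_ip="100.1.1.1"):
        assert kind in KINDS
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = 40000
        self.mappings = {}  # mapping key -> public (ip, port)
        self.reverse = {}   # public (ip, port) -> {"internal": ..., "peers": set()}

    def outbound(self, src, dst):
        """Internal endpoint src sends to external dst: create or reuse a mapping."""
        # Symmetric NAT allocates a fresh public port per destination;
        # the cone variants reuse one public port for every destination.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            self.mappings[key] = ext
            self.reverse[ext] = {"internal": src, "peers": set()}
        ext = self.mappings[key]
        self.reverse[ext]["peers"].add(dst)
        return ext

    def inbound(self, remote, ext):
        """External endpoint remote sends to public endpoint ext.
        Returns the internal endpoint it is forwarded to, or None if dropped."""
        entry = self.reverse.get(ext)
        if entry is None:
            return None  # no mapping yet: dropped by every NAT type
        if self.kind == "full":
            return entry["internal"]  # anyone who knows the mapped address gets in
        if self.kind == "restricted":
            ok = any(peer[0] == remote[0] for peer in entry["peers"])  # IP only
        else:
            ok = remote in entry["peers"]  # exact IP and port previously contacted
        return entry["internal"] if ok else None


def demo(kind):
    """Which inbound packets reach 10.1.1.1 behind a NAT of the given kind?"""
    nat = Nat(kind)
    host, web = ("10.1.1.1", 5000), ("203.0.113.9", 80)
    before = nat.inbound(web, ("100.1.1.1", 40000))  # nothing mapped yet
    ext = nat.outbound(host, web)                    # host browses to web
    return (before,
            nat.inbound(web, ext),                    # reply from the same peer
            nat.inbound(("203.0.113.9", 8080), ext),  # same IP, different port
            nat.inbound(("198.51.100.7", 80), ext))   # unrelated host
```

Before the host sends anything, every kind drops the packet; afterwards a full cone NAT forwards from any external host, while the restricted, port-restricted and symmetric variants only forward from peers the host already contacted, which is exactly the gap the firewall, not the NAT, is meant to close.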
OK, that is one side of the cube you are in. Let’s fix the other side as well.
How do you define an attacker? What qualifies as an attacker?
So now, let’s take different outside machines out of the equation. You have NAT configured, the machine goes out to the internet to browse, and through that same connection you bring a worm into your network; quite possible? (Well, most phishing attacks and others work this way.) So essentially you get infected by the same external host you chose to connect to; now does NAT help you resolve that issue?
So which scenario provides security by providing NAT? More examples welcome.
Cheers,
Rajesh
My 2 cents: with NAT, a potential attacker does not know your actual identity, so he cannot attack directly. The oft-used analogy is the postal department delivering a letter addressed to “Santa Claus, North Pole” to the “person-that-is-responsible-to-reply”. Nobody can find that person’s home, go there and attack.
That said, the attacker can always send a letter bomb to the address. If the post office does not do any checks on the package (lack of firewalling), God save Santa.
Maybe there are statistics out there that say non-NATed systems get attacked more, though I cannot imagine whether there are any of that sort anymore.
Hey Boss, long time no hear.
I’m still going good; will write an email to you some time later… Lots of things to tell ya.
Coming back to NAT:
There are 2 types of attack that we’re discussing here.
1. Somebody writes a ‘blob’ to destroy something; here he doesn’t care who gets infected. Mostly this is brought into the machine/network via browsing/emails. Whether you NAT or not doesn’t help you here.
2. Focused attacks. Say I want to attack rsivanandan.com; now do I really care what the internal IP address of rsivanandan.com is? NO! All I’m worried about is what ports this site entertains, right? Again here, whether NAT is there or not doesn’t help, or does it?
Now regarding the identity part: even if you’re NATed, a simple JavaScript on a site can find out what your internal IP is, in case he wants to find out. Try out http://www.auditmypc.com for a live demo.
Cheers,
Rajesh