
NAT actually makes security harder to reason about.

For example, did you know that NAT doesn't prevent inbound connections? At least in v6 people are more likely to realize that, yes, they do need a firewall.




This. NAT is not a firewall, never was. Incidental benefit, which can't be relied on, specifically when there's no NAT (most v6).

NAT is for stretching IPv4. That's it.

As far as security goes, firewalls don't require it. Not only that, but I share the admittedly minority opinion that firewalls are a crutch for bad system security and that we should be working to fix that problem. A system that requires a firewall to be secure is broken.


NAT != firewalling. People conflating the two leads to policies like needing NAT for ipv6.

NAT does little to nothing for security. NAT != firewall, and if your security depends on keeping internal IPs secret you have a problem. You can easily firewall without NAT.

When using NAT, you're revealing the IP address of your router. I don't know about you, but I don't have so many devices running on my home network that would drown out what I'm doing.

With NAT, you can still receive DoS attacks, still have your game networking exploited, and still be geolocated. The only remotely security-related benefit is that instead of your ports being exposed to the wild internet, they're exposed to your router, which is more of a side-effect rather than an actual benefit. It's not a reason to not bother having a firewall.


You're really splitting hairs here. A NAT prevents direct access from the outside to the LAN, except in certain situations. That's part of a firewall's functionality. It's actually probably the first rule you'd set up on most firewalls, then you'd open select ports as necessary (which you do with port forwarding on NATs). A firewall can do a whole lot more of course, but there is some overlap.

Anyway, I think we're in agreement on the core of the issue, it's just a matter of definition. Praising NATs for security is like praising a snowstorm because it makes it harder to steal my car. I guess some people really like to see the glass half-full.


NAT is a more desirable form of security than a firewall for most users, despite it not being intended for that purpose. It should be the default, and if you don't want NAT, go ahead and don't use it.

NAT still provides some layer of protection, especially if you don’t trust the firewall software.

This is going to open up a can of worms once everybody gets global addresses and can’t figure out how to configure their firewall.


Only Siths deal in absolutes. NAT has the side effect of behaving like a crappy firewall, so it gives you the added security of a crappy firewall. It's not much but it's something.

But in the end I agree that it's a bit silly to use that as an argument in favor of NAT; if you want a firewall then use a firewall. I guess the advantage of NAT is that while you could forget to set up a firewall and not notice, you'll definitely notice it pretty quickly if you have a few computers on your LAN and you don't have a NAT...


I talk to a lot of people who think lack of NAT "exposes everything" and is a big security problem. I try to explain that firewall is not NAT and NAT is not firewall but people do not seem to be willing to hear or understand this. "NAT equals firewall equals security" is tattooed on the inner eyelids of an entire generation of developers and IT people. It borders on religion.

On a deeper level this is because almost nobody actually understands how networks work. In my experience even really top developers often have absolutely no idea what happens on the wire. As a result they basically cargo cult netsec. Since they don't understand it, anything that deviates from "standard practice" gives them security FUD willies because they don't see the implications.


> IPv6 firewall that gives at least if not more security than NAT provides

That's just not true. NAT and firewall both achieve what little security they provide through simple blocking of packets based on state information. Firewalls generally provide more robust state information, but NAT is what lets you redirect sockets. They work together.


> NAT has the side effect of behaving like a crappy firewall, so it gives you the added security of a crappy firewall.

No, it doesn't. Unless by "crappy firewall" you mean "a firewall that doesn't firewall".

> I guess the advantage of NAT is that while you could forget to set up a firewall and not notice, you'll definitely notice it pretty quickly if you have a few computers on your LAN and you don't have a NAT...

... and you could then set up a NAT and still forget the firewall. Especially so if you mistakenly believe that NAT provides firewall functionality. There is absolutely nothing that prevents your ISP, and by extension anyone who happens to compromise your ISP('s router) from connecting to your RFC1918 addresses through your NAT gateway if you don't also have a firewall.
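A toy model of the scenario this reply describes, added here as an illustration and not taken from the thread: a gateway that masquerades outbound flows but has no filter forwards an unsolicited packet addressed straight to an RFC1918 host, while the same gateway with a conntrack-style stateful filter drops it. All addresses, ports and the full-cone mapping behaviour are constructed assumptions.

```python
# Added example (not from the thread): a toy IPv4 gateway showing why NAT
# alone is not a firewall. Packets are plain dicts; addresses are constructed.
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.1."   # constructed RFC1918 LAN
PUBLIC_IP = "203.0.113.7"   # constructed WAN address of the gateway


@dataclass
class Gateway:
    stateful_firewall: bool = False
    nat: dict = field(default_factory=dict)      # public port -> (lan_ip, lan_port)
    conntrack: set = field(default_factory=set)  # flows the LAN initiated
    next_port: int = 40000

    def outbound(self, src, sport, dst, dport):
        """LAN -> WAN: masquerade and remember the flow (NAT mapping + conntrack)."""
        pub_port = self.next_port
        self.next_port += 1
        self.nat[pub_port] = (src, sport)          # endpoint-independent mapping (assumed)
        self.conntrack.add((dst, dport, src, sport))
        return {"src": PUBLIC_IP, "sport": pub_port, "dst": dst, "dport": dport}

    def inbound(self, src, sport, dst, dport):
        """WAN -> LAN. Returns the packet as delivered to the LAN, or None if dropped."""
        if dst == PUBLIC_IP:
            # Addressed to the gateway itself: only an existing NAT mapping sends it inward.
            if dport not in self.nat:
                return None
            lan_ip, lan_port = self.nat[dport]
            pkt = {"src": src, "sport": sport, "dst": lan_ip, "dport": lan_port}
        elif dst.startswith(LAN_PREFIX):
            # Addressed directly to a LAN host (e.g. from the adjacent ISP router):
            # a router with forwarding enabled just routes it; NAT never touches it.
            pkt = {"src": src, "sport": sport, "dst": dst, "dport": dport}
        else:
            return None
        if self.stateful_firewall:
            # The actual security control: forward inbound only for LAN-initiated flows.
            if (src, sport, pkt["dst"], pkt["dport"]) not in self.conntrack:
                return None
        return pkt


def unsolicited_direct_delivered():
    """(delivered without firewall, delivered with firewall) for a packet an upstream
    host sends straight to the LAN address 192.168.1.10, bypassing the NAT mapping."""
    results = []
    for fw in (False, True):
        gw = Gateway(stateful_firewall=fw)
        gw.outbound("192.168.1.10", 51000, "198.51.100.5", 443)  # LAN host browses out
        results.append(gw.inbound("198.51.100.99", 12345, "192.168.1.10", 22) is not None)
    return tuple(results)
```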


Could you help me understand some of the weaknesses of NAT vs a firewall? I was under the impression they were almost synonymous.

This is my concern too. NAT is nice because it's stupid and secure by default. No matter how you misconfigure it, the router simply doesn't know where to forward inbound packets to, unlike a firewall which has to actively block. My assumption for routers is that they won't handle firewalls right, especially the many cheapo ones.

Meh.

There's this and a hundred other ways to get past a firewall, and NAT is an ugly hack to extend the life of IPv4 not a security feature.

Firewalls are a false god. If something can't be connected to the open network and remain reasonably secure, it is not secure.

Firewalls are a necessary evil because there's a lot of insecure junk, sure, but relying on them encourages more insecure junk to be made and encourages lazy security practices in general.


I'll admit to not understanding this position. Without NAT, you could do the same sort of firewalling, where the inbound allow list is driven dynamically. The only thing I can think of is that not using NAT exposes more detail about an internal network. Is that the reason you're hinting at, or is the reason something else?

NAT is not a layer of security. At all. A billion layers of no security is still no security.

(And actually, NAT is a negative contribution to security as it hides the lack of a firewall when it isn't there or doesn't work, which would be trivial to detect without NAT.)


At a certain level of firewalling you bring the disadvantages of NAT. For example, if you block all input, or even just HTTP(S).

> NAT does nothing meaningful security-wise that a firewall cannot achieve

One good thing about NAT is even if you screw up the firewall config, such as configure everything in "allow all" mode, your internal network is still secure, because private IPs are not routable at the Internet level.

> and causes a lot of stupid problems.

That is true.
