[97246] in North American Network Operators' Group
Re: Security gain from NAT
daemon@ATHENA.MIT.EDU (Jason Lewis)
Mon Jun 4 21:28:45 2007
Date: Mon, 04 Jun 2007 21:07:38 -0400
From: Jason Lewis <jlewis@packetnexus.com>
To: NANOG list <nanog@nanog.org>
Cc: colm@stdlib.net
In-Reply-To: <20070604191245.GA678@infiltrator.gizzard.com>
Errors-To: owner-nanog@merit.edu
I figured SMB would chime in...but his research says it's not so anonymous.
http://illuminati.coralcdn.org/docs/bellovin.fnat.pdf
jas
Colm MacCarthaigh wrote:
> On Mon, Jun 04, 2007 at 11:47:15AM -0700, Owen DeLong wrote:
>
>>> *No* security gain? No protection against port scans from Bucharest?
>>> No protection for a machine that is used in practice only on the
>>> local, office LAN? Or to access a single, corporate Web site?
>>>
>>>
>> Correct. There's nothing you get from NAT in that respect that you do
>> not get from good stateful inspection firewalls. NONE whatsoever.
>>
>
> Arguably the instant hit of IP source anonymity you get with NAT is a
> security benefit (from the point of view of the user). Of course these
> days there are all sorts of fragment and timing analyses that will allow you
> to determine origin commonality behind NAT, but it's nowhere near as
> convenient as a public IP address.
>
> A non-NAT stateful firewall can't simulate that, you need high-rotation
> dhcp or similar to get close. Although IPv6 privacy addresses rock :-)
>
> The argument can go either way, you can spin it as a benefit for the
> network operator ("wow, user activity and problems are now more readily
> identifiable and trackable") or you can see it as an organisational
> privacy issue ("crap, now macrumors can tell that the CEO follows them
> obsessively").
>
> NAT is still evil though, the problems it causes operationally are
> just plain not worth it.