
I had an argument with someone on IRC about Network Address Translation. I was under the impression that NAT provided a layer of security to internal networks. I understand that's not the primary purpose of NAT, nevertheless, I can't really see how I could be wrong about that. Anyway, I got laughed at and mocked over it but never really got a straight answer as to how or why I was wrong. So does NAT really provide security? Or not?

voices
  • @WhiteWinterWolf It's not quite the same, please just let it ride. – voices Sep 17 '15 at 11:23
  • Could you update your question in order to highlight why the answers from the linked post do not answer your own question too? The point there was that while NAT firewalls indeed provide more security, it is solely thanks to their firewall role, NAT alone not providing any security. Reading again your question, this still seems to quite answer it in its current shape. – WhiteWinterWolf Sep 17 '15 at 11:36
  • @tjt263: I agree, it's hard to get straight answers to this one. But what about Tom Leek's answer to the question that Wolf linked? (I think that answer's reasonably straight.) – StackzOfZtuff Sep 17 '15 at 11:37

3 Answers

NAT is often misunderstood because in today's "office routers" there is as good as in every case a combination of NAT/PAT and a firewall, which isn't the same. Also, when you say NAT most people really mean NAT/PAT, which is a combination of Network Address Translation and Port Address Translation.

This means that the router which is providing NAT/PAT functionality is able to map a specific port on the external network to a specific host on a specific port in the internal network. This can provide some extra security by lowering the attack surface of the servers that otherwise could be scanned and attacked directly. Of course the forwarded services can be attacked anyway...

davidb
  • In office routers NAT is generally not used but only PAT, as there is only one external address to map requests, though this distinction is often lost even in papers, so let's as well. And NAT is not intended to be used to host services behind. Though possible with NAT override rules (I've seen them called "Virtual Hosts" in "office routers"). Normally services are hosted on machines (servers) which are not behind a NAT; to protect those machines a static/dynamic firewall is used. "Office routers" however want to make it easy for the user and offer a solution that combines both firewall and NAT. – Selenog Sep 17 '15 at 11:33

NAT does not provide security; it merely allows many private IPv4 addresses to use one public IPv4 address. It is not a security mechanism. It may provide some obfuscation of internal addresses and assets. But I still would not define it as a security layer.

RoraΖ
TheJulyPlot
  • That really sidesteps the point. The question isn't about how you would define it or why it exists in the first place. As I mentioned, I know that security isn't the intended purpose of Network Address Translation. I understand the reason for it. However, it prevents hosts in private networks from being directly addressable via the public internet, does it not? – voices Sep 17 '15 at 11:38

You must think this because NAT is used by a device, which can be a firewall, router or computer that sits between an internal network and the rest of the world. The one main reason to use NAT is the shortage of IP addresses, but I can't recall that security is another reason for using NAT.

S.L. Barth
Menuka Ishan
  • Welcome to Information Security Stack Exchange! I think this answer is a bit incomplete; you could improve it if you have an example of how NAT helps or hinders the security of a system (like @TheJulyPlot's point about obfuscation of internal addresses). – S.L. Barth Sep 17 '15 at 11:19
  • @Menuka Ishan No, I think that because NAT (or more accurately, RFC1918) prevents private hosts from being directly addressable via the public internet. – voices Sep 17 '15 at 11:19
  • @tjt263, no it doesn't. That's a firewall you're thinking of. NAT is often bundled with a firewall, but that doesn't make it the same thing. A perfectly valid (though silly) NAT strategy would be to broadcast to all internal addresses anything received externally. – Chris Murray Sep 17 '15 at 11:26
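To make the distinction in this thread concrete (davidb's port mapping in the first answer, and Chris Murray's "broadcast everything inward" NAT in the last comment), here is a toy PAT gateway written for this page; it is not code from any of the posters, and the addresses, ports and policy names are constructed. The translation table is the same in both configurations; only the policy for inbound packets that match no entry changes, and that policy, not the translation, is what decides whether an unsolicited packet reaches an internal host.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"                       # the gateway's single public address
INTERNAL_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PatGateway:
    """Many private hosts share PUBLIC_IP; flows are told apart by public port."""

    def __init__(self, unmatched_inbound):
        # Policy for inbound packets matching no translation entry (constructed names):
        # "drop" = the stateful-firewall role bundled into office routers; "broadcast" =
        # the 'silly but valid' NAT from the comments that hands the packet to every host.
        self.unmatched_inbound = unmatched_inbound
        self.table = {}      # public port -> (internal ip, port), learned from outbound flows
        self.forwards = {}   # public port -> (internal ip, port), static port mapping
        self.next_port = 40000

    def outbound(self, pkt):
        """Internal -> internet: rewrite the source to PUBLIC_IP:port and remember it."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> gateway: the packets actually delivered to internal hosts."""
        target = self.forwards.get(pkt.dport) or self.table.get(pkt.dport)
        if target:
            return [Packet(pkt.src, pkt.sport, *target)]
        if self.unmatched_inbound == "broadcast":
            return [Packet(pkt.src, pkt.sport, ip, pkt.dport) for ip in INTERNAL_HOSTS]
        return []  # "drop": the firewall, not the address translation, refuses it

def hosts_reached(policy):
    """Internal hosts reached by three kinds of inbound traffic under one policy."""
    gw = PatGateway(policy)
    gw.forwards[8080] = ("192.168.1.10", 80)  # davidb's external-port-to-host mapping
    reply_port = gw.outbound(Packet("192.168.1.11", 51000, "198.51.100.7", 443)).sport
    def deliver(src, dport):
        return sorted({p.dst for p in gw.inbound(Packet(src, 443, PUBLIC_IP, dport))})
    return {
        "reply_to_outbound_flow": deliver("198.51.100.7", reply_port),  # .11 only
        "forwarded_port_8080": deliver("198.51.100.9", 8080),           # .10, still exposed
        "unsolicited_port_22": deliver("198.51.100.9", 22),             # policy decides
    }
```

With `"drop"` the unsolicited packet reaches nothing and the forwarded service is reached exactly as davidb describes; with `"broadcast"` the same translation table lets it reach every internal host, which is why the thread attributes the protection to the firewall role rather than to NAT.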