
Following some of the comments on this question, I was curious about the security vulnerabilities of NAT. There are similar threads here and here but they discuss router vulnerabilities rather than NAT vulnerabilities directly.

So imagine I have a router directly connected to the internet; the router has no configuration not explicitly required for the operation of NAT. The router also has no direct vulnerabilities in the ports it might expose (i.e. it has a well-engineered HTTP interface with a strong password policy / lockout). There is also no port forwarding enabled on the router. Obviously it also has no wireless networking attached etc.

The only attacks that are possible are directly across the internet, and no traffic from behind the NAT device will visit a site controlled by you.

In this configuration, is there any way for an attacker to connect to a machine on the other side of the router?

I realise that this is a highly theoretical question and that security is never about attacking a single thing. Attacks are always about finding the weakest link in a system. However, without those theoretical questions we'd know the vulnerabilities we need to protect against.

(If I'm entirely honest though, this question is as much about saying 'prove it' to those who say that NAT provides no security at all)

As an extension to the above question, which of the rules above would need to be removed or adjusted to create a realistic attack vector?

Michael B
  • See http://security.stackexchange.com/questions/8772/how-important-is-nat-as-a-security-layer for an interesting discussion on this subject. – mti2935 Nov 01 '15 at 19:11
  • I did find that answer while researching this (I think it was that one that provoked the 'prove it' response). There are lots of answers (here and elsewhere) that say 'NAT doesn't provide any security...' and then have a proviso. It's like saying a firewall doesn't provide any security if you open all the ports. – Michael B Nov 01 '15 at 21:38

1 Answer


Since NAT allows only replies to outbound connections, no direct attacks from outside to inside are possible. But simple denial-of-service attacks are still possible. And while (D)DoS does not affect the inside network directly, it can lead to a denial of critical services which need access to the outside, like phone (VoIP) or smart home services.

> ...and no traffic from behind the NAT device will visit a site controlled by you.

At least if you use a browser behind such a firewall, this assumption is probably wrong, because you could simply include a link to a local IP address in an external website or make an external hostname resolve to an internal IP address. This is actually used in practice by Spotify and others for non-attack purposes, but can of course also be used for attacks to circumvent the same-origin policy or to compromise the router from inside.

Steffen Ullrich
  • I know this answer is old, but it makes a harsh generalization that NAT systems also perform stateful inbound firewalling. See https://security.stackexchange.com/a/8773/90657 – multithr3at3d Feb 19 '18 at 19:38
  • @multithr3at3d: NAT **as used in typical setups** (i.e. multiple private IPs inside, one or few public outside) must keep states of all outgoing traffic to match incoming traffic and rewrite it to use the internal IP addresses. Insofar they are implicitly a stateful firewall which only allows incoming packets for established outgoing connections. Sure, you could do explicit port forwarding or create some exposed host which gets all unmatched outside traffic, but these are things you have to explicitly do and where you knowingly expose these systems to the outside, bypassing the implicit filtering. – Steffen Ullrich Feb 20 '18 at 05:31
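
The implicit filtering discussed in the answer and its comments, modelled as a toy translation table; this is an added example, not code from the thread or from any router. The class and field names, the documentation-range addresses and the `strict` switch are assumptions: `strict=True` is the address-and-port-dependent filtering of RFC 4787, `strict=False` its endpoint-independent filtering, where any remote host can reach a port once a mapping exists.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"  # constructed documentation address (RFC 5737)

@dataclass
class Napt:
    """Toy port-translating NAT (hypothetical model: no timeouts, no ALGs)."""
    strict: bool = True    # True: only the contacted remote endpoint may reply
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)   # (proto, in_ip, in_port) -> public port
    in_map: dict = field(default_factory=dict)    # (proto, public port) -> (in_ip, in_port)
    peers: dict = field(default_factory=dict)     # (proto, public port) -> {(ip, port)}
    forwards: dict = field(default_factory=dict)  # explicit port forwards, empty by default

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside host sends a packet: create or reuse a mapping, record the peer."""
        key = (proto, src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        pub = self.out_map[key]
        self.peers.setdefault((proto, pub), set()).add((dst_ip, dst_port))
        return (PUBLIC_IP, pub, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Packet from outside to PUBLIC_IP:dst_port; returns inside target or None (drop)."""
        key = (proto, dst_port)
        if key in self.forwards:      # explicit exposure bypasses the state check
            return self.forwards[key]
        if key not in self.in_map:    # no state: there is no inside address to rewrite to
            return None
        if self.strict and (src_ip, src_port) not in self.peers[key]:
            return None               # mapping exists, but not for this remote endpoint
        return self.in_map[key]

if __name__ == "__main__":
    nat = Napt()
    print(nat.outbound("tcp", "192.168.1.10", 51000, "198.51.100.7", 443))
    print(nat.inbound("tcp", "198.51.100.7", 443, 40000))    # reply: translated
    print(nat.inbound("tcp", "198.51.100.99", 443, 40000))   # other remote: dropped
    print(nat.inbound("tcp", "198.51.100.99", 4444, 22))     # unsolicited: dropped
```

When auditing a real device, the two things this model makes visible are the ones to check: which filtering behaviour it implements, and whether anything (manual forwards, an exposed host) populates the forward table.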