1

There is a website that blocked an ISP's subnet (because attacks came from that network).

The ISP gives its users only NAT'ed IP addresses, so the clients are getting 10.x.x.x IP addresses on their routers.

I asked the ISP to stop doing that (giving NATed IPs to the clients), or to use IPv6, or to phone the person who did the attacks to reinstall their desktop, since it's probably virus infected.

The ISP replied: It's a security precaution to use NAT.

Can somebody explain how NAT makes a network more secure? AFAIK NAT wasn't designed for security.

2 Answers

4

To my mind, though it's not false, it's not true, and anyone who claims it is without understanding why should be examined closely for signs of snake oil.

Way back in the early days, firewalls (when they existed) were simple packet-inspection devices. They'd make a decision about whether to forward or drop a packet based solely on characteristics of the packet itself. You might say "that packet comes from TCP port 80, it has the SYN and ACK flags set, so it is (most likely) a web server's response to an initial TCP connection attempt, so let it in."

A significant improvement in firewall security was the stateful firewall. This had a memory of traffic flows through it prior to the consideration of any given packet, which was used to inform the decision about that packet.

With a stateful firewall, you could instead say "that packet comes from TCP port 80, and the source address and port match the destination address and port of a TCP SYN packet that went through me about 75ms ago, so it is a web server's response to an initial TCP connection attempt that started inside my trusted network, so let it in." Or you could look at an ICMP echo-reply, and permit it only if it corresponded to a recent echo-request to a particular external server. And so on.

The thing about NATting firewalls is they are implicitly stateful. Because all traffic from inside to out must be rebadged with a new source address before the internet has any chance of replying to it, traffic can only flow from outside to inside if the firewall has a record of which particular internal machine recently sent out some traffic to generate the reply. If the firewall has no such record, it cannot rewrite the destination IP address of the inbound packet, because it won't have the faintest idea which internal address to rewrite it to.

So my feeling is that stateful firewalls are more secure than stateless firewalls, and all NATting firewalls are implicitly stateful. Of course, every other firewall I've seen in the last decade is statefully-capable as well, so as long as a non-NATting firewall wasn't very badly configured, it, too, offered similar security. I have never seen any analysis that suggested to me that NAT had any security advantages other than implicit statefulness.

MadHatter
  • 80,590
  • Yes completely true, however one is a list of rules to be managed and the other is a tickbox. People are lazy and make mistakes. What is technically happening is irrelevant, people are the weak link. – JamesRyan Oct 22 '14 at 08:10
  • I completely agree with the distinction, though if you have a lazy and incompetent person managing your firewall, you will have problems regardless of tickboxes. The same is probably true of such people managing your accounts system, sales process, and/or foul-water plumbing. To correctly use any technology, understanding and care are necessary. Any organisation that thinks a tickbox appliance will enable them to save money by ignoring this is sadly mistaken. – MadHatter Oct 22 '14 at 09:01
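The implicit statefulness described in the answer above, as an added Python sketch that is not part of the original post or of any real firewall: a stateless filter judges each packet on its own fields, while a NAT gateway can only deliver an inbound packet that matches a translation entry created by an earlier outbound packet. All addresses, ports and packets are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN", "ACK"})

def stateless_allow(pkt: Packet) -> bool:
    """Early-style packet filter: decides on the packet's own fields only."""
    return pkt.src_port == 80 and pkt.flags >= {"SYN", "ACK"}

class NatGateway:
    """Source NAT: rewrites outbound source to the public address and records
    the mapping; inbound packets are rewritten back only if a mapping exists."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.table = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (self.next_port, pkt.dst_ip, pkt.dst_port)
        self.next_port += 1
        self.table[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, key[0], pkt.dst_ip, pkt.dst_port, pkt.flags)

    def inbound(self, pkt: Packet):
        entry = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no internal host asked for this: nowhere to rewrite it to
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.flags)

def demo():
    """Constructed traffic: one legitimate web reply and one unsolicited SYN/ACK."""
    gw = NatGateway("203.0.113.5")
    syn = Packet("10.0.0.7", 51000, "198.51.100.9", 80, frozenset({"SYN"}))
    out = gw.outbound(syn)
    reply = Packet("198.51.100.9", 80, gw.public_ip, out.src_port, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("192.0.2.66", 80, gw.public_ip, 40001, frozenset({"SYN", "ACK"}))
    return {
        "stateless_reply": stateless_allow(reply),              # True
        "stateless_unsolicited": stateless_allow(unsolicited),  # True: looks like a reply
        "nat_reply": gw.inbound(reply),                         # delivered to 10.0.0.7:51000
        "nat_unsolicited": gw.inbound(unsolicited),             # None: no table entry, dropped
    }
```

The same effect is what a non-NATting stateful firewall achieves with an explicit "established/related" rule; the NAT box simply cannot avoid keeping that state.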
2

NAT is more secure because unless ports are specifically forwarded there simply is no route to the hosts behind it. A firewall that blocks by default can provide the same level so an argument against NAT is that it provides no extra security, however this assumes that a well managed firewall is there in the first place.

Pragmatically, dumping people with trojans behind NAT is probably somewhat effective and requires considerably less resources than trying to filter all of their traffic. Many things are good for uses other than their original intent. The internet is not ready for IPv6 so neither that nor calling people is really a viable solution. Also since IPv4 addresses are running out, address sharing through NAT is probably something that they are looking for excuses to use. (there is no incentive for them to invest in IPv6 when there is a cheaper alternative)

JamesRyan
  • 8,196
  • The Internet has been ready for IPv6 - and running it - for years. It's end sites that are often not ready. – Michael Hampton Oct 21 '14 at 12:36
  • @MichaelHampton A very small minority of the people and companies that use the internet (both user and server) are ready to use IPv6. Your pedantry does not change the fundamental facts. – JamesRyan Oct 21 '14 at 18:37