Is NAT a security feature?

15 years after NAT was invented, I’m still getting questions along the lines of “is NAT a security feature?” Short answer: NO!

Longer answer: NAT has some side effects that resemble security mechanisms commonly used at the network edge. That does NOT make it a security feature, all the more so because there are so many variants of NAT.

Basic NAT

Basic NAT (as defined in RFC 2663) performs just the IP address translation (one inside host to one IP address in the NAT pool). The moment the inside host starts a session through the NAT, it becomes fully exposed to the outside world: for as long as the translation exists, any outside host can reach it on any port.

When using static basic NAT (statically defined inside-to-outside IP address mapping), the inside host is exposed all the time.

Summary: Basic NAT provides no security.

Stateless NAT

Some IPv6-to-IPv4 (or IPv4-to-IPv6) NAT algorithms are stateless: the IPv6 address is computed from the IPv4 address with an algorithm (or from device configuration). From the security standpoint, stateless NAT is no different from static basic NAT (read: useless).

Network Address Port Translation (NAPT)

NAPT (also known as PAT) keeps a list of established sessions and uses it to translate addresses and ports in inbound and outbound packets. If a packet arriving on the inside interface matches no existing entry, a new entry is created; if a packet arriving on the outside interface matches no entry, it’s dropped.

There is no “standard” NAPT behavior. RFC 4787 describes various NAPT parameters; the ones most important to the security-related discussion are the Address and Port Mapping behaviors.

With Endpoint-Independent Mapping, the NAT translation table contains just the inside IP address and TCP/UDP port (the default behavior on most low-end devices). As soon as the inside host opens a session through the NAT, anyone on the outside can send TCP or UDP packets to the (translated) source port used by that host, and they will be forwarded to the inside host.

Cisco IOS usually implements Address and Port-Dependent Mapping: the NAT translation table contains the full 5-tuple (source and destination address and port, plus the L4 protocol).

A NAPT device using Address and Port-Dependent Mapping seems to behave like a stateful firewall, but it does not inspect the contents of the TCP/UDP session and does not check the validity of TCP headers. Its behavior is almost identical to the reflexive ACL feature.

Summary: NAPT does provide some packet filtering functionality. Static NAPT is identical to a simple packet filter (whatever is translated by the static NAPT rules is permitted).
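To make the difference between the variants above concrete, here is a small simulation added to this post (my own code, not from the original article or any vendor). It models static basic NAT, NAPT with Endpoint-Independent Mapping and NAPT with Address and Port-Dependent Mapping, and shows which one forwards an unsolicited packet from an unrelated outside host; all addresses and ports are constructed sample values.

```python
"""Toy model of the NAT variants described above (constructed sample addresses).
  "basic" - static basic NAT: 1:1 address translation, no per-session state
  "eim"   - NAPT with Endpoint-Independent Mapping (and filtering)
  "apdm"  - NAPT with Address and Port-Dependent Mapping (full 5-tuple)
"""
from typing import Optional, Tuple

INSIDE, OUTSIDE = "10.0.0.5", "198.51.100.1"   # constructed inside host / NAT address


class Nat:
    def __init__(self, mode: str):
        assert mode in ("basic", "eim", "apdm")
        self.mode = mode
        self.table = {}            # translation key -> (inside_ip, inside_port)
        self.next_port = 40000     # constructed outside port pool

    def _key(self, proto, ext_port, remote_ip, remote_port):
        # EIM keys the entry on the translated port alone; APDM on the full 5-tuple.
        if self.mode == "eim":
            return (proto, ext_port)
        return (proto, ext_port, remote_ip, remote_port)

    def outbound(self, proto, sport, dst, dport) -> int:
        """Inside host sends a packet; return the outside port it appears to come from."""
        if self.mode == "basic":
            return sport                    # address-only translation, port untouched
        if self.mode == "eim":
            # One outside port per inside (ip, port), reused for every destination.
            for key, inside in self.table.items():
                if key[0] == proto and inside == (INSIDE, sport):
                    return key[1]
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[self._key(proto, ext_port, dst, dport)] = (INSIDE, sport)
        return ext_port

    def inbound(self, proto, src, sport, dport) -> Optional[Tuple[str, int]]:
        """Outside packet for OUTSIDE:dport; return the inside target or None (dropped)."""
        # Like a real NAPT box, this matches only the tuple: no TCP flag or payload checks.
        if self.mode == "basic":
            return (INSIDE, dport)          # static 1:1 mapping forwards everything
        return self.table.get(self._key(proto, dport, src, sport))


def unsolicited_reaches_inside(mode: str) -> bool:
    """Open one session, then probe the mapped port from an unrelated outside host."""
    nat = Nat(mode)
    ext = nat.outbound("tcp", 51000, "203.0.113.10", 443)     # inside -> web server
    assert nat.inbound("tcp", "203.0.113.10", 443, ext) == (INSIDE, 51000)  # reply passes
    return nat.inbound("tcp", "192.0.2.77", 12345, ext) is not None  # scan from elsewhere
```

Only the 5-tuple variant drops the probe from the unrelated host; the other two forward it to the inside host, which is the whole point of the summaries above.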

Other considerations

While we definitely need firewalls and/or packet filters at the network edge, most of today’s attacks work at the application layer, using SQL injection or “Advanced Persistent Threats” such as sending an Excel or PDF file with a 0-day exploit to a click-happy user. For more details, please listen to the Packet Pushers Podcast Show 56 and Show 61.

Finally, I will not discuss the absurdity of the security-by-obscurity argument (Let's secure the network by hiding internal addresses with NAT). Please don’t even mention it in the comments.

10 comments:

  1. sorry for Slovenian joke, but I had to :) :) :)

    http://www.ljudmila.org/ciril/nato-nehvala/eu.jpg

    cheers, Jan

  2. Once in a while I read similar subjects claiming that NAT is not a security feature. The most useful & widely used NAT is NAPT. And you also came to the conclusion that NAPT is a basic FW. (at least, that's what I understood :))
    For Enterprise networks, without a doubt a FW is needed, but for a home network with a few computers, where budget & knowledge is limited, NAPT was quite a useful FW.
    I recently established dual stack @home and realized that suddenly I need a FW too.

  3. NAT is a "security" feature in another way: for SMEs that don't have PI address space, it prevents your existing ISPs from holding you hostage at renewal time. Renumbering even a 500-device network is expensive, and using private space and NAT makes that cost orders of magnitude smaller. So in IPv4 land, NAT "secures" choice of transit providers for those without PI address space.

    I managed a few painful renumberings during the late 1990s, and ISPs (especially incumbent telcos) used to use that renumbering cost as a lever during negotiations (which made you want to stop doing business with them even more!).

  4. As a security architect I find it interesting that the same type of discussion does not occur with split DNS. Both NAT and Split DNS are ways of breaking / avoiding the need for a single consistent address space or namespace across interconnected networks. This is often what needs to be done at the border between different security domains. I see NAT and Split DNS as design components that are used within Security Gateway environments to meet the requirements for interconnectivity; that does not make them security controls by themselves.

  5. "Finally, I will not discuss the absurdity of the security-by-obscurity argument (Let's secure the network by hiding internal addresses with NAT). Please don’t even mention it in the comments."

    I'm not very bright so please excuse me. Please please please explain why.

  6. You are bright, or you wouldn't be asking questions about networking security ;)

    It's a fair question, blog post coming in early January.

  7. NAT was invented to resolve the lack of real IP addresses; this address translation feature is now used as a security option.
    Translation of one to one, pool to one, and pool to pool is used for both real and private addresses.

  8. Listen man, it's simple. We won't adopt IPv6 until we have the same control and hiding of topology as NAT IPv4. No amount of fussy IETF talk will make that change. Give us NAT or get to work on IPv7. Don't like it? Well, that's too bad... Reality is what it is. Like prostitution and Cannabis, some things just will never go away no matter how much grumbling the powers that be do. NAT: we want it. I don't want my friggin printer, phone, router, switch and 3 terminals to have public addresses. I don't want people to see if I have 3 or 3000 computers. I want to control each machine, each port and switch ISPs ten times a day with no firewall editing.

    Replies
    1. Have you heard of ULAs and temporary addressing in IPv6? Your LAN devices don't have to be globally routable or reachable.

  9. Olduser hit it on the nose here about the need for NAT.

    Define security and tell me why NAPT is not a security feature? NAT makes you vulnerable to everything? Who taught you that? You know how many computers are saved from the blaster worm because they are behind a cheap router?

    The post should read: "NAT adds to your security by.. points 1,2,3. NAT is not a complete security solution because of points 1,2,3."

    Sounds like a consultant wrote this article.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.