On Monday 27 December 2010 18:14:25 Tom H wrote:
On Mon, Dec 27, 2010 at 12:41 PM, Joe Zeff <joe(a)zeff.us>
wrote:
> On 12/27/2010 09:15 AM, Patrick O'Callaghan wrote:
>> Actually IIRC you have that the wrong way round. NAT was invented to
>> deal with address space exhaustion, and had the side-effect of hiding
>> machines behind the router.
>
> Before somebody steps in again to point out that NAT isn't a firewall,
> I'd like to give my perspective on it. If your router uses NAT and only
> forwards those ports you've told it to (and then, each port only goes to
> one machine) port scanners can't find your machines because nothing
> responds to their attempts to connect.
Oh, but the scanner *will* get a response, that's the whole point of port-
forwarding. A scanner sends out a bait, NAT forwards it to appropriate server,
the server responds, NAT forwards the response back to the scanner.
This way the scanner can find out about all your open ports on all servers
behind your NAT, by scanning only one machine (the one facing the internet).
This is actually an added benefit for the scanner, courtesy of NAT. :-)
> And, of course, even if you have
> malware trying to act as some sort of server it won't do any good unless
> your machine initiates the connection.
If malware has infected one of your machines, it typically *will* initiate the
connection (calling-home), and the NAT will do nothing to prevent
communication in that case.
> No, this isn't a firewall, but
> it's better than having your box sitting on the net completely exposed.
If you have a firewall (and you need one both with and without NAT), the
machine is never completely exposed. NAT doesn't add any security beyond the
firewall.
> Consider NAT as one layer of protection in a properly designed and
> implemented defense in depth.
As I heard somewhere, NAT is usually compared to Japanese paperwall, defense-
wise. IOW, zero protection.
NAT doesn't have anything to do with security.
In your example above, what's the difference between scanning your NAT
box for open ports and having them forwarded by the NAT box to a box
on your internal network or scanning a publicly accessible box on your
internal network directly?
The firewall's the only defense in both cases.
Well, there is a slight difference, which makes NAT even *less* secure than the
non-NAT solution. :-)
Namely, in the case of having several servers with public IPs behind a
firewall (i.e. no NAT), the attacker needs to know the IP of each particular
machine he wants to attack.
However, in the case of having several servers with local IPs behind a NAT
and a firewall (with appropriate port-forwarding to each server), the attacker
needs to know *only* your single public IP, and he can successfully attack all
of the servers behind a NAT through that one.
So, the attacker has a (slightly) easier job if you do have NAT than if you
don't. Other than that, there is absolutely no difference, and the firewall is
the only true line of defense, as you remarked.
Best, :-)
Marko
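As an added illustration of the port-forwarding argument in the thread (this is example code written for this page, not code from Marko, Tom or Joe): a toy model of a NAT router with three forwarded ports in front of three internal hosts. A scanner probing the single public address gets a banner back from every forwarded service, so it learns about all three hosts through one IP; only a filter on new inbound connections (the firewall, modelled here by the hypothetical `allow_new_inbound` callback) reduces that, and a LAN host that "calls home" opens a dynamic mapping that lets the reply straight back in regardless. All addresses, ports and banners are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


# Constructed LAN: three internal hosts, each running one service (host -> {port: banner}).
LAN = {
    "192.168.1.10": {22: "SSH-2.0-OpenSSH"},
    "192.168.1.11": {80: "HTTP/1.1 200"},
    "192.168.1.12": {443: "TLS ServerHello"},
}


class NatRouter:
    """Toy NAT: static port forwards plus a dynamic table for LAN-initiated flows."""

    def __init__(self, public_ip, forwards, allow_new_inbound=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards)                  # public port -> (lan ip, lan port)
        self.reverse = {v: k for k, v in forwards.items()}
        self.dynamic = {}                               # public port -> (lan ip, lan port)
        self.dynamic_rev = {}                           # (lan ip, lan port) -> public port
        self.next_port = 40000
        # Hypothetical firewall hook: decides only *new* inbound connections.
        # None means there is no firewall at all, just NAT.
        self.allow_new_inbound = allow_new_inbound

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the public IP and remember the mapping."""
        key = (pkt.src, pkt.sport)
        if key in self.reverse:
            pub_port = self.reverse[key]                # reply from a forwarded service
        else:
            if key not in self.dynamic_rev:             # new LAN-initiated flow
                self.dynamic_rev[key] = self.next_port
                self.dynamic[self.next_port] = key
                self.next_port += 1
            pub_port = self.dynamic_rev[key]
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """WAN -> LAN: return the translated packet, or None if it is dropped."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.dynamic:                   # reply to a flow the LAN opened:
            lan_ip, lan_port = self.dynamic[pkt.dport]  # 'established' traffic is admitted
        elif pkt.dport in self.forwards:                # new connection to a forwarded port
            if self.allow_new_inbound and not self.allow_new_inbound(pkt):
                return None                             # firewall says no
            lan_ip, lan_port = self.forwards[pkt.dport]
        else:
            return None                                 # nothing listens on the public side
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.payload)


def lan_host_reply(pkt):
    """An internal host answers if something listens on the translated port."""
    banner = LAN.get(pkt.dst, {}).get(pkt.dport)
    if banner is None:
        return None
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, banner)


def scan_public_ip(nat, scanner_ip, ports):
    """Probe the router's single public address; collect every banner that comes back."""
    found = {}
    for port in ports:
        probe = Packet(scanner_ip, 50000 + port, nat.public_ip, port, "SYN")
        inside = nat.inbound(probe)
        reply = lan_host_reply(inside) if inside else None
        if reply:
            back = nat.outbound(reply)
            found[port] = (back.src, back.payload)      # scanner only ever sees the public IP
    return found


def call_home(nat, infected_ip, c2_ip, c2_port):
    """A LAN host opens a flow outward; report whether the remote side's reply gets in."""
    out = nat.outbound(Packet(infected_ip, 51234, c2_ip, c2_port, "beacon"))
    reply = Packet(c2_ip, c2_port, out.src, out.sport, "reply")
    return nat.inbound(reply) is not None


FORWARDS = {22: ("192.168.1.10", 22), 80: ("192.168.1.11", 80), 443: ("192.168.1.12", 443)}


def demo():
    """NAT alone vs. NAT plus a firewall that admits new inbound connections only on 443."""
    nat_only = NatRouter("198.51.100.1", FORWARDS)
    seen_without_fw = scan_public_ip(nat_only, "203.0.113.9", [22, 80, 443, 8080])
    nat_fw = NatRouter("198.51.100.1", FORWARDS, allow_new_inbound=lambda p: p.dport == 443)
    seen_with_fw = scan_public_ip(nat_fw, "203.0.113.9", [22, 80, 443, 8080])
    beacon_reply_admitted = call_home(nat_fw, "192.168.1.11", "203.0.113.50", 6667)
    return seen_without_fw, seen_with_fw, beacon_reply_admitted


if __name__ == "__main__":
    without_fw, with_fw, beacon = demo()
    print("NAT only, ports answering on the public IP:", without_fw)
    print("NAT + firewall, ports answering:", with_fw)
    print("Reply to a LAN-initiated flow admitted despite the firewall:", beacon)
```

Running it shows the three points the thread makes: with NAT alone, every forwarded port answers through the one public address, so the scanner enumerates three separate internal hosts without knowing their addresses; adding a filter for new inbound connections is what shrinks that to the services you meant to expose; and the dynamic mapping created by an outbound flow admits the return traffic either way, so NAT does nothing against a host that initiates the connection itself.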