
NAT in IPv4, real security or just obscurity...

By Dumphrey
I came across this article,
http://www.circleid.com/posts/nat_just_say_no/
and was immediately struck by a few issues.

1) A correctly configured firewall would indeed work instead of NAT, but many consumer grade firewalls are really just NAT boxes, not routers. Most now have some rudimentary packet filtering, but how many "average" users will configure them properly?
2) It seems to me (being paranoid again) that IPv6 allows too much tracking and identity to an individual machine to ensure privacy to the user. I know IPv6 includes a mechanism to change the specific identifier over time, but how often, and how difficult will this be to implement? Will it be enabled by default on all non-statically assigned addresses?

Do you all think NAT's only security is through obscurity? Or is the default lack of incoming initiated connections more of a basic packet-filter-like function?


Nat, for security?

by jdclyde, in reply to "NAT in IPv4, real security or just obscurity..."

I use NAT for connectivity.

You can have that single address at the firewall, and easily break it down by the port on which server it goes to.

It does add SOME security, in that only the forwarded port is exposed, so all other port exploits are null and void. Exposed ports are usually one of the biggest entry points on a server.

I don't see this as obscurity, but that is just me.

As for consumer grade, do you mean home/SOHO? They are sold as plain jane boxes, with limited options. Meant more for giving you connectivity than security.

People that expect security out of a $50 box deserve what happens to them, especially if they poke ANY holes in the firewall for NAT. They are only good as a "deny all" except connections initiated from the inside.


My humble take on the topic.

B-)
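To make the distinction the two posts above are circling concrete (Dumphrey's question of whether the lack of incoming initiated connections is just a packet-filter-like side effect, and jdclyde's point that a consumer box is only useful as "deny all" except connections initiated from the inside), here is a small simulation added by the editor; it is not code from either poster. It puts a toy NAT gateway, whose only inbound state is its translation table, beside a non-NAT stateful firewall whose default deny is written down as an explicit policy. The addresses, ports, the single port-forward and the symmetric-style mapping check are constructed assumptions; real NAT implementations differ in how strictly they match the remote endpoint.

```python
"""Toy gateway simulation (constructed example, not code from the thread).

Compares the inbound blocking a NAT gateway gives as a by-product of its
translation table with an explicit stateful "deny inbound unless the inside
host started it" rule set on a gateway that does no translation at all.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN


class NatGateway:
    """One public address; the translation table is the only inbound state."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = forwards or {}  # public port -> (inside ip, inside port)
        self.table = {}  # public port -> (inside ip, inside port, remote ip, remote port)
        self.next_port = 40000  # assumed starting point for allocated ports

    def handle(self, pkt):
        if pkt.direction == "out":
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            return ("FORWARD", Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, "out"))
        # Inbound: only a reply to a mapped flow or a static forward has anywhere to go.
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):  # assumed strict (symmetric) match
            in_ip, in_port = entry[:2]
            return ("FORWARD", Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, "in"))
        if pkt.dst_port in self.forwards:
            in_ip, in_port = self.forwards[pkt.dst_port]
            return ("FORWARD", Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, "in"))
        return ("DROP", None)  # no mapping: the packet is discarded as a side effect


class StatefulFirewall:
    """No translation; inside hosts are routable, so the deny must be explicit."""

    def __init__(self, allow_inbound=()):
        self.allow_inbound = set(allow_inbound)  # (inside ip, port) deliberately exposed
        self.flows = set()  # 4-tuples of connections initiated from the inside

    def handle(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return ("FORWARD", pkt)
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return ("FORWARD", pkt)  # reply to a connection the inside host started
        if (pkt.dst_ip, pkt.dst_port) in self.allow_inbound:
            return ("FORWARD", pkt)  # the one hole the administrator chose to open
        return ("DROP", None)  # default deny, stated as policy rather than implied


def run_scenario():
    """Drive both gateways through the same events and collect the decisions."""
    results = {}
    nat = NatGateway("203.0.113.10", forwards={8080: ("192.168.1.20", 80)})
    fw = StatefulFirewall(allow_inbound={("2001:db8::20", 80)})
    # 1. An inside client opens a connection; each gateway records state.
    _, translated = nat.handle(Packet("192.168.1.5", 51000, "198.51.100.7", 443, "out"))
    fw.handle(Packet("2001:db8::5", 51000, "2001:db8:ffff::7", 443, "out"))
    # 2. The server's reply comes back and is matched to that state on both.
    results["nat_reply"] = nat.handle(Packet("198.51.100.7", 443, "203.0.113.10", translated.src_port, "in"))[0]
    results["fw_reply"] = fw.handle(Packet("2001:db8:ffff::7", 443, "2001:db8::5", 51000, "in"))[0]
    # 3. An unsolicited inbound packet to port 22 has no state: both drop it.
    results["nat_unsolicited"] = nat.handle(Packet("198.51.100.99", 4444, "203.0.113.10", 22, "in"))[0]
    results["fw_unsolicited"] = fw.handle(Packet("2001:db8:ffff::99", 4444, "2001:db8::5", 22, "in"))[0]
    # 4. The one configured hole (port forward / explicit allow) is reachable on both.
    results["nat_forwarded"] = nat.handle(Packet("198.51.100.99", 4444, "203.0.113.10", 8080, "in"))[0]
    results["fw_allowed"] = fw.handle(Packet("2001:db8:ffff::99", 4444, "2001:db8::20", 80, "in"))[0]
    # 5. On the NAT box the forward lands on the inside host's port 80.
    results["nat_forward_target"] = nat.handle(Packet("198.51.100.99", 4445, "203.0.113.10", 8080, "in"))[1].dst_ip
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:20s} {decision}")
```

Both gateways drop the unsolicited packet and pass the reply, which is the sense in which NAT "adds some security": it is the same connection-state check a stateful filter makes, reached by a different route. The difference is that the NAT box discards the packet because it has no translation to apply, while the firewall discards it because a rule says so; once a port is forwarded or an allow rule is added, that port is equally exposed on either design, which is jdclyde's point about poking holes.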


I do mean home/SOHO boxes

by Dumphrey, in reply to "Nat, for security?"

but if we remove NAT, those devices will need to be that much more secure to prevent intrusion where NAT was helping before. And how good will a "point and click" interface for a firewall be? Good enough? All speculation really.

Also from a consumer end, NAT allows you to put as many devices on one IP as you care to. No NAT would open us up to bigger charges from the ISP for the same level of service we receive now since most charge by the IP provided (home customers).

[edit]

Now that I think about it, a single IP is all they would need to provide you, as the rest would be "built in" to the device/net card/computer connecting. That single IP would still be a gateway and would have to be configured to allow any incoming connections. So all IPv6 would really do is simplify tracking of a stream back to the exact machine behind your gateway.
