Comment by tptacek

13 hours ago

The distinction you're trying to draw here, between exclusively using NAT to provide security, versus it being one component of a stack of network controls that could just as easily be replaced with others, isn't meaningful.

The point is that NAT was introduced as a kind of firewall. The PIX firewall was named by Network Translation, Inc., which was acquired as a security device --- and, indeed, the PIX was for many years the flagship security brand at Cisco.

I don't dispute that NAT is dispensable (though: dispensing with it in millions of residential prem deployments is another story altogether!), only that it's "not a security tool" --- it clearly is one, and a meaningful one (whether network snoots like it or not) in a huge number of networks.

> The distinction you're trying to draw here, between exclusively using NAT to provide security, versus it being one component of a stack of network controls that could just as easily be replaced with others, isn't meaningful.

That's not the distinction I, or TFA, set out to make.

It's not that NAT is a component of controls that could be replaced by others; it's a question of whether NAT was put in place for security, or whether it was always assumed you need an actual stateful firewall precisely because NAT was never intended or believed to provide meaningful security, even in the days of classful networking.

Not one of the references above makes the claim that NAT was intended to provide security on its own. That the PIX launched with actual firewalling capabilities does not bolster that NAT=security; it actually bolsters even further that NAT was never believed or intended to provide security.

To turn this back around at you: The distinction you're drawing that NAT could have provided "something better than nothing" in terms of security if appliances like the PIX hadn't always shipped firewalling from day 1 isn't meaningful.

  • The whole point of NAT firewalls is that the devices behind them don't have routable addresses. "Statefulness" improves the situation, but the translation itself provides a material control.

    • I suppose we fundamentally disagree that it's meaningful or material whether NAT can provide something the stateful firewalling has handled more completely since the first shipping implementation and that this defines what the purpose and introduction of NAT to the market was supposed to be.

    • Which, again, only helps you against attackers who are on the other side of a router you trust. Do you trust your ISP?