Comment by tsimionescu

1 month ago

> No. It isn't. And if you enable NAT without firewall rules, it will happily expose your internal network to external actors. In fact, that's the whole point of NAT.

How exactly would a regular NAT implementation, such as a consumer router's NAT, remove security compared to a direct connection? Assuming there is no port forwarding configured, the NAT will drop (or NACK) any packets addressed to the router's IP on any port that doesn't correspond to a currently open connection.

Since the machines behind the NAT have RFC1918 addresses, remote actors will not be able to send a packet to them, other than by sending packets to the router's IP.

So, overall, a NAT box with no firewall rules configured still acts like a stateful firewall for remote attackers. It's true that attackers that have access to the WAN port of the router, such as someone infecting your ISP, can still send traffic directly to the RFC1918 addresses behind the router, and the router would deliver them (whereas with a firewall, those would also get dropped). So a firewall is still preferable, but the difference in security is actually quite low.

> In fact, not using IPv4 NAT is enormously more secure than using IPv4 NAT, assuming you're using RFC1918 addresses internally. Primarily because non-NATted RFC1918 addresses won't be forwarded by routers on the Internet (CGNAT notwithstanding).

This statement makes no sense. If you are not using NAT of some kind, and your machines only have RFC1918 addresses, then your machines can't access the Internet at all. Now, sure, that is quite secure - but you can get the exact same security by disconnecting the WAN port of the router, with the exact same effects - so this is quite irrelevant to the use-cases being discussed.

> How exactly would a regular NAT implementation, such as a consumer router's NAT, remove security compared to a direct connection? Assuming there is no port forwarding configured, the NAT will drop (or NACK) any packets addressed to the router's IP on any port that doesn't correspond to a currently open connection.

No one (at least not me) said anything about a "direct connection" (which I assume means using globally routable IPv4 addresses on your internal systems).

Nor did anyone say anything about not forwarding any ports. In fact, much of the discussion has been about how "secure" NAT is when forwarding ports, with some folks claiming that doing so is all you need. Or did you miss those 80-100 comments?

> This statement makes no sense. If you are not using NAT of some kind, and your machines only have RFC1918 addresses, then your machines can't access the Internet at all.

Exactly. That was my point. And if you add NAT without stateful firewall rules to limit access, your internal systems are exposed.

I tell you what: post the IP address/range of your home network, turn off the firewall you're using and just leave NAT enabled as it is right now and we can see for ourselves just how "secure" bare NAT is. What do you say?

Unsecured NAT (i.e., without, at a minimum, firewall rules limiting connectivity -- a default deny rule at least) is not secure at all.

I've said (now twice) what I had to say. Feel free to disagree (again) and/or downmod my post, but my decades of experience professionally implementing networks, and the security infrastructure which attempts to secure them, at the perimeter as well as at the LAN, server and endpoint, informs my opinion.

Don't agree? That's fine with me. It's no skin off my nose. I have no axe to grind with you or anyone else around this or anything else.

Have a good day.

Edit: Clarified the "Globally routable" addresses as IPv4.

  • I've explained before, in many threads, that pure consumer NAT, without a firewall, has exactly the same behavior as a consumer stateful firewall, except for two cases:

    1. The ISP is malicious/compromised, and sends packets with RFC1918 addresses on the router's WAN port.

    2. The router itself has admin services that are listening on public IPs (e.g. an HTTP server listening on 0.0.0.0 instead of 192.168.0.1), so it itself could be compromised from outside the ISP network.

    Except for these two points, there is no difference between the security characteristics of a consumer NAT and a consumer firewall:

    1. LAN machines can't be reached over the internet other than through the NAT, since a packet addressed to 192.168.0.7 from Google will not be routed by any ISP.

    2. When a packet arrives to the NAT with a destination IP set to the NAT public IP, the packet will not be delivered to any box on the LAN unless (a) its ports match an active connection from a LAN box, or (b) its destination port matches an explicit port forward rule an admin added.

    Case (a) above is exactly what a stateful firewall with a default deny rule does. Case (b) is also exactly the same, as if you explicitly open a port in this type of consumer firewall, it will allow any packet matching that port.

    Now, I wouldn't disable my firewall, because I don't trust that my consumer router is itself well enough secured, and I don't necessarily trust my ISP's network either. But this doesn't mean that my laptop would be exactly as secure sitting behind this router with no firewall as it would be if I disabled both firewall and NAT entirely and gave my laptop a publicly routable IPv4.
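As an added illustration (not written by anyone in this thread), here is a small Python model of the forwarding decision described in the first comment and in the two numbered lists above: a bare NAT box and a NAT box with default-deny stateful rules, fed the same packets on the WAN interface. The addresses, ports, conntrack entries and port-forward rule are constructed, and the model assumes the firewall's default deny also covers traffic to the router's own admin service (case 2).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed topology using documentation address ranges, not real hosts.
WAN_IP = "203.0.113.10"            # the router's public (globally routable) IPv4
ROUTER_LAN_IP = "192.168.0.1"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Router:
    firewall: bool                    # True: NAT plus default-deny stateful rules on WAN
    admin_bind: str = ROUTER_LAN_IP   # "0.0.0.0" models case 2: admin UI reachable on WAN_IP
    admin_port: int = 80
    port_forwards: dict = field(default_factory=dict)  # wan dport -> (lan ip, lan port)
    conntrack: dict = field(default_factory=dict)      # (remote ip, remote port, wan port) -> (lan ip, lan port)

    def lan_to_wan(self, lan_ip, lan_port, remote_ip, remote_port, wan_port):
        """A LAN host opens a connection; NAT records the translation it chose."""
        self.conntrack[(remote_ip, remote_port, wan_port)] = (lan_ip, lan_port)

    def wan_inbound(self, src, sport, dst, dport):
        """What happens to a packet arriving on the WAN interface."""
        # Case 1: a packet addressed straight to an RFC1918 host shows up on the WAN side
        # (only something on the ISP side of the router can inject this). Bare NAT routes it
        # onto the LAN; a firewall with default deny on WAN drops it.
        if any(ip_address(dst) in net for net in RFC1918):
            return "drop" if self.firewall else f"deliver {dst}:{dport}"
        if dst != WAN_IP:
            return "drop"                 # not addressed to us and no route for it
        # Case (a): matches a connection a LAN host opened; both devices deliver
        if (src, sport, dport) in self.conntrack:
            return "deliver %s:%d" % self.conntrack[(src, sport, dport)]
        # Case (b): an explicit port forward rule; both devices deliver
        if dport in self.port_forwards:
            return "deliver %s:%d" % self.port_forwards[dport]
        # Case 2: the router's own admin service bound to all addresses. Assumption in this
        # model: the firewall's default deny also covers traffic to the router itself.
        if dport == self.admin_port and self.admin_bind == "0.0.0.0" and not self.firewall:
            return "router admin service"
        return "drop"                     # unsolicited packet to the public IP: both drop
```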