Unless you’ve gone out of your way to disable the H.263 NAT ALG, NAT actually allows websites and other services to open either random ports on your machine (if using business firewalls) or ports on any device on your network (many consumer routers).
If your router allows you to disable SIP ALG and H.263 ALG, you should. If it doesn’t, well, maybe they’ve been patched? If you’ve applied a kernel firmware update to your router the last 1-2 years you may be safe (though not many vendors will bother updating the kernel when updating their routers). You’ll lose access to SIP phones and some video calling services over IPv4, but at least some Javascript on a random blog won’t be able to hack your printer.
This wouldn’t work with IPv6, as these two protocols just work with IPv6 (and IPv4, as it was designed). ALGs are hacks around protocols, rewriting packets to make all of the problems NAT causes go away.
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
Honestly, these days I have no idea. When I said “wouldn’t recommend” that wasn’t an assertion to avoid; just a lack of opinion. Most of my recent experience is with Cloud vendors wherein the problem domain is quite different.
I’ve had experience with most of the big vendors and they’ve all had quirks etc. that you just have to deal with. Fundamentally it’ll come down to a combination of price, support requirements, and internal competence with the kit. (Don’t undermine the last item; it’s far better if you can fix problems yourself.)
Personally I’d actually argue that most corporates could get by with a GNU/Linux VM (or two) for most of their routing and firewalling and it would absolutely be good enough; functionally you can do the same and more. That’s not to say dedicated machines for the task aren’t valuable but I’d say it’s the exception rather than rule that you need ASICs and the like.
It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?
The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.
The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.
This has a lot of security benefits.
Regardless, everything you said is sounds true to me.
Not really, though. It was never designed as a security boundary. You can “open” a UDP port by sending UDP packets to another host, and then that host can send UDP packets to you, for instance. Usually the IP addresses of the two hosts are exchanged through a third party, and that’s how STUN/TURN works in essence. Without this, you’d need to port forward every UDP connection manually, both incoming and outgoing.
NAT only protects you when you have hosts that only communicate along preset routes, but then a normal firewall will also work fine. It’s not like having a public IP means any traffic will actually go through, every modern consumer router has a standard deny all firewall. At best, it sort of hides what devices are sending the traffic.
Meanwhile, NAT has flaws breaking traffic (causing NAT slipstreaming risks, like I linked elsewhere). It also has companies like Nintendo instruct you to forward every single port to their device if you have connectivity issues. If that forward is not towards a MAC address, and your PC gets the IP your Nintendo Switch used to have, you’ve just disabled your firewall to play Animal Crossing.
If you want to, you can do NAT on IPv6. Every operating system supports it, even if it’s a stupid idea.
I still have to initiate the outgoing UDP. Are you talking about the specific case where any software running on my host can initiate it without me requesting?
In the instance of UDP handshakes yes, you need local software to initiate the connection on one of your devices somewhere (I highly doubt that your home router verifies the origin of those packets, so a hacked printer or IoT crap can open ports to your desktop no problem). Other problems are harder to solve.
NAT is great at what it does, but it does not guarantee security. It blocks straightforward attacks, but brings in tons of edge cases and complexity that sophisticated attacks can abuse. At the same time, the same security can be achieved using IPv6 and a firewall without all the complexity.
It’s a neat workaround that means you don’t need to mess with subnetting and routing tables when you do stuff like run virtual machines and when your ISP doesn’t offer IPv6. It was designed so larger businesses with 10 machines could access the internet without spending a lot of money on a /30, not to replace firewalls, and it still works well for what it’s designed to do.
You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.
Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.
If your home router blocked incoming connections on IPv4 by default now, then it’s likely to continue doing so for IPv6. At least, I would hope so. The manufacturer did a bad job if otherwise.
Why do you say NAT doesn’t make a network more secure?
Unless you’ve gone out of your way to disable the H.263 NAT ALG, NAT actually allows websites and other services to open either random ports on your machine (if using business firewalls) or ports on any device on your network (many consumer routers).
If your router allows you to disable SIP ALG and H.263 ALG, you should. If it doesn’t, well, maybe they’ve been patched? If you’ve applied a kernel firmware update to your router the last 1-2 years you may be safe (though not many vendors will bother updating the kernel when updating their routers). You’ll lose access to SIP phones and some video calling services over IPv4, but at least some Javascript on a random blog won’t be able to hack your printer.
This wouldn’t work with IPv6, as these two protocols just work with IPv6 (and IPv4, as it was designed). ALGs are hacks around protocols, rewriting packets to make all of the problems NAT causes go away.
More info on this here: https://www.armis.com/research/nat-slipstreaming-v2-0/
Thank you
This article is biased to selling you more F5 equipment but is a reasonable summary:
https://www.f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security
Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn’t recommend F5) instead of the implicit but not very good protections of NAT.
What would you recommend? I have a client with some pretty old hardware (FVS 318) installed that I suspect is causing some issues on their network.
Honestly, these days I have no idea. When I said “wouldn’t recommend” that wasn’t an assertion to avoid; just a lack of opinion. Most of my recent experience is with Cloud vendors wherein the problem domain is quite different.
I’ve had experience with most of the big vendors and they’ve all had quirks etc. that you just have to deal with. Fundamentally it’ll come down to a combination of price, support requirements, and internal competence with the kit. (Don’t undermine the last item; it’s far better if you can fix problems yourself.)
Personally I’d actually argue that most corporates could get by with a GNU/Linux VM (or two) for most of their routing and firewalling and it would absolutely be good enough; functionally you can do the same and more. That’s not to say dedicated machines for the task aren’t valuable but I’d say it’s the exception rather than rule that you need ASICs and the like.
It wasn’t designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?
The answer is that it doesn’t. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn’t outweigh other benefits of end to end addressing.
The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.
This has a lot of security benefits. Regardless, everything you said is sounds true to me.
Not really, though. It was never designed as a security boundary. You can “open” a UDP port by sending UDP packets to another host, and then that host can send UDP packets to you, for instance. Usually the IP addresses of the two hosts are exchanged through a third party, and that’s how STUN/TURN works in essence. Without this, you’d need to port forward every UDP connection manually, both incoming and outgoing.
NAT only protects you when you have hosts that only communicate along preset routes, but then a normal firewall will also work fine. It’s not like having a public IP means any traffic will actually go through, every modern consumer router has a standard deny all firewall. At best, it sort of hides what devices are sending the traffic.
Meanwhile, NAT has flaws breaking traffic (causing NAT slipstreaming risks, like I linked elsewhere). It also has companies like Nintendo instruct you to forward every single port to their device if you have connectivity issues. If that forward is not towards a MAC address, and your PC gets the IP your Nintendo Switch used to have, you’ve just disabled your firewall to play Animal Crossing.
If you want to, you can do NAT on IPv6. Every operating system supports it, even if it’s a stupid idea.
I still have to initiate the outgoing UDP. Are you talking about the specific case where any software running on my host can initiate it without me requesting?
Edit: apparently NAT is full of security bugs
In the instance of UDP handshakes yes, you need local software to initiate the connection on one of your devices somewhere (I highly doubt that your home router verifies the origin of those packets, so a hacked printer or IoT crap can open ports to your desktop no problem). Other problems are harder to solve.
NAT is great at what it does, but it does not guarantee security. It blocks straightforward attacks, but brings in tons of edge cases and complexity that sophisticated attacks can abuse. At the same time, the same security can be achieved using IPv6 and a firewall without all the complexity.
It’s a neat workaround that means you don’t need to mess with subnetting and routing tables when you do stuff like run virtual machines and when your ISP doesn’t offer IPv6. It was designed so larger businesses with 10 machines could access the internet without spending a lot of money on a /30, not to replace firewalls, and it still works well for what it’s designed to do.
Understood. CG-NAT has been so annoying, I would love for IPv6 to completely replace v4 ASAP
You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.
Edit: BTW–every time I see this response of “NAT can prevent external access”, I severely question the poster’s networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it’s the way home routers present the interface that leads people to believe the two functions are intertwined when they aren’t.
I didn’t mean prevent, just makes it harder by default. You can still open connections from within the NAT
Edit: I do admit to failing at accessing my IPv6 PC from my IPv6 phone
Edit2: apparently NAT is full of security bugs
If your home router blocked incoming connections on IPv4 by default now, then it’s likely to continue doing so for IPv6. At least, I would hope so. The manufacturer did a bad job if otherwise.
I figure the mobile carrier was blocking incoming connections to my phone. This was a couple of years ago, things might have changed since then.
Yeah, no. If remote hosts could not send traffic to hosts behind NAT almost nothing would work.
The hacks employed to make NAT work make security worse, not better.
You’re talking about NAT traversal? We do have control over which we apps we run though?
Edit: apparently NAT is full of bugs