casbooks.blogg.se

Is nat a firewall

Administrators feel more secure if their network topology is hidden from the outside. However, an attacker is only able to do harm if he has access to a device in the internal network.


Here comes the actual discussion concerning the “security” features NAT adds to a network. I always present a short description of common NAT “security” considerations and then refute it:

“NAT hides the internal network structure, which keeps my network more secure from attackers since they do not know which systems are available.” I have often heard this sentence.

With many Source-NATs and Destination-NATs, every intermediary firewall stores different IP addresses in its log files.


The usage of NAT has several disadvantages, mainly because it breaks the end-to-end communication model which is essential for proper IP connections. For example, IPsec host-to-host tunnels cannot be used with NAT, the FTP protocol (active mode) does not work, VoIP (SIP) has trouble, and any other peer-to-peer protocols do not work out of the box if they need to establish connections to each other independently. To overcome these disadvantages, a few changes to the protocols just mentioned have been proposed so that they can also be used through NAT devices, called NAT traversal, e.g., IPsec NAT-T (RFC 3947, 3948), passive FTP (RFC 1579, 2428), etc. (Refer to RFC 3027 “Protocol Complications with the IP Network Address Translator”.)

Furthermore, the usage of NAT adds a burden to all (network) administrators that have to configure and administrate it. For vast installations, configuring and debugging connections that traverse several NAT devices is really difficult.
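The log problem described above, as an added example that is not part of the original post: each NAT hop records a different 4-tuple for the same connection, so tracing a server-side log entry back to the real client means chaining the translation logs of every device. Device names, addresses and the log structure are constructed for illustration.

```python
from typing import NamedTuple

Flow = tuple  # (src_ip, src_port, dst_ip, dst_port)

class Xlate(NamedTuple):
    device: str
    pre: Flow    # 4-tuple as the device received it
    post: Flow   # 4-tuple after the device rewrote it

# Constructed translation-log entries, one per NAT hop (RFC 1918 / RFC 5737 addresses).
LOGS = [
    Xlate("fw-branch", ("10.1.1.20", 51000, "203.0.113.10", 443),
                       ("192.168.255.2", 40001, "203.0.113.10", 443)),  # source NAT
    Xlate("fw-core",   ("192.168.255.2", 40001, "203.0.113.10", 443),
                       ("198.51.100.7", 61234, "203.0.113.10", 443)),   # source NAT (PAT)
    Xlate("fw-dmz",    ("198.51.100.7", 61234, "203.0.113.10", 443),
                       ("198.51.100.7", 61234, "172.16.5.10", 8443)),   # destination NAT
    Xlate("fw-core",   ("192.168.255.9", 40001, "203.0.113.10", 443),
                       ("198.51.100.7", 61999, "203.0.113.10", 443)),   # unrelated flow
]

def trace_back(seen: Flow, logs=LOGS):
    """Walk from the 4-tuple a server-side device logged back to the original client.

    Returns the hops in client-to-server order. Simplification: real PAT ports are
    reused over time, so production correlation must also match on a time window.
    """
    hops, current = [], seen
    while True:
        # Ignore identity entries (pre == post); they would never terminate the walk.
        matches = [x for x in logs if x.post == current and x.pre != x.post]
        if not matches:
            return hops[::-1]
        if len(matches) > 1:
            raise ValueError(f"ambiguous translation for {current}; need timestamps")
        hops.append(matches[0])
        current = matches[0].pre

def addresses_per_device(hops):
    """Source address each device logged on arrival for the very same connection."""
    return {h.device: h.pre[0] for h in hops}

if __name__ == "__main__":
    hops = trace_back(("198.51.100.7", 61234, "172.16.5.10", 8443))
    for h in hops:
        print(f"{h.device:10} {h.pre} -> {h.post}")
    print("original client:", hops[0].pre[0])
```

If any one device in the chain does not log its translations, the walk stops there and the internal client cannot be identified from the server-side entry.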

  • If enterprises use the same private IPv4 address spaces, they need NAT if they want to communicate through VPNs with each other.
  • Since the IPv4 address space in the global Internet gets exhausted, sites with many hosts can access the Internet through one single IPv4 address if they use NAT.

Note that when I am using the term “NAT”, I am usually referring to NAT with port translation, called PAT, NAPT, NAT overload, dynamic NAT, IP masquerading, many-to-one NAT, or the like. (You should already know this part when reading this post.)

In my job I frequently discuss with people why they use NAT or why they believe that NAT adds any security to their networks, mainly some obscurity as NAT (PAT) hides the internal network structure. However, NAT does not add any real security to a network while it breaks almost every good concept of a structured network design. To emphasize this thesis, here is a discussion.





