On Jan 12, 2011, at 7:23 PM, David Barak wrote:
I hesitate to venture into this thread, but while Owen is correct in the general case ("NAT qua NAT provides no more security than a stateful firewall"), there is a corner case in which security is improved via NAT. The case is that of an enterprise network which uses 1918 addressing for all internal hosts, and uses proxies or other bastions as middleboxes to relay outbound communication.
The security provided is that in the event of an accidental bridging of "inside" and "outside" networks (i.e. engineer plugged a cable between the wrong two switches), the hosts will not be able to initiate communication with Internet hosts. Additionally, this same resiliency to accidental bridging does mean that the enterprise has a smaller number of possible Internet-facing machines, and thus can spend the time and effort to make them more robust.
That benefit is not huge (and not relevant to the typical home user, who is not configuring a super-duper scanning proxy server), but it does exist, and it certainly fuels some of the pro-NAT feeling I've encountered among customers. David Barak Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
If you are proxying everything, then, there isn't any actual NAT. There are inside sessions and outside sessions. In that case, your security comes from the disconnected addresses and the proxy that sits in the middle interfacing every outside session with its related inside session. No packet is forwarded from inside to outside with only the address and port fields mangled. Each session is a separate and distinct interior and exterior session. There is a state machine between the internal client and the proxy server and a separate state machine between the external server and the proxy client. Separate sets of sequence numbers, etc. I am not denying that you may be able to get some additional isolation by having network numbers that aren't routable on the outside world if you don't have NAT. I'm saying that if you have NAT, it doesn't add to your security. Owen