Any given layer of security can be breached with expense and effort.
Breaching every layer of security at the same time is more challenging
than breaching any particular one of them. The use of NAT adds a layer
of security to the system that is not otherwise there.

Think of it like this: you have a guard, you have a fence and you have
barbed wire on top of the fence. Can you secure the place without the
barbed wire? Of course. Can an intruder defeat the barbed wire? Of
course. Is it more secure -with- the barbed wire? Obviously.

Bill-
In a security context, NAT/PAT only provides *obfuscation* of the internal numbering and source ports of the networks on the inside of the NAT/PAT device. "Security by obscurity" is a well-debunked maxim by now. Any perceived benefits that obscurity provides are gone as soon as the information attempting to be hidden can be discovered, or the methods by which it functions are known. It may slightly deter the lazy, but techniques to discover the otherwise 'hidden' numbering and port usage have existed for decades.