this post was submitted on 24 Jun 2024
687 points (97.9% liked)

Programmer Humor

32400 readers
315 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 4 months ago (3 children)

Why do you say NAT doesn't make a network more secure?

[–] [email protected] 8 points 4 months ago (1 children)

This article is biased to selling you more F5 equipment but is a reasonable summary:

https://www.f5.com/resources/white-papers/the-myth-of-network-address-translation-as-security

Long story short is that NAT is eggshell security and you should be relying on actual firewall rules (I wouldn't recommend F5) instead of the implicit but not very good protections of NAT.

[–] [email protected] 1 points 4 months ago (1 children)

What would you recommend? I have a client with some pretty old hardware (FVS 318) installed that I suspect is causing some issues on their network.

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

Honestly, these days I have no idea. When I said "wouldn't recommend" that wasn't an assertion to avoid; just a lack of opinion. Most of my recent experience is with Cloud vendors wherein the problem domain is quite different.

I've had experience with most of the big vendors and they've all had quirks etc. that you just have to deal with. Fundamentally it'll come down to a combination of price, support requirements, and internal competence with the kit. (Don't undermine the last item; it's far better if you can fix problems yourself.)

Personally I'd actually argue that most corporates could get by with a GNU/Linux VM (or two) for most of their routing and firewalling and it would absolutely be good enough; functionally you can do the same and more. That's not to say dedicated machines for the task aren't valuable but I'd say it's the exception rather than rule that you need ASICs and the like.

[–] [email protected] 6 points 4 months ago (1 children)

It wasn't designed for a security purpose in the first place. So turn the question around: why does NAT make a network more secure at all?

The answer is that it doesn't. Firewalls work fine without NAT. Better, in fact, because NAT itself is a complication firewalls have to deal with, and complications are the enemy of security. The benefits of obfuscating hosts behind the firewall is speculative and doesn't outweigh other benefits of end to end addressing.

[–] [email protected] 1 points 4 months ago (3 children)

The main benefit of a NAT is that by default it prevents all external access to the hosts inside the network. Any port you have open is not accessible unless explicitly forwarded.

This has a lot of security benefits. Regardless, everything you said is sounds true to me.

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (1 children)

You can get exactly the same benefit by blocking non-established/non-related connections on your firewall. NAT does nothing to help security.

Edit: BTW--every time I see this response of "NAT can prevent external access", I severely question the poster's networking knowledge. Like to the level where I wonder how you manage to config a home router correctly. Or maybe it's the way home routers present the interface that leads people to believe the two functions are intertwined when they aren't.

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago) (1 children)

I didn't mean prevent, just makes it harder by default. You can still open connections from within the NAT

Edit: I do admit to failing at accessing my IPv6 PC from my IPv6 phone

Edit2: apparently NAT is full of security bugs

[–] [email protected] 2 points 4 months ago (1 children)

If your home router blocked incoming connections on IPv4 by default now, then it's likely to continue doing so for IPv6. At least, I would hope so. The manufacturer did a bad job if otherwise.

[–] [email protected] 1 points 4 months ago

I figure the mobile carrier was blocking incoming connections to my phone. This was a couple of years ago, things might have changed since then.

[–] [email protected] 1 points 4 months ago (1 children)

Yeah, no. If remote hosts could not send traffic to hosts behind NAT almost nothing would work.

The hacks employed to make NAT work make security worse, not better.

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

You're talking about NAT traversal? We do have control over which we apps we run though?

Edit: apparently NAT is full of bugs