Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?

  • Snot Flickerman@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    18
    ·
    edit-2
    10 months ago

    EDIT: Quoting @[email protected] from elsewhere in the thread because they summed it up beautifully:

    NAT provides some security by sheer coincidence and not by design.


    NAT is not security.

    NAT is a stop-gap measure because there aren’t enough IPv4 addresses that exist in the world. NAT was created so multiple Local Area Networks all over the world could use the same IP numbers and not end up with IP conflicts.

    Way way way back in the early days of the internet, there were no LAN IP and WAN IPs You had your Wide Area Network (Internet) IP and that was it. Prior to NAT all devices were directly accessible via their WAN IP on the whole ass internet.

    To give you an idea, IPv4 came out in 1980 and it wasn’t until May of 1994 that the first RFC on NAT was published.

    IPv6 is a full replacement for IPv4 that has not been fully adopted despite being around for 20 years or so. It has something like 16 undicillion (I don’t recall, it’s a fucking massive number) existing IP numbers, so it could take a few generations for it to run out of address space.

    The thing is, it’s come full circle and IPv6 now is the same as IPv4 used to be and you can access a “local” IP directly from the wider internet and Network Address Translation is not needed in the routing setup at all. (I believe it’s called a Global Unicast Address, but it’s been a minute, so don’t quote me on that)

    I reiterate NAT was never meant as a real security measure as it is simply Security Through Obscurity at best.

    Further, it’s not even that obscure, NAT is often misconfigured meaning internal IPs and ports leak to the wider internet regularly.

    Obligatory South Park Ski Instructor:

    https://en.wikipedia.org/wiki/Network_address_translation

    https://en.wikipedia.org/wiki/Internet_Protocol_version_4

    https://en.wikipedia.org/wiki/Internet_Protocol_version_4#Address_space_exhaustion

    https://en.wikipedia.org/wiki/IPv6_address

    https://en.wikipedia.org/wiki/IPv6_address#Unicast_addresses

    • kevincox@lemmy.ml
      link
      fedilink
      English
      arrow-up
      8
      ·
      10 months ago

      it is simply Security Through Obscurity at best.

      I think this is a bit too strong. The bit about NAT that people associate with improved security is that it acts as a stateful firewall. This basically means that it allows outbound connections not inbound connections.

      A preventing inbound connections does provide a meaningful reduction in attack surface. No longer is every vulnerability scan on the internet going to probe your machine and it is going to be much harder for a remote attacker to get access.

      However there are two main flaws:

      1. Stateful firewalls are not perfect filters of incoming connections.
      2. Local devices still have full access to your device.