In an earlier post I pointed out that we need to think of obscurity as a tool in network security — that we shouldn’t try to apply rules that are perfectly logical in terms of algorithms to networks as a system. While I’m not normally one to repeat myself, this topic needs a little more thought, specifically in the area of Network Address Translation (NAT). Let’s look at the common argument in a bit more detail. Quoting from the ISOC Deploy360 blog:
We can argue the merits of NAT, the end-to-end principle, and security until we’re blue in the face – and many have – but the reality is that NAT does not provide any real network security. Worse yet, it actually prevents many security measures and provides an additional attack surface for your network. The cause for much of this confusion stems from the fact that NAT requires state. By “state” I mean that the NAT device must remember which internal addresses to swap for which external addresses, and vice versa. This in turn means that any device performing NAT overload must act as a stateful firewall. … While the NAT may provide a bit of obfuscation, by hiding your internal addresses, it is really this stateful firewall function that protects your network from unwanted intrusion.
Before I start on my contrarian rant (I seem to be in a bit of a contrarian mood this week for some reason), a simple point — we need to stop saying “firewall” to mean “a magical security device that does everything.” Perhaps the problem is that NATs and stateful packet filters have been bundled onto firewalls for so long that people conflate the two, but stateful packet filtering and NAT really are two different things.
Now, back to the topic at hand… Okay — I will freely give you the point that NATs don’t block traffic coming into and out of your network. But this leaves me with a question that doesn’t seem to be answered anyplace.
Is filtering traffic the only security mechanism which exists in the real world?
In other words, are there no other useful security mechanisms in existence other than stateful packet filters?
It reminds me of standing in the wireless phone store picking up a new phone for my daughter. The salesman tried really hard to convince me of the security of the electronic side of the lock system that ties to your cell phone. He actually did a good job. But then I asked, “how secure is the physical backup lock?” He went on for a while about how it was high quality, etc. Then I pointed him to this web page. And then this one. End of conversation.
Look, I’m all for agreeing that NATs don’t block packets. And I understand that layering violations in the IP stack make them a bit of a mess to deploy (BTW, isn’t it a bit suspicious that folks who do poor protocol design are running around screaming not to put NATs in the network because it makes life difficult? Pot, meet kettle).
And still, knowing all of this, I deplore the idea that security resides wholly and completely in stateful packet filters, and that all other security measures (including, or perhaps especially, NAT) are useless on their face because they aren’t stateful packet filters. And before you post yet another response about how much you hate NATs, or how they really don’t provide security, or how they’re not secure, remember this:
Stateful packet inspection isn’t security.
Encryption isn’t security.
NATs aren’t security.
Security is a mindset of using a set of tools, each in their proper place, to get a specific job done. Sometimes hiding things isn’t really useful. Sometimes it is. Sometimes encrypting or signing things isn’t useful (see BGPSEC). Sometimes it is. Use intelligence in deciding which tool is useful for what and in what situation, rather than jumping on the “NATs are evil” bandwagon. Yes, I know NATs don’t block packets. And yes, I know what sort of comments this second post on the same topic is going to receive.
But, really — can we please, please, please, stop treating security like it’s a set of magical algorithms and processes that will protect everything all the time without us needing to think, make tradeoffs, and use every tool at our disposal — including, at the right time, and in the right place, NAT?
And since I know someone is going to ask — there is one specific thing I think NAT is useful for: creating a situation where the network connection fails with an open circuit rather than a closed one (in door terms, a closed door rather than an open one).
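To make the quoted passage’s point that NAT overload requires state, and the fail-closed behaviour just described, concrete, here is a small constructed simulation of NAT overload (NAPT) added for this post; it is not code from the original post or from any NAT implementation. It assumes a single public address and endpoint-dependent filtering (real devices vary in their mapping and filtering behaviour, as RFC 4787 describes), so an inbound packet is forwarded only if an outbound flow to that exact remote endpoint created the mapping, and once the table is lost nothing inbound gets through.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # constructed example address (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """NAT overload with one public address and endpoint-dependent filtering."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (src, sport, dst, dport) -> allocated public port
        self.back = {}  # (public port, remote ip, remote port) -> (src, sport)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source and create state on first use."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: translate only if matching state exists, else None (drop)."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # no mapping: there is nothing to translate to, so the packet goes nowhere
        src, sport = entry
        return Packet(pkt.src, pkt.sport, src, sport)

    def flush(self):
        """Model state loss (reboot or idle timeout): existing flows now fail closed."""
        self.out.clear()
        self.back.clear()
```

The unsolicited packet from a different remote host is dropped only because of the endpoint-dependent filtering assumed here; a NAT with looser filtering would forward it, which is exactly why the stateful filter, not the translation, is what should be relied on.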