Security's Everyman

Sunday, February 25, 2007

Is NAT Security?

A few days back I posted about how cable ISPs should have NAT on their cable routers instead of just assigning a public IP directly to the PC that connects to the modem. Apparently many of you have taken that to mean that I believe that NAT is a security feature in itself. Well, I do believe that NAT does help to make you more secure, but IT IS NOT a security measure. I would not trust NAT alone to secure my PC. Neither would I trust a firewall alone to secure my network.

I believe that NAT has its place in securing a network, whether it is at home or at work. Would you rather have all of your endpoints assigned a public address or have them be "hidden" behind a NAT device and therefore not directly accessible from the internet? I've never heard of a private address being attacked from the internet unless either there is a vulnerability at the edge that is exploited or the user does something that gives the attacker access to the machine. If it is just "sitting there" it is pretty safe. A PC that has a public IP address that is just "sitting there" is open to attack.

Someone brought up the point that lots of NAT devices are running older, unpatched versions of Linux and that they are more vulnerable than a fully patched PC. That may be so, but most exploits are aimed at PCs and not home-based NAT devices. I still feel more comfortable with the extra layer that NAT gives me. No, I don't think it is a security measure in itself, but I do think that it is useful to "help" keep you more secure.
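The "sitting there" argument above, as an added sketch that is not from the original post: a toy port-translating NAT in Python. The addresses (RFC 5737 documentation ranges), the port numbers and the strict per-peer filtering are assumptions, and real home routers vary in how they filter.

```python
"""Toy model of a home port-translating NAT (constructed example, not a real device)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # assumed public address of the router (documentation range)


@dataclass
class Napt:
    # public port -> (private ip, private port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside host opens a connection: allocate a public port, record state."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (PUBLIC_IP, pub_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet hits the public address: forward only if it matches state."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # no mapping: unsolicited traffic has nowhere to go
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # mapping belongs to a different peer (assumed strict filter)
        return (priv_ip, priv_port)  # payload is not inspected at all


def demo():
    nat = Napt()
    results = {}
    # 1. PC behind NAT is idle; an outside host probes a few ports (constructed).
    results["idle_probe"] = [
        nat.inbound("198.51.100.7", 55555, port) for port in (135, 445, 3389)
    ]
    # 2. The user connects out to a server; its replies now reach the PC.
    _, pub_port = nat.outbound("192.168.1.20", 51000, "192.0.2.80", 443)
    results["reply"] = nat.inbound("192.0.2.80", 443, pub_port)
    # 3. A third party aims at the port that mapping opened.
    results["third_party"] = nat.inbound("198.51.100.7", 55555, pub_port)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The reply in step 2 is forwarded whatever it contains, which is the sense in which NAT helps but is not a security measure in itself.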

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.