upvote

points

by NitpickLawyer5 hours ago |
comments
upvoteby throw0101a1 hours ago|
next
[-]
> I've only read that on HN, I've never heard this anywhere else.

Well-regarded networking architect, author, and instructor:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

> NAT works and passes the grandma test.

So does my Asus with a default deny IPv6 rule on incoming connections.

You're more likely to click on a link that installs malware that attacks your network from the inside, and that attack works regardless of IPv4 or IPv6.

Treating a firewall as some impenetrable moat has not been network security practice for a decade(+), and waving around RFC 1918 address space like systems with a 10.8 or 192.168/16 can't get infected is lazy thinking. It leads to complacency: I'm behind NAT, I'm safe.

reply
upvoteby kstrauser3 hours ago|
prev|
[-]
Grandma’s ISP can send RFC 1918 traffic to her router and likely be able to directly connect to every internal host. You should have learned in your CCNA training that NAT makes it harder to send inbound traffic to a system, but doesn’t by itself provide the filtering that a firewall does.
reply
upvoteby NitpickLawyer3 hours ago|
parent|
[-]
Right, I get that. I can see the ISP angle. But my question was specifically for outside attacks. Tangible, real-world threats in existing ISPs, reachable from the outside.
reply
upvoteby mlyle2 hours ago|
parent|
[-]
NAT was not designed as a security boundary. Sure, it may block some kinds of incoming traffic accidentally and as a side-effect disrupt some attacks.

But why would you rather have an always-broken network that might block attackers instead of a deliberate "deny incoming" rule that does exactly what you want -- and that you can punch holes in if desired?

Instead we have apps circumventing this accidental barrier with STUN, uPNP, etc with little/no oversight and we also regularly encounter brokenness.

reply