Monday, January 09, 2017

NAT is a firewall

NAT is a firewall. It's the most common firewall. It's the best firewall.

I thought I'd point this out because most security experts might disagree, pointing to some "textbook definition". This is wrong.

A "firewall" is anything that establishes a barrier between some internal (presumably trusted) network and the outside, public, and dangerous Internet where anybody can connect to you at any time. A NAT creates exactly that sort of barrier.

What other firewalls provide (the SPI packet filters) is the ability to block outbound connections, not just incoming connections. That's nice, but that's not a critical feature. Indeed, few organizations use firewalls that way, it just causes complaints when internal users cannot access Internet resources.

Another way of using firewalls is to specify connections between a DMZ and an internal network, such as a web server exposed to the Internet that needs a hole in the firewall to access an internal database. While not technically part of the NAT definition, it's a feature of all modern NATs. It's the only way to get some games to work, for example.

There's already more than 10-billion devices on the Internet, including homes with many devices, as well as most mobile phones. This means that NAT is the most common firewall. The reason hackers find it difficult hacking into iPhones is partly because they connect to the Internet through carrier-grade NAT. When hackers used "alpine" as the backdoor in Cydia, they still had to exploit it over local WiFi rather than the carrier network.

Not only is NAT the most common firewall, it's the best firewall. Simple SPI firewalls that don't translate addresses have an inherent hole in that they are "fail open". It's easy to apply the wrong firewall ruleset, either permanently, or just for moment. You see this on internal IDS, where for no reason there's suddenly a spike of attacks against internal machines because of a bad rule. Every large organization I've worked with can cite examples of this.

NAT, on the other hand, fails closed. Common mistakes shutdown access to the Internet rather than open up access from the Internet. The benefit is so compelling that organizations with lots of address space really need to give it up and move to private addressing instead.

The definition of firewall is malleable. At one time it included explicit and transparent proxies, for example, which were the most popular type. These days, many people think of only state packet inspection filters as the "true" firewall. I take the more expansive view of things.

The upshot is this: NAT is by definition a firewall. It's the most popular firewall. It's the best firewalling technology.

Note: Of course, no organization should use firewalls of any type. They break the "end-to-end" principle of the Internet, and thus should be banned by law.


Unknown said...

You are right.
Be reminded that ipv6 is a world without a NAT need.
And we are arrived in 2017 and we should design applications that are not
security/mobile/offline first they should be ipv6 first.

Dean Bushmiller said...

Your definition of firewall is incorrect. Firewall is anything that enforces a security policy of an organization. The only way that you were definition would be correct if there was no security policy.

NAT is not a firewall.

Where did you get your definition of a firewall?

Willie said...

I wrote a small piece explaining why NAT is NOT a Firewall.

Yury Schkatula said...

According to ipv6 mentioned by @Unknown, I'd like to remind that nothing forbids NAT. You can play in flat network model, you can hide some segments behind NAT or any other IP translation mechanics. Choice is yours.

Richard Hendriks said...

I suggest you follow Sans SEC511 and then rephrase your article, maybe i can then agree.. Else it just is nonesence. The best firewall implementation finds is a layered defence strategy, where nat/ napt also finds its part. But alone you almost have no security and you will be hacked.

Nicholas Partridge said...

Per Wikipedia, "a firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules". NAT itself is nothing more than an address translation mechanism. True, a typical home router using NAT will have some inherent security benefits for the devices behind the NAT, but it does not apply any security or access control policy to the public IP itself. The IP that is NAT'd (typically a public IP) allows unrestricted access from the internet by default. It is just assigned to the router directly which is (hopefully) not running any publically facing service that is exploitable.

NAT used as a security mechanism is a crutch. With the proliferation of IPv6, we are moving towards a world where NAT will no longer be a requirement. In this case, actual security policies become more important. Remember, we are only using NAT, in the standard home user context, due to the scarcity of IPv4 addresses. It's better those outside InfoSec learn to distinguish between NAT and other IP manipulation and actual security policies.

Eddy said...

NAT does not allow inbound packets that do not match up with an outbound packet. It certainly does not allow "unrestricted access from the internet." It is not the public IP that is NATed, it is the private IPs that are NATed.