6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

NAT: A False Sense of Security
By William "Scott" Beall
Systems Analyst and Network Administrator,
Innofone.com, Inc.


An Argument Against NAT's “Security through Obscurity”
One of the main arguments against the deployment of IPv6 is that we would lose the “security through obscurity” that Network Address Translation (NAT) claims to provide. These opponents claim that NAT provides security through the use of private addressing behind NAT devices. I disagree: NAT, in itself, provides no security, it restricts and limits the usability of the devices behind it, and it gives a false sense of protection. The NAT I will be discussing is the many-to-one, port-overloaded NAT used in commonly found home networking routers, also known as Network Address Port Translation (NAPT) or Port Address Translation (PAT): many inside computers share one public address, and the router tells their traffic apart by rewriting port numbers.

In the first five years of public access to the Internet (1992 to 1996), most users and applications did not need to provide for inbound connections. Internet providers even frowned upon this type of access. If you did need these services, you would usually purchase space on a dedicated server that had a static Internet address. Many people only had one shared computer at home, and few other devices needed to access the Internet. In the next five years (1997 to 2001), a revolution occurred — widespread use of the Internet by all industrialized nations, telecommuting, and distributed file sharing emerged, along with the affordability of personal computers and networking devices. This led to a computing boom, where many houses now have more than one computer connected to the Internet. Address allocation became more restrictive, and the movement to conserve Internet addresses occurred. Now we are nearing the 15th year of public Internet use, and the advances in distributed computing, mobile technology, and computer use in common household items have exponentially increased the demand for inbound Internet connectivity. IPv6 provides the inbound connectivity, the ability to authenticate and identify friends and foes, and will allow ubiquitous computing.

NAT – Under the Guise of Security
NAT allows multiple computers outbound access to the Internet through one allocated Internet address. It allows incoming requests, based on the destination port, to reach a service located on only one computer behind it. Its popularity emerged from users' need to connect multiple computers outbound to the Internet. Inbound connections are severely restricted and are done through a limited port mapping table in the device. Manufacturers claimed that outbound connections were more common than incoming connections and that the restriction of incoming connections was a security feature. To me this is not a feature; it is a restriction on the user that prevents full access to his or her computers via the Internet.

Internet service providers helped perpetuate this myth by denying end users the ability to run their own web and mail servers. Various reasons were given for these restrictions:

  1. The users do not have enough knowledge of how to control their computers.
  2. It is a security risk to the ISP itself.
  3. Mail ports may be used for spam.
  4. The ISP cannot control content on the servers not in their direct control.

When you purchase a connection to the Internet, common service ports are often blocked by the Internet provider. Internet addresses were predicted to run out, and the Internet Corporation for Assigned Names and Numbers (ICANN) and the regional registries tightened address allocation policy to conserve them. Static Internet addresses became a valuable commodity, and Internet service providers charge extra for one. If you want multiple static addresses, you will have to purchase a business account. In ideal address allocation, every device that connects to the Internet has its own Internet address and does not share an address with other devices. IPv6, with its 128-bit address space, was designed precisely to solve this address shortage.

NAT, dynamic DNS services, and various other programs allowed clever users to bypass the restrictions set upon them by the ISPs, so NAT became a commonly used device. As NAT spread, users found that they could not reach many of their computers behind these devices and started claiming that putting devices behind a NAT effectively limited access to those devices; they believed this was a form of security. Resistance to change (which is well documented and studied in the recent literature on change management) has generated excuse after excuse against the need to transition to IPv6. “Security through obscurity” is one of the more popular of these excuses, and can commonly be heard.

NAT – Many to One, but Not Many to Many
NAT only allows inbound mapping to one computer per port. These mappings are configured by the user in the NAT device itself. If you run a web server behind a NAT, the requester connects to the NAT's public address, by default on port 80, and the NAT can direct that request to only one server. It is difficult, and in some cases impossible, to change the port requested by the client application. For example, web browsers make requests to port 80. You can specify the port at the end of the URL with a colon and a port number. So, if you wanted to connect to http://www.usipv6.com, it would by default go to port 80. You can manually specify the port number like this: http://www.usipv6.com:80, and it will go to the same place. But to configure access to a second computer, you would have to run that server on a different port (or have the NAT translate the port), put a port mapping into the NAT device, and then tell your users to manually input the port number at the end of the URL, or to reconfigure their client, every time they wanted to reach the resource on that server. The new URL would look like this: http://www.usipv6.com:8086 (note that there is no server running at this address on this port number, and you will not reach anything).


Illustration showing how NAT only allows one inbound path per port.

Figure 1 – NAT only allows mapping to one computer per port, and limits your ability to map more than a handful of devices.

For example, suppose an organization wants to run a distributed file sharing service on multiple computers behind a NAT gateway, using port 6346 (Gnutella), and have all of these services accessible from the Internet. With commonly found NAT devices this is not possible on the application's default port: public port 6346 can be forwarded to only one inside computer. More complex configuration and administration would allow you to run the application on a different port on each computer and then assign each of those distinct public ports to a distinct computer in the NAT device, as long as there is room in its port mapping table and every client can be told to use the non-default port.

NAT, In Itself, Does Not Provide Security
The first personal NAT routers were low-featured devices. They had the ability to map 8 or 10 ports to up to 4 directly connected computers. These came with no firewall. Initial claims by the device makers touted some degree of security through obscurity due to the private, non-routable (RFC 1918) addresses assigned to each connected computer. This was not the case. Computer criminals, spyware authors and other unscrupulous programmers found ways to install unauthorized programs onto computers behind a NAT that would cause the computer to make outbound connections through the NAT; because a NAT must pass the return traffic of any session an inside host initiates, the attacker gets a full two-way channel, defeating the claim of security through obscurity. Improperly configured services that had been exposed to inbound connections also faced direct attack, and these quickly became targets of malicious worms. Default settings in commonly used operating systems helped perpetuate the problems.
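The two behaviours argued above, one inside computer per public port and free passage for anything an inside host initiates, can be seen in a small model of a port-overloaded NAT. This is an added illustration, not code from the article; the addresses (192.168.1.0/24 inside, 203.0.113.7 as the router's public address, 198.51.100.9 as a remote host) are constructed from documentation ranges, and the model assumes the router admits an inbound packet only if it matches a static port forward or the exact remote endpoint of an outbound session it has recorded. Real devices differ in how strict that check is, which only makes the point stronger.

```python
"""
Toy model of the port-overloaded NAT (NAPT) found in home routers.

Added illustration, not the article's code. Addresses are constructed from
documentation ranges. Assumption: an inbound packet passes only if it hits a
static port forward or matches the remote endpoint of a recorded outbound
session (endpoint-dependent filtering). Real routers vary in strictness.
"""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.7"  # constructed public address of the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAPT:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.forwards = {}  # public port -> (inside ip, inside port); static, user-configured
        self.sessions = {}  # public port -> (inside ip, inside port, remote ip, remote port)
        self.by_flow = {}   # (inside ip, inside port, remote ip, remote port) -> public port

    def add_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static port map. A public port can point at only ONE inside host."""
        if public_port in self.forwards:
            raise ValueError(
                f"public port {public_port} is already forwarded to {self.forwards[public_port]}")
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: always passes, and creates a return mapping."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.sessions[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: returns the translated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.forwards:
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        flow = self.sessions.get(pkt.dst_port)
        if flow and (pkt.src_ip, pkt.src_port) == (flow[2], flow[3]):
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        return None


def demo() -> dict:
    nat = NAPT(PUBLIC_IP)
    out = {}

    # 1. Two web servers inside, both on port 80. Only one can own public port 80.
    nat.add_forward(80, "192.168.1.10", 80)
    try:
        nat.add_forward(80, "192.168.1.11", 80)
        out["second_server_on_80"] = "accepted"
    except ValueError:
        out["second_server_on_80"] = "rejected"
    # The workaround from the article: a non-default public port (8086 here).
    nat.add_forward(8086, "192.168.1.11", 80)
    out["port_80_lands_on"] = nat.inbound(Packet("198.51.100.9", 51000, PUBLIC_IP, 80)).dst_ip
    out["port_8086_lands_on"] = nat.inbound(Packet("198.51.100.9", 51001, PUBLIC_IP, 8086)).dst_ip

    # 2. Unsolicited inbound to a port with no mapping is dropped: this is the "obscurity".
    out["unsolicited_445"] = nat.inbound(Packet("198.51.100.9", 51002, PUBLIC_IP, 445))

    # 3. Malware on an inside host connects OUT; the reply comes straight back in.
    beacon = nat.outbound(Packet("192.168.1.12", 3333, "198.51.100.9", 6667))
    reply = nat.inbound(Packet("198.51.100.9", 6667, PUBLIC_IP, beacon.src_port))
    out["c2_reply_reaches"] = reply.dst_ip if reply else None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model drops the probe to port 445 only because nothing has been mapped there; the moment an inside program opens a connection out, the router builds the mapping itself and the remote side talks back through it unchallenged. That is the whole of the "security" NAT offers.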

Illustration showing how infected computer behind NAT can result in entire network breach
Figure 2 – Infected computer has access to all other computers on the network segment.

Current NAT devices usually have a small 5-port physical switch and a wireless interface that can connect upwards of 50 devices to a single public IP. Once the manufacturers realized that private addressing alone was not a security feature, they started to include a firewall in the NAT device. Configuration became more complex. With the addition of the wireless interface, and the inability of many users to configure the devices, NAT routers became open wireless gateways to the Internet for anyone with a wireless device. A new type of intruder emerged. Criminals quickly realized how to access these open wireless networks, and used the improperly configured NAT devices to reach the Internet without the owners' permission. This left the connection owners liable for the illegal acts originating from their Internet connection. Does this sound like effective security through obscurity?


Illustration of unauthorised wireless access by using poorly configured NAT

Figure 3- Unauthorized Wireless Access to your network is common. Hackers appear to be coming from your network.

NAT advocates can argue that the manufacturers quickly changed the default settings to prevent many of these occurrences, but if you look at the history of the security protocols used in wireless devices (WEP, for example), you can see that attackers quickly found ways to defeat them. This led to the need for stronger encryption and better security. Since configuration became more complex, many users still will not take the time to properly configure their wireless devices. A University of Washington class mapped Seattle access points and generated maps showing detailed status information, secured or unsecured, on private wireless access points. The maps show a majority of wireless access points to be insecure and open to use by anyone. You can view these maps at: http://depts.washington.edu/wifimap/maps.html.

NAT is not a Firewall
As the number of security breaches has increased over the 14 years that the Internet has been publicly accessible, NAT manufacturers have now included firewalls in all currently available NAT routers. Viruses, worms, and Trojan horses have wreaked havoc on end users. If NAT were secure in itself, why have the manufacturers included firewalls in every single NAT device on the market? Why have spyware and malware risen to epidemic proportions, even though NAT devices are in widespread use? Security through obscurity must not have been enough!

Operating system manufacturers have had so many problems with their systems being insecure while connected to the Internet that all have added packet and port filtering firewalls to their new releases. Third party software manufacturers have taken advantage of this problem by creating firewalls that detect outbound activity and let the user decide whether a particular application may access the Internet; this is precisely the outbound traffic that a NAT passes without question. The most common application used to connect to the Internet is the web browser, and web browsers have given criminals a way into computers more than any other application. Browser manufacturers have found that clever hackers seem to be one step ahead of their security features; for every security hole they fix, hackers find two more. This further shows that NAT, in itself, is not security.

Ubiquitous Computing – Stalled By NAT
To get around the limitations of NAT, application developers have had to create applications that act as both client and server. These programs periodically announce their presence to other peers or to a central server, so that a mapping exists in the NAT through which they can be reached. In distributed supercomputing applications, programmers have had to take into account that many resources may be behind a NAT, so they created clients that poll a controlling server to tell it they are available. IPv6 opponents argue that these polls are small and insignificant. But, taken as a whole, they waste computing and network resources that could be used for better purposes. As hardware becomes more advanced, and individual components have their own network stacks, the need for ubiquitous access grows. For example, the Folding@Home protein folding project uses distributed computing to gain access to unused computer resources in an attempt to solve protein folding problems and find cures for disease. NAT puts an undue burden on the ability to allow inbound connections to any computer at any given time. Resources that we take for granted may be inaccessible behind a NAT. IPv6 will hopefully make such limitations a thing of the past.

Illustration showing IPv6 router with firewall allows connections to any computer in the network.
Fig 4. IPv6 Router and Firewall Combination allows ubiquitous access to your network.

Firewalls, network routing, and IPv6
Security through obscurity is a misnomer: obscurity is not security. Criminals use scanning techniques that search for poorly configured devices. NAT performs no inspection, enforces no policy, and has no mechanism that prevents the commonly used techniques by which hackers penetrate insecure computers. The history of NAT devices proves this: originally made with no firewall, then made with a firewall but no wireless security, and now with advanced firewalls and stronger wireless security. As each generation of device is designed and brought to market, and as criminals find ways to defeat its security features, manufacturers continue to scramble to add new ways to protect the computers behind NAT devices.

In a secure network, administrators tightly control all aspects of access to services, to machines, to ports, and to applications. Initial network design usually entails configuring routers, VLANs, firewalls, and VPNs. One of the most important steps to securing a network is deciding what services will be available to the outside world and what services need to be protected. This is accomplished with a combined employment of firewall, network segmentation with routers, enforcement of security policy, antivirus protection, and restrictions that control and authorize access to a particular network.

Controlled network with IPv6 Router and Firewall, allowing access to two computers but denying a connection to one computer.

Figure 5. Controlled network with IPv6 Router and Firewall.


Security is a combination of policy and implementation. Any device connecting to the Internet will need a firewall to block unwanted incoming connections. All systems on the local network will need to be monitored, administered, and have security updates and patches installed on a regular basis. A properly configured IPv6 router and firewall will allow more accessibility with higher security than NAT. Careful control of resource access through the router is essential to security. In contrast to NAT, where inbound access is limited to one computer per port, a properly configured firewall can allow or deny access to ANY address, from ANY source, on any port, because every computer keeps its own globally routable address. With this in mind, your computing resources are under your complete control, to use as you like.
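The policy in Figures 5 and 6, explicit allow or deny per address and port plus stateful tracking of connections the inside hosts open, looks like the following small model. This is an added illustration, not code from the article or from any real firewall product; the addresses are constructed from the 2001:db8::/32 documentation prefix (2001:db8:1::/64 is the protected network, 2001:db8:2::/64 a trusted partner network), rules are evaluated first match wins, and anything unmatched is denied.

```python
"""
Toy model of the stateful IPv6 firewall the article contrasts with NAT:
every inside host keeps its own global address, and policy decides, per
address and port, who may reach it.

Added illustration, not the article's code. Addresses are constructed from
the 2001:db8::/32 documentation prefix. Rules: first match wins; default deny.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("::/0")
INSIDE = ip_network("2001:db8:1::/64")    # protected network (constructed)
PARTNER = ip_network("2001:db8:2::/64")   # trusted partner network (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int]  # None = any destination port
    action: str           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and self.dport in (None, pkt.dport))


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.established = set()  # 4-tuples of replies expected for inside-initiated flows

    def outbound(self, pkt: Packet) -> str:
        """Inside -> Internet: permitted, and the reverse tuple is remembered."""
        if ip_address(pkt.src) not in INSIDE:
            return "deny (spoofed source)"
        self.established.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        """Internet -> inside: known replies first, then explicit policy, then default deny."""
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.established:
            return "allow (established)"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny (default)"


def build_policy() -> StatefulFirewall:
    return StatefulFirewall([
        # Two public web servers on the SAME port 80: one rule each, no port juggling.
        Rule(ANY, ip_network("2001:db8:1::10/128"), 80, "allow"),
        Rule(ANY, ip_network("2001:db8:1::11/128"), 80, "allow"),
        # SSH to an admin host, only from the partner network.
        Rule(PARTNER, ip_network("2001:db8:1::20/128"), 22, "allow"),
        # A workstation that must never accept inbound connections (the denied host in Figure 5).
        Rule(ANY, ip_network("2001:db8:1::30/128"), None, "deny"),
    ])


def demo() -> dict:
    fw = build_policy()
    stranger = "2001:db8:ffff::1"
    out = {
        "web_a": fw.inbound(Packet(stranger, 50000, "2001:db8:1::10", 80)),
        "web_b": fw.inbound(Packet(stranger, 50001, "2001:db8:1::11", 80)),
        "ssh_from_partner": fw.inbound(Packet("2001:db8:2::5", 50002, "2001:db8:1::20", 22)),
        "ssh_from_stranger": fw.inbound(Packet(stranger, 50003, "2001:db8:1::20", 22)),
        "workstation_probe": fw.inbound(Packet(stranger, 50004, "2001:db8:1::30", 80)),
    }
    # The workstation may still browse out; only the reply to that exact flow is let back in.
    fw.outbound(Packet("2001:db8:1::30", 40000, "2001:db8:ffff::80", 443))
    out["reply_to_workstation"] = fw.inbound(Packet("2001:db8:ffff::80", 443, "2001:db8:1::30", 40000))
    out["other_probe_workstation"] = fw.inbound(Packet("2001:db8:ffff::80", 443, "2001:db8:1::30", 40001))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what NAT could not express: two servers reachable on the same well-known port, a service reachable from one source network and nobody else, and a host that is flatly unreachable while still able to browse out. The deny for the workstation is a decision the administrator made and can audit, not a side effect of a missing port mapping.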

Illustration showing how permitted users are allowed access to computers in the network, but unauthorized connections are denied.

Figure 6. Properly configured IPv6 Router with Firewall to allow authorized access to any computer while denying access to unauthorized users.

Computers must have personal firewall, antivirus and anti-spyware utilities, and up-to-date system security patches.

Summary:
NAT tries to hide devices behind non-publicly routable Internet addresses. As argued above, NAT has little security in itself. NAT severely restricts inbound access to computing resources while not preventing unauthorized access: anything an inside computer connects to can talk back through it. It has allowed many systems to be compromised through poor configuration or poor design. “Security through obscurity” is a misnomer. Good security is a combination of effective system configuration, routing, firewalls, and use policy. It is not a function of hiding in obscurity and hoping for the best; “hope” should never be a plan or policy.

IPv6 routing, on the other hand, has more configuration control features. The complete feature set of an IPv6 router and firewall allow much more control over the network than NAT devices can. As more and more end users have IPv6 connections, IPv6 routers and firewalls will replace these outdated NAT devices. Eventually this will lead to robust ubiquitous computing, and we will have security through tested and proven security methods — and will no longer be misled by claims of "security through obscurity."