Does NAT provide security?

Solution 1:

NAT allows a certain type of security, in that people outside of your network cannot initiate connections to the inside of your network. This cuts down on worms and other classes of malware. This helps some.

Things it doesn't help:

  • Other malware from the outside. Viruses, drive-by browser hijacks, trojans.
  • Any attack from the inside. If any computer is compromised internally, it has free rein on your other computers.

It is not a firewall.

  • Firewalls can block traffic both directions. This can help block malware from connecting to control computers, or downloading new code. But this needs to be configured.
  • Firewalls can be configured to log what they block; NAT isn't blocking anything, so there is nothing to log.
  • Firewalls can block specific IP addresses from attacking your network. NAT is pretty much all (you configure port forwarding to a server in your internal net) or nothing.
  • A good firewall can rate limit, mitigating some DoS attacks. NAT, still all or nothing.
  • Probably other cool stuff, since I haven't kept up with firewall cool features in a while.

So, you still need firewalls on all internal computers, because if anything is compromised, it can take over anything else in your network. Remember that terms like worms, viruses, trojans don't mean much anymore. Any malware can download a big payload and then use multiple attack vectors inside your network. IE zero day exploits can compromise one computer on your net, and take down it all.

So, the point is, it does provide a subset of security in a specific direction, but it doesn't mean you can be less secure about anything else. You still need to do best practices about everything else, so most people say it doesn't give any security, which is confusing because it does provide some.

Solution 2:

Primarily, NAT is a fix for the IPv4 shortage issue. As a side benefit it limits access to internal machines which provides a firewall-like function.

All the NAT routers I've used (home use only) have also had a firewall built in. If you decide not to NAT you still need a firewall because all your internal machines are exposed without one.

Solution 3:

NAT is not a security feature.

To prove this to yourself, visualize a NAT router without a firewall. Every external port that was used by an internal machine is simply left open.

A NAT setup like this would provide no security because anyone on the outside could just connect to your internal ports through the last external port you used.

As a matter of fact, UDP is already implemented like that because there is no connection for the NAT gateway to track. Okay, I lied a little bit because UDP is limited to receiving from the last IP that was sent to. But to scare everyone, back when NAT was new some vendors didn't get this right and the UDP ports were open to the world.

So what provides the actual security in a NAT gateway is not the NAT but is the stateful firewall.

The comments claiming that I am wrong keep confusing the firewall with the NAT operation. They have obviously never played with an older router (1998-ish) that simply assigned port mapping based on a packet trigger. These routers had no state tracking and no firewalling, yet they were implementing NAT. Without security. Which is my point.
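The contrast drawn in Solution 1 (NAT drops unsolicited inbound traffic but cannot block outbound, log, or rate-limit) and in Solution 3 (a port-mapped translator with no state tracking leaves the external port open to anyone) can be seen in a small simulation. The following is an added example, not code from any of the answers; it is a toy model, not a real router, and its addresses are constructed from the RFC 5737 documentation ranges. The `NatGateway`, `StatefulFirewall`, `Packet` and `Mapping` names are this example's own, and "stateful" is modelled as a per-mapping check that the external sender is an endpoint the internal host actually contacted (real devices differ in how strict this is).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class Mapping:
    internal: Endpoint                                  # private address:port behind the NAT
    external_port: int                                  # port allocated on the public address
    peers: Set[Endpoint] = field(default_factory=set)   # external endpoints the host contacted


class NatGateway:
    """Port-mapped NAT (hypothetical model). stateful=False forwards any inbound packet
    that hits a mapped port, whoever sent it (the 1998-era behaviour Solution 3 describes);
    stateful=True only lets an endpoint the internal host contacted send back through it."""

    def __init__(self, public_ip: str, stateful: bool, first_port: int = 40000):
        self.public_ip = public_ip
        self.stateful = stateful
        self.next_port = first_port
        self.by_internal: Dict[Endpoint, Mapping] = {}
        self.by_ext_port: Dict[int, Mapping] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an internal->external packet, creating a mapping on first use."""
        key = (pkt.src_ip, pkt.src_port)
        m = self.by_internal.get(key)
        if m is None:
            m = Mapping(internal=key, external_port=self.next_port)
            self.next_port += 1
            self.by_internal[key] = m
            self.by_ext_port[m.external_port] = m
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, m.external_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an external->internal packet; None means it was dropped."""
        m = self.by_ext_port.get(pkt.dst_port)
        if m is None:
            return None   # no mapping: unsolicited inbound has nowhere to go
        if self.stateful and (pkt.src_ip, pkt.src_port) not in m.peers:
            return None   # mapped port, but this sender was never contacted
        ip, port = m.internal
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)


class StatefulFirewall:
    """Firewall in front of the NAT with the abilities Solution 1 lists and NAT lacks:
    block outbound destinations, block sources, rate-limit a source, and log drops."""

    def __init__(self, nat: NatGateway, blocked_dst: Set[str] = frozenset(),
                 blocked_src: Set[str] = frozenset(), max_inbound_per_src: Optional[int] = None):
        self.nat = nat
        self.blocked_dst = set(blocked_dst)
        self.blocked_src = set(blocked_src)
        self.max_inbound_per_src = max_inbound_per_src
        self.inbound_counts: Dict[str, int] = {}
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip in self.blocked_dst:   # e.g. a known control server
            self.log.append(f"DROP OUT {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
            return None
        return self.nat.outbound(pkt)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip in self.blocked_src:
            self.log.append(f"DROP IN blocked source {pkt.src_ip}")
            return None
        n = self.inbound_counts.get(pkt.src_ip, 0) + 1
        self.inbound_counts[pkt.src_ip] = n
        if self.max_inbound_per_src is not None and n > self.max_inbound_per_src:
            self.log.append(f"RATELIMIT {pkt.src_ip} ({n} inbound packets)")
            return None
        delivered = self.nat.inbound(pkt)
        if delivered is None:
            self.log.append(f"DROP IN unsolicited {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
        return delivered


def run_nat_scenarios() -> Dict[str, bool]:
    """Constructed traffic: an internal host queries one server, then a stranger
    reuses the open external port, then a stranger probes an unmapped port."""
    host_query = Packet("192.168.1.10", 5000, "203.0.113.5", 53)
    results: Dict[str, bool] = {}
    for name, stateful in (("stateless", False), ("stateful", True)):
        gw = NatGateway("198.51.100.1", stateful=stateful)
        ext_port = gw.outbound(host_query).src_port
        reply = Packet("203.0.113.5", 53, "198.51.100.1", ext_port)
        stranger = Packet("198.51.100.77", 4444, "198.51.100.1", ext_port)
        unmapped = Packet("198.51.100.77", 4444, "198.51.100.1", ext_port + 1)
        results[f"{name}_reply"] = gw.inbound(reply) is not None
        results[f"{name}_stranger"] = gw.inbound(stranger) is not None
        results[f"{name}_unmapped"] = gw.inbound(unmapped) is not None
    return results


def run_firewall_scenario() -> Dict[str, int]:
    """Firewall + stateful NAT: outbound to a blocked (constructed) control address is
    dropped and logged; five probes from one source are rate-limited after three."""
    fw = StatefulFirewall(NatGateway("198.51.100.1", stateful=True),
                          blocked_dst={"203.0.113.66"}, max_inbound_per_src=3)
    c2 = fw.outbound(Packet("192.168.1.10", 5001, "203.0.113.66", 443, "tcp"))
    for i in range(5):
        fw.inbound(Packet("198.51.100.99", 1000 + i, "198.51.100.1", 40000))
    return {"c2_delivered": int(c2 is not None),
            "log_entries": len(fw.log),
            "rate_limited": sum("RATELIMIT" in e for e in fw.log)}


if __name__ == "__main__":
    for k, v in run_nat_scenarios().items():
        print(f"{k:20} {'delivered' if v else 'dropped'}")
    print(run_firewall_scenario())
```

Running it shows the two answers' points side by side: both translators drop the probe to a port nothing mapped (the "some security" of Solution 1), but only the stateful one drops the stranger who reuses the port the host opened (Solution 3's open-port problem); and only the firewall layer produces a log line, refuses the outbound connection to the blocked address, or rate-limits the probing source.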

Solution 4:

This topic is really interesting - thank you for asking Neth.

Here's my thought - NAT being a security feature is really a tangential benefit. Its main purpose is to share a single IP across multiple systems. There are situations like when you buy the cheaper Comcast internet, they only give you a single static IP address. That means to have multiple systems online simultaneously, your router has to manage them through NAT.

I appreciate the security fear of it, but everyone above is right - security is based on your firewall, not your NAT setup.

There are interesting/cool options to look into if security is your thing.

1) Do the basics first - check your router for firewall settings. If it doesn't have anything worthwhile, google it and see if you can flash it with DD-WRT (open source and bad a$$ router OS).

2) Abstract your IP address through (a) running anything private within a virtual machine on your system, (b) using a proxy server or service like the Cocoon add-on for FF, or (c) installing Tor.

This kind of thought can go on for a while, so I'll leave it at here for now. Godspeed in protecting yourself online.