Listed on

Why NAT is not a security mechanism

All too frequently I see articles that refer to Network Address Technology (NAT) as a security mechanism. Let us be clear NAT has nothing to do with strengthening security and an awful lot to do with weakening it.
So what does NAT actually do? It is a translation service that takes connection attempts from one IP address and maps them to another IP address. The secret sauce is that it manipulates the port numbers to keep different connections separate and maintains a database of these port changes. If this doesn’t sound strait forward - you would be right. It also always adds a path that did not exist before to services behind the NAT. Every extra path adds a security requirement for checking, and a complex translation mechanism increases the difficulty of checking that path.

So why do people confuse the NAT mechanism with a security mechanism? There are several reasons:
  1. Typically NAT is associated with the use of Private IP addresses and Un-routable ranges - arguably good for security because what you can’t talk to can’t leak. NAT provides a selective mechanism to connect the un-routable.
  2. Typically NAT is also deployed on a firewall. Firewalls selectively permit traffic - they allow security policies to be implemented.
  3. Finally, to use NAT traffic has to be routed to the NAT box concentrating traffic - a network topology that simplifies the implementation of security policies
The last two reasons (b and c) actually have nothing to do with NAT, they are separate security considerations. Reason (a) introduces a new complex mechanism that requires verification that connects things which were previously unconnected.

NAT is now a vital component in networking in IPv4 due to a shortage of non-private addresses, but in and of itself it is not a security technology, instead it is a networking technology primarily necessary to address a deficiency in address space. It is a non-trivial mechanism with several implementations - although it is essential in many circumstances it does not aid security.