Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?
NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.
The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.
Take for example this scenario:
You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.
Another scenario:
You want to play a video game with you and your friends and you’re going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friend’s IPs it will drop them. Though it is possible the game is exploitable and your friend’s are compromised.
Take for example malware has been known to spread via Minecraft.
Great explanation! I didn’t know anything, now I know something. 🙏
IPv6 usually have unique IP addresses (non-local) for every device in the network. does that mean it will malicious actors can target a device specifically inside a network?
Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.
Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.
As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.
I’d imagine that’s true for most people at home.
I haven’t setup an IPv6 network yet, but it’d have to physically traverse the packet through your router to reach the connected device still. I imagine a router would still be able to use it’s firewall to drop the packet before it gets sent to the endpoint device.
The global IPv6 address is usually not directly reachable from the internet for incoming traffic. There’s still the router with a firewall which blocks all incoming connections, so having an IP for each device doesn’t make a difference for security.
With IPv6 ports still have to be forwarded on consumer routers by default, the main difference is that it doesn’t have to be translated to a different IP.This also means I can have multiple hosts on my home network listening on the same ports, because their public IP’s are different.
EDIT: Quoting @Kid_Thunder@kbin.social from elsewhere in the thread because they summed it up beautifully:
NAT provides some security by sheer coincidence and not by design.
NAT is not security.
NAT is a stop-gap measure because there aren’t enough IPv4 addresses that exist in the world. NAT was created so multiple Local Area Networks all over the world could use the same IP numbers and not end up with IP conflicts.
Way way way back in the early days of the internet, there were no LAN IP and WAN IPs You had your Wide Area Network (Internet) IP and that was it. Prior to NAT all devices were directly accessible via their WAN IP on the whole ass internet.
To give you an idea, IPv4 came out in 1980 and it wasn’t until May of 1994 that the first RFC on NAT was published.
IPv6 is a full replacement for IPv4 that has not been fully adopted despite being around for 20 years or so. It has something like 16 undicillion (I don’t recall, it’s a fucking massive number) existing IP numbers, so it could take a few generations for it to run out of address space.
The thing is, it’s come full circle and IPv6 now is the same as IPv4 used to be and you can access a “local” IP directly from the wider internet and Network Address Translation is not needed in the routing setup at all. (I believe it’s called a Global Unicast Address, but it’s been a minute, so don’t quote me on that)
I reiterate NAT was never meant as a real security measure as it is simply Security Through Obscurity at best.
Further, it’s not even that obscure, NAT is often misconfigured meaning internal IPs and ports leak to the wider internet regularly.
Obligatory South Park Ski Instructor:
https://en.wikipedia.org/wiki/Network_address_translation
https://en.wikipedia.org/wiki/Internet_Protocol_version_4
https://en.wikipedia.org/wiki/Internet_Protocol_version_4#Address_space_exhaustion
https://en.wikipedia.org/wiki/IPv6_address
https://en.wikipedia.org/wiki/IPv6_address#Unicast_addresses
it is simply Security Through Obscurity at best.
I think this is a bit too strong. The bit about NAT that people associate with improved security is that it acts as a stateful firewall. This basically means that it allows outbound connections not inbound connections.
A preventing inbound connections does provide a meaningful reduction in attack surface. No longer is every vulnerability scan on the internet going to probe your machine and it is going to be much harder for a remote attacker to get access.
However there are two main flaws:
- Stateful firewalls are not perfect filters of incoming connections.
- Local devices still have full access to your device.
Security from what? Get a threat model.
A NAT will restrict connections from the internet, but won’t stop attacks from your local network. As your network grows, it might be a good idea to isolate shitty IOT devices (firmware is often full of holes), home internet and sensitive devices like cameras.
There are also issues like NAT hole punching and guessed port attacks that can get through NAT. This typically isn’t a major problem because actually getting a connection will be very difficult but if your NIC or kernel has a bug it may be possible to trigger it with a packet or two.
Removed by mod
This is true and typically called “Next Generation Firewall” or “Intrusion Prevention System”.
However, these have three disadvantages:
- They rely on signatures and many vendors only provide these with an active, costly subscription
- They add complexity and possible error sources and false positives.
- They require processing power and can easily reduce throughput by 90%.
These systems are quite common in enterprise scenarios, but AFAIK the exception in home labs and selfhosting environments.
As I understand it, NAT is a firewall with only a very basic configuration: allow all outbound and accept only established inbound. If you don’t expect to have any incoming connections and completely trust all your internal devices then its good enough.
However, if you start wanting to port forward for servers (SSH, FTP, video games) you need to poke holes in the NAT firewall and it has no additional configuration options to help you. The same goes for if you have internal (ex. IoT) devices that you don’t necessarily trust, there are no rules to block outbound traffic.
As I understand it, NAT is a firewall
NAT is not a firewall. NAT does not inspect packet payloads, it doesn’t do anything except attempt to route packets to where they are supposed to go. If the connection originates from outside or it is a ‘connectionless’ protocol, the NAT has no idea which internal IP to route to, so it drops the packet.
NAT provides some security by sheer coincidence and not by design.
There are several ways to evade NAT. Your router may or may not block those, on a case by case decision. You must know really well how it will behave to have any confidence that you are secure.
Or, in other words, NAT isn’t a security feature because it’s not built to provide security. It may be intentionally broken so your home network works better, and it may have obvious security flaws that nobody looked after. For network security, you should use something intended to give you network security.
Because you need a firewall to block and control traffic. Its the same way with vlans.
For incoming traffic on IPv4 only, NAT technically is fine. But it won’t block any outgoing traffic, and IPv6 doesn’t use NAT at all.
IPv6 can use NAT; there are some unfortunate souls out there whom are only getting a /128 (one address, basically) by their ISP, instead of a /64 or /48
and IPv6 doesn’t use NAT at all.
Not entirely true! It uses a type of NAT to translate IPv4 addresses into comparable IPv6 addresses.
For context for other readers: this is referring to NAT64. NAT64 maps the entire IPv4 address space to an IPv6 subnet (typically 64:ff9b). The router (which has an IPv4 address) drops the IPv6 prefix and does a normal IPv4 NAT from there. After that, you forward back the response over v6.
This lets IPv6 hosts reach the IPv4 internet, and let you run v6 only internally (unlike dual stack which requires all hosts having v6 and v4).
Will you let the fortune tell if your network is safe or not?
Why don’t configure your nftables, iptables, UFW, firewalld or whatever to be redundant? It’s not like it consumes much more resources from your system
Maybe there is an exploit to your router that enables the hacker to access your full network. Maybe there is a glitch in your router that bypass the NAT. Maybe someone can access other devices from another source rather than the router connection (for example, it connects properly into the service, but this service has a flaw that allow full control over your network).
If a device is connect to the internet, it is somehow vulnerable. The safest machine is that one disconnected from the internet and preferably turned off.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters IP Internet Protocol IoT Internet of Things for device controllers NAT Network Address Translation SSH Secure Shell for remote terminal access UDP User Datagram Protocol, for real-time communications
5 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.
[Thread #546 for this sub, first seen 26th Feb 2024, 16:15] [FAQ] [Full list] [Contact] [Source code]
You don’t know what your ISP-provided router does exactly. It may let some traffic through from the outside. It may get an over-the-air firmware update or config change at any time from your ISP. It definitely has well-known, unfixed vulnerabilities.
Also, if you rely on NAT, you have to have 100% trust in all devices that are inside your network.
deleted by creator
It actually kinda is. Is someone trying to sell you into a firewall?