Why NAT isn't a security boundary

Every now and then I see this question come up, particularly when someone references the way ISC2's CISSP exam treats it. So why isn't NAT a security control? It can form a barrier, right? The answer is that it's not actually that simple. But first, some background.

What is NAT?

Network Address Translation (NAT) is a technique used to modify IP addresses, often changing them from a public address to a private one, though it can also handle conversions between private-to-private and public-to-public addresses. It can even work in reverse.

One of the primary uses of NAT is in environments like Demilitarized Zones (DMZs), where devices typically have private IP addresses but reside on a different subnet from the core network. This allows for efficient use of IP addressing, saving valuable public IP addresses while maintaining network security.

NAT is commonly implemented on firewalls and routers, helping manage the flow of data between different parts of a network and ensuring secure communication across various address spaces.

NAT comes in several types, each serving different purposes depending on how and where IP address translation is needed. Here are the most common types of NAT:

1. Static NAT (One-to-One NAT)

Static NAT creates a one-to-one mapping between a private IP address and a public IP address. This means that a specific internal device (with a private IP) always uses the same external (public) IP address when communicating with the outside world. This type of NAT is typically used when external access to a particular device is needed, such as hosting a web server or email server in a DMZ.

  • Use case: Hosting services like websites where a fixed public IP address is required.

In terms of security, this type of NAT places no restriction on the packets flowing through the router. It also hides nothing other than the private IP address in use, and the device in the DMZ is fully accessible unless it is limited elsewhere.

2. Dynamic NAT (Many-to-Many NAT)

Dynamic NAT maps a private IP address to a public IP address, but it uses a pool of available public IP addresses. When a device on the internal network tries to communicate with an external destination, the NAT device selects an available public IP from the pool to assign to the internal device. Once the session is complete, the IP address is returned to the pool for reuse.

  • Use case: Ideal when a network has more devices than public IP addresses available, but each device doesn't need a fixed public IP.

In terms of security, this type doesn't restrict any of the traffic either. Once translations are established they hang around, so there is the potential for a bad actor to reuse them. This threat is reduced somewhat by the public IP addresses in the pool changing over time.

3. Port Address Translation (PAT)

Also known as Overloading, PAT allows multiple devices on a local network to share a single public IP address. It works by differentiating each device's communication through unique port numbers, so the router can track the traffic associated with each internal device. PAT is commonly used in home networks and small businesses, where many devices share a single public IP address.

  • Use case: Home networks or small offices where many internal devices need internet access but only one public IP is available.

This is the type that most people have in mind when they think of NAT, and when they think it acts as a boundary. Yes, it is very good at obfuscating the ports in use, but the connections are still there and the mappings still hang around. Typically with this type of NAT, unless a firewall rule restricts inbound traffic to replies to connections that originated inside your network, you could be in for a bad time.

4. NAT Loopback (Hairpin NAT)

NAT Loopback, or Hairpin NAT, allows devices inside a network to access services using the public IP address that is exposed to the internet. This is particularly useful when you want to access internal servers via their public IP address, even from within the same network. This type of NAT ensures that traffic directed to the public IP of the device is correctly looped back to the internal network.

  • Use case: Accessing an internal web server using its public IP address from within the network.

5. Bidirectional NAT

Bidirectional NAT is the inverse of traditional NAT in the sense that it maps a pair of IP addresses and port numbers from private to public, and vice versa. This is useful when a network needs to establish two-way communication between two separate networks, or with an external service, while keeping the private addresses hidden.

  • Use case: In environments where secure, bidirectional communication with external networks is required, but the internal network needs to remain hidden.

Each of these NAT types serves a specific purpose and offers various levels of control over how private and public IP addresses are handled, ensuring efficient and secure communication across different networks.

So how long do these NAT translations stay for?

The duration of NAT translations depends on the type of NAT being used and the specific settings configured on the router or firewall. However, in general, NAT translations are temporary and exist only for the duration of an active session or connection. Here's a breakdown of how long they typically last for different types of NAT:

1. Static NAT

Static NAT creates a permanent one-to-one mapping between an internal (private) IP and an external (public) IP. These mappings remain constant and do not expire unless manually changed or reconfigured. The translation stays active as long as the mapping is valid or until the network administrator decides to modify it.

  • Duration: Permanent until changed manually.

2. Dynamic NAT

Dynamic NAT uses a pool of public IP addresses and assigns one to a private IP address when needed. The translation lasts as long as the session remains active. Once the session ends (e.g., the internal device finishes its communication or times out), the translation is removed and the public IP address is returned to the pool.

  • Duration: The translation lasts for the duration of the session. Once the session ends, the translation expires and the public IP is released back into the pool.

3. Port Address Translation (PAT)

PAT (also known as overloading) uses a single public IP address but differentiates traffic by assigning different port numbers. Each translation (or connection) is tracked by the NAT device, and the translation remains active for the life of the connection. When the connection is closed or idle for a set period, the translation is removed.

  • Duration: The translation lasts for the duration of the connection. If a connection is idle for a prolonged period, the NAT entry will time out and be removed. Typical timeout periods can range from a few minutes to several hours, depending on configuration.

4. NAT Timeouts and Aging

NAT devices often have a timeout or aging mechanism in place to automatically remove translations that are no longer active. These timeouts can vary widely, depending on factors like:

  • The device (router, firewall) in use.
  • Configuration settings for idle timeouts.
  • The specific type of traffic or session.

For example, most routers might set a timeout of around 5 minutes to 1 hour for idle connections. However, high-traffic services or sessions with more frequent activity might have longer timeouts.

Configurable Timeout Settings

  • TCP Connections: Timeout is usually longer because TCP connections are stateful and involve handshakes and session tracking.
  • UDP Connections: UDP is stateless, so the timeout is often shorter, as the device doesn't maintain as much state information.

Summary

In summary, the duration of NAT translations varies:

  • Static NAT: Permanent, until manually changed.
  • Dynamic NAT: Until the session ends, then the translation expires.
  • PAT: For the life of the connection; idle connections may expire after a set period (usually configurable).
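To make the PAT and timeout points above concrete, here is an added example (my own illustration, not code from the original post): a small Python model of a PAT translation table with assumed per-protocol idle timeouts, and an optional stateful rule that only forwards inbound traffic from the peer an inside host actually spoke to. All addresses, ports and timeout values are constructed.

```python
from dataclasses import dataclass

# Assumed idle timeouts (seconds); real devices make these configurable, and
# TCP entries usually live longer than UDP ones, as noted above.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 300}


@dataclass
class Mapping:
    inside: tuple    # (private_ip, private_port) that opened the connection
    remote: tuple    # (remote_ip, remote_port) it talked to
    proto: str
    last_seen: float


class PatGateway:
    def __init__(self, public_ip, stateful_filter=False):
        self.public_ip = public_ip
        # True models the firewall rule "only allow replies to inside-originated traffic"
        self.stateful_filter = stateful_filter
        self.table = {}          # public_port -> Mapping
        self.next_port = 40000   # constructed starting port

    def expire(self, now):
        """Age out entries idle longer than their protocol's timeout."""
        for port in [p for p, m in self.table.items()
                     if now - m.last_seen > IDLE_TIMEOUT[m.proto]]:
            del self.table[port]

    def outbound(self, src, dst, proto, now):
        """Inside host src sends to dst: reuse or allocate a public port."""
        self.expire(now)
        for port, m in self.table.items():
            if (m.inside, m.remote, m.proto) == (src, dst, proto):
                m.last_seen = now
                return (self.public_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = Mapping(src, dst, proto, now)
        return (self.public_ip, port)

    def inbound(self, src, dst_port, proto, now):
        """External src hits our public port: inside target, or None if dropped."""
        self.expire(now)
        m = self.table.get(dst_port)
        if m is None or m.proto != proto:
            return None          # no translation exists: nothing to forward to
        if self.stateful_filter and m.remote != src:
            return None          # firewall rule: not a reply from the peer we spoke to
        m.last_seen = now        # any forwarded packet keeps the entry alive
        return m.inside
```

With `stateful_filter=False` the gateway forwards anything that hits a live public port, from any external host, which is the "NAT alone is obfuscation" point; with it enabled only the mapped peer's replies get through.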

In the absence of other controls to help reduce exposure even further, NAT is at best a method for obfuscation. While obfuscation should always be part of a good security strategy, it should not be the security strategy. Additional controls such as limiting ports and possibly traffic interception add a lot more.
