Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?
NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.
The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.
Take for example this scenario:
You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.
Another scenario:
You want to play a video game with you and your friends and you’re going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friend’s IPs it will drop them. Though it is possible the game is exploitable and your friend’s are compromised.
IPv6 usually have unique IP addresses (non-local) for every device in the network. does that mean it will malicious actors can target a device specifically inside a network?
Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.
Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.
As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.
The global IPv6 address is usually not directly reachable from the internet for incoming traffic. There’s still the router with a firewall which blocks all incoming connections, so having an IP for each device doesn’t make a difference for security.
With IPv6 ports still have to be forwarded on consumer routers by default, the main difference is that it doesn’t have to be translated to a different IP.
This also means I can have multiple hosts on my home network listening on the same ports, because their public IP’s are different.
Way way way back in the early days of the internet, there were no LAN IP and WAN IPs You had your Wide Area Network (Internet) IP and that was it. Prior to NAT all devices were directly accessible via their WAN IP on the whole ass internet.
To give you an idea, IPv4 came out in 1980 and it wasn’t until May of 1994 that the first RFC on NAT was published.
IPv6 is a full replacement for IPv4 that has not been fully adopted despite being around for 20 years or so. It has something like 16 undicillion (I don’t recall, it’s a fucking massive number) existing IP numbers, so it could take a few generations for it to run out of address space.
The thing is, it’s come full circle and IPv6 now is the same as IPv4 used to be and you can access a “local” IP directly from the wider internet and Network Address Translation is not needed in the routing setup at all. (I believe it’s called a Global Unicast Address, but it’s been a minute, so don’t quote me on that)
I reiterate NAT was never meant as a real security measure as it is simply Security Through Obscurity at best.
Further, it’s not even that obscure, NAT is often misconfigured meaning internal IPs and ports leak to the wider internet regularly.
I think this is a bit too strong. The bit about NAT that people associate with improved security is that it acts as a stateful firewall. This basically means that it allows outbound connections not inbound connections.
A preventing inbound connections does provide a meaningful reduction in attack surface. No longer is every vulnerability scan on the internet going to probe your machine and it is going to be much harder for a remote attacker to get access.
However there are two main flaws:
Stateful firewalls are not perfect filters of incoming connections.
Local devices still have full access to your device.
A NAT will restrict connections from the internet, but won’t stop attacks from your local network. As your network grows, it might be a good idea to isolate shitty IOT devices (firmware is often full of holes), home internet and sensitive devices like cameras.
There are also issues like NAT hole punching and guessed port attacks that can get through NAT. This typically isn’t a major problem because actually getting a connection will be very difficult but if your NIC or kernel has a bug it may be possible to trigger it with a packet or two.
You don’t know what your ISP-provided router does exactly. It may let some traffic through from the outside. It may get an over-the-air firmware update or config change at any time from your ISP. It definitely has well-known, unfixed vulnerabilities.
Also, if you rely on NAT, you have to have 100% trust in all devices that are inside your network.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
deleted by creator
NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.
The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.
Take for example this scenario:
You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.
Another scenario:
You want to play a video game with you and your friends and you’re going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friend’s IPs it will drop them. Though it is possible the game is exploitable and your friend’s are compromised.
Take for example malware has been known to spread via Minecraft.
Great explanation! I didn’t know anything, now I know something. 🙏
IPv6 usually have unique IP addresses (non-local) for every device in the network. does that mean it will malicious actors can target a device specifically inside a network?
Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.
Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.
As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.
I’d imagine that’s true for most people at home.
The global IPv6 address is usually not directly reachable from the internet for incoming traffic. There’s still the router with a firewall which blocks all incoming connections, so having an IP for each device doesn’t make a difference for security.
With IPv6 ports still have to be forwarded on consumer routers by default, the main difference is that it doesn’t have to be translated to a different IP.
This also means I can have multiple hosts on my home network listening on the same ports, because their public IP’s are different.
EDIT: Quoting @Kid_Thunder@kbin.social from elsewhere in the thread because they summed it up beautifully:
NAT is not security.
NAT is a stop-gap measure because there aren’t enough IPv4 addresses that exist in the world. NAT was created so multiple Local Area Networks all over the world could use the same IP numbers and not end up with IP conflicts.
Way way way back in the early days of the internet, there were no LAN IP and WAN IPs You had your Wide Area Network (Internet) IP and that was it. Prior to NAT all devices were directly accessible via their WAN IP on the whole ass internet.
To give you an idea, IPv4 came out in 1980 and it wasn’t until May of 1994 that the first RFC on NAT was published.
IPv6 is a full replacement for IPv4 that has not been fully adopted despite being around for 20 years or so. It has something like 16 undicillion (I don’t recall, it’s a fucking massive number) existing IP numbers, so it could take a few generations for it to run out of address space.
The thing is, it’s come full circle and IPv6 now is the same as IPv4 used to be and you can access a “local” IP directly from the wider internet and Network Address Translation is not needed in the routing setup at all. (I believe it’s called a Global Unicast Address, but it’s been a minute, so don’t quote me on that)
I reiterate NAT was never meant as a real security measure as it is simply Security Through Obscurity at best.
Further, it’s not even that obscure, NAT is often misconfigured meaning internal IPs and ports leak to the wider internet regularly.
Obligatory South Park Ski Instructor:
https://en.wikipedia.org/wiki/Network_address_translation
https://en.wikipedia.org/wiki/Internet_Protocol_version_4
https://en.wikipedia.org/wiki/Internet_Protocol_version_4#Address_space_exhaustion
https://en.wikipedia.org/wiki/IPv6_address
https://en.wikipedia.org/wiki/IPv6_address#Unicast_addresses
I think this is a bit too strong. The bit about NAT that people associate with improved security is that it acts as a stateful firewall. This basically means that it allows outbound connections not inbound connections.
A preventing inbound connections does provide a meaningful reduction in attack surface. No longer is every vulnerability scan on the internet going to probe your machine and it is going to be much harder for a remote attacker to get access.
However there are two main flaws:
Security from what? Get a threat model.
A NAT will restrict connections from the internet, but won’t stop attacks from your local network. As your network grows, it might be a good idea to isolate shitty IOT devices (firmware is often full of holes), home internet and sensitive devices like cameras.
There are also issues like NAT hole punching and guessed port attacks that can get through NAT. This typically isn’t a major problem because actually getting a connection will be very difficult but if your NIC or kernel has a bug it may be possible to trigger it with a packet or two.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
4 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.
[Thread #546 for this sub, first seen 26th Feb 2024, 16:15] [FAQ] [Full list] [Contact] [Source code]
You don’t know what your ISP-provided router does exactly. It may let some traffic through from the outside. It may get an over-the-air firmware update or config change at any time from your ISP. It definitely has well-known, unfixed vulnerabilities.
Also, if you rely on NAT, you have to have 100% trust in all devices that are inside your network.