-5

I don't consider NAT a security measure at all, but here is my teacher's reasoning of how NAT provides security. My course has been appalling and this reasoning is just laughable to me. This is a £3000 course and this is his explanation.

"If you cannot see or ‘ping’ an internal IP address range, you cannot ‘see’ any devices on the internal network, so cannot gain access to implement any form of malicious intrusion"

If you can't ping the internal IP this is just stupid - Yes there is a DDoS attack, but this as an explanation, really? I'm in the process of making a formal complaint about the course and this is just one of the things.

Do you regard the tutor's statement to be correct? And if not, what is wrong with the statement?

schroeder
Capcom
    I do not understand your question nor your remark toward your teacher's explanation. Could you clarify that? Also, while you may or may not have valid reasons to be disappointed by your course, this is irrelevant here. – Yuriko Sep 08 '22 at 13:42
  • My question is do you think his explanation is right or wrong. I think it's thoroughly wrong but want confirmation from this community before writing this part of my complaint. – Capcom Sep 08 '22 at 13:45
  • 2
    Could this question shed some lights for you? [How important is NAT as a security layer?](https://security.stackexchange.com/questions/8772/how-important-is-nat-as-a-security-layer) – Yuriko Sep 08 '22 at 13:46
  • Well yes in that we know it provides no security. But I am in the process of writing a complaint and my teacher thinks that NAT provides security because you can't ping the internal address, surely someone must have some helpful information of why this is wrong on so many ways. – Capcom Sep 08 '22 at 13:50
  • I don't know if it's worth a formal complaint, but yeah, it is in the same realm as "security through obscurity". It does occasionally provide security, but only by accident and should never be relied upon. – CaffeineAddiction Sep 08 '22 at 14:17
  • 3
    *"If you can't ping the the internal IP this is just stupid"* - we have only your interpretation and no context here. But the teacher might use "ping" as a way to tell, that one cannot send packets to an internal system from outside the NAT, except packets related to connections established from inside. Anyway, I don't see any actual question here, this is just complaining -> off-topic. – Steffen Ullrich Sep 08 '22 at 14:20
  • My complaint will be about the course in general; this is just one little thing. He wanted me to put something along these lines in my assignment but I would have been embarrassed to include it. These teachers were not fit to be teaching such a course. What I really want to know is how you would have felt if your lecturer had made a statement like the above. – Capcom Sep 08 '22 at 14:20
  • 2
    *" What I really want to know is how you would of felt if your lecturer had made a statement like above."* - please edit your post to show the actual question you have. This particular one is asking for opinions not facts - which is explicitly off-topic here. For opinions and discussions reddit/r/netsec might be more appropriate. – Steffen Ullrich Sep 08 '22 at 14:22
  • 1
    @Capcom As someone who also made a formal complaint about issues like this, I would advise against that approach. Jumping to a formal procedure caused undue animosity and didn't result in the problem being addressed. In hindsight a far better approach would have been to schedule a time to sit down with my tutors and express my concerns with them informally, and try to talk through the problems and confusion. – Polynomial Sep 08 '22 at 16:12
  • 3
    @Capcom From a practical perspective, though, your tutor is absolutely right: NAT is a security control. It may not have been _developed_ as a security control, but it inherently segregates devices on your local network (a generally trusted zone) from devices on the internet (a generally untrusted zone) in a reliable manner. NAT enforces a security boundary, whether it was originally intended to or not. The ping side of the argument sounds like a misinterpretation - the intended meaning seems clear: "if you can't communicate with the target device, you can't attack it". This, too, is correct. – Polynomial Sep 08 '22 at 16:18
  • You never explain why you think NAT does not provide security and assume that we all agree with you. It provides *incidental* security. The linked question explains this: you can correctly configure NAT so that it provides zero security while working properly and as intended. But it ***still can*** provide a measure of security by blocking direct access. And what's wrong with the statement that you can't directly ping the internal network? That's true. And not having that access means that the internal network is protected from many types of attacks. – schroeder Sep 08 '22 at 19:53
  • Security is never all or nothing. Cyber security is never binary. There are layers of measures that help against certain threats. NAT won't protect against all threats, but then again what would? All-in-all, this seems like a rant and an attempt to drum up support for your opinion. I don't think you've properly thought this through. – schroeder Sep 08 '22 at 19:54
  • I know what NAT is etc - if you can't PING lol this is a £3000 course just unbelievable – Capcom Sep 09 '22 at 14:38
  • @Capcom It seems like you're insisting upon picking the least charitable interpretation of what your tutor was saying in order to justify your conclusion that the tutor is wrong, and in turn justify your annoyance at the course as a whole. It's clear to me that your tutor wasn't saying that ping is required to attack things, as you suggest, but rather was simply using "ping" as an example of communicating with the target system from the internet (which NAT inherently prevents). As I noted above, lashing out at them isn't a healthy solution; take a step back, cool off, and just talk with them. – Polynomial Sep 09 '22 at 17:42
  • @Capcom On a more personal note, my guess is that you've already learned some stuff on your own before the course, you're ahead of the group, feel like you need to prove yourself, and keep getting frustrated when people talk in simplified terms and skip over some of the details and edge cases? Take it from someone who has been in that exact situation: it pays to chill out and tone it down a bit. Tutors are teaching everyone in the class, no matter what level, so they'll always simplify things at first to make sure everyone has the opportunity to learn. Constantly challenging them is unhelpful. – Polynomial Sep 09 '22 at 17:57
  • @Capcom If you feel like you're not getting enough out of the course, the best thing to do is _talk with the tutors_. Not complain about them. I guarantee that they want to help everyone in that class, including you, learn as much as they can in the time they're there. They can't always do as much as they'd like (it's a job, after all, and they only have so much time) but they'll be happy to discuss relevant topics and give suggestions for additional self-driven learning if you come to them in good faith. Don't throw away that opportunity by turning it into an adversarial relationship. – Polynomial Sep 09 '22 at 18:04
  • Thank you for your replies - I think what I'm failing to express is that this is not a level 1 course etc. This course was full of problems and this was just one thing. NAT obviously shouldn't be hard to understand at this level etc. But come on, "adds security because you can't PING". The tutor taught it so badly that one student decided he would no longer use a VPN because he was using NAT. Now can you understand this is below even high school level and being charged £3000. – Capcom Sep 12 '22 at 23:02

1 Answer

7

The explanation of your tutor is somewhat correct, but as with anything in life, the truth runs a lot deeper.

What is true

In a very simple NAT setup, in which the router receives one external IP address, and all devices in the internal network are NAT'ed through that IP address, it is indeed true that external devices cannot simply communicate with any internal device.

Consider the following network graph:

┌───────────┐                      ┌────────┐
│           │        233.252.17.56 │        │
│ Internet  │◄────────────────────►│ Router │
│           │                      │        │
└───────────┘                      └────────┘
                                        ▲ 10.0.0.1
                                        │
                                        │
                                        │
                      ┌─────────────────┼───────────────────┐
                      │                 │                   │
                      │                 │                   │
                      │                 │                   │
                      ▼ 10.0.0.4        ▼ 10.0.0.100        ▼ 10.0.0.2
                    ┌────┐         ┌────────┐            ┌─────┐
                    │    │         │        │            │     │
                    │ PC │         │ Laptop │            │ NAS │
                    │    │         │        │            │     │
                    └────┘         └────────┘            └─────┘

An attacker would have no way to directly communicate with the PC at 10.0.0.4, as no port on the router's NAT table would route the packet to the PC.

So in this case, it would indeed improve security, even if any such improvement was merely by coincidence.

What is false

The explanation of "If you can't ping, you can't attack" is just completely wrong. A good example would be nmap's -Pn flag, which ignores any attempts at pinging a host and simply attempts to enumerate open ports. If any such ports are found, an attacker can communicate with the server behind that port, which means it can also be attacked.

Nowadays, DNAT (destination NAT, also called port forwarding) is often used to expose services within a NAT'ed network to the internet. For example, the PC in our previous scenario may host an Unreal Tournament 2004 server on port 7777. This would mean that communicating with 233.252.17.56:7777 would be forwarded by the router to 10.0.0.4:7777. This in turn would allow an attacker to communicate with this service and therefore attack it.

In short

NAT is not a security measure per se. But it does limit the exposure of devices from an internal network to the outside, which makes exploitation more difficult.
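The behaviour the answer describes can be made concrete with a small model of the router's translation table. The following is an added example, not code from the answer above or from any real router: it models only the table lookups (no real TCP/IP stack), uses the addresses from the answer's diagram (233.252.17.56 external, 10.0.0.1 router, 10.0.0.4 PC, UT2004 on port 7777), and the attacker (198.51.100.9) and web server (203.0.113.5) addresses are constructed from documentation ranges. It shows why an unsolicited packet from the internet has nowhere to go, why a reply to a connection opened from inside does get in, and why a DNAT rule puts the PC's service back on the internet.

```python
"""Toy model of a consumer SNAT router with an optional DNAT (port-forward)
rule.  Constructed for illustration only; it models the translation table,
not packet forwarding or ICMP."""
from dataclasses import dataclass, field

EXTERNAL_IP = "233.252.17.56"   # router's public address (from the answer)
PC_IP = "10.0.0.4"              # internal PC (from the answer)
ATTACKER_IP = "198.51.100.9"    # constructed, TEST-NET-2
WEB_SERVER_IP = "203.0.113.5"   # constructed, TEST-NET-3


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class NatRouter:
    external_ip: str
    # Static DNAT rules: external port -> (internal ip, internal port).
    port_forwards: dict = field(default_factory=dict)
    # Dynamic SNAT table: external port -> (int ip, int port, remote ip, remote port).
    # Keeping the remote endpoint makes this an endpoint-dependent NAT, as most
    # home routers' connection tracking behaves.
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host sends to the internet.  Allocate (or reuse) an external
        port and rewrite the source.  This is the only way an entry gets into
        the table, so only inside-initiated traffic can be answered."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for ext_port, entry in self.table.items():
            if entry == flow:
                break
        else:
            ext_port = self.next_port
            self.next_port += 1
            self.table[ext_port] = flow
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet):
        """Packet from the internet arrives at the router.  It is delivered
        only if a DNAT rule, or a table entry created by earlier outbound
        traffic from the same remote endpoint, maps its destination port.
        Anything else is dropped: there is no internal address to send it to."""
        if pkt.dst_ip != self.external_ip:
            return None  # RFC 1918 destinations are not routed here at all
        if pkt.dst_port in self.port_forwards:
            int_ip, int_port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)
        entry = self.table.get(pkt.dst_port)
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            return None  # unsolicited, or wrong remote endpoint: dropped
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.payload)


def scenario_unsolicited():
    """Attacker probes port 22 on the public IP; no DNAT, no prior traffic."""
    router = NatRouter(EXTERNAL_IP)
    return router.inbound(Packet(ATTACKER_IP, 55555, EXTERNAL_IP, 22, "SYN"))


def scenario_direct_to_private():
    """Attacker addresses the PC's private IP directly: never reaches it."""
    router = NatRouter(EXTERNAL_IP)
    return router.inbound(Packet(ATTACKER_IP, 55555, PC_IP, 22, "SYN"))


def scenario_reply():
    """PC opens an HTTPS connection; the server's reply is translated back,
    but an attacker reusing the same external port is still dropped."""
    router = NatRouter(EXTERNAL_IP)
    out = router.outbound(Packet(PC_IP, 51000, WEB_SERVER_IP, 443, "SYN"))
    reply = router.inbound(Packet(WEB_SERVER_IP, 443, EXTERNAL_IP, out.src_port, "SYN/ACK"))
    spoof = router.inbound(Packet(ATTACKER_IP, 443, EXTERNAL_IP, out.src_port, "SYN/ACK"))
    return reply, spoof


def scenario_port_forward():
    """DNAT rule for the UT2004 server: the attacker's probe reaches the PC."""
    router = NatRouter(EXTERNAL_IP, port_forwards={7777: (PC_IP, 7777)})
    return router.inbound(Packet(ATTACKER_IP, 55555, EXTERNAL_IP, 7777, "SYN"))


if __name__ == "__main__":
    print("unsolicited probe  ->", scenario_unsolicited())
    print("direct to 10.0.0.4 ->", scenario_direct_to_private())
    print("reply / spoof      ->", scenario_reply())
    print("port-forward probe ->", scenario_port_forward())
```

The first two scenarios are the part of the tutor's statement that holds: with nothing in the table, the router has no internal destination for the packet, whether or not the attacker can "ping". The last scenario is the answer's DNAT point: once port 7777 is forwarded, the PC is reachable and whatever listens there is attackable, and a scan with `nmap -Pn` would find it without any ICMP involved.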