NAT and security?

I’m currently reading Core Security Patterns, a voluminous tome on J2EE security. Lots of good stuff brought together in one great book.

But half way into the book, I came across this Best Practice reccomendation (Chapter 9, page 618, Best Practices and Pitfalls - Application)

Disallow Direct Access: Make sure that the application resides on a server accessed via reverse-proxy or Network Address Translation (NAT)-based IP addresses. Then rewrite the URLs of web applications. This protects the application from direct access from unsolicited users.

Ouch! This is 2006, and NAT’s still being recommended for security? Please don’t get me wrong, I have nothing against NAT - there are times when we just can’t do without it. But, NAT does not increase an application’s security. It never did.

NAT translates the internal IP address to a publicly routable one. It only changes the IP address (and the TCP header in the case of the related Port Address Translation) and forwards the packet to the server. The threats your application is worried about, they slip right through NAT. Your adversaries have the same level of access with or without NAT.

Is this security through obscurity? I doubt it. For an attacker doesn’t even care whether you use NAT. As far as he’s concerned your application resides on that public address.

If you know of an attack that’s thwarted by plain NAT, we’d love to hear more about it.

Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.