
I've often seen criticism that "NAT is not a security boundary" etc., but never seen them explained.

How is putting your network behind a NAT different from a stateful firewall set to deny inbound connections (and allow outbound and related ones)?




It's different because not only does it deny inbound connections, it breaks the end-to-end principle[1] of the internet. You can have the security boundary without NAT by using a firewall, so if that's all you want, don't use NAT.

1: https://en.wikipedia.org/wiki/End-to-end_principle
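A simplified model of the distinction drawn in the reply above, as an added example that is not part of the thread: both devices make the same admit/deny decision from a table of outbound flows, and only the NAT also rewrites the inside host's address and port. The class names, the documentation-range addresses, the port allocation and the endpoint-dependent NAT mapping are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Forwards packets unmodified; admits inbound only for tracked flows."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # addresses untouched: the remote end sees the real host

    def inbound(self, p):
        # A reply is the tracked flow with source and destination swapped.
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

class Nat:
    """Same admit/deny decision, plus rewriting of the inside address and port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_flow = {}    # inside flow -> public port
        self.by_public = {}  # (public port, remote ip, remote port) -> inside endpoint

    def outbound(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_public[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[flow], p.dst, p.dport)

    def inbound(self, p):
        inside = self.by_public.get((p.dport, p.src, p.sport))
        if inside is None or p.dst != self.public_ip:
            return None  # no mapping: unsolicited traffic is dropped
        return Packet(p.src, p.sport, *inside)

def exercise(device, inside_ip, target_ip):
    """Open one outbound flow, then deliver the peer's reply and a stranger's probe."""
    # All addresses are constructed sample values from documentation ranges.
    seen = device.outbound(Packet(inside_ip, 50000, "192.0.2.80", 443))
    reply = device.inbound(Packet("192.0.2.80", 443, seen.src, seen.sport))
    probe = device.inbound(Packet("192.0.2.99", 443, target_ip, seen.sport))
    return seen, reply, probe
```

Running `exercise` against each device shows the probe dropped in both cases, while only the NAT changes the source address the remote server sees.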



