Networking noob here. I want to prevent all incoming requests except through a specific port, and that traffic is forwarded to a specific device on the network. NAT seems to do that just fine, it’s almost like a kind of firewall by itself. What kind of threats are there that requires more than just NAT for security?
NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.
The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.
Take for example this scenario:
You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.
Another scenario:
You want to play a video game with you and your friends and you’re going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friend’s IPs it will drop them. Though it is possible the game is exploitable and your friend’s are compromised.
Take for example malware has been known to spread via Minecraft.
Great explanation! I didn’t know anything, now I know something. 🙏
IPv6 usually have unique IP addresses (non-local) for every device in the network. does that mean it will malicious actors can target a device specifically inside a network?
The global IPv6 address is usually not directly reachable from the internet for incoming traffic. There’s still the router with a firewall which blocks all incoming connections, so having an IP for each device doesn’t make a difference for security.
With IPv6 ports still have to be forwarded on consumer routers by default, the main difference is that it doesn’t have to be translated to a different IP.
This also means I can have multiple hosts on my home network listening on the same ports, because their public IP’s are different.
Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.
Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.
As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.
I’d imagine that’s true for most people at home.
I haven’t setup an IPv6 network yet, but it’d have to physically traverse the packet through your router to reach the connected device still. I imagine a router would still be able to use it’s firewall to drop the packet before it gets sent to the endpoint device.