[ffsm8]

People honestly thought for a while that devices behind a NAT were secured unless ports were specifically routed to them, hence the term "nat hole punching" was coined.

You're probably right that it makes less sense from today's perspective

[tjoff]

Doesn't make sense. NAT hole punching requires you to execute on the target inside the NAT.

If you are able to do that whatever security you got from NAT has been breached even before NAT hole punching enters the conversation.

NAT will block unsolicited incoming connections, that is a great boon for security but obviously not a silver bullet for all network related security issues nor outgoing connections. That has never been a trope.

[ffsm8]

> Doesn't make sense. NAT hole punching requires you to execute on the target inside the NAT.

Why doesn't it make sense to you? From my perspective the idea was that the NAT protects your devices - and your device is now punching a hole into this protection, making it vulnerable to the world wide web

This circumventing doesn't have to be done by a malicious actor, it just comes at the added risk of becoming "targetable" from the Internet

[tjoff]

Because it is the same thing as opening an outgoing connection but with more steps. The only thing it allows is to connect to someone else that is also behind NAT.

It has no bearing on security.

[ffsm8]

By this logic, a firewall has no bearing on security either. It just drops packets / makes devices unadressable unless a route has been allowed/ a port has been opened

[tjoff]

What, no?

Please explain why the ability to establish an outgoing connection through NAT, when you already have a sidechannel, is a security issue?

[ffsm8]

What is so hard to understand here?

If a NAT made a device unreachable from the Internet, it'd be more secure then a device that's reachable.

You could theoretically leave management ports unsecured etc, because there is no danger - they can't be reached after all.

It just turned out that techniques such as NAT hole punching were developed, which made this rationale invalid. Because your devices could still become reachable.

Yes, this specific technique requires a an active part on both ends, but this active part can be something completely innocent, such as an activeX applet in Internet explorer 6.

Or a Freeware they installed, and now opens up the whole network, not just the device is installed on.

This is all from the very beginnings of the Internet, things weren't as explored back then, and that's why NATs were considered a security feature back then.

Modern malware is obviously much more advanced so we intuitively know why it was never really providing any safety. Hackers were mostly doing things for bragging rights, cryptolockers weren't a thing, the current default malware setup of having command hosts that compromised hosts check for new commands to execute weren't even thought of. In these times, NAT looked like a security feature, because it kinda looks like it.