
While I understand the sentiment, NAT does so much to protect most users, it should be considered a security feature.


It's really not, and here are some of the multiple methods by which NAT can be bypassed, because it's not a security feature:

https://www.anvilsecure.com/blog/dhcp-games-with-smart-route...

https://datatracker.ietf.org/doc/html/rfc2993#page-22

https://threatpost.com/remote-attackers-internal-network-dev...


NAT itself doesn't provide any protection at all. You can set up NAT in dozens of different configurations (1:1 NAT comes to mind), but in the way consumer routers generally set up NAT, I can see why you'd say that (despite there being standard ways to forward ports without any user intervention, such as UPnP). There's nothing "secure" about NAT.


Not having client devices accessible via unique IPs is a great security feature. Certainly an unintended side effect, but NAT is what is dropping unwelcome incoming traffic on consumer devices.


You mean a firewall? NAT doesn't have to drop any packets. It can translate unknown flows into broadcast packets, forward them to a set IP (DMZ), or drop them. NAT is not a firewall, even if some configurations make it kinda sorta, if you squint, look like one.


I think the argument is about the address origin being overwritten vs forwarded to the destination.

It's about device tracking and privacy.


I don't think that works. A router should decrement the TTL of the frame, thus showing that there is a router between it and the host device. The Linux default is 64 and Windows is 128 IIRC, so you can easily deduce the OS just from looking at the TTL. This can tell you whether an IPv4 device is directly connected. From there, you just need to look at the IP ID in the packet and figure out which ones are increasing independently to determine individual devices behind the NAT.

So, no. NAT gives you 0 privacy.


Every ISP I know has their routers set to block incoming traffic by default. With most consumer router SIP ALG being defeated easily (NAT slipstreaming attacks etc) I'd argue that NAT is actually worse for security than just a simple firewall.


NAT doesn't.

1:many NAT does.

1:many NAT requires an affirmative choice on where to route incoming packets that aren't part of an existing stream.

In adaptation to that, most attacks are malware spread by email, or attack browser vulnerabilities, or attack services running on network devices, especially remote management systems.


> NAT doesn't.

> 1:many NAT does.

This is technically correct but how often do you really see 1:1 NAT.


It's not even technically correct; it's just wrong.

NAT doesn't make any choices on where a packet gets delivered. For packets that aren't part of an existing stream, NAT will simply not edit the packet. Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.


> For packets that aren't part of an existing stream, NAT will simply not edit the packet.

A 1:1 NAT should generally just swap IP for IP and not know about streams or ports at all.

> Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.

I would call that a routing rules error, even in the absence of a firewall.
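As an added illustration of the two comments above (this is not code from the thread or from any router vendor): a toy 1:many NAT in Python. A reply that matches a translation-table entry is rewritten to the inside host; a packet matching no entry is left untouched, and whether it then reaches a LAN address depends only on routing and on whether a separate stateful filter exists. All addresses and ports are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # constructed private prefix
PUBLIC_IP = "203.0.113.7"            # constructed WAN address (TEST-NET-3)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    """Minimal 1:many (port-overloading) NAT, optionally with a stateful filter."""
    stateful_filter: bool
    next_port: int = 40000
    table: dict = field(default_factory=dict)    # public port -> (private ip, port)
    reverse: dict = field(default_factory=dict)  # (private ip, port) -> public port

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: allocate a public port for a new flow, rewrite the source."""
        key = (p.src, p.sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.reverse[key], p.dst, p.dport)

    def inbound(self, p: Packet):
        """WAN -> LAN: return the packet as delivered inside, or None if not delivered."""
        # Translation only happens for packets that match an existing flow.
        if p.dst == PUBLIC_IP and p.dport in self.table:
            priv_ip, priv_port = self.table[p.dport]
            return Packet(p.src, p.sport, priv_ip, priv_port)
        # No matching flow: NAT itself leaves the packet untouched.
        if self.stateful_filter:
            return None  # a separate stateful firewall drops non-established inbound
        # Plain routing: an untranslated packet addressed to a LAN host is forwarded
        # as-is, exactly the "routing rules error" case described in the thread.
        if ip_address(p.dst) in LAN:
            return p
        return None  # addressed to the router itself and not translatable: not forwarded
```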


You can still set up inbound firewall on IPv6, my ISP does it (to my annoyance).



