NAT does not significantly increase security, the firewall on the device that is performing the NAT does. I think these concepts are often conflated and NAT gets the credit for the firewall's work. If there is no pair in the NAT table, then yes traffic will not be forwarded. Traffic will not be forwarded if a sanely configured border device is performing SPI with internal public addresses, so the point is moot. Unfortunately, direct attacks are not the vector for most attackers when considering a private scenario anyway; nor would it be even if the vast majority of users had "public" IPs. Private users going to the bad guys through the web is far too awesome.
I am pretty sure NAT was intended to be a stopgap measure while a better solution (IPv6) underwent the engineering effort. It just has had a side effect of prolonging adoption and complicating network administration unnecessarily since it was pretty effective.
Slashdot Mirror
NAT does not significantly increase security, the firewall on the device that is performing the NAT does. I think these concepts are often conflated and NAT gets the credit for the firewall's work. If there is no pair in the NAT table, then yes traffic will not be forwarded. Traffic will not be forwarded if a sanely configured border device is performing SPI with internal public addresses, so the point is moot. Unfortunately, direct attacks are not the vector for most attackers when considering a private scenario anyway; nor would it be even if the vast majority of users had "public" IPs. Private users going to the bad guys through the web is far too awesome. I am pretty sure NAT was intended to be a stopgap measure while a better solution (IPv6) underwent the engineering effort. It just has had a side effect of prolonging adoption and complicating network administration unnecessarily since it was pretty effective.