[ale] V6 question
On Sat, 2011-02-05 at 15:51 -0500, Ron Frazier wrote:
> Hi, Michael Warfield,
> Just so you know, my message that you are replying to was a reply to
> Michael Trausch. Not that it matters. Anybody can reply to any
> message. I just didn't know if you thought I was referring to you.
> I'll look in more detail at your post later.
Actually I did think you were referring to me. It's even more confusing
that Michael T and I are arguing the same points and are on the same page
with this. He and I agree.
> On 02/05/2011 03:34 PM, Michael H. Warfield wrote:
> > On Sat, 2011-02-05 at 14:23 -0500, Ron Frazier wrote:
> >> Michael,
> >> I'm not trying to be divisive, or offensive, but I don't think you are
> >> stating this case correctly. You posted a very long reply to one of my
> >> other messages, and discussed this in depth. I hope to digest that
> >> later. However, every consumer NAT router I'm aware of has a function
> >> completely separate from NAT, which would be in effect with or without
> >> NAT, and that is the firewall function of the device. That is primarily
> >> what provides security. And it most certainly does provide security
> >> which is meaningful. You're acting like putting a NAT router at the
> >> boundary of your home internet connection has no security value, or at
> >> least that's what it sounds like.
> > No security value over that of a simple router with a stateful packet
> > filtering firewall, i.e. netfilter / iptables. Give me one example of
> > some security feature that NAT gives you that iptables does not.
> > Consumer grade NAT devices have a state engine at their core that drives
> > the NAT mapping tables. Not all NATs have this. Most (maybe all) that
> > you will ever encounter will, I agree. But the fact remains that a
> > stateful firewall provides the same protection as the NAT box and is far
> > simpler. I can quote more than one enterprise level NAT device which
> > provides no security. So NAT in and of itself doesn't provide the
> > security. It's provided by the statefulness of the mapping table and
> > that, in turn, is acting exactly like a stateful firewall.
> > One example. That's all I ask. One example of a security feature which
> > NAT provides which is not present in any decent stateful firewall.
> >> In fact, it's one of the most
> >> critical things a consumer can do. Security expert Steve Gibson
> >> recommends using a router exactly for this reason.
> > If he wrote "router" then he meant something else more general or he's
> > using incorrect terminology, which wouldn't be the first time for SG, in
> > fact that's a frequent occurrence with him. Some of us in the security
> > business consider ole SG to be a bit of a hack (in the publishing media
> > sense of the word) at times.
> > NAT != router
> > router != NAT
> > A NAT device is not exactly a router. It could be considered to be a
> > special case, particular category of router but the term "router" is
> > much more general. I know they label these things as "cable routers"
> > and such but they are NAT devices. OTOH, a router is another good
> > example where things can get confusing. Many, many routers, real
> > routers, include packet filters and often stateful packet filters. So a
> > firewall can act as a router and a router can act as a firewall and your
> > IPv6 router would most certainly include an IPv6 stateful packet filter
> > (since most of them are based on Linux anyways). A router, a real
> > router, does not necessarily do NAT. That's a separate feature from
> > routing. So what SG wrote could be construed to be 100% correct and yet
> > NOT mean you must have a NAT device. Only a router (implicitly with a
> > firewall).
> >> This alone, will
> >> prevent many attacks on older or unpatched systems which would otherwise
> >> contract a virus immediately on connection to the net.
> > Which is also exactly what you get with a firewall or a router
> > containing a firewall.
> >> I know this
> >> because I've actually experienced it when connecting a new computer to
> >> the net years ago and it did immediately get a virus, never having
> >> visited a web site. Now that I know more, I would NEVER connect a PC
> >> directly to the internet, unless I know it's patched first and has a
> >> solid software firewall running. The consumer doesn't care whether it's
> >> NAT or Firewall that's protecting him, he just knows there are security
> >> features in the device.
> > What then aggravates me, as an internationally recognized and respected
> > security professional, is that telling people it's the NAT that provides
> > security is incorrect and perpetuates this myth that IPv6 could be less
> > secure because it does not have NAT. This is FALSE! This is horribly
> > FALSE! You got security from the NAT device because your NAT device
> > behaves like a firewall (and not all do). You have to have a router for
> > IPv6 anyways and those routers contain firewalls. You're just as
> > secure.
> >> I KNOW the router is providing this protection
> >> because I can do a port scan (such as Shields Up) against my public IP
> >> and every port is STEALTH, meaning totally unresponsive to unsolicited
> >> traffic. Even my Linux software firewall running with Firestarter
> >> doesn't do that, it only closes the ports. I'm pretty sure that
> >> stealthing all the ports to the outside world would totally prevent the
> >> instant virus event that I described, because that attack succeeded by
> >> getting to an open port on the PC and crashing something. Assuming the
> >> router is working correctly, there is no way any attacker can penetrate
> >> into my network unless he / she's piggy backing on top of a connection
> >> I've already started. Hopefully, even that would be hard. The firewall
> >> completely blocks all the hostile background radiation. Of course, If I
> >> click on a malicious link or visit a malicious website, knowingly or
> >> unknowingly, and invite the virus in through the firewall, that's a
> >> different matter.
> >> Also, you said NAT does not provide any security. That's a very strong
> >> statement. While it is not a security system, per se, you said in your
> >> other long post that NAT prevents you from connecting to family members'
> >> computers to do maintenance.
> > Ok... That was probably Michael T there. I didn't post that. But we
> > come right back to it again. You get the same thing from a firewall.
> > And if you want to open up a connection from your network to their
> > network, you can do it without these NAT bypass headstands that don't
> > work for more than one address behind the NATs.
> >> Well, that means it's also helping prevent
> >> hackers from connecting as well.
> > Firewall.
> >> So, it's providing SOME security, even
> >> if minimal.
> > Firewall. The NAT is not. It's the firewalling behavior of the NAT
> > device. It's the device, it's not the NAT.
> >> The combination of the firewall function of the router and
> >> the NAT function of the router go a long way toward preventing
> >> unsolicited malicious traffic from entering a home network.
> > No, only the firewall feature (which includes the state engine of the
> > NAT whether some people want to call it or consider it to be a firewall
> > or not).
> >> I believe
> >> it is inappropriate to advise people in such a way that they might be
> >> inclined to place PC's in direct contact with the Internet. In fact, I
> >> think we should say, to the general consumer, Windows, Mac, or Linux,
> >> that you should NEVER connect your PC directly to the internet,
> > Did I say that? Really? Where have I said that? I've been preaching
> > firewall over and over again. The v6 routers have firewalls. You have
> > to have one if you are going to have a v6 network.
> >> to the
> >> cable or DSL modem, unless they know what they are doing AND have a
> >> properly set up software firewall on the PC AND the PC is properly
> >> patched. The only way they will get the advantage of this security
> >> protection is to connect the WAN port of a router type device with
> >> firewall functionality to the cable or DSL modem and to connect the PC
> >> to the SWITCH port or wifi of the router. Finally, until we all have
> >> IPv6, NAT is mandatory for any consumer who wants to attach more than
> >> one computer or internet device at home, and that would include most of us.
> > No. NAT is NOT mandatory. A firewall is. NAT will perform that
> > function as a firewall but it's not the only thing that can provide that
> > function. You don't need NAT. You need a Firewall with or without NAT.
> > Pure "NAT" is neither necessary nor sufficient. Consumer grade
> > commodity NAT DEVICES provide the functionality of NAT, router, and
> > firewall all on one box. You don't need the NAT. You get the same
> > security from the router and firewall (or firewall alone if you use it
> > in-line).
> >> Sincerely,
> >> Ron
> >> On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
> >>> On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
> >>>> It also keeps the outside world from connecting to the inside (behind
> >>>> firewall) world. What functions that way in your above scenario,
> >>>> firewall rules?
> >>> Everyone gather round. Say it with me:
> >>> NAT is not a security mechanism.
> >>> Seriously. I mean it.
> >>> Let me repeat that: NAT is not a security mechanism.
> >>> It was intended to enable privately addressed networks to have limited
> >>> communication with hosts on the Internet. It has the side effect of
> >>> using tables to figure out how to rewrite packets, but this does not
> >>> provide any security. It does not.
> >>> One more time: NAT IS NOT A SECURITY MECHANISM.
> >>> Or to put it another way: NAT is as effective at providing security for
> >>> your network as groping at airports is for providing security there.
> >>> It's all a show; it's faux security that makes people feel better but
> >>> does not serve any real purpose.
> >>> I've gone on about NAT recently in other threads here. You can find
> >>> those, or you can read the post I wrote in my blog about NAT if you
> >>> want:
> >>> http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
> >>> --- Mike
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
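The stateful filter Michael keeps pointing at, as an added example that is not part of the thread and not anyone's posted configuration: a Linux router ruleset in iptables-restore / ip6tables-restore format. The IPv6 variant does no NAT at all; the IPv4 variant appends the nat table a consumer box would carry, and the filter section is the same text in both, which is the point being argued above. The interface names (eth0 upstream, eth1 inside) are assumptions. Two practitioner caveats: the DROP policy (not REJECT) is what produces the "no response at all" result Ron sees from a port scanner, and ICMPv6 cannot be blanket-dropped on v6 the way ICMP often is on v4, since neighbour discovery, router advertisements and path-MTU signalling ride on it, so the ruleset admits the types RFC 4890 lists as essential.

```shell
#!/bin/sh
# Added example: stateful packet filtering on a Linux router, with and without NAT.
# Emits iptables-restore / ip6tables-restore input. Interface names are assumptions.
#
#   sh v6-filter.sh                       print the IPv6 (no NAT) ruleset
#   sh v6-filter.sh --apply-v6 eth0 eth1  load it (root; needs ip6tables)
#   sh v6-filter.sh --apply-v4 eth0 eth1  load the IPv4 variant with MASQUERADE

# The state engine. Identical for both address families and independent of NAT:
# conntrack remembers flows the inside started and admits only their replies.
filter_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inside hosts may start any flow outbound. Nothing admits a NEW flow from $wan,
# so an unsolicited SYN to an inside host's global address hits the DROP policy:
# no RST, no ICMP, the same "stealth" a NAT box shows a port scanner.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# IPv6: no nat table at all. ICMPv6 carries neighbour discovery, router
# advertisements and path-MTU signalling, so the RFC 4890 essentials must pass.
v6_ruleset() {
    filter_rules "$1" "$2"
    cat <<EOF
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# NDP messages are link-local and always sent with hop limit 255; anything else
# claiming to be NDP has been routed from somewhere and is dropped.
-A INPUT -p ipv6-icmp --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
COMMIT
EOF
}

# IPv4 consumer-box equivalent: the same filter, plus a separate nat table whose
# single rule rewrites source addresses. That rule decides nothing about what is
# admitted; delete it and the security posture is unchanged.
v4_nat_ruleset() {
    filter_rules "$1" "$2"
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
EOF
}

main() {
    case "${1:-}" in
        --apply-v6) v6_ruleset "$2" "$3" | ip6tables-restore ;;
        --apply-v4) v4_nat_ruleset "$2" "$3" | iptables-restore ;;
        *) v6_ruleset "${1:-eth0}" "${2:-eth1}" ;;
    esac
}

main "$@"
```

Run it without arguments to read the v6 ruleset before loading anything. Compare the two outputs with diff and the only differences are the family-specific ICMP lines and the nat table; the lines that decide what gets in are shared.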