[ale] V6 question

Ron Frazier atllinuxenthinfo at c3energy.com
Sat Feb 5 14:23:45 EST 2011


Michael,

I'm not trying to be divisive, or offensive, but I don't think you are 
stating this case correctly.  You posted a very long reply to one of my 
other messages, and discussed this in depth.  I hope to digest that 
later.  However, every consumer NAT router I'm aware of has a function 
completely separate from NAT, which would be in effect with or without 
NAT, and that is the firewall function of the device.  That is primarily 
what provides security.  And it most certainly does provide security 
which is meaningful.  You're acting like putting a NAT router at the 
boundary of your home internet connection has no security value, or at 
least that's what it sounds like.  In fact, it's one of the most 
critical things a consumer can do.  Security expert Steve Gibson 
recommends using a router exactly for this reason.  This alone, will 
prevent many attacks on older or unpatched systems which would otherwise 
contract a virus immediately on connection to the net.  I know this 
because I've actually experienced it when connecting a new computer to 
the net years ago and it did immediately get a virus, never having 
visited a web site.  Now that I know more, I would NEVER connect a PC 
directly to the internet, unless I know it's patched first and has a 
solid software firewall running.  The consumer doesn't care whether it's 
NAT or Firewall that's protecting him, he just knows there are security 
features in the device.  I KNOW the router is providing this protection 
because I can do a port scan (such as Shields Up) against my public IP 
and every port is STEALTH, meaning totally unresponsive to unsolicited 
traffic.  Even my Linux software firewall running with Firestarter 
doesn't do that, it only closes the ports.  I'm pretty sure that 
stealthing all the ports to the outside world would totally prevent the 
instant virus event that I described, because that attack succeeded by 
getting to an open port on the PC and crashing something.  Assuming the 
router is working correctly, there is no way any attacker can penetrate 
into my network unless he / she's piggybacking on top of a connection 
I've already started.  Hopefully, even that would be hard.  The firewall 
completely blocks all the hostile background radiation.  Of course, if I 
click on a malicious link or visit a malicious website, knowingly or 
unknowingly, and invite the virus in through the firewall, that's a 
different matter.

Also, you said NAT does not provide any security.  That's a very strong 
statement.  While it is not a security system, per se, you said in your 
other long post that NAT prevents you from connecting to family members' 
computers to do maintenance.  Well, that means it's also helping prevent 
hackers from connecting as well.  So, it's providing SOME security, even 
if minimal.  The combination of the firewall function of the router and 
the NAT function of the router go a long way toward preventing 
unsolicited malicious traffic from entering a home network.  I believe 
it is inappropriate to advise people in such a way that they might be 
inclined to place PCs in direct contact with the Internet.  In fact, I 
think we should say, to the general consumer, Windows, Mac, or Linux, 
that you should NEVER connect your PC directly to the internet, to the 
cable or DSL modem, unless they know what they are doing AND have a 
properly set up software firewall on the PC AND the PC is properly 
patched.  The only way they will get the advantage of this security 
protection is to connect the WAN port of a router type device with 
firewall functionality to the cable or DSL modem and to connect the PC 
to the SWITCH port or wifi of the router.  Finally, until we all have 
IPv6, NAT is mandatory for any consumer who wants to attach more than 
one computer or internet device at home, and that would include most of us.

Sincerely,

Ron


On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
> On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
>    
>> It also keeps the outside world from connecting to the inside (behind
>> firewall) world, What functions that way in your above scenario,
>> firewall
>> rules ?
>>      
> Everyone gather round.  Say it with me:
>
>                       NAT is not a security mechanism.
>
> Seriously.  I mean it.
>
>           Let me repeat that: NAT is not a security mechanism.
>
> It was intended to enable privately addressed networks to have limited
> communication with hosts on the Internet.  It has the side effect of
> using tables to figure out how to rewrite packets, but this does not
> provide any security.  It does not.
>
>             One more time: NAT IS NOT A SECURITY MECHANISM.
>
> Or to put it another way:  NAT is as effective at providing security for
> your network as groping at airports is for providing security there.
> It's all a show; it's faux security that makes people feel better but
> does not serve any real purpose.
>
> I've gone on about NAT recently in other threads here.  You can find
> those, or you can read the post I wrote in my blog about NAT if you
> want:
>
> http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
>
> 	--- Mike
>    
>

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
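As an added illustration (not code from this thread or from either poster), here is a toy Python model of the two separate router functions the argument above turns on: a NAT mapping table that rewrites packets, and an inbound firewall policy that decides what an unsolicited packet gets back. All addresses, ports and the names `HomeRouter` and `port_scan` are constructed for the example.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.7"      # constructed WAN address (TEST-NET range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "SYN"         # "SYN" opens a flow, "RST" is a reject reply

class HomeRouter:
    """Toy model: a NAT table plus a separate inbound firewall policy."""

    def __init__(self, policy="drop"):
        self.policy = policy   # "drop" = stealth ports, "reject" = closed ports
        self.table = {}        # public port -> (lan ip, lan port, remote ip, remote port)
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN: record the flow and rewrite the source to the public IP."""
        for pub, flow in self.table.items():
            if flow == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return replace(pkt, src=PUBLIC_IP, sport=pub)   # reuse mapping
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=PUBLIC_IP, sport=pub)

    def inbound(self, pkt):
        """WAN -> LAN: only traffic matching an existing flow is forwarded."""
        entry = self.table.get(pkt.dport)
        if entry and (entry[2], entry[3]) == (pkt.src, pkt.sport):
            lan_ip, lan_port, _, _ = entry
            return ("forward", replace(pkt, dst=lan_ip, dport=lan_port))
        # No mapping: the NAT table has nowhere to send it.  The firewall
        # policy decides whether the sender learns anything from that.
        if self.policy == "reject":
            rst = Packet(PUBLIC_IP, pkt.dport, pkt.src, pkt.sport, "RST")
            return ("closed", rst)
        return ("stealth", None)

def port_scan(router, scanner_ip, ports):
    """What an outside scanner (Shields Up style) sees for each probed port."""
    return {p: router.inbound(Packet(scanner_ip, 55555, PUBLIC_IP, p))[0]
            for p in ports}
```

With the default "drop" policy every probed port reports "stealth"; with "reject" the scanner gets an RST and sees the port as "closed", which is the difference the post draws between the router and a host firewall that merely closes ports.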


