[ale] V6 question

Michael H. Warfield mhw at WittsEnd.com
Sat Feb 5 15:34:22 EST 2011


On Sat, 2011-02-05 at 14:23 -0500, Ron Frazier wrote: 
> Michael,
> 
> I'm not trying to be divisive, or offensive, but I don't think you are 
> stating this case correctly.  You posted a very long reply to one of my 
> other messages, and discussed this in depth.  I hope to digest that 
> later.  However, every consumer NAT router I'm aware of has a function 
> completely separate from NAT, which would be in effect with or without 
> NAT, and that is the firewall function of the device.  That is primarily 
> what provides security.  And it most certainly does provide security 
> which is meaningful.  You're acting like putting a NAT router at the 
> boundary of your home internet connection has no security value, or at 
> least that's what it sounds like.

No security value over that of a simple router with a stateful packet
filtering firewall, i.e. netfilter / iptables.  Give me one example of
some security feature that NAT gives you that iptables does not.
Consumer grade NAT devices have a state engine at their core that drives
the NAT mapping tables.  Not all NATs have this.  Most (maybe all) that
you will ever encounter will, I agree.  But the fact remains that a
stateful firewall provides the same protection as the NAT box and is far
simpler.  I can quote more than one enterprise level NAT device which
provides no security.  So NAT in and of itself doesn't provide the
security.  It's provided by the statefulness of the mapping table and
that, in turn, is acting exactly like a stateful firewall.

One example.  That's all I ask.  One example of a security feature which
NAT provides which is not present in any decent stateful firewall.

> In fact, it's one of the most 
> critical things a consumer can do.  Security expert Steve Gibson 
> recommends using a router exactly for this reason.

If he wrote "router" then he meant something else more general or he's
using incorrect terminology, which wouldn't be the first time for SG, in
fact that's a frequent occurrence with him.  Some of us in the security
business consider ole SG to be a bit of a hack (in the publishing media
sense of the word) at times.

NAT != router
router != NAT

A NAT device is not exactly a router.  It could be considered to be a
special case, particular category of router but the term "router" is
much more general.  I know they label these things as "cable routers"
and such but they are NAT devices.  OTOH, a router is another good
example where things can get confusing.  Many many routers, real
routers, include packet filters and often stateful packet filters.  So a
firewall can act as a router and a router can act as a firewall and your
IPv6 router would most certainly include an IPv6 stateful packet filter
(since most of them are based on Linux anyways).  A router, a real
router, does not necessarily do NAT.  That's a separate feature from
routing.  So what SG wrote could be construed to be 100% correct and yet
NOT mean you must have a NAT device.  Only a router (implicitly with a
firewall).

> This alone, will 
> prevent many attacks on older or unpatched systems which would otherwise 
> contract a virus immediately on connection to the net.

Which is also exactly what you get with a firewall or a router
containing a firewall.

> I know this 
> because I've actually experienced it when connecting a new computer to 
> the net years ago and it did immediately get a virus, never having 
> visited a web site.  Now that I know more, I would NEVER connect a PC 
> directly to the internet, unless I know it's patched first and has a 
> solid software firewall running.  The consumer doesn't care whether it's 
> NAT or Firewall that's protecting him, he just knows there are security 
> features in the device.

What then aggravates me, as an internationally recognized and respected
security professional, is that telling people it's the NAT that provides
security is incorrect and perpetuates this myth that IPv6 could be less
secure because it does not have NAT.  This is FALSE!  This is horribly
FALSE!  You got security from the NAT device because your NAT device
behaves like a firewall (and not all do).  You have to have a router for
IPv6 anyways and those routers contain firewalls.  You're just as
secure.

> I KNOW the router is providing this protection 
> because I can do a port scan (such as Shields Up) against my public IP 
> and every port is STEALTH, meaning totally unresponsive to unsolicited 
> traffic.  Even my Linux software firewall running with Firestarter 
> doesn't do that, it only closes the ports.  I'm pretty sure that 
> stealthing all the ports to the outside world would totally prevent the 
> instant virus event that I described, because that attack succeeded by 
> getting to an open port on the PC and crashing something.  Assuming the 
> router is working correctly, there is no way any attacker can penetrate 
> into my network unless he / she's piggy backing on top of a connection 
> I've already started.  Hopefully, even that would be hard.  The firewall 
> completely blocks all the hostile background radiation.  Of course, if I 
> click on a malicious link or visit a malicious website, knowingly or 
> unknowingly, and invite the virus in through the firewall, that's a 
> different matter.

> Also, you said NAT does not provide any security.  That's a very strong 
> statement.  While it is not a security system, per se, you said in your 
> other long post that NAT prevents you from connecting to family members' 
> computers to do maintenance.

Ok...  That was probably Michael T there.  I didn't post that.  But we
come right back to it again.  You get the same thing from a firewall.
And if you want to open up a connection from your network to their
network, you can do it without these NAT bypass headstands that don't
work for more than one address behind the NATs.

> Well, that means it's also helping prevent 
> hackers from connecting as well.

Firewall.

> So, it's providing SOME security, even 
> if minimal.

Firewall.  The NAT is not.  It's the firewalling behavior of the NAT
device.  It's the device, it's not the NAT.

> The combination of the firewall function of the router and 
> the NAT function of the router go a long way toward preventing 
> unsolicited malicious traffic from entering a home network.

No, only the firewall feature (which includes the state engine of the
NAT whether some people want to call it or consider it to be a firewall
or not).

> I believe 
> it is inappropriate to advise people in such a way that they might be 
> inclined to place PCs in direct contact with the Internet.  In fact, I 
> think we should say, to the general consumer, Windows, Mac, or Linux, 
> that you should NEVER connect your PC directly to the internet,

Did I say that?  Really?  Where have I said that?  I've been preaching
firewall over and over again.  The v6 routers have firewalls.  You have
to have one if you are going to have a v6 network.

> to the 
> cable or DSL modem, unless they know what they are doing AND have a 
> properly set up software firewall on the PC AND the PC is properly 
> patched.  The only way they will get the advantage of this security 
> protection is to connect the WAN port of a router type device with 
> firewall functionality to the cable or DSL modem and to connect the PC 
> to the SWITCH port or wifi of the router.  Finally, until we all have 
> IPv6, NAT is mandatory for any consumer who wants to attach more than 
> one computer or internet device at home, and that would include most of us.

No.  NAT is NOT mandatory.  A firewall is.  NAT will perform that
function as a firewall but it's not the only thing that can provide that
function.  You don't need NAT.  You need a Firewall with or without NAT.
Pure "NAT" is neither necessary nor sufficient.  Consumer grade
commodity NAT DEVICES provide the functionality of NAT, router, and
firewall all on one box.  You don't need the NAT.  You get the same
security from the router and firewall (or firewall alone if you use it
in-line).

> Sincerely,
> 
> Ron
> 
> 
> On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
> > On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
> >    
> >> It also keeps the outside world from connecting to the inside (behind
> >> firewall) world. What functions that way in your above scenario,
> >> firewall
> >> rules ?
> >>      
> > Everyone gather round.  Say it with me:
> >
> >                       NAT is not a security mechanism.
> >
> > Seriously.  I mean it.
> >
> >           Let me repeat that: NAT is not a security mechanism.
> >
> > It was intended to enable privately addressed networks to have limited
> > communication with hosts on the Internet.  It has the side effect of
> > using tables to figure out how to rewrite packets, but this does not
> > provide any security.  It does not.
> >
> >             One more time: NAT IS NOT A SECURITY MECHANISM.
> >
> > Or to put it another way:  NAT is as effective at providing security for
> > your network as groping at airports is for providing security there.
> > It's all a show; it's faux security that makes people feel better but
> > does not serve any real purpose.
> >
> > I've gone on about NAT recently in other threads here.  You can find
> > those, or you can read the post I wrote in my blog about NAT if you
> > want:
> >
> > http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
> >
> > 	--- Mike
> >    
> >
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
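An added illustration (not code from this thread) of the point above that the protection comes from the state engine and not from address rewriting: a toy Python model with a plain stateful filter, a consumer-style NAT built on that same state engine, and a stateless 1:1 NAT that rewrites only. Host names and the public address are made up.

```python
# Added example, not code from the thread: a toy state engine showing why a consumer
# NAT box and a plain stateful firewall reach the same accept/drop decision, while
# NAT with no state table (static 1:1 NAT) does not. Hosts/addresses are made up.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class StatefulFirewall:
    """Stateful packet filter: tracks inside-initiated flows, rewrites nothing."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, remote_ip, remote_port)
    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded unchanged
    def inbound(self, p):
        # ESTABLISHED-style check: only a reply to a known flow gets through
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

class ConsumerNat(StatefulFirewall):
    """The same state engine, plus port/address rewriting (NAPT)."""
    def __init__(self, public_ip):
        super().__init__()
        self.public_ip, self.ports = public_ip, {}  # (inside_ip, port) -> public port
    def outbound(self, p):
        super().outbound(p)
        pub = self.ports.setdefault((p.src, p.sport), 40000 + len(self.ports))
        return p._replace(src=self.public_ip, sport=pub)
    def inbound(self, p):
        # Undo the mapping; an unmapped public port has nowhere inside to go
        for (ip, port), pub in self.ports.items():
            if p.dst == self.public_ip and p.dport == pub:
                return super().inbound(p._replace(dst=ip, dport=port))
        return None

class StaticNat:
    """1:1 address rewriting with no state table: rewriting alone, no filtering."""
    def __init__(self, public_ip, inside_ip):
        self.public_ip, self.inside_ip = public_ip, inside_ip
    def outbound(self, p):
        return p._replace(src=self.public_ip)
    def inbound(self, p):
        # Anything addressed to the public IP is rewritten and forwarded inside
        return p._replace(dst=self.inside_ip) if p.dst == self.public_ip else None

def scenario(dev):
    """Return (reply_accepted, unsolicited_probe_accepted) for one device."""
    out = dev.outbound(Packet("inside-host", 51000, "web-server", 80))
    reply = Packet(out.dst, out.dport, out.src, out.sport)  # the server's answer
    probe = Packet("scanner", 4444, out.src, 445)  # unsolicited inbound to port 445
    return dev.inbound(reply) is not None, dev.inbound(probe) is not None
```

The stateful filter and the consumer NAT both pass the reply and drop the probe; the stateless 1:1 NAT passes both, which is the "NAT device that provides no security" case.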