[ale] V6 question
Ron Frazier
atllinuxenthinfo at c3energy.com
Sat Feb 5 15:51:00 EST 2011
Hi, Michael Warfield,
Just so you know, my message that you are replying to was a reply to
Michael Trausch. Not that it matters. Anybody can reply to any
message. I just didn't know if you thought I was referring to you.
I'll look in more detail at your post later.
Sincerely,
Ron
On 02/05/2011 03:34 PM, Michael H. Warfield wrote:
> On Sat, 2011-02-05 at 14:23 -0500, Ron Frazier wrote:
>
>> Michael,
>>
>> I'm not trying to be divisive, or offensive, but I don't think you are
>> stating this case correctly. You posted a very long reply to one of my
>> other messages, and discussed this in depth. I hope to digest that
>> later. However, every consumer NAT router I'm aware of has a function
>> completely separate from NAT, which would be in effect with or without
>> NAT, and that is the firewall function of the device. That is primarily
>> what provides security. And it most certainly does provide security
>> which is meaningful. You're acting like putting a NAT router at the
>> boundary of your home internet connection has no security value, or at
>> least that's what it sounds like.
>>
> No security value over that of a simple router with a stateful packet
> filtering firewall, i.e. netfilter / iptables. Give me one example of
> some security feature that NAT gives you that iptables does not.
> Consumer grade NAT devices have a state engine at their core that drives
> the NAT mapping tables. Not all NAT's have this. Most (maybe all) that
> you will ever encounter will, I agree. But the fact remains that a
> stateful firewall provides the same protection as the NAT box and is far
> simpler. I can quote more than one enterprise level NAT device which
> provides no security. So NAT in and of itself doesn't provide the
> security. It's provided by the statefulness of the mapping table and
> that, in turn, is acting exactly like a stateful firewall.
>
> One example. That's all I ask. One example of a security feature which
> NAT provides which is not present in any decent stateful firewall.
>
>
>> In fact, it's one of the most
>> critical things a consumer can do. Security expert Steve Gibson
>> recommends using a router exactly for this reason.
>>
> If he wrote "router" then he meant something else more general or he's
> using incorrect terminology, which wouldn't be the first time for SG, in
> fact that's a frequent occurrence with him. Some of us in the security
> business consider ole SG to be a bit of a hack (in the publishing media
> sense of the word) at times.
>
> NAT != router
> router != NAT
>
> A NAT device is not exactly a router. It could be considered to be a
> special case, particular category of router but the term "router" is
> much more general. I know they label these things as "cable routers"
> and such but they are NAT devices. OTOH, a router is another good
> example where things can get confusing. Many many routers, real
> routers, include packet filters and often stateful packet filters. So a
> firewall can act as a router and a router can act as a firewall and your
> IPv6 router would most certainly include an IPv6 stateful packet filter
> (since most of them are based on Linux anyways). A router, a real
> router, does not necessarily do NAT. That's a separate feature from
> routing. So what SG wrote could be construed to be 100% correct and yet
> NOT mean you must have a NAT device. Only a router (implicitly with a
> firewall).
>
>
>> This alone, will
>> prevent many attacks on older or unpatched systems which would otherwise
>> contract a virus immediately on connection to the net.
>>
> Which is also exactly what you get with a firewall or a router
> containing a firewall.
>
>
>> I know this
>> because I've actually experienced it when connecting a new computer to
>> the net years ago and it did immediately get a virus, never having
>> visited a web site. Now that I know more, I would NEVER connect a PC
>> directly to the internet, unless I know it's patched first and has a
>> solid software firewall running. The consumer doesn't care whether it's
>> NAT or Firewall that's protecting him, he just knows there are security
>> features in the device.
>>
> What then aggravates me, as an internationally recognized and respected
> security professional, is that telling people it's the NAT that provides
> security is incorrect and perpetuates this myth that IPv6 could be less
> secure because it does not have NAT. This is FALSE! This is horribly
> FALSE! You got security from the NAT device because your NAT device
> behaves like a firewall (and not all do). You have to have a router for
> IPv6 anyways and those routers contain firewalls. You're just as
> secure.
>
>
>> I KNOW the router is providing this protection
>> because I can do a port scan (such as Shields Up) against my public IP
>> and every port is STEALTH, meaning totally unresponsive to unsolicited
>> traffic. Even my Linux software firewall running with Firestarter
>> doesn't do that, it only closes the ports. I'm pretty sure that
>> stealthing all the ports to the outside world would totally prevent the
>> instant virus event that I described, because that attack succeeded by
>> getting to an open port on the PC and crashing something. Assuming the
>> router is working correctly, there is no way any attacker can penetrate
>> into my network unless he / she's piggybacking on top of a connection
>> I've already started. Hopefully, even that would be hard. The firewall
>> completely blocks all the hostile background radiation. Of course, if I
>> click on a malicious link or visit a malicious website, knowingly or
>> unknowingly, and invite the virus in through the firewall, that's a
>> different matter.
>>
>
>> Also, you said NAT does not provide any security. That's a very strong
>> statement. While it is not a security system, per se, you said in your
>> other long post that NAT prevents you from connecting to family members'
>> computers to do maintenance.
>>
> Ok... That was probably Michael T there. I didn't post that. But we
> come right back to it again. You get the same thing from a firewall.
> And if you want to open up a connection from your network to their
> network, you can do it without these NAT bypass headstands that don't
> work for more than one address behind the NATs.
>
>
>> Well, that means it's also helping prevent
>> hackers from connecting as well.
>>
> Firewall.
>
>
>> So, it's providing SOME security, even
>> if minimal.
>>
> Firewall. The NAT is not. It's the firewalling behavior of the NAT
> device. It's the device, it's not the NAT.
>
>
>> The combination of the firewall function of the router and
>> the NAT function of the router go a long way toward preventing
>> unsolicited malicious traffic from entering a home network.
>>
> No, only the firewall feature (which includes the state engine of the
> NAT whether some people want to call it or consider it to be a firewall
> or not).
>
>
>> I believe
>> it is inappropriate to advise people in such a way that they might be
>> inclined to place PC's in direct contact with the Internet. In fact, I
>> think we should say, to the general consumer, Windows, Mac, or Linux,
>> that you should NEVER connect your PC directly to the internet,
>>
> Did I say that? Really? Where have I said that? I've been preaching
> firewall over and over again. The v6 routers have firewalls. You have
> to have one if you are going to have a v6 network.
>
>
>> to the
>> cable or DSL modem, unless they know what they are doing AND have a
>> properly set up software firewall on the PC AND the PC is properly
>> patched. The only way they will get the advantage of this security
>> protection is to connect the WAN port of a router type device with
>> firewall functionality to the cable or DSL modem and to connect the PC
>> to the SWITCH port or wifi of the router. Finally, until we all have
>> IPv6, NAT is mandatory for any consumer who wants to attach more than
>> one computer or internet device at home, and that would include most of us.
>>
> No. NAT is NOT mandatory. A firewall is. NAT will perform that
> function as a firewall but it's not the only thing that can provide that
> function. You don't need NAT. You need a Firewall with or without NAT.
> Pure "NAT" is neither necessary nor sufficient. Consumer grade
> commodity NAT DEVICES provide the functionality of NAT, router, and
> firewall all on one box. You don't need the NAT. You get the same
> security from the router and firewall (or firewall alone if you use it
> in-line).
>
>
>> Sincerely,
>>
>> Ron
>>
>>
>> On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
>>
>>> On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
>>>
>>>
>>>> It also keeps the outside world from connecting to the inside (behind
>>>> firewall) world, What functions that way in your above scenario,
>>>> firewall
>>>> rules ?
>>>>
>>>>
>>> Everyone gather round. Say it with me:
>>>
>>> NAT is not a security mechanism.
>>>
>>> Seriously. I mean it.
>>>
>>> Let me repeat that: NAT is not a security mechanism.
>>>
>>> It was intended to enable privately addressed networks to have limited
>>> communication with hosts on the Internet. It has the side effect of
>>> using tables to figure out how to rewrite packets, but this does not
>>> provide any security. It does not.
>>>
>>> One more time: NAT IS NOT A SECURITY MECHANISM.
>>>
>>> Or to put it another way: NAT is as effective at providing security for
>>> your network as groping at airports is for providing security there.
>>> It's all a show; it's faux security that makes people feel better but
>>> does not serve any real purpose.
>>>
>>> I've gone on about NAT recently in other threads here. You can find
>>> those, or you can read the post I wrote in my blog about NAT if you
>>> want:
>>>
>>> http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
>>>
>>> --- Mike
>>>
>>>
>>>
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
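The point Warfield keeps returning to in the quoted exchange, that the protection comes from the connection-state table and not from address rewriting, can be modelled directly. The following is an added example written for this archive page; it is not code from the list, from Linux netfilter/iptables, or from any product mentioned in the thread. It builds a toy connection tracker and puts it behind two gateways: a plain stateful filter that never rewrites addresses, and a NAT gateway that rewrites them but consults the same state table before delivering inbound packets. All addresses and ports are constructed sample values from the documentation ranges, and the `stateful=False` variant is my own illustration of a NAT that forwards anything sent to a mapped port, the kind of NAT Warfield has in mind when he says "not all NATs have this".

```python
"""Toy model: a stateful packet filter and a NAT gateway sharing one
connection tracker. Added example for the ALE thread above; not code from
the list, from netfilter, or from any router product. Addresses are
constructed sample values (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ConnTracker:
    """Connection-state table keyed by the flow as the inside host sent it."""

    def __init__(self):
        self.flows = set()

    def note_outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def is_reply(self, pkt):
        # An inbound packet is a reply if swapping its endpoints yields a
        # flow the inside already opened. Anything else is unsolicited.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class StatefulFilter:
    """Router plus stateful firewall, no NAT: default drop, replies allowed."""

    def __init__(self):
        self.ct = ConnTracker()

    def outbound(self, pkt):
        self.ct.note_outbound(pkt)
        return pkt                      # forwarded unchanged

    def inbound(self, pkt):
        return pkt if self.ct.is_reply(pkt) else None   # None == dropped


class NatGateway:
    """NAT gateway. With stateful=True the mapping table is driven by the same
    state engine as the filter above; with stateful=False (hypothetical
    'any host may use a mapped port' NAT) the rewrite happens without it."""

    def __init__(self, public_ip, stateful=True):
        self.public_ip = public_ip
        self.stateful = stateful
        self.ct = ConnTracker()
        self.out_map = {}    # (proto, inside_ip, inside_port) -> public_port
        self.in_map = {}     # (proto, public_port) -> (inside_ip, inside_port)
        self.next_port = 40000

    def outbound(self, pkt):
        self.ct.note_outbound(pkt)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        target = self.in_map.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or target is None:
            return None                 # no mapping: nowhere to deliver it
        rewritten = replace(pkt, dst=target[0], dport=target[1])
        if self.stateful and not self.ct.is_reply(rewritten):
            return None                 # mapped port, but not our peer: drop
        return rewritten


def run_scenarios():
    """Send one outbound flow through each gateway, then try three inbound
    packets against each. Returns what reaches the inside host (None = dropped)."""
    inside = Packet("tcp", "192.0.2.10", 51000, "203.0.113.5", 443)
    fw, nat, cone = StatefulFilter(), NatGateway("198.51.100.1"), NatGateway("198.51.100.1", stateful=False)
    for gw in (fw, nat, cone):
        gw.outbound(inside)
    reply_to_fw = Packet("tcp", "203.0.113.5", 443, "192.0.2.10", 51000)
    reply_to_nat = Packet("tcp", "203.0.113.5", 443, "198.51.100.1", 40000)
    scan_fw = Packet("tcp", "203.0.113.99", 12345, "192.0.2.10", 445)
    scan_nat = Packet("tcp", "203.0.113.99", 12345, "198.51.100.1", 445)
    probe_mapped = Packet("tcp", "203.0.113.99", 12345, "198.51.100.1", 40000)
    return {
        "fw_reply": fw.inbound(reply_to_fw),
        "nat_reply": nat.inbound(reply_to_nat),
        "fw_scan": fw.inbound(scan_fw),
        "nat_scan": nat.inbound(scan_nat),
        "nat_probe_mapped": nat.inbound(probe_mapped),
        "cone_probe_mapped": cone.inbound(probe_mapped),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18s} -> {'dropped' if result is None else result}")
```

The filter and the stateful NAT make identical accept/drop decisions: the reply to the flow the inside host opened is delivered, the unsolicited packets to port 445 are dropped, and a probe aimed at the mapped public port from a third host is dropped by the stateful NAT because the state table has no flow to that peer. Only the `stateful=False` gateway delivers that probe, which is the case the thread calls a NAT device with no security: the address rewriting is there, the state engine is not.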