[ale] V6 question

Ron Frazier atllinuxenthinfo at c3energy.com
Sat Feb 5 15:51:00 EST 2011


Hi, Michael Warfield,

Just so you know, my message that you are replying to was a reply to 
Michael Trausch.  Not that it matters.  Anybody can reply to any 
message.  I just didn't know if you thought I was referring to you.  
I'll look in more detail at your post later.

Sincerely,

Ron


On 02/05/2011 03:34 PM, Michael H. Warfield wrote:
> On Sat, 2011-02-05 at 14:23 -0500, Ron Frazier wrote:
>    
>> Michael,
>>
>> I'm not trying to be divisive, or offensive, but I don't think you are
>> stating this case correctly.  You posted a very long reply to one of my
>> other messages, and discussed this in depth.  I hope to digest that
>> later.  However, every consumer NAT router I'm aware of has a function
>> completely separate from NAT, which would be in effect with or without
>> NAT, and that is the firewall function of the device.  That is primarily
>> what provides security.  And it most certainly does provide security
>> which is meaningful.  You're acting like putting a NAT router at the
>> boundary of your home internet connection has no security value, or at
>> least that's what it sounds like.
>>      
> No security value over that of a simple router with a stateful packet
> filtering firewall, i.e. netfilter / iptables.  Give me one example of
> some security feature that NAT gives you that iptables does not.
> Consumer grade NAT devices have a state engine at their core that drives
> the NAT mapping tables.  Not all NATs have this.  Most (maybe all) that
> you will ever encounter will, I agree.  But the fact remains that a
> stateful firewall provides the same protection as the NAT box and is far
> simpler.  I can quote more than one enterprise level NAT device which
> provides no security.  So NAT in and of itself doesn't provide the
> security.  It's provided by the statefulness of the mapping table and
> that, in turn, is acting exactly like a stateful firewall.
>
> One example.  That's all I ask.  One example of a security feature which
> NAT provides which is not present in any decent stateful firewall.
>
>    
>> In fact, it's one of the most
>> critical things a consumer can do.  Security expert Steve Gibson
>> recommends using a router exactly for this reason.
>>      
> If he wrote "router" then he meant something else more general or he's
> using incorrect terminology, which wouldn't be the first time for SG, in
> fact that's a frequent occurrence with him.  Some of us in the security
> business consider ole SG to be a bit of a hack (in the publishing media
> sense of the word) at times.
>
> NAT != router
> router != NAT
>
> A NAT device is not exactly a router.  It could be considered to be a
> special case, particular category of router but the term "router" is
> much more general.  I know they label these things as "cable routers"
> and such but they are NAT devices.  OTOH, a router is another good
> example where things can get confusing.  Many many routers, real
> routers, include packet filters and often stateful packet filters.  So a
> firewall can act as a router and a router can act as a firewall and your
> IPv6 router would most certainly include an IPv6 stateful packet filter
> (since most of them are based on Linux anyways).  A router, a real
> router, does not necessarily do NAT.  That's a separate feature from
> routing.  So what SG wrote could be construed to be 100% correct and yet
> NOT mean you must have a NAT device.  Only a router (implicitly with a
> firewall).
>
>    
>> This alone, will
>> prevent many attacks on older or unpatched systems which would otherwise
>> contract a virus immediately on connection to the net.
>>      
> Which is also exactly what you get with a firewall or a router
> containing a firewall.
>
>    
>> I know this
>> because I've actually experienced it when connecting a new computer to
>> the net years ago and it did immediately get a virus, never having
>> visited a web site.  Now that I know more, I would NEVER connect a PC
>> directly to the internet, unless I know it's patched first and has a
>> solid software firewall running.  The consumer doesn't care whether it's
>> NAT or Firewall that's protecting him, he just knows there are security
>> features in the device.
>>      
> What then aggravates me, as an internationally recognized and respected
> security professional, is that telling people it's the NAT that provides
> security is incorrect and perpetuates this myth that IPv6 could be less
> secure because it does not have NAT.  This is FALSE!  This is horribly
> FALSE!  You got security from the NAT device because your NAT device
> behaves like a firewall (and not all do).  You have to have a router for
> IPv6 anyways and those routers contain firewalls.  You're just as
> secure.
>
>    
>> I KNOW the router is providing this protection
>> because I can do a port scan (such as Shields Up) against my public IP
>> and every port is STEALTH, meaning totally unresponsive to unsolicited
>> traffic.  Even my Linux software firewall running with Firestarter
>> doesn't do that, it only closes the ports.  I'm pretty sure that
>> stealthing all the ports to the outside world would totally prevent the
>> instant virus event that I described, because that attack succeeded by
>> getting to an open port on the PC and crashing something.  Assuming the
>> router is working correctly, there is no way any attacker can penetrate
>> into my network unless he / she's piggybacking on top of a connection
>> I've already started.  Hopefully, even that would be hard.  The firewall
>> completely blocks all the hostile background radiation.  Of course, if I
>> click on a malicious link or visit a malicious website, knowingly or
>> unknowingly, and invite the virus in through the firewall, that's a
>> different matter.
>>      
>    
>> Also, you said NAT does not provide any security.  That's a very strong
>> statement.  While it is not a security system, per se, you said in your
>> other long post that NAT prevents you from connecting to family members'
>> computers to do maintenance.
>>      
> Ok...  That was probably Michael T there.  I didn't post that.  But we
> come right back to it again.  You get the same thing from a firewall.
> And if you want to open up a connection from your network to their
> network, you can do it without these NAT bypass headstands that don't
> work for more than one address behind the NATs.
>
>    
>> Well, that means it's also helping prevent
>> hackers from connecting as well.
>>      
> Firewall.
>
>    
>> So, it's providing SOME security, even
>> if minimal.
>>      
> Firewall.  The NAT is not.  It's the firewalling behavior of the NAT
> device.  It's the device, it's not the NAT.
>
>    
>> The combination of the firewall function of the router and
>> the NAT function of the router go a long way toward preventing
>> unsolicited malicious traffic from entering a home network.
>>      
> No, only the firewall feature (which includes the state engine of the
> NAT whether some people want to call it or consider it to be a firewall
> or not).
>
>    
>> I believe
>> it is inappropriate to advise people in such a way that they might be
>> inclined to place PCs in direct contact with the Internet.  In fact, I
>> think we should say, to the general consumer, Windows, Mac, or Linux,
>> that you should NEVER connect your PC directly to the internet,
>>      
> Did I say that?  Really?  Where have I said that?  I've been preaching
> firewall over and over again.  The v6 routers have firewalls.  You have
> to have one if you are going to have a v6 network.
>
>    
>> to the
>> cable or DSL modem, unless they know what they are doing AND have a
>> properly set up software firewall on the PC AND the PC is properly
>> patched.  The only way they will get the advantage of this security
>> protection is to connect the WAN port of a router type device with
>> firewall functionality to the cable or DSL modem and to connect the PC
>> to the SWITCH port or wifi of the router.  Finally, until we all have
>> IPv6, NAT is mandatory for any consumer who wants to attach more than
>> one computer or internet device at home, and that would include most of us.
>>      
> No.  NAT is NOT mandatory.  A firewall is.  NAT will perform that
> function as a firewall but it's not the only thing that can provide that
> function.  You don't need NAT.  You need a Firewall with or without NAT.
> Pure "NAT" is neither necessary nor sufficient.  Consumer grade
> commodity NAT DEVICES provide the functionality of NAT, router, and
> firewall all on one box.  You don't need the NAT.  You get the same
> security from the router and firewall (or firewall alone if you use it
> in-line).
>
>    
>> Sincerely,
>>
>> Ron
>>
>>
>> On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
>>      
>>> On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
>>>
>>>        
>>>> It also keeps the outside world from connecting to the inside (behind
>>>> firewall) world.  What functions that way in your above scenario,
>>>> firewall
>>>> rules ?
>>>>
>>>>          
>>> Everyone gather round.  Say it with me:
>>>
>>>                        NAT is not a security mechanism.
>>>
>>> Seriously.  I mean it.
>>>
>>>            Let me repeat that: NAT is not a security mechanism.
>>>
>>> It was intended to enable privately addressed networks to have limited
>>> communication with hosts on the Internet.  It has the side effect of
>>> using tables to figure out how to rewrite packets, but this does not
>>> provide any security.  It does not.
>>>
>>>              One more time: NAT IS NOT A SECURITY MECHANISM.
>>>
>>> Or to put it another way:  NAT is as effective at providing security for
>>> your network as groping at airports is for providing security there.
>>> It's all a show; it's faux security that makes people feel better but
>>> does not serve any real purpose.
>>>
>>> I've gone on about NAT recently in other threads here.  You can find
>>> those, or you can read the post I wrote in my blog about NAT if you
>>> want:
>>>
>>> http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
>>>
>>> 	--- Mike
>>>
>>>
>>>        

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
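As an added illustration, not part of any message in this thread: a toy Python model of the point Warfield argues above, that the accept/drop verdict of a consumer NAT box comes from its state table, and a stateful packet filter with no address rewriting (the IPv6 router case) reaches the same verdict on unsolicited inbound traffic. Class names, the traffic scenario and the addresses (documentation ranges) are assumptions of this example.

```python
from collections import namedtuple

# Constructed sample packets; addresses used below are documentation ranges, not real hosts.
Packet = namedtuple("Packet", "src sport dst dport")


class StatefulFilter:
    """Stateful packet filter on an IPv6 edge router: no address rewriting.
    Inbound traffic is accepted only as the reply to a flow opened from inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p                                    # forwarded unchanged

    def inbound(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        return "DROP"                               # unsolicited: silently discarded


class NatBox:
    """Consumer NAT box: the same state engine drives its mapping table, and it
    additionally rewrites the source to one public address. The verdict is identical."""
    def __init__(self, public):
        self.public, self.mapping, self.next_port = public, {}, 40000

    def outbound(self, p):
        port, self.next_port = self.next_port, self.next_port + 1
        self.mapping[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public, port, p.dst, p.dport)  # as seen on the wire

    def inbound(self, p):
        if (p.dport, p.src, p.sport) in self.mapping:
            return "ACCEPT"                         # would be rewritten to the inside host
        return "DROP"                               # no mapping: the "stealth" result


def run(box, inside, web, scanner):
    """Constructed traffic: an inside host fetches a page from `web`, then
    `scanner` probes our wire address on port 445. Returns (reply, probe) verdicts."""
    wire = box.outbound(Packet(inside, 51234, web, 80))
    reply = box.inbound(Packet(web, 80, wire.src, wire.sport))
    probe = box.inbound(Packet(scanner, 40123, wire.src, 445))
    return reply, probe


if __name__ == "__main__":
    print("IPv6 stateful filter:", run(StatefulFilter(), "2001:db8:1::10", "2001:db8:2::80", "2001:db8:3::66"))
    print("IPv4 NAT box:        ", run(NatBox("198.51.100.1"), "192.168.1.10", "203.0.113.80", "203.0.113.66"))
```

Both boxes accept the reply to the connection the inside host opened and drop the unsolicited probe; the address rewriting in `NatBox` never enters into that decision.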


