[ale] V6 question

Michael H. Warfield mhw at WittsEnd.com
Sat Feb 5 16:00:47 EST 2011


On Sat, 2011-02-05 at 15:51 -0500, Ron Frazier wrote: 
> Hi, Michael Warfield,
> 
> Just so you know, my message that you are replying to was a reply to 
> Michael Trausch.  Not that it matters.  Anybody can reply to any 
> message.  I just didn't know if you thought I was referring to you.  
> I'll look in more detail at your post later.

Actually I did think you were referring to me.  It's even more confusing
that Michael T and I are arguing the same points and are on the same page
with this.  He and I agree.

> Sincerely,
> 
> Ron
> 
> 
> On 02/05/2011 03:34 PM, Michael H. Warfield wrote:
> > On Sat, 2011-02-05 at 14:23 -0500, Ron Frazier wrote:
> >    
> >> Michael,
> >>
> >> I'm not trying to be divisive, or offensive, but I don't think you are
> >> stating this case correctly.  You posted a very long reply to one of my
> >> other messages, and discussed this in depth.  I hope to digest that
> >> later.  However, every consumer NAT router I'm aware of has a function
> >> completely separate from NAT, which would be in effect with or without
> >> NAT, and that is the firewall function of the device.  That is primarily
> >> what provides security.  And it most certainly does provide security
> >> which is meaningful.  You're acting like putting a NAT router at the
> >> boundary of your home internet connection has no security value, or at
> >> least that's what it sounds like.
> >>      
> > No security value over that of a simple router with a stateful packet
> > filtering firewall, i.e. netfilter / iptables.  Give me one example of
> > some security feature that NAT gives you that iptables does not.
> > Consumer grade NAT devices have a state engine at their core that drives
> > the NAT mapping tables.  Not all NATs have this.  Most (maybe all) that
> > you will ever encounter will, I agree.  But the fact remains that a
> > stateful firewall provides the same protection as the NAT box and is far
> > simpler.  I can quote more than one enterprise level NAT device which
> > provides no security.  So NAT in and of itself doesn't provide the
> > security.  It's provided by the statefulness of the mapping table and
> > that, in turn, is acting exactly like a stateful firewall.
> >
> > One example.  That's all I ask.  One example of a security feature which
> > NAT provides which is not present in any decent stateful firewall.
> >
> >    
> >> In fact, it's one of the most
> >> critical things a consumer can do.  Security expert Steve Gibson
> >> recommends using a router exactly for this reason.
> >>      
> > If he wrote "router" then he meant something else more general or he's
> > using incorrect terminology, which wouldn't be the first time for SG, in
> > fact that's a frequent occurrence with him.  Some of us in the security
> > business consider ole SG to be a bit of a hack (in the publishing media
> > sense of the word) at times.
> >
> > NAT != router
> > router != NAT
> >
> > A NAT device is not exactly a router.  It could be considered to be a
> > special case, particular category of router but the term "router" is
> > much more general.  I know they label these things as "cable routers"
> > and such but they are NAT devices.  OTOH, a router is another good
> > example where things can get confusing.  Many many routers, real
> > routers, include packet filters and often stateful packet filters.  So a
> > firewall can act as a router and a router can act as a firewall and your
> > IPv6 router would most certainly include an IPv6 stateful packet filter
> > (since most of them are based on Linux anyways).  A router, a real
> > router, does not necessarily do NAT.  That's a separate feature from
> > routing.  So what SG wrote could be construed to be 100% correct and yet
> > NOT mean you must have a NAT device.  Only a router (implicitly with a
> > firewall).
> >
> >    
> >> This alone, will
> >> prevent many attacks on older or unpatched systems which would otherwise
> >> contract a virus immediately on connection to the net.
> >>      
> > Which is also exactly what you get with a firewall or a router
> > containing a firewall.
> >
> >    
> >> I know this
> >> because I've actually experienced it when connecting a new computer to
> >> the net years ago and it did immediately get a virus, never having
> >> visited a web site.  Now that I know more, I would NEVER connect a PC
> >> directly to the internet, unless I know it's patched first and has a
> >> solid software firewall running.  The consumer doesn't care whether it's
> >> NAT or Firewall that's protecting him, he just knows there are security
> >> features in the device.
> >>      
> > What then aggravates me, as an internationally recognized and respected
> > security professional, is that telling people it's the NAT that provides
> > security is incorrect and perpetuates this myth that IPv6 could be less
> > secure because it does not have NAT.  This is FALSE!  This is horribly
> > FALSE!  You got security from the NAT device because your NAT device
> > behaves like a firewall (and not all do).  You have to have a router for
> > IPv6 anyways and those routers contain firewalls.  You're just as
> > secure.
> >
> >    
> >> I KNOW the router is providing this protection
> >> because I can do a port scan (such as Shields Up) against my public IP
> >> and every port is STEALTH, meaning totally unresponsive to unsolicited
> >> traffic.  Even my Linux software firewall running with Firestarter
> >> doesn't do that, it only closes the ports.  I'm pretty sure that
> >> stealthing all the ports to the outside world would totally prevent the
> >> instant virus event that I described, because that attack succeeded by
> >> getting to an open port on the PC and crashing something.  Assuming the
> >> router is working correctly, there is no way any attacker can penetrate
> >> into my network unless he / she's piggybacking on top of a connection
> >> I've already started.  Hopefully, even that would be hard.  The firewall
> >> completely blocks all the hostile background radiation.  Of course, if I
> >> click on a malicious link or visit a malicious website, knowingly or
> >> unknowingly, and invite the virus in through the firewall, that's a
> >> different matter.
> >>      
> >    
> >> Also, you said NAT does not provide any security.  That's a very strong
> >> statement.  While it is not a security system, per se, you said in your
> >> other long post that NAT prevents you from connecting to family members'
> >> computers to do maintenance.
> >>      
> > Ok...  That was probably Michael T there.  I didn't post that.  But we
> > come right back to it again.  You get the same thing from a firewall.
> > And if you want to open up a connection from your network to their
> > network, you can do it without these NAT bypass headstands that don't
> > work for more than one address behind the NATs.
> >
> >    
> >> Well, that means it's also helping prevent
> >> hackers from connecting as well.
> >>      
> > Firewall.
> >
> >    
> >> So, it's providing SOME security, even
> >> if minimal.
> >>      
> > Firewall.  The NAT is not.  It's the firewalling behavior of the NAT
> > device.  It's the device, it's not the NAT.
> >
> >    
> >> The combination of the firewall function of the router and
> >> the NAT function of the router go a long way toward preventing
> >> unsolicited malicious traffic from entering a home network.
> >>      
> > No, only the firewall feature (which includes the state engine of the
> > NAT whether some people want to call it or consider it to be a firewall
> > or not).
> >
> >    
> >> I believe
> >> it is inappropriate to advise people in such a way that they might be
> >> inclined to place PC's in direct contact with the Internet.  In fact, I
> >> think we should say, to the general consumer, Windows, Mac, or Linux,
> >> that you should NEVER connect your PC directly to the internet,
> >>      
> > Did I say that?  Really?  Where have I said that?  I've been preaching
> > firewall over and over again.  The v6 routers have firewalls.  You have
> > to have one if you are going to have a v6 network.
> >
> >    
> >> to the
> >> cable or DSL modem, unless they know what they are doing AND have a
> >> properly set up software firewall on the PC AND the PC is properly
> >> patched.  The only way they will get the advantage of this security
> >> protection is to connect the WAN port of a router type device with
> >> firewall functionality to the cable or DSL modem and to connect the PC
> >> to the SWITCH port or wifi of the router.  Finally, until we all have
> >> IPv6, NAT is mandatory for any consumer who wants to attach more than
> >> one computer or internet device at home, and that would include most of us.
> >>      
> > No.  NAT is NOT mandatory.  A firewall is.  NAT will perform that
> > function as a firewall but it's not the only thing that can provide that
> > function.  You don't need NAT.  You need a Firewall with or without NAT.
> > Pure "NAT" is neither necessary nor sufficient.  Consumer grade
> > commodity NAT DEVICES provide the functionality of NAT, router, and
> > firewall all on one box.  You don't need the NAT.  You get the same
> > security from the router and firewall (or firewall alone if you use it
> > in-line).
> >
> >    
> >> Sincerely,
> >>
> >> Ron
> >>
> >>
> >> On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
> >>      
> >>> On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
> >>>
> >>>        
> >>>> It also keeps the outside world from connecting to the inside (behind
> >>>> firewall) world, What functions that way in your above scenario,
> >>>> firewall
> >>>> rules ?
> >>>>
> >>>>          
> >>> Everyone gather round.  Say it with me:
> >>>
> >>>                        NAT is not a security mechanism.
> >>>
> >>> Seriously.  I mean it.
> >>>
> >>>            Let me repeat that: NAT is not a security mechanism.
> >>>
> >>> It was intended to enable privately addressed networks to have limited
> >>> communication with hosts on the Internet.  It has the side effect of
> >>> using tables to figure out how to rewrite packets, but this does not
> >>> provide any security.  It does not.
> >>>
> >>>              One more time: NAT IS NOT A SECURITY MECHANISM.
> >>>
> >>> Or to put it another way:  NAT is as effective at providing security for
> >>> your network as groping at airports is for providing security there.
> >>> It's all a show; it's faux security that makes people feel better but
> >>> does not serve any real purpose.
> >>>
> >>> I've gone on about NAT recently in other threads here.  You can find
> >>> those, or you can read the post I wrote in my blog about NAT if you
> >>> want:
> >>>
> >>> http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
> >>>
> >>> 	--- Mike
> >>>
> >>>
> >>>        
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
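The point argued above (that the state engine driving a NAT box's mapping table is what drops unsolicited inbound traffic, and that a plain stateful packet filter makes the same decision without rewriting anything) can be shown with a small model. This is an added example, not code posted by anyone in the thread; the two device classes, the packet shape and the addresses (all from documentation ranges) are constructed for illustration.

```python
"""Toy model of the point argued in the thread: the accept/drop decision for
unsolicited inbound traffic is made by a stateful table, whether or not that
table also rewrites addresses.  Constructed example, not code from the thread."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Reverse-direction flow key: (remote ip, remote port, local ip, local port)
FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    """Stateful packet filter without NAT (the netfilter/conntrack case):
    an outbound packet creates state, inbound passes only if it matches state."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def outbound(self, p: Packet) -> Packet:
        # Remember the flow in the form the remote side will address its replies.
        self.flows.add((p.dst, p.dport, p.src, p.sport))
        return p  # routed unchanged, nothing rewritten

    def inbound(self, p: Packet) -> Optional[Packet]:
        # ESTABLISHED/RELATED analogue: only known flows get through.
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return p
        return None  # unsolicited: dropped


class NatBox:
    """Consumer-style NAT: the same state, except that it also rewrites the
    inside address/port to the single public address on the way out and back."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        # inside 4-tuple -> allocated public port
        self.by_inside: Dict[Tuple[str, int, str, int], int] = {}
        # (remote ip, remote port, public port) -> (inside ip, inside port)
        self.by_outside: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_outside[(p.dst, p.dport, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.by_inside[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.by_outside.get((p.src, p.sport, p.dport))
        if p.dst != self.public_ip or inside is None:
            return None  # no mapping means nowhere to forward it: dropped
        return replace(p, dst=inside[0], dport=inside[1])


def run_scenario(device, inside: str, remote: str, scanner: str) -> dict:
    """Push one outbound connection, its reply and an unsolicited probe through
    `device` and report what reached the inside.  All addresses are constructed."""
    out = device.outbound(Packet(inside, 51000, remote, 80))
    # The remote web server replies to whatever source address/port it saw.
    reply = device.inbound(Packet(remote, 80, out.src, out.sport))
    # A scanner that never saw an outbound flow probes port 445 on the
    # address the outside world sees for our network.
    probe = device.inbound(Packet(scanner, 31337, out.src, 445))
    return {
        "reply_forwarded": reply is not None,
        "reply_reaches": (reply.dst, reply.dport) if reply else None,
        "unsolicited_forwarded": probe is not None,
    }


if __name__ == "__main__":
    # IPv6 router with a stateful filter and no NAT
    print(run_scenario(StatefulFilter(), "2001:db8:1::5", "2001:db8:2::80", "2001:db8:bad::1"))
    # IPv4 consumer NAT device
    print(run_scenario(NatBox("203.0.113.10"), "192.168.1.5", "198.51.100.80", "192.0.2.99"))
```

Both devices forward the reply to the inside host and drop the probe; the only difference is that the NAT box had to rewrite addresses to do it. On a Linux IPv6 router the StatefulFilter half corresponds to a FORWARD chain that accepts `-m conntrack --ctstate ESTABLISHED,RELATED` and drops everything else arriving on the WAN interface; a real rule set also has to permit the ICMPv6 types IPv6 needs to function, which the toy model leaves out.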