[ale] V6 question
Ron Frazier
atllinuxenthinfo at c3energy.com
Sat Feb 5 14:23:45 EST 2011
Michael,
I'm not trying to be divisive, or offensive, but I don't think you are
stating this case correctly. You posted a very long reply to one of my
other messages, and discussed this in depth. I hope to digest that
later. However, every consumer NAT router I'm aware of has a function
completely separate from NAT, which would be in effect with or without
NAT, and that is the firewall function of the device. That is primarily
what provides security. And it most certainly does provide security
which is meaningful. You're acting like putting a NAT router at the
boundary of your home internet connection has no security value, or at
least that's what it sounds like. In fact, it's one of the most
critical things a consumer can do. Security expert Steve Gibson
recommends using a router exactly for this reason. This alone will
prevent many attacks on older or unpatched systems which would otherwise
contract a virus immediately on connection to the net. I know this
because I've actually experienced it when connecting a new computer to
the net years ago and it did immediately get a virus, never having
visited a web site. Now that I know more, I would NEVER connect a PC
directly to the internet, unless I know it's patched first and has a
solid software firewall running. The consumer doesn't care whether it's
NAT or Firewall that's protecting him, he just knows there are security
features in the device. I KNOW the router is providing this protection
because I can do a port scan (such as Shields Up) against my public IP
and every port is STEALTH, meaning totally unresponsive to unsolicited
traffic. Even my Linux software firewall running with Firestarter
doesn't do that; it only closes the ports. I'm pretty sure that
stealthing all the ports to the outside world would totally prevent the
instant virus event that I described, because that attack succeeded by
getting to an open port on the PC and crashing something. Assuming the
router is working correctly, there is no way any attacker can penetrate
into my network unless he or she is piggybacking on top of a connection
I've already started. Hopefully, even that would be hard. The firewall
completely blocks all the hostile background radiation. Of course, if I
click on a malicious link or visit a malicious website, knowingly or
unknowingly, and invite the virus in through the firewall, that's a
different matter.
Also, you said NAT does not provide any security. That's a very strong
statement. While it is not a security system, per se, you said in your
other long post that NAT prevents you from connecting to family members'
computers to do maintenance. Well, that means it's also helping prevent
hackers from connecting as well. So, it's providing SOME security, even
if minimal. The combination of the firewall function of the router and
the NAT function of the router go a long way toward preventing
unsolicited malicious traffic from entering a home network. I believe
it is inappropriate to advise people in such a way that they might be
inclined to place PCs in direct contact with the Internet. In fact, I
think we should say, to the general consumer, Windows, Mac, or Linux,
that you should NEVER connect your PC directly to the internet, to the
cable or DSL modem, unless they know what they are doing AND have a
properly set up software firewall on the PC AND the PC is properly
patched. The only way they will get the advantage of this security
protection is to connect the WAN port of a router type device with
firewall functionality to the cable or DSL modem and to connect the PC
to the SWITCH port or wifi of the router. Finally, until we all have
IPv6, NAT is mandatory for any consumer who wants to attach more than
one computer or internet device at home, and that would include most of us.
Sincerely,
Ron
On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
> On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
>
>> It also keeps the outside world from connecting to the inside (behind
>> firewall) world. What functions that way in your above scenario,
>> firewall
>> rules ?
>>
> Everyone gather round. Say it with me:
>
> NAT is not a security mechanism.
>
> Seriously. I mean it.
>
> Let me repeat that: NAT is not a security mechanism.
>
> It was intended to enable privately addressed networks to have limited
> communication with hosts on the Internet. It has the side effect of
> using tables to figure out how to rewrite packets, but this does not
> provide any security. It does not.
>
> One more time: NAT IS NOT A SECURITY MECHANISM.
>
> Or to put it another way: NAT is as effective at providing security for
> your network as groping at airports is for providing security there.
> It's all a show; it's faux security that makes people feel better but
> does not serve any real purpose.
>
> I've gone on about NAT recently in other threads here. You can find
> those, or you can read the post I wrote in my blog about NAT if you
> want:
>
> http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
>
> --- Mike
>
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
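As an added illustration (not part of the thread or anyone's posted code), here is a toy model that separates the two functions the thread is arguing about: the NAT mapping table, which only rewrites addresses, and the firewall's connection tracking, which decides whether an unsolicited inbound packet is silently dropped (the "stealth" result a port scan reports) or rejected (a "closed" port). The Gateway and Packet names and all addresses and ports are constructed.

```python
# Added toy model (not from the thread): a consumer gateway with a NAT
# mapping table and a separate stateful firewall. All IPs/ports constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"


class Gateway:
    def __init__(self, public_ip, stateful_firewall=True, default="DROP"):
        self.public_ip = public_ip
        self.stateful = stateful_firewall
        self.default = default          # "DROP" = stealth, "REJECT" = closed
        self.next_port = 40000
        self.nat = {}                   # internal "ip:port" -> public port
        self.rev = {}                   # public port -> internal "ip:port"
        self.conntrack = set()          # (internal, remote) flows started inside

    def outbound(self, pkt):
        """LAN -> WAN: allocate or reuse a mapping, record the flow, rewrite src."""
        if pkt.src not in self.nat:
            self.nat[pkt.src] = self.next_port
            self.rev[self.next_port] = pkt.src
            self.next_port += 1
        self.conntrack.add((pkt.src, pkt.dst))
        return Packet(f"{self.public_ip}:{self.nat[pkt.src]}", pkt.dst)

    def inbound(self, pkt):
        """WAN -> LAN: return the rewritten packet, or the verdict string."""
        port = int(pkt.dst.rsplit(":", 1)[1])
        internal = self.rev.get(port)
        if internal is None:
            # No mapping: NAT alone has nowhere to send it; the firewall's
            # default policy decides whether the sender sees nothing or a reset.
            return self.default
        if self.stateful and (internal, pkt.src) not in self.conntrack:
            # Mapping exists, but the sender is not the peer this host contacted.
            # Without connection tracking (NAT only) the packet would be forwarded.
            return self.default
        return Packet(pkt.src, internal)
```

With `stateful_firewall=False` the model behaves like a bare NAT with endpoint-independent mapping: any outside host that reaches a mapped public port gets forwarded to the inside, which is exactly the case connection tracking closes off.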