[ale] V6 question

Geoffrey Myers lists at serioustechnology.com
Tue Feb 8 08:00:33 EST 2011


Michael H. Warfield wrote:
> On Sat, 2011-02-05 at 15:51 -0500, Ron Frazier wrote: 
>> Hi, Michael Warfield,
>>
>> Just so you know, my message that you are replying to was a reply to 
>> Michael Trausch.  Not that it matters.  Anybody can reply to any 
>> message.  I just didn't know if you thought I was referring to you.  
>> I'll look in more detail at your post later.
> 
> Actually I did think you were referring to me.  It's even more confusing
> that Michael T and I are arguing the same points and are on the same page
> with this.  He and I agree.

I think the key point here is that, although the router provides the NAT 
and the firewall, these are two distinct functionalities.  NAT does not 
provide any type of security.  You could run NAT and turn off the 
firewall on the router.

> 
>> Sincerely,
>>
>> Ron
>>
>>
>> On 02/05/2011 03:34 PM, Michael H. Warfield wrote:
>>> On Sat, 2011-02-05 at 14:23 -0500, Ron Frazier wrote:
>>>    
>>>> Michael,
>>>>
>>>> I'm not trying to be divisive, or offensive, but I don't think you are
>>>> stating this case correctly.  You posted a very long reply to one of my
>>>> other messages, and discussed this in depth.  I hope to digest that
>>>> later.  However, every consumer NAT router I'm aware of has a function
>>>> completely separate from NAT, which would be in effect with or without
>>>> NAT, and that is the firewall function of the device.  That is primarily
>>>> what provides security.  And it most certainly does provide security
>>>> which is meaningful.  You're acting like putting a NAT router at the
>>>> boundary of your home internet connection has no security value, or at
>>>> least that's what it sounds like.
>>>>      
>>> No security value over that of a simple router with a stateful packet
>>> filtering firewall, i.e. netfilter / iptables.  Give me one example of
>>> some security feature that NAT gives you that iptables does not.
>>> Consumer grade NAT devices have a state engine at their core that drives
>>> the NAT mapping tables.  Not all NAT's have this.  Most (maybe all) that
>>> you will ever encounter will, I agree.  But the fact remains that a
>>> stateful firewall provides the same protection as the NAT box and is far
>>> simpler.  I can quote more than one enterprise level NAT device which
>>> provides no security.  So NAT in and of itself doesn't provide the
>>> security.  It's provided by the statefulness of the mapping table and
>>> that, in turn, is acting exactly like a stateful firewall.
>>>
>>> One example.  That's all I ask.  One example of a security feature which
>>> NAT provides which is not present in any decent stateful firewall.
>>>
>>>    
>>>> In fact, it's one of the most
>>>> critical things a consumer can do.  Security expert Steve Gibson
>>>> recommends using a router exactly for this reason.
>>>>      
>>> If he wrote "router" then he meant something else more general or he's
>>> using incorrect terminology, which wouldn't be the first time for SG, in
>>> fact that's a frequent occurrence with him.  Some of us in the security
>>> business consider ole SG to be a bit of a hack (in the publishing media
>>> sense of the word) at times.
>>>
>>> NAT != router
>>> router != NAT
>>>
>>> A NAT device is not exactly a router.  It could be considered to be a
>>> special case, particular category of router but the term "router" is
>>> much more general.  I know they label these things as "cable routers"
>>> and such but they are NAT devices.  OTOH, a router is another good
>>> example where things can get confusing.  Many many routers, real
>>> routers, include packet filters and often stateful packet filters.  So a
>>> firewall can act as a router and a router can act as a firewall and your
>>> IPv6 router would most certainly include an IPv6 stateful packet filter
>>> (since most of them are based on Linux anyways).  A router, a real
>>> router, does not necessarily do NAT.  That's a separate feature from
>>> routing.  So what SG wrote could be construed to be 100% correct and yet
>>> NOT mean you must have a NAT device.  Only a router (implicitly with a
>>> firewall).
>>>
>>>    
>>>> This alone, will
>>>> prevent many attacks on older or unpatched systems which would otherwise
>>>> contract a virus immediately on connection to the net.
>>>>      
>>> Which is also exactly what you get with a firewall or a router
>>> containing a firewall.
>>>
>>>    
>>>> I know this
>>>> because I've actually experienced it when connecting a new computer to
>>>> the net years ago and it did immediately get a virus, never having
>>>> visited a web site.  Now that I know more, I would NEVER connect a PC
>>>> directly to the internet, unless I know it's patched first and has a
>>>> solid software firewall running.  The consumer doesn't care whether it's
>>>> NAT or Firewall that's protecting him, he just knows there are security
>>>> features in the device.
>>>>      
>>> What then aggravates me, as an internationally recognized and respected
>>> security professional, is that telling people it's the NAT that provides
>>> security is incorrect and perpetuates this myth that IPv6 could be less
>>> secure because it does not have NAT.  This is FALSE!  This is horribly
>>> FALSE!  You got security from the NAT device because your NAT device
>>> behaves like a firewall (and not all do).  You have to have a router for
>>> IPv6 anyways and those routers contain firewalls.  You're just as
>>> secure.
>>>
>>>    
>>>> I KNOW the router is providing this protection
>>>> because I can do a port scan (such as Shields Up) against my public IP
>>>> and every port is STEALTH, meaning totally unresponsive to unsolicited
>>>> traffic.  Even my Linux software firewall running with Firestarter
>>>> doesn't do that, it only closes the ports.  I'm pretty sure that
>>>> stealthing all the ports to the outside world would totally prevent the
>>>> instant virus event that I described, because that attack succeeded by
>>>> getting to an open port on the PC and crashing something.  Assuming the
>>>> router is working correctly, there is no way any attacker can penetrate
>>>> into my network unless he / she's piggybacking on top of a connection
>>>> I've already started.  Hopefully, even that would be hard.  The firewall
>>>> completely blocks all the hostile background radiation.  Of course, if I
>>>> click on a malicious link or visit a malicious website, knowingly or
>>>> unknowingly, and invite the virus in through the firewall, that's a
>>>> different matter.
>>>>      
>>>    
>>>> Also, you said NAT does not provide any security.  That's a very strong
>>>> statement.  While it is not a security system, per se, you said in your
>>>> other long post that NAT prevents you from connecting to family members'
>>>> computers to do maintenance.
>>>>      
>>> Ok...  That was probably Michael T there.  I didn't post that.  But we
>>> come right back to it again.  You get the same thing from a firewall.
>>> And if you want to open up a connection from your network to their
>>> network, you can do it without these NAT bypass headstands that don't
>>> work for more than one address behind the NATs.
>>>
>>>    
>>>> Well, that means it's also helping prevent
>>>> hackers from connecting as well.
>>>>      
>>> Firewall.
>>>
>>>    
>>>> So, it's providing SOME security, even
>>>> if minimal.
>>>>      
>>> Firewall.  The NAT is not.  It's the firewalling behavior of the NAT
>>> device.  It's the device, it's not the NAT.
>>>
>>>    
>>>> The combination of the firewall function of the router and
>>>> the NAT function of the router go a long way toward preventing
>>>> unsolicited malicious traffic from entering a home network.
>>>>      
>>> No, only the firewall feature (which includes the state engine of the
>>> NAT whether some people want to call it or consider it to be a firewall
>>> or not).
>>>
>>>    
>>>> I believe
>>>> it is inappropriate to advise people in such a way that they might be
>>>> inclined to place PCs in direct contact with the Internet.  In fact, I
>>>> think we should say, to the general consumer, Windows, Mac, or Linux,
>>>> that you should NEVER connect your PC directly to the internet,
>>>>      
>>> Did I say that?  Really?  Where have I said that?  I've been preaching
>>> firewall over and over again.  The v6 routers have firewalls.  You have
>>> to have one if you are going to have a v6 network.
>>>
>>>    
>>>> to the
>>>> cable or DSL modem, unless they know what they are doing AND have a
>>>> properly set up software firewall on the PC AND the PC is properly
>>>> patched.  The only way they will get the advantage of this security
>>>> protection is to connect the WAN port of a router type device with
>>>> firewall functionality to the cable or DSL modem and to connect the PC
>>>> to the SWITCH port or wifi of the router.  Finally, until we all have
>>>> IPv6, NAT is mandatory for any consumer who wants to attach more than
>>>> one computer or internet device at home, and that would include most of us.
>>>>      
>>> No.  NAT is NOT mandatory.  A firewall is.  NAT will perform that
>>> function as a firewall but it's not the only thing that can provide that
>>> function.  You don't need NAT.  You need a Firewall with or without NAT.
>>> Pure "NAT" is neither necessary nor sufficient.  Consumer grade
>>> commodity NAT DEVICES provide the functionality of NAT, router, and
>>> firewall all on one box.  You don't need the NAT.  You get the same
>>> security from the router and firewall (or firewall alone if you use it
>>> in-line).
>>>
>>>    
>>>> Sincerely,
>>>>
>>>> Ron
>>>>
>>>>
>>>> On 02/05/2011 12:46 PM, Michael B. Trausch wrote:
>>>>      
>>>>> On Sat, 2011-02-05 at 12:39 -0500, Mike Harrison wrote:
>>>>>
>>>>>        
>>>>>> It also keeps the outside world from connecting to the inside (behind
>>>>>> firewall) world.  What functions that way in your above scenario,
>>>>>> firewall
>>>>>> rules?
>>>>>>
>>>>>>          
>>>>> Everyone gather round.  Say it with me:
>>>>>
>>>>>                        NAT is not a security mechanism.
>>>>>
>>>>> Seriously.  I mean it.
>>>>>
>>>>>            Let me repeat that: NAT is not a security mechanism.
>>>>>
>>>>> It was intended to enable privately addressed networks to have limited
>>>>> communication with hosts on the Internet.  It has the side effect of
>>>>> using tables to figure out how to rewrite packets, but this does not
>>>>> provide any security.  It does not.
>>>>>
>>>>>              One more time: NAT IS NOT A SECURITY MECHANISM.
>>>>>
>>>>> Or to put it another way:  NAT is as effective at providing security for
>>>>> your network as groping at airports is for providing security there.
>>>>> It's all a show; it's faux security that makes people feel better but
>>>>> does not serve any real purpose.
>>>>>
>>>>> I've gone on about NAT recently in other threads here.  You can find
>>>>> those, or you can read the post I wrote in my blog about NAT if you
>>>>> want:
>>>>>
>>>>> http://mike.trausch.us/blog/2011/01/31/more-about-networking-part-2-nat/
>>>>>
>>>>> 	--- Mike
>>>>>
>>>>>
>>>>>        


-- 
Until later, Geoffrey

"I predict future happiness for America if they can prevent
the government from wasting the labors of the people under
the pretense of taking care of them."
- Thomas Jefferson
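The point argued throughout this thread (it is the stateful mapping table, not the address rewriting, that stops unsolicited inbound traffic) can be made concrete with a small model. The following Python is an added illustration written for this archive page; it is not code from any poster, and all hosts, ports and addresses in it are constructed sample values from the RFC 5737 documentation ranges. It models three boxes: a stateful packet filter that does no rewriting at all (what Linux netfilter does with `-m conntrack --ctstate ESTABLISHED,RELATED` accepted and a default DROP on FORWARD), a consumer-style masquerading NAT whose mapping table is keyed on outbound flows, and a stateless one-to-one NAT of the kind Michael Warfield describes as providing no security. The same constructed traffic (one outbound web flow, its reply, then an unsolicited probe of port 445) is run through each, and only the stateless NAT forwards the probe.

```python
"""Model of NAT vs. stateful filtering (added example, not from the thread).

Every device exposes handle(pkt) -> (decision, forwarded_packet_or_None)
so the same scenario can be run through each one.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN


@dataclass
class StatefulFilter:
    """Conntrack-style filter, no address rewriting: inbound packets are
    forwarded only if they belong to a flow a LAN host already opened."""
    flows: set = field(default_factory=set)

    def handle(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward", pkt
        # Inbound: the reversed 4-tuple must match a recorded outbound flow.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ("forward", pkt) if reverse in self.flows else ("drop", None)


@dataclass
class ConsumerNat:
    """Masquerading NAT as found in consumer gateways: the mapping table is
    created by outbound traffic, and an inbound packet with no matching
    entry has no inside host to be delivered to."""
    public_ip: str
    table: dict = field(default_factory=dict)  # (lan 4-tuple) -> external port
    next_port: int = 40000

    def handle(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            ext = self.table[key]
            return "forward", Packet(self.public_ip, ext, pkt.dst, pkt.dport, "out")
        # Inbound: find the entry whose external port and remote peer match.
        for (lsrc, lsport, rdst, rdport), ext in self.table.items():
            if pkt.dport == ext and pkt.src == rdst and pkt.sport == rdport:
                return "forward", Packet(pkt.src, pkt.sport, lsrc, lsport, "in")
        return "drop", None


@dataclass
class StaticNat:
    """One-to-one static NAT with no state: every public address is always
    mapped to an inside host, so unsolicited inbound traffic is forwarded."""
    mapping: dict  # public address -> private address

    def handle(self, pkt):
        if pkt.direction == "out":
            public = {v: k for k, v in self.mapping.items()}[pkt.src]
            return "forward", Packet(public, pkt.sport, pkt.dst, pkt.dport, "out")
        private = self.mapping.get(pkt.dst)
        if private is None:
            return "drop", None
        return "forward", Packet(pkt.src, pkt.sport, private, pkt.dport, "in")


def run_scenario(device):
    """Constructed traffic: a LAN host opens a flow to a web server, the
    server replies, then an unrelated host probes port 445 unsolicited.
    Returns the device's decision for the reply and for the probe."""
    lan_host, web_server, prober = "192.168.1.10", "203.0.113.5", "192.0.2.66"
    _, wire = device.handle(Packet(lan_host, 51000, web_server, 80, "out"))
    # The server answers whatever source address/port it saw on the wire.
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport, "in")
    # The prober targets the same outside-facing address, but port 445.
    probe = Packet(prober, 4444, wire.src, 445, "in")
    return {
        "reply": device.handle(reply)[0],
        "probe": device.handle(probe)[0],
    }


if __name__ == "__main__":
    for name, dev in [
        ("stateful filter, no NAT", StatefulFilter()),
        ("consumer NAT", ConsumerNat("198.51.100.1")),
        ("static 1:1 NAT, no filter", StaticNat({"198.51.100.10": "192.168.1.10"})),
    ]:
        print(f"{name:28s} {run_scenario(dev)}")
```

The first two devices give identical answers (reply forwarded, probe dropped) even though only one of them rewrites addresses; the third rewrites addresses and still lets the probe through. On an IPv6 router the first device is all that is needed, which is the thread's argument in miniature.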