Re: Notifying user of open Internet access

From: Juergen Nieveler (juergen.nieveler.nospam_at_arcor.de)
Date: 12/15/04


Date: 15 Dec 2004 12:44:45 GMT

Leythos <void@nowhere.lan> wrote:

>> But it will cause work, and will make Internet access more expensive
>> for everyone. I don't care about the dumb ones - they don't cause
>> nearly enough problems to get an ulcer about them. Let them run
>> unprotected until they upgrade to the next OS, which will solve the
>> problem. In the meantime, Darwin will do the rest...
>
> Actually, it doesn't cause any MORE work, since most of the routers
> installed (cable/dsl modems) are already capable of NAT, and some
> ISP's already install them with NAT enabled.

You think everybody has broadband? I've got 64k dialup and get
charged per minute - I won't install a router.

> If you believe this (Darwin) then you've not looked at the stats, there
> are still a great many people running W98 and tons running XP without
> any service packs.

Yes, and sooner or later a virus will come and erase their hard drive.

> And since SP2 has been released there have been at least two more
> updates, and also two more viruses that can bypass SP2's firewall, so,
> it's not like Windows is going to make sweeping changes any time soon.

You were talking about open ports. SP2 solved that. You can't protect
lusers against viruses, because by definition a luser will run a
virus. The only solution is to educate lusers and turn them into
users - but that can't be done by installing a magic box at the ISP.

>> It will cause work, and it will cost money - or do you think the ISPs
>> will fork out the money for bigger routers (that can cope with the
>> load of the additional ACLs) and not raise their prices?
>
> Nope, they already have what it takes, they just have to enable NAT
> mode on their devices and it's up and running.

Do you have any idea how much performance enabling NAT on the routers
would cost? NAT involves a lot of processing on the router,
especially if you want to do it for all the users of a medium-sized
ISP... many ISPs would have to replace their routers because their
original network design didn't take this additional load into
account. We're talking about replacing gear that costs more than
100,000 bucks, not about those tinkertoys the users have at home -
that would only work for DSL and cable modem users, but they are
still the minority: the rest use dialup access!

>> NAT will be gone when the Internet goes to IPv6, simply because NAT
>> won't make sense anymore then. Your company needs IP space? No
>> problem, here's a chunk of addresses twice as large as a class-A net
>> of IPv4, and you can have more if you like...
>
> That doesn't make a compelling reason to change, unless you need a
> larger block you have no reason to make the expensive change, and the
> change would be expensive.

You'll have to change to IPv6 eventually anyway... and when you do,
you'll have to replace your router.

>> NAT is a cumbersome kludge - if you ever had to get an FTP server
>> reachable behind a NAT, you'll know what I mean. IPv6 will make
>
> Actually, I have 4 of them running behind a firewall and use private
> addressing on that segment - it's never caused a problem, works great,
> used by many.

Static IP NAT, or port based? ;-)

> Ah, so now, on top of having to change my IP scheme I also have to
> purchase a firewall appliance that does 1:1 mapping, so I can't use
> (not that I do anyway, but many do) a simple NAT router to isolate my
> computers, so the individual users COST goes way UP. Not to mention
> that it doesn't solve the problem of people connecting unsecured
> machines to that public IP and getting hacked.

The firewall won't do any mapping at all, after all both sides would
have public IP space. It would simply be a packet filter integrated
into the router that you'd have to have for 24/7 connectivity. On the
upside, however, you'd no longer need services like DynIP :-)

> You can't possibly really believe that common users are going to have
> completely secure systems any time soon, heck, even most installs of
> Linux are not secure out of the box, BSD is as close to secure as it
> gets.

Completely secure, no. But offering no services to the outside unless
explicitly told during installation to do so, yes. If the user is
dumb enough to install a component that he doesn't know about, it's
Darwin time again. You can't build a completely user-proof PC, unless
you count the stuff sold by Fisher-Price.

> Until the time they invent a secure OS for dummies, I'll stick with a
> firewall or NAT box to protect the ignorant, since it doesn't require
> that the users know anything.

A NAT will not protect you against viruses and trojans. If something
like Skype can work without having to change the NAT configuration, a
trojan can work as well. NAT only prevents inbound connections, it
doesn't stop the insecure machine from connecting out and receiving
malicious instructions.

Juergen Nieveler

-- 
I'm terribly sorry, but I absolutely refuse to apologize
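The two technical points in the post above (a plain stateful packet filter on public addresses doing the job people currently get from NAT, and that neither NAT nor such a filter stops a machine that connects outward to fetch instructions) can be made concrete with a small model. The following is an added example, not code from the thread or from either poster: a toy connection-tracking filter fed hand-built packets. The addresses (2001:db8::/32 is the IPv6 documentation prefix), host roles and port numbers are all constructed for illustration; the filter itself is a simplification of what any router-integrated stateful filter does (no TCP state machine, no timeouts, no ICMP).

```python
# Added example (not from the thread): a toy stateful packet filter showing
# why a NAT box or a default-deny filter blocks unsolicited inbound connections
# but not outbound ones. All addresses are constructed (2001:db8::/32 is the
# IPv6 documentation prefix) and the packets are hand-built, not captured.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> LAN, "out" = LAN -> Internet
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny inbound; allow outbound; allow replies to tracked flows.

    Because both sides carry public addresses, exposing a service is a plain
    (host, port) allow rule, not a NAT port mapping.
    """

    def __init__(self, inbound_allow=(), egress_ports=None):
        self.inbound_allow = set(inbound_allow)   # services deliberately exposed
        self.egress_ports = egress_ports          # None = any outbound port allowed
        self.flows = set()                        # (lan, lport, remote, rport, proto)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if self.egress_ports is not None and pkt.dport not in self.egress_ports:
                return "DROP"
            # Remember the flow so the remote side's replies get back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        # Inbound: is it a reply to a flow a LAN host opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "ACCEPT"
        # Inbound: is it a service the user explicitly chose to expose?
        if (pkt.dst, pkt.dport) in self.inbound_allow:
            return "ACCEPT"
        return "DROP"


LAN_PC = "2001:db8::10"      # constructed: an ordinary desktop
LAN_FTP = "2001:db8::21"     # constructed: the FTP server the user chose to expose
WEB = "2001:db8:1::1"        # constructed: a legitimate web site
C2 = "2001:db8:2::bad"       # constructed: a trojan's command server
SCANNER = "2001:db8:3::9"    # constructed: some host probing the LAN


def run_scenarios() -> dict:
    """Return the filter verdict for each constructed packet, keyed by scenario."""
    verdicts = {}

    # Router-integrated filter, FTP server exposed on purpose, no egress policy.
    fw = StatefulFilter(inbound_allow={(LAN_FTP, 21)})
    verdicts["scan_smb"] = fw.filter(Packet("in", "tcp", SCANNER, 40000, LAN_PC, 445))
    verdicts["ftp_client"] = fw.filter(Packet("in", "tcp", SCANNER, 40001, LAN_FTP, 21))
    verdicts["browse_out"] = fw.filter(Packet("out", "tcp", LAN_PC, 50000, WEB, 443))
    verdicts["browse_reply"] = fw.filter(Packet("in", "tcp", WEB, 443, LAN_PC, 50000))
    # A trojan on LAN_PC dialling out looks exactly like the browser did,
    # and the instructions it receives ride in on the tracked flow.
    verdicts["trojan_out"] = fw.filter(Packet("out", "tcp", LAN_PC, 50001, C2, 443))
    verdicts["trojan_cmds"] = fw.filter(Packet("in", "tcp", C2, 443, LAN_PC, 50001))

    # Same filter with an egress allow-list of 80/443 only: narrows, does not solve.
    strict = StatefulFilter(egress_ports={80, 443})
    verdicts["trojan_irc_strict"] = strict.filter(Packet("out", "tcp", LAN_PC, 50002, C2, 6667))
    verdicts["trojan_https_strict"] = strict.filter(Packet("out", "tcp", LAN_PC, 50003, C2, 443))
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20} {verdict}")
```

Running it shows the unsolicited port 445 probe dropped and the FTP client accepted without any address translation, but the trojan's outbound connection and the command traffic flowing back on it accepted just like the browser's. An egress allow-list stops the IRC-style channel on port 6667 and nothing that uses 443, which is the practical caveat behind "if Skype works, a trojan works": outbound policy limits the damage, it does not substitute for not running the trojan.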

