Posted by Mr. Arnold on September 10, 2007, 7:50 am
>>>> And as long as XP's FW is sitting behind that NAT router, because XP's FW
>>>> can only stop inbound traffic just like the NAT router, then using the XP FW
>>>> router behind the NAT router is pointless. It buys you nothing.
>>> This is wrong.
>> You're going to have to come up with more than just wrong. If that router is
>> using SPI, then how is Windows using the XP FW doing any more than that.
>
> Usually, such routers (as other packet filters, too) implement
> heuristics to implement protocols like FTP, which cannot be filtered
> easily.
The person didn't say he was using FTP.
>
> Because of that, they're vulnerable.
>
> This is why shutting down unwanted network services is much more secure
> than packet filtering.
Man, tell me something I don't know.
>
> Having two different packet filters can help with some issues, if you
> know exactly what you're doing.
And if you know exactly what you're doing, you don't need one running behind
a border device.
>
> I'm not requesting you to do so. I just wanted to point out, that you
> forgot some scenarios, where your original statement is not true.
>
>>> Following the "defense in depth" strategy, the heuristics used for
>>> packet filtering usually have holes, so a second filtering could help.
>> I disagree. The only time it makes sense is if the first solution like a NAT
>> router cannot stop outbound traffic, then a packet filtering solution at the
>> machine level sitting behind a NAT router that cannot stop outbound makes
>> sense.
>
> Your mistake is to believe in NAT as a security feature. The opposite is
> true. The security comes from filtering, not from NAT.
>
I never said that NAT was a security feature. A router is a border device
that acts in a FW like manner that is using NAT, and some even with SPI,
which separates two networks. And then there are packet filtering FW routers
that this OP has, which is a WRT54G router.
You forget that I have been in this NG since 2001, and I have talked with
and taken the advice of the best in this NG. Please man don't talk to me
about this, as I already know. In a wireless situation like this person has,
I would use a packet filter behind the router.
I don't run with packet filters on my machine behind a FW appliance. It's as
simple as that, and I wouldn't do it for some routers either. It's as simple
as that.
The OP can do what he wants. It's his network and not my network.
Please man, what you are talking about to me is pointless.
I am not here for a debate with you or any argument about this, that or the
other, and you need to stop or slow your roll on this, because I am already
tired of it.