Posted by Todd H. on January 15, 2008, 10:42 am
> Al Dykes wrote:
>
>
> > Good point. A NAT router is just part of the safe computing toolbox.
>
> Since a NAT router doesn't provide any security by itself, I fail to
> see how it could be part of a security concept. After all, NAT is
> supposed to provide, not to limit connectivity (and the RFC explicitly
> states so).
As you know, but conveniently omit from the discussion, every home
gateway seems to implement NAT in addition to stateful packet
inspection ingress filtering.
No, they do not limit outbound access at all, so once an internal host
is compromised, they don't do anything for ya.
> > You need anti-virus software.
>
> Need?
Coal miners didn't "need" canaries in their mines, but they made the
work environment a bit easier to abandon and remediate when/if the
canaries keeled over.
> > I also use and recommend the etc/hosts file distributed by these
> > good folks.
>
> Which is about the most stupid suggestion of the month.
Please, regale us of your contrarian reasoning for this.
It's actually something I think is a decent approach, so long as one
reviews the list to make sure nothing untoward is going on.
> > Anti-spyware gets run once in a while, too.
>
> Well, yeah, to show how incompetent it is. But where's the relation to
> security? It's not like the output of such software would have any
> relevance whatsoever.
See canary analogy above.
Best Regards,
--
Todd H.
http://www.toddh.net/
Posted by Sebastian G. on January 15, 2008, 2:38 pm
Todd H. wrote:
> As you know, but conveniently omit from the discussion, every home
> gateway seems to implement NAT in addition to stateful packet
> inspection ingress filtering.
And NAT by itself doesn't provide any security.
> No, they do not limit outbound access at all, so once an internal host
> is compromised, they don't do anything for ya.
The typical conclusion, that one can trigger NAT states from the client side
without compromising the host, due to bad protocol parsers, header injection,
command injection, Java or Flash, is once again a clear statement
against NAT.
> Coal miners didn't "need" canaries in their mines, but they made the
> work environment a bit easier to abandon and remediate when/if the
> canaries keeled over.
Which is about the description of a host-based intrusion detection system.
Indeed, that's what virus scanners might be good for, but that's clearly
distinct from protection or necessity.
>>> I also use and recommend the etc/hosts file distributed by these
>>> good folks.
>> Which is about the most stupid suggestion of the month.
>
> Please, regale us of your contrarian reasoning for this.
Well, let's see... aside from breaking DNS, breaking DNS caching, slowing
down the system, and the trivial fact that the HOSTS file is not writable
for any user, it faces three big disadvantages:
1. quite some applications use SOCKOPT_NO_HOSTS, which totally voids the effect
2. it interferes with all applications for any user on the machine, not
just the ones where it's needed
3. it's the most inefficient and futile way to do filtering by hostname. It
doesn't provide any wildcards, RegExps or just hostname collation, and the
"bad guys" trivially circumvent it with wildcards in their own DNS servers,
allowing them to use randomly generated subdomains like
"dsjklasjkhdbasajkghdkgsajhdgjhsagdjhg.malware.org", which surely no sane
list of hostnames could ever address.
> It's actually something I think is a decent approach, so long as one
> reviews the list to make sure nothing untoward is going on.
Oh well, that's another big disadvantage...
>> Well, yeah, to show how incompetent it is. But where's the relation to
>> security? It's not like the output of such software would have any
>> relevance whatsoever.
>
> See canary analogy above.
Well, just that the analogy doesn't hold. The output of the typical
"anti-spyware" crap is absolutely useless, both in terms of false positives
and false negatives.
Sorry, but if it shows me 50+ string warnings on a perfectly clean system,
and some of these even turn out to be implemented security configurations,
it's obviously broken. If it tries to write 5000+ CLSID entries into HKLM,
fails due to missing permissions, and then suggests to try again over and
over, it's so obviously broken. If it shows an empty GUI due to expecting a
non-guaranteed DLL, it's horribly broken. And that's really just the tip of
the iceberg.
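The post above makes two concrete technical claims about a blocking hosts file: that it can only match literal hostnames, and that an attacker with a wildcard record in their own DNS defeats it with random subdomains. The following is an added example, not code from the thread or from any hosts-file project, that models both approaches side by side. Every hostname, address and list entry in it is constructed for illustration; the "suffix list" matcher is a hypothetical stand-in for what a hostname-aware filter (a resolver or proxy) can do and a hosts file cannot.

```python
# Added example (not from the thread): exact-match hosts-file blocking versus
# suffix matching, and how a wildcard-DNS subdomain defeats the former.
# All hostnames, addresses and list contents below are constructed.
import secrets
import string

# Constructed stand-in for a "blocking" hosts file: names pinned to 0.0.0.0
# so that any connection attempt fails before it leaves the machine.
SAMPLE_HOSTS_FILE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comments are ignored
0.0.0.0 malware.example.com www.malware.example.com

"""

# Constructed suffix list for the alternative approach.
BLOCKED_DOMAINS = {"ads.example.net", "tracker.example.org", "malware.example.com"}

BLACKHOLE_ADDRESSES = {"0.0.0.0"}


def normalize(hostname):
    """Lower-case and strip a trailing dot, as a resolver would."""
    return hostname.strip().lower().rstrip(".")


def parse_hosts(text):
    """Parse hosts-file text into {hostname: address}.

    The format has no wildcard syntax: each name is an exact, literal entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[normalize(name)] = addr
    return table


def hosts_blocks(table, hostname):
    """True only if this exact hostname is pinned to a black-hole address."""
    return table.get(normalize(hostname)) in BLACKHOLE_ADDRESSES


def suffix_blocks(blocked_domains, hostname):
    """True if hostname equals, or is a subdomain of, any listed domain.

    Walking the label suffixes is what a hosts file cannot express."""
    labels = normalize(hostname).split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))


def random_subdomain(domain, length=40):
    """Attacker side: with a wildcard record (*.domain) in the attacker's own
    DNS, every fresh random label resolves, so no static list can enumerate them."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + "." + domain


def evaluate(hostname, hosts_text=SAMPLE_HOSTS_FILE, blocked_domains=BLOCKED_DOMAINS):
    """Compare the two approaches for one lookup."""
    table = parse_hosts(hosts_text)
    return {"hosts_file": hosts_blocks(table, hostname),
            "suffix_list": suffix_blocks(blocked_domains, hostname)}


if __name__ == "__main__":
    for name in ("malware.example.com", "WWW.Malware.Example.COM.",
                 random_subdomain("malware.example.com"), "example.com"):
        print(f"{name:60} {evaluate(name)}")
```

Running it shows the listed name blocked by both methods, the randomly generated subdomain blocked only by the suffix matcher, and the unlisted parent domain blocked by neither. The other objections in the post (the file applies to every user and every application on the machine, and some software bypasses it) are not something the matcher can fix; they are properties of where the hosts file sits in the resolution path.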
Posted by Al Dykes on January 15, 2008, 2:46 pm
>Todd H. wrote:
>
>> As you know, but conveniently omit from the discussion, every home
>> gateway seems to implement NAT in addition to stateful packet
>> inspection ingress filtering.
>
>
>And NAT by itself doesn't provide any security.
>
That statement is wrong.
Posted by Sebastian G. on January 15, 2008, 3:24 pm
Al Dykes wrote:
>> And NAT by itself doesn't provide any security.
>>
> That statement is wrong.
Yes, it's so wrong that it's even written in the RFC that defines NAT...
Posted by Leythos on January 15, 2008, 4:37 pm
> Al Dykes wrote:
>
>
> >> And NAT by itself doesn't provide any security.
> >>
> > That statement is wrong.
>
> Yes, it's so wrong that it's even written in the RFC that defines NAT...
NAT in a 1:1 solution does not provide any security at all.
NAT in a 1:MANY provides great unsolicited inbound protection.
Almost every implementation of NAT in home/SOHO appliances is defaulted
to 1:MANY NAT - so it does provide a great level of inbound security.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
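The 1:1 versus 1:many distinction in the post above is easiest to see as a state table. The following is an added example, not code from the thread or from any router vendor: a small model in which a 1:many (masquerading) NAT forwards an inbound packet only if it matches state created by an earlier outbound packet, while a 1:1 NAT forwards everything to its mapped host. The addresses are constructed from documentation ranges, the class and function names are my own, and real devices differ in details the model leaves out (full-cone versus symmetric mapping behaviour, state timeouts, UPnP-opened ports).

```python
# Added example (not from the thread): a small model of the two NAT modes
# discussed above. OneToManyNAT (masquerading / port-address translation)
# admits an inbound packet only if it matches state created by an earlier
# outbound packet; OneToOneNAT statically maps one public address to one
# private host and forwards everything. Addresses are constructed from
# documentation ranges; real devices differ in details (e.g. full-cone
# vs. symmetric behaviour, state timeouts, UPnP port mappings).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class OneToManyNAT:
    """Many private hosts share one public address; state is per flow."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.state = {}
        # flow 5-tuple -> public_port, so repeated packets reuse one mapping
        self._port_for_flow = {}

    def outbound(self, pkt):
        """Private -> Internet. Always forwarded: NAT does not limit egress,
        so a compromised inside host can still reach anything it likes."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self._port_for_flow.get(flow)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self._port_for_flow[flow] = pub_port
            self.state[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port,
                                                 pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> private. Delivered only when the packet matches an
        existing state entry from the same remote endpoint; otherwise there
        is no private host to send it to and it is dropped (returns None)."""
        entry = self.state.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited: no inside host ever talked to this port
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # not the peer of that flow (endpoint-dependent filtering)
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


class OneToOneNAT:
    """Static mapping: the public address is simply an alias for one inside host."""

    def __init__(self, public_ip, private_ip):
        self.public_ip = public_ip
        self.private_ip = private_ip

    def outbound(self, pkt):
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        # Every inbound packet is rewritten and forwarded, solicited or not.
        return Packet(pkt.src_ip, pkt.src_port, self.private_ip, pkt.dst_port, pkt.proto)


def demo():
    """Run the scenarios from the thread and return what reaches the inside."""
    pat = OneToManyNAT("203.0.113.5")
    # An inside host opens an HTTPS connection; the gateway creates state.
    out = pat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = pat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    # An unsolicited scan of the public address for SMB: no state, dropped.
    scan = pat.inbound(Packet("198.51.100.99", 12345, "203.0.113.5", 445))
    # A third party guessing the mapped port: wrong peer, still dropped.
    guess = pat.inbound(Packet("198.51.100.99", 12345, "203.0.113.5", out.src_port))

    static = OneToOneNAT("203.0.113.6", "192.168.1.20")
    # The same SMB probe against a 1:1 mapping goes straight through.
    scan_1to1 = static.inbound(Packet("198.51.100.99", 12345, "203.0.113.6", 445))

    return {
        "translated_outbound": out,
        "reply_delivered_to": reply,
        "pat_scan_delivered_to": scan,
        "pat_port_guess_delivered_to": guess,
        "one_to_one_scan_delivered_to": scan_1to1,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The model makes the point of contention in the thread visible: the inbound drop in the 1:many case comes from the state table, which is the same mechanism a stateful filter uses, and it says nothing about outbound traffic, which is always translated and forwarded.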