
Re: Does IPv6 preclude use of a NAT gateway?



On 13/07/11 02:08, Paul E Condon wrote:
> On 20110712_121304, Scott Ferguson wrote:
>> On 12/07/11 07:58, Paul E Condon wrote:
>>> On 20110710_225108, Erwan David wrote:
>>>> On 10/07/11 20:34, Randy Kramer wrote:
>>>>>
<snipped>
> 
> It seems to me that it is entirely possible to design a box like the
> one I bought that includes all the features/functions needed for good
> security in a small home or office. Possible to design by a competent,
> but not design by me. 

To design maybe not (without study), to build - yes.

> So, it might be that my Netgear box provides me
> a reasonable level of security for the computers in my home. 

Yes

> 
> It is also possible that my box is a real piece of junk. And it is
> possible that my box is adequate for me, but is a real piece of junk
> when judged by the standards of industrial grade hardware for the 
> backbone of the Internet. So, can you give some mildly loguacious

loquacious? :-)

> advice about how I might go about discovering whether my Netgear box
> really meets my security needs? 

No.
Is that succinct enough? :-)

I don't know what your needs are. But when properly configured your
Netgear (model unknown) should do the job.
NOTE: I have no idea what the "job" is in your case - are you a "high value"
attack target?

> I have no intention of becoming a
> networking security guru. I know (at least some of) my limitations.
>  
> In summary, I think OP made the innocent error that I have been making
> of over generalizing about NAT. Is there a mix of features and
> technologies that is generally accepted as adequate for security of a
> small office, or home? 

Stateful packet inspection (carefully maintained and kept updated),
segmented network, careful port forwarding and pinholes, separate
valuables, keep backups offsite, consider convenience as evil...

To paraphrase Bruce Schneier - security is not something you can buy,
it's something you must get (it's an ongoing process and approach, not a
product)

Best advice I can give is don't put anything on a router/firewall that
isn't absolutely necessary - minimises things that can go wrong and what
needs to be maintained. If you have a look at the debian-firewall list
you'll see what is lacking (for me) in IPCop.

It's a contentious subject and there probably isn't a "right" answer.

> And is this mix sold as a single package
> through retail channels? 

You can buy a Smoothwall device - if you're comfortable trusting a
company. Cisco make some nice gear.

> And how can I know a good one from a bad one?

Your heart will tell you... ;-p

Too subjective to answer here, and I'm not adequately qualified.
IMHO IPCop and its extensions embody most of the average needs of a
firewall/router - and it's not difficult to implement the same thing in
Debian - hard to briefly describe what you should and shouldn't look
for, there are plenty of alternatives to IPCop - but most lack the
flexibility, or ease of use by non-professionals.

<snipped>

Cheers

-- 
"Eternal suffering awaits anyone who questions god's infinite love."
~ Bill Hicks

