
Re: selecting old machines for firewall/router use



Hi,

Pascal Hambourg wrote:
> Andrew McGlashan wrote:
>> Well .... NAT does have its advantages, one being that it can act as a reasonably good barrier as a NATural firewall.
>
> This is a common misconception. I cannot tell about other NATs, but
> Netfilter NAT is not a barrier at all.

It's a good start with private addressing as alluded to below.

>> but if you have every device with IPv6 (or v4 for that matter) being addressable from any location,
>
> NAT does not prevent this. Private (for IPv4) or unique local (for IPv6)
> addressing prevents it.

Yes, this is what you typically have with NAT, private addresses that are not Internet routeable.

>> then personal firewalls will become much more important.
>>
>> An unpatched machine [for whatever reason], behind NAT has a fighting chance, but one which is directly addressable from the Internet is much more vulnerable to attack.
>
> This is not correct. A stateful packet filter replacing the NAT at the
> border will just do the job.

Of course, most [if not all?] NAT implementations also have an SPI [stateful packet inspection] feature as well; and many routers have the ability to add firewall rules with port forwarding as required on top of a NAT / SPI setup.


And from the further reading referenced in the other response [1], I highlight an excellent point here:
    <quote>
    It must be noted that even a firewall doesn't fully secure
    a network. Many attacks come from inside or are at a layer
    higher than the firewall can protect against. In the final
    analysis, every system has to be responsible for its own
    security, and every process running on a system has to be
    robust in the face of challenges like stack overflows etc.
    What a firewall does is prevent a network administration
    from having to carry unauthorized traffic, and in so doing
    reduce the probability of certain kinds of attacks across
    the protected boundary.
    </quote>

Particularly, "every machine has to be responsible ... ", well, that illustrates quite well that a firewall and port forwarding alone are not enough for security when servicing ports. But again, it is a good start. Sure, any services provided must be kept as secure as possible and admins need to keep an eye out for security advisories for such services.

Very glad to see that NAT might not be needed in the whole scheme of things; however, I take it that the return conversation needs to know the public IPv6 address and also encapsulate the private address -- thus exposing the private ULA range? With NAT, the actual, in-use private range is not necessarily divulged, is it?


[1] http://tools.ietf.org/html/draft-ietf-v6ops-nap-06#section-4.1

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP
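As an added illustration of Pascal's point that a stateful packet filter at the border does the job NAT is credited with (this ruleset is not from either poster): an nftables IPv6 forward chain with no NAT, where only replies to inside-initiated connections and one explicit pinhole get in. Interface names wan0/lan0 and the 2001:db8: documentation prefix are assumptions.

```nft
# Assumed: wan0 faces the Internet, lan0 faces the inside; addresses are documentation space.
table ip6 border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: replies to connections initiated from inside are let back in.
        ct state established,related accept
        ct state invalid drop

        # IPv6 depends on ICMPv6 (neighbour discovery, path-MTU discovery); do not blanket-drop it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Inside hosts may initiate anything outbound.
        iifname "lan0" oifname "wan0" accept

        # Equivalent of a NAT "port forward": one explicit pinhole to one internal service.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::80 tcp dport 443 ct state new accept

        # Everything else arriving from the Internet is dropped by policy; log it first.
        iifname "wan0" log prefix "ip6-fwd-drop: " drop
    }
}
```

Load with `nft -f` on the border host; every unsolicited inbound packet that is not the pinhole hits the drop policy exactly as it would behind NAT, but the internal hosts keep globally routable addresses.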

