[AusNOG] /20 Available

Mike Jones mike at mikejones.in
Mon Jan 21 19:26:26 EST 2013


On 21 January 2013 08:14, Ross Wheeler <ausnog at rossw.net> wrote:
> NAT is not an intentional security measure, but the very fact that NOT A
> SINGLE ROUTER I'VE EVER SEEN port-forwards to the device on the NATed side
> by default (AKA the "DMZ host") affords the majority of the clueless masses
> a moderate degree of "isolation" from the untold number of probes and direct
> attacks against their operating systems - that (had they been on say, a
> modem or direct "live" connection) they would have fallen afoul of.
>
> So NAT may not be a "security measure" by design, but it sure is by effect.

How many IPv6 enabled devices need this protection and don't have a
stateful firewall on the host (which can do a better job) already? The
era of Windows port scanning worms wasn't stopped by NATs, it was
stopped by XP turning on the firewall. The protection you are
crediting to the NATs is given by any stateful firewall, but XP
changing the default had more of an impact than NATs ever could.

These pre-XP SP2 Windows users who don't have a firewall on by default
and have the insecure services you are worrying about also don't have
an IPv6 stack, so will be stuck behind the v4 NATs anyway. The devices
that will be getting publicly routable IPv6 addresses are Windows
Vista and later, Linux, and OS X, none of which need an external
stateful firewall in front of them to be safely plugged into the
internet.

- Mike
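The point argued in this thread, that the "isolation" a NAT gives by effect is the same inbound policy a stateful host firewall applies by design, can be shown with a small simulation. The code below is an added example, not part of the original post or the AusNOG archive: it models a host firewall that admits inbound packets only for flows the host itself opened (the ESTABLISHED/RELATED rule of any stateful filter), beside a port-overloading NAT with no DMZ host, where an inbound packet matching no translation simply has no inside destination. All addresses, ports and the three-packet trace are constructed for illustration.

```python
"""Constructed simulation: a stateful host firewall and a NAT box answer
'may this packet reach the host?' identically for a typical trace."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the host/LAN, "in" = arriving from the internet


class StatefulFilter:
    """Host firewall policy: allow all outbound; allow inbound only when it
    matches a flow the host opened. No address rewriting takes place."""

    def __init__(self):
        self.flows = set()

    def accept(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: reverse the 4-tuple and look for an existing flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class NatBox:
    """Port-overloading NAT with no DMZ host configured. Inbound packets that
    match no translation have nowhere to go and are discarded; that drop is
    the incidental 'protection' the thread discusses."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}          # (inside src, sport, dst, dport) -> public port
        self.next_port = 40000

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst, pkt.dport, "out")

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        for (src, sport, dst, dport), pub_port in self.table.items():
            if (pkt.dst == self.public_ip and pkt.dport == pub_port
                    and pkt.src == dst and pkt.sport == dport):
                return Packet(pkt.src, pkt.sport, src, sport, "in")
        return None  # no mapping: the packet is dropped


# Constructed addresses (documentation ranges only).
HOST6 = "2001:db8::10"        # IPv6 host with a public address and a host firewall
WEB6 = "2001:db8:1::80"       # IPv6 web server the host connects to
UNSOLICITED6 = "2001:db8:bad::1"
LAN_HOST4 = "192.0.2.10"      # inside address behind the NAT
PUBLIC4 = "198.51.100.1"      # NAT public address
WEB4 = "203.0.113.80"
UNSOLICITED4 = "203.0.113.9"


def run_trace():
    """Return {'firewall': [...], 'nat': [...]}: accept decisions for an
    outbound connect, the server's reply, and an unsolicited inbound
    packet to port 445 that nothing on the inside asked for."""
    fw = StatefulFilter()
    nat = NatBox(PUBLIC4)
    fw_results, nat_results = [], []

    # 1. The host opens a connection outbound.
    fw_results.append(fw.accept(Packet(HOST6, 50000, WEB6, 443, "out")))
    outside = nat.translate_out(Packet(LAN_HOST4, 50000, WEB4, 443, "out"))
    nat_results.append(outside is not None)

    # 2. The server replies to the flow just opened.
    fw_results.append(fw.accept(Packet(WEB6, 443, HOST6, 50000, "in")))
    reply = Packet(WEB4, 443, PUBLIC4, outside.sport, "in")
    nat_results.append(nat.translate_in(reply) is not None)

    # 3. An unsolicited inbound packet to a service port: no flow, no mapping.
    fw_results.append(fw.accept(Packet(UNSOLICITED6, 4444, HOST6, 445, "in")))
    nat_results.append(nat.translate_in(Packet(UNSOLICITED4, 4444, PUBLIC4, 445, "in")) is not None)

    return {"firewall": fw_results, "nat": nat_results}


if __name__ == "__main__":
    print(run_trace())  # {'firewall': [True, True, False], 'nat': [True, True, False]}
```

Both models accept the outbound packet and its reply and refuse the unsolicited inbound packet, which is the thread's claim in executable form: the NAT's refusal is a side effect of having no mapping, while the host firewall's refusal is an explicit policy that keeps working once the host has a globally routable IPv6 address and no translation in the path.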