
Friday, February 23, 2007

Distinguishing real and non-real security measures

This post was prompted by a post at Andy's blog, where he complains about the lack of NATs and firewalls in cable modems. My opinion about it: NATs are not a security measure. VPNs aren't either. And IPv6 isn't inherently insecure just because it has the potential to give end-to-end connectivity to all hosts. These technologies are considered security products because they provide a little bit of security by obscurity. For example, if you are behind a NAT, many traditional backdoors, which rely on opening a port and listening there for a connection from the master, will fail. But then again, all the bots which use IRC will work without problems, all the spyware which uses HTTP or HTTPS to send out the harvested information will work, etc.

I admit that I was a little scared when I connected my parents' computer to the Internet directly, with a real IP, using a cable modem. But then I thought about it: is my el-cheapo router running some ancient version of the Linux kernel more secure? At least on my parents' box I know that I turned automatic updates on, but I really don't have any easy way to update my router! If you wish to secure your clients by not allowing inbound connections, just put a firewall rule on your router. But I bet you that the clients will be very unhappy when their BitTorrent speed drops dramatically because of this :-D. And when you worry that IPv6 exposes all of your hosts to attacks: again, just put a firewall rule which drops all inbound TCP connections.

As a side note: one thing I support wholeheartedly is ISPs filtering outbound SMTP connections. Can we have a little more of that, please! And if you worry that some of your clients may need it, create a webpage for them where they can add the servers they wish to connect to using SMTP. No authentication needed for the page; just make sure that it's accessible only from your clients' IP range and that somebody coming from a given IP can set the rules only for that IP. Of course, a CAPTCHA is also advisable, because otherwise the IP can easily be white-listed just by embedding a specially crafted HTML in one of the pages you view. So, ISPs, please filter port 25!
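The two recommendations above (a stateful rule that drops unsolicited inbound TCP regardless of whether the host has a private or a public address, and an ISP-side port 25 filter with a self-service whitelist page that only lets an IP edit its own rules) fit in one small model. The following is an added example written for this page, not code from the post or from any ISP: the address ranges are constructed documentation prefixes, the `EdgePolicy` class and `Packet` type are invented for illustration, and a per-page random form token stands in for the CAPTCHA the post suggests, since it defeats the same cross-site trick (a page on another site cannot read the token) and can run offline.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed customer ranges (RFC documentation prefixes), standing in for
# an ISP's client pool; assumption for this example only.
CLIENT_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("2001:db8::/32")]


@dataclass(frozen=True)
class Packet:
    """Minimal TCP 4-tuple; enough to model connection direction."""
    src: str
    sport: int
    dst: str
    dport: int


def is_client(addr: str) -> bool:
    """True if addr lies in the ISP's customer range (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLIENT_RANGES)


class EdgePolicy:
    """Stateful inbound filter at the customer edge plus the ISP's SMTP policy."""

    def __init__(self):
        self.flows = set()      # 4-tuples of connections a client opened
        self.smtp_allow = {}    # client ip -> set of whitelisted SMTP servers
        self.tokens = {}        # client ip -> token embedded in its form page

    def outbound(self, pkt: Packet) -> str:
        """Client -> Internet. Port 25 is allowed only to whitelisted servers;
        every accepted flow is remembered so its replies can come back."""
        if pkt.dport == 25 and pkt.dst not in self.smtp_allow.get(pkt.src, set()):
            return "drop"
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "accept"

    def inbound(self, pkt: Packet) -> str:
        """Internet -> client. Only packets belonging to a flow the client
        started are accepted, so a backdoor listening on a port is unreachable
        whether the client sits behind a NAT or on a public IPv4/IPv6 address."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"
        return "drop"

    def issue_form_token(self, requester: str) -> str:
        """Random token served inside the whitelist page to `requester`.
        Substitute for the post's CAPTCHA: a crafted page elsewhere cannot read
        it, so it cannot submit the form on the victim's behalf."""
        tok = secrets.token_hex(16)
        self.tokens[requester] = tok
        return tok

    def whitelist_smtp(self, requester: str, target: str,
                       server: str, token: str) -> bool:
        """Handle one form submission; returns True if the rule was added."""
        if not is_client(requester):        # page reachable from clients only
            return False
        if target != requester:             # an IP may only edit its own rules
            return False
        stored = self.tokens.get(requester)
        if stored is None or not secrets.compare_digest(stored, token):
            return False
        del self.tokens[requester]          # single use
        self.smtp_allow.setdefault(requester, set()).add(server)
        return True


if __name__ == "__main__":
    p = EdgePolicy()
    print(p.inbound(Packet("198.51.100.9", 4444, "192.0.2.10", 31337)))  # drop
    p.outbound(Packet("192.0.2.10", 50000, "198.51.100.9", 443))
    print(p.inbound(Packet("198.51.100.9", 443, "192.0.2.10", 50000)))  # accept
```

Reading the model: an inbound SYN to a listening port on a client is dropped because no matching outbound flow exists, while replies to a connection the client opened are accepted, which is exactly what a stateful "drop all inbound TCP connections" rule on the router does. The whitelist handler enforces the post's three conditions in order (client range, own IP only, proof the form was really submitted from the served page) before port 25 opens for that one server.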


  1. I agree NAT is not a security solution, but it is better than having your PC exposed to every hacker on the internet. I don't know anyone who would recommend putting your PC directly on the internet even with AV, a personal firewall and other "end point" security solutions. NAT isn't the answer, but it helps get you there.

  2. If you wouldn't recommend putting a PC directly on the network, why do you recommend putting a box (the router) on the Internet directly when it most probably has an ancient version of Linux with no obvious way to update it? At least Windows has Windows Update. And there always exists the problem of dangerous default settings.