Obsession With Firewalls Could Hinder IPv6
DosIgriegas writes "The obsession with firewalls in IPv6 may result in some of the quirks of IPv4 reappearing. Ars Technica has an article looking at the topic in depth, exploring the technical challenges of securing the new protocol, and looking at the re-emergence of old problems in new guises. 'Ironically, what's required to make IPv6 work through a stateful firewall is almost identical to what's required to make IPv4 work through NAT. This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4."
Response: 'Obsession'?! I don't know what you're talking about.
*request identified as critical of host*
*request forwarded to port 6666*
*incoming request on port 6666, port reserved for criticism*
Response: Maybe I'm not the problem, maybe IPv6 is the problem? Shouldn't a solution to a problematic situation meet the needs of said situation, not the other way around?
*incoming request passed through network firewall, computer hardware firewall and finally rejected by software firewall, request complete*
--
Come on, this is like intercourse, sometimes girls/requests just require double or even triple bagging, the last thing you want is a virus. Some girls are regular port scanners ifyaknowwhatImean
My work here is dung.
So, they're saying the way to get security in IPv6 is to throw away the whole concept of firewalls and hope that the protocol won't leave us with our collective bums hanging out in the wind??
I can't see a widespread adoption of a protocol that wants to get rid of firewalls. Now, I guess it's entirely possible that the IPv6 would secure networks since I'm not really up to speed on its details. But I'm going to need an awful lot of convincing before I put any machines onto a network without something physically between me and it.
Unless IPv6 is very different, the only way I'm going to be able to set up my own personal network (and secure it) is with NAT. I'll take 'hard to diagnose' over pwn3d any day.
This just sounds so wrong.
Cheers
Lost at C:>. Found at C.
"Today we learned, that lots of people who have thought of NAT as a security mechanism, are getting a hit with cluebat when they find out that the IPv4 NAT also implements a stateful firewall as a byproduct. Since there is no NAT with IPv6, you only have to implement stateful firewall without address translation."
/64 is a huge address space to scan and so on. The presentation I watched at IETF Prague was quite interesting: http://www3.ietf.org/proceedings/07mar/slides/v6ops-1/sld1.htm
Sigh.
This is a non-issue.
What IS an issue are the new IPv6-specific things related to security. You cannot do a network scan anymore since even a
There are some implementation issues, such as anycast addresses and stuff like that you need to take into account.
However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.
Yippee! I love NAT!
I still want IPv6, but I really do love my NAT. It is like loving microsoft...I like products that generate their own tech support.
"Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
The issue isn't NAT. We're not talking about using NAT. You're so far behind the curve that you aren't even visible over the horizon any more. The issue is that many protocols today are based on more than just opening a single outgoing TCP connection, or just spraying some UDP. They require connections on multiple ports and often to a variety of hosts. If there is a single firewall it must dynamically configure firewall rules for these applications or they don't work properly. You have to have a single firewall for security; you can't just have incoming traffic on your corporate net without a firewall. For people with a small home network and just a couple of machines you could use just the firewalling on your system (especially if your system is *BSD or Linux.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I hereby announce I am giving up my obsession with firewalls and reverting to my earlier obsession with Halle Berry.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
You can have a firewall that does not use NAT. Both sides are publicly addressable but there is still a security device between you and the outside world.
"I use a Mac because I'm just better than you are."
Linux has already gone down this path - the old IP connection tracking code in the Linux iptables packet filter has already been reworked into a more general layer-3 connection tracking mechanism, with separate 'drivers' for tracking the IPv4 and IPv6 protocols and separate 'plugins' that can handle specialized protocols (FTP, IRC, H.323, PPTP and so on).
I suspect that commercial firewalls will probably follow suit.
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
Is it a good idea to expect that whenever and wherever a mobile computing device connects to a network, there will be a properly configured firewall ready to protect it, or should computers and other networked devices be able to function securely without an external firewall to protect them?
It's a nonsensical situation that operating systems in general cannot be relied upon for the security of their own network interfaces - after all it is down to the operating system to accept or reject user logins. In the same way it should be the operating system that sets policy about whether to accept or reject packets from arbitrary locations.
A firewall is roughly equivalent to a plaster on an open wound - it serves a useful purpose, but nobody should expect to walk around with an open wound on a long term basis.
There is little if anything that a firewall can do that an operating system can't.
SURELY NOT!!!!!
I would say I personally am not obsessed with firewalls per se, I'm obsessed with privacy and security.
The firmware on a firewall also has a much smaller amount of code to debug in order to make sure that it will function properly all the time. I would never assume that my Windows XP machine was properly patched with enough confidence to plug it straight into a cable modem all the time.
I am also not interested in having each computer in my home being identified and tracked individually, and I don't pirate software or download music. As such, even if the need for NAT is removed, I would still be highly interested in purchasing a device to block incoming connections and mask my IP address (maybe by swapping with other devices within my home on certain connections).
It seems strange that people are arguing about getting rid of NAT devices and having unique IPs for every device without bringing up the privacy implications. It seems that having unique addresses for every device is a small step away from being able to track and monitor every device on the net. Without the ability to proxy or perform NAT services, every device would be exposed to the net, and would leave a reliable trail of activity. It seems that this would encourage governments to think that they can control and enforce the web, and deal a pretty strong blow to the level of anonymity granted by the current network topology. I just hope that if this does come to pass, that there will be solutions to mitigate this risk, to help obfuscate individual activity on the net. This hazard to troubleshooting network issues, as described in the summary, might be an important factor in ensuring privacy and a certain degree of anonymity on the web.
"I like systems, their application excepted", George Sand (French)
"Putting a firewall on the system it is meant to protect is like wearing a bulletproof vest on the inside." -- I can't remember.
Since we have the attention of the IPv6 crowd, everyone should add this record to your forward zones:
aacs IN AAAA 09f9:1102:9d74:e35b:d841:56c5:6356:88c0
-CR
"So is the BSD licence even more 'free' (than GPLv2)? Yes. Unquestionably." --Linus Torvalds (TinyURL.com/2vugzl)
The more things change the more they stay the same. The human race is suffering from new forms of the same problems it has had for thousands of years, you can't expect communication protocols to do too much better.
Haiku for you!
I find that the obsession with Firewalls is a Windows phenomenon. If you have a pure Linux or Unix shop, you can get by with some ACLs on your routers. People with Windows shops seem to be migrating to a Port 80/443 only world, which is sad, really.
I don't agree that it's true. It's just not a complete step. The outside firewall prevents attacks that exploit the network or filtering code, in cases in which the traffic is not permitted to reach the host. But if there is even one port that goes through, then such an attack is viable and firewalling separately has bought you nothing.
The most important means of protecting the system is to close off unnecessary ports by not attaching to the interface in the first place. Less surface means less chance for vulnerabilities. If you're not doing certain things then certain daemons can listen only on lo and not on an eth.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Moan and groan about firewalls and "what is the point?" but I'll tell you what... Vista now ships with IPv6 enabled by default! All that is left is getting my DSL connection, upstream, and the rest of the internet to speak it and I'll be golden.
But seriously, I used to think IPv6 would never catch on, but in a few years maybe 65-85% of the world will be running an operating system that has it on by default. Hard to argue with that!
You can have a firewall without using NAT. Being able to assign every device a routable address means that you can implement a stateless firewall instead of a stateful firewall. For most purposes, a simple firewall that filtered incoming TCP connection requests and UDP packets on all ports except those specifically allowed would suffice. This has the advantage that the firewall wouldn't need to track the state of TCP connections, and would eliminate problems like firewalls deciding a connection has been idle too long and closing it.
For the home user, being able to assign a routable IP to every PC has other advantages. Do you have multiple PCs with Remote Desktop running that you want to access remotely? NAT makes this difficult since all the PCs share the same IP address and need to listen for connection requests on the same port. Assigning every machine a routable address makes this problem go away. Don't like that example? The same applies to a web server, or SIP phone, or Bittorrent, or a myriad of other applications.
This seems to be the kindergarten introduction to firewalls, written by someone who is feeling around in the dark, and doesn't really know what he's talking about...
So what's the point of the pages full of irrelevant details about how Vista and ZoneAlarm works?
Stateful firewalls require you to explicitly allow incoming connections on certain ports, even with IPv6. That's it. Nothing else there.
What he completely misses is that this is worlds better than NAT, which also requires assigning a unique port on the single IP address... You're screwed if you want more than one machine to access the same service, which doesn't allow you to use a non-default port.
Want two web servers running (on port 80)? Want two machines to be able to receive VoIP calls? Want multiple machines to be able to play some online game? Too bad. It's only with the multiple addresses IPv6 offers that it's really possible.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
maybe I'm missing something here as I admit I'm not fully aware of the low level details of network implementation
but wouldn't it be possible to still have a Firewall but without a NAT?
i.e. instead of devices pretending to be just the one IP address that's been assigned to the router via NAT, they instead each have their own addresses
However all communication still physically goes through the router / firewall / same device to filter out any incoming dodgy packets via SPI, or put limits on incoming communications (port filtering for given IP ranges for internal devices) to make sure that access is only granted when requested instead of by default
I know you must be trolling, since configuring IPv6 is mostly identical to setting up IPv4. Type an address, a prefix length, and a gateway and go. What's so tricky about that?
Dewey, what part of this looks like authorities should be involved?
Pfft. That's like complaining that no one should buy 2x4s because you like making them yourself with glue and toothpicks. The goal of a network is to get stuff done, not to demonstrate the size of your cock to your networking geek friends.
For a lot of settings (Corporate,home etc.) allowing random access into your network doesn't serve any purposes. If you need to provide services you can serve them through the firewall or you can make a DMZ outside the firewall but there is no need to allow random access to your network.
That being said I totally agree that OS's need to be more secure but that's just part of the equation to proper network security.
This isn't about NAT, it's about firewalling (blocking ports). You can have a firewall without NAT, but apparently allowing firewalls allows NAT too. Since NAT is bad design, and as you say unnecessary, we'd like to disallow it at the protocol level. However if you do that, you can't have a firewall which is a problem for some people. IMO, firewalls are bad design too. Close the ports you don't need, and use ACLs to limit access to the ports you do.
Give me Classic Slashdot or give me death!
To nitpick a router that blocks traffic is acting as a firewall.
Firewalls also almost always act as routers.
A router using ACLs also needs to be aware of session state in most cases.
"Firewall" products tend to offer more advanced features such as central policies, logging, advanced log filtering, alerting, etc.. Its not just windows users that want these features.
This isn't about NAT, it's about firewalling (blocking ports). You can have a firewall without NAT, but apparently allowing firewalls allows NAT too. Since NAT is bad design, and as you say unnecessary, we'd like to disallow it at the protocol level. However if you do that, you can't have a firewall which is a problem for some people. IMO, firewalls are bad design too. Close the ports you don't need, and use ACLs to limit access to the ports you do.
Sort of. By definition, a stateful firewall probably has the capability of performing NAT, but there's no reason why you'd want to, if you have enough external addresses for everything on your network.
I don't think that NAT is "disallowed at the protocol level," as much as just rendered unnecessary. You could still build an IPv6 NAT box, if you really wanted to, but it would be a bit stupid. It's like building a box that hides two Ethernet cards behind one MAC address -- sure, you could do it, but since they both already have unique identifiers, why would you want to? There's no shortage. (Okay, that may not be the best comparison in the world, but you get the idea.)
NAT is driven by a shortage of routable IP addresses. With v6, there's no longer a shortage. However, people are still going to want the security offered by stateful firewalls (NAT, in its most trivial 1:1 implementations, doesn't offer any security -- it's all in the firewall anyway), which if configured incorrectly or overzealously, could create almost as many problems themselves as NAT does currently.
However, I still think that IPv6 is a big improvement. Why? Because with v6, you have the option of not using the stateful firewall, on devices that are hindered by it, while still retaining the ability to use one and mimic IPv4 security behavior. With IPv4, unless you are wealthy enough to afford a static IP for everything in your house, you don't even have the option of exposing more than one device (per port) to the public Internet.
To me, this demonstrates that there's really no downside (besides the obvious implementation cost) to IPv6. People who just want nothing to change, can basically have nothing change. Their IPv6+Firewall network will behave just like an IPv4 one, but people who want to use the capabilities of IPv6 (for example, VoIP using SIP) will be able to, by reconfiguring their firewalls to be a bit smarter about incoming traffic.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The media -- and the consumer anti-virus manufacturers -- feed our "obsession with firewalls," and I see it every day in the home-user world.
Computers sitting behind a NAT router, which is pretty much all the firewall most machines need, come factory-loaded with Norton Internet Security or McAfee Security Center. This makes it nearly impossible for the average home user to share files and printers, and (especially with Norton) makes it very likely that they will answer some of the hundreds of pop-up questions wrong and break something they want:
"MSIMN.exe is trying to access the Internet!
What do you want to do:
1. Permanently block it?
2. Dial 911?
3. Buy even more Norton crapware?
I try to explain to my customers that they want a hardware firewall (the router) and don't really need a software firewall other than the one-way jobbie that ships inside Windoze.
OTOH, one customer this morning still has an XP SP1 machine plugged directly into her cable modem... guess what happened to her machine?
Oh, well, I get paid to fix these kind of problems, so I guess I don't mind. God forbid they ever get it right!
``Running out of IP numbers'' is like ``running out of oil'': it'll happen, but crying wolf didn't help the cause. It's claimed IPv6 is Big In Japan but, like popular beat combos, that means ``dead elsewhere''. And I'm sitting in a hotel room in Tokyo happily IPv6-free, and I've just come from a building owned by one of the largest IT companies in Japan which was entirely IPv4.
IPv6 has been ``next year'' for the last ten years. It's still nowhere. What's driving it now that wasn't driving it five years ago?
ian
NAT, in its most trivial 1:1 implementations, doesn't offer any security
When people talk about using NAT, 99% of the time they don't mean a 1:1 NAT, but a NAPT as found in home routers and configurable in many midsize routers and PC operating systems.
Such a NAPT does offer security because it disallows all uninvited incoming connections and thus shields "services" running on systems inside of the NAPT from access from the Internet.
They should have used IPv5 as a practice round to get all the bugs out...
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
Software firewalls are a non sequitur in my opinion. It's really an added layer of obscurity.
If someone installs a firewall and says "please block port 123" I can't help but ask "Why did you open port 123 in the first place, then build a wall in front of it?" The fact that these firewalls exist just shows how stupid the operating system's UI is that it is so complicated to determine what apps are listening on the network, and what apps aren't.
Blocking outgoing apps is a completely different issue, and software firewall might make sense for that, if you don't trust the applications on your machine (which is a sad state of affairs anyway)
A protocol that requires a firewall to be stateful just to allow it to pass, I would call broken. And yes, I have for years called FTP a broken protocol (acknowledging that this observation is hindsight). I'm not talking about statefulness for NAT purposes, but rather, statefulness to track permissions on related communications (e.g. the DATA connection in FTP). FTP was designed in the day when no one expected blocking of arbitrary ports. But this is something we will be doing apparently forever.
Let's fix the broken protocols and move forward. While we can use HTTP for many file transfer needs, a new protocol that conducts everything over a single TCP connection or a single SCTP session is where we need to go. Then a firewall can be simple in operation and probably more secure as a result.
now we need to go OSS in diesel cars
The problem with NAT and firewalling, both, is that they're broken by design. They're attempts to add features to the protocol/application/OS layer that are implemented at the network layer. It doesn't have the necessary information to do the job properly! So we end up with godawful mostly-kinda-works kludges like timeouts on idle TCP connections, etc....
I spend a fair bit of time tracing down network-related application issues, and let me tell you, NAT and firewalling are the work of the devil. Look, I'm all for a Linksys in front of your home Windows box, but please please, can't we kill this nonsense off once and for all?
No?
(pounds head on desk)
Now, that's just stupid.
Think about it - your firewall is usually a different machine than the one the, er, less than technically savvy users, are using to run their applications on. Say one of them gets a virus or trojan that is able to exploit a hole and create a hole in the local firewall. *poof* you are toast.
With an external firewall box, you have limited your exposure, since that trojan more than likely is not going to break into that box from the outside, or even the inside, should it get in. So, it *still* can't get out to the network.
It's called "don't put all your eggs in one basket." Think a little next time...
Whoa whoa, don't push the guy! He's still struggling with English, let alone computers.
When people talk about using NAT, 99% of the time they don't mean a 1:1 NAT, but a NAPT as found in home routers and configurable in many midsize routers and PC operating systems.
Such a NAPT does offer security because it disallows all uninvited incoming connections and thus shields "services" running on systems inside of the NAPT from access from the Internet.
Sure. But what they're really describing isn't NAT, but rather the stateful firewall that's inherent in all non-trivial implementations of NAT.
Since you can take just the stateful firewall part, and use it with IPv6, there's no security disadvantage there. All you lose is the kludgy NAT parts, and in trade you gain the ability to do much more complex and useful routing -- creating various subnets with different security levels, etc. It's nothing that hasn't been going on with big corporate networks for years (those companies that have Class A blocks and can afford to give every workstation a 'real' IP still have firewalls and security policies), but now home users can have the same flexibility, if they want it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Sorry to rain on that parade, but the (variants of) "IPv6 is secure because it's a 64 bit space and no one will ever guess your address" sound... surrealistic. It's security by obscurity of the worst kind. The kind that can't possibly work.
We live in an age where far larger combinations of bits -- e.g., email addresses or name/password combinations -- are sniffed, phished, compiled into lists and sold, etc. What on Earth makes people think that a fixed IPv6 address would be more secure? No, honestly, what's so special about an 8 byte IPv6 address that makes it un-sniffable?
The notion that your machine is only findable by raw brute-force scanning is pretty laughable. Yes, it's one of the easiest and most non-brainer methods, but it's not the only one.
As a counter-example, look at how email viruses work. Because they _do_ work without scanning and without looking for you specifically. They just go through more hops, each hop sending itself further to everyone in your address book.
Guess what? The exact same can be trivially adapted to an IPv6 worm. Each pwned machine just continuously looks for incoming and outgoing connections, and tries to spread to those too.
Or how about lists of static addresses, the same as the lists of email addresses that spammers buy and sell. Only unlike email addresses, if you're unfirewalled, you can't keep yours secret. You _have_ to tell each visited site your address every time you connect to it, so it knows where to send the response packets.
So basically it's the setup for the easiest kind of phishing imaginable. It's like automatically giving your email address to every site you ever visited, except this time it's your IPv6 address. Someone just has to create or pwn a popular site, and just record all the IP's that connect to it. Voila, that's a nice list to sell to the hackers. No more brute force scanning needed.
We already have major corporations whose computers are spam bots. What makes you think none will host IP recording bots? How do you know none of the ecommerce sites or forums you visit could be pwned to record all those static IPv6 addresses?
Or it just takes one bored intern working at a major ISP to run a sniffer and get a huge list of all static IPv6 addresses that sent or received anything through their pipe. Remember, idiots exist everywhere. One guy sold the whole list of AOL addresses to spammers, for example. So are you _sure_ no one will sell the list of allocated/known IPv6 addresses?
And since it's static addresses (after all, the whole idea is to get rid of NAT, right? No more dynamic addresses and remapping, right?), you know that each address logged will be available for a long long time thereafter.
Basically let's stop using the whole "we're secure by obscurity" concept to rest already. If there are other security mechanisms in place, fine, I want to hear about them. But "no one will find your IPv6 address" is _not_ security. If you want to talk security, you start from the most paranoid scenarios imaginable, not from wishful thinking.
A polar bear is a cartesian bear after a coordinate transform.
If you take the firewall out of the equation, there is still one bit of evil left with NAT - applications that may want to set up and announce a listening port don't know what the correct IP address is. Often times they have to resort to bizarre workarounds, like asking a known external service what their own address is. Very byzantine. If nothing else, moving to IPv6 removes that headache. And if you have two machines behind a 1:n NAT that want to open up port 80, you're hosed. Without NAT, that's not a problem anymore. You'll have to tell your firewall that connections to port 80 on those machines are OK, but that's nothing more than what you would have had to do to your NAT box anyway (except that one of them would have to be port 81 or 8080 or some such nonsense).
I can't wait for the home networking routers that are so popular to implement 6to4. There's no reason they can't do that right now. Even if it were off by default, having it there would give people more options at little or no cost to the manufacturers. All of the major OSes out there shipping today support IPv6 natively.
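The point made in several posts above (a stateful firewall keeps its security role with no address translation, two inside hosts can both publish port 80 on their own routable addresses, and the idle-timeout behaviour is the price of tracking state) as an added, constructed model; this is illustrative code written for this page, not a real firewall, and all addresses are made up from the 2001:db8::/32 documentation range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet reduced to the fields a layer-3/4 filter looks at."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Stateful filter for an IPv6 site whose inside hosts have routable addresses.

    Policy: inside hosts may open anything outbound; the return half of a tracked
    flow is accepted; unsolicited inbound traffic is accepted only to (address, port)
    pairs on the allow-list. Nothing is rewritten, so several inside hosts can
    offer the same port, which a port-translating NAT on one address cannot do.
    """

    def __init__(self, inside_prefix, allow_in, idle_timeout=300):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.allow_in = {(ipaddress.ip_address(a), p) for a, p in allow_in}
        self.idle_timeout = idle_timeout
        # 5-tuple as seen in the originating direction -> time of last activity
        self.flows = {}

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        # The idle-timeout behaviour the thread complains about: a flow nobody
        # has used for idle_timeout seconds is forgotten, so its next packet
        # from outside looks unsolicited and is dropped.
        stale = [k for k, t in self.flows.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def filter(self, p, now):
        """Return "ACCEPT" or "DROP" for packet p arriving at time now (seconds)."""
        self._expire(now)
        if ipaddress.ip_address(p.src) in self.inside:
            self.flows[self._key(p)] = now  # outbound: record and allow
            return "ACCEPT"
        rev = self._reverse(p)
        if rev in self.flows:
            self.flows[rev] = now  # reply to a flow an inside host opened
            return "ACCEPT"
        if (ipaddress.ip_address(p.dst), p.dport) in self.allow_in:
            self.flows[self._key(p)] = now  # explicitly published service
            return "ACCEPT"
        return "DROP"


def demo():
    """Run a constructed trace through the filter and return the decisions."""
    fw = StatefulFirewall(
        "2001:db8:1::/64",
        # two web servers, both on port 80, each on its own routable address
        allow_in=[("2001:db8:1::a", 80), ("2001:db8:1::b", 80)],
        idle_timeout=300,
    )
    outside = "2001:db8:ffff::1"  # constructed address of an Internet peer
    trace = [  # (label, packet, arrival time in seconds)
        ("web-a", Packet("tcp", outside, 50000, "2001:db8:1::a", 80), 0),
        ("web-b", Packet("tcp", outside, 50001, "2001:db8:1::b", 80), 0),
        ("web-c", Packet("tcp", outside, 50002, "2001:db8:1::c", 80), 0),
        ("ssh-a", Packet("tcp", outside, 50003, "2001:db8:1::a", 22), 0),
        ("out", Packet("tcp", "2001:db8:1::c", 40000, outside, 443), 0),
        ("reply", Packet("tcp", outside, 443, "2001:db8:1::c", 40000), 10),
        ("late-reply", Packet("tcp", outside, 443, "2001:db8:1::c", 40000), 1000),
    ]
    return {label: fw.filter(pkt, t) for label, pkt, t in trace}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:11s} {verdict}")
```

The "late-reply" packet is dropped only because the flow entry expired; on a real firewall that is the class of hard-to-diagnose failure the summary refers to, and the usual mitigation is a longer TCP-established timeout or application keepalives.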
What'sdriving it now that wasn't driving it five years ago?
SIP.
Right now, most people haven't run into it, but there's no easy way to have multiple SIP VoIP "lines"* into your house, when you only have one IP address.
* I mean "lines" in the POTS sense, of independent full-duplex telephone circuits, each with their own numbers. And yeah, I know you can get this if you use protocols other than SIP, but they have their own problems.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Still doesn't mean I wouldn't want a NAT to offer a centralized location to manage my network. Right now I've got a NAT router forwarding most ports on my IP to my Mac Mini server (which has its own firewall), and a few gaming ports to my Powerbook. Managing a firewall in a single location would be a lot easier than managing a firewall on multiple devices.
And how will IPv6 affect broadband? Right now I'm only allowed one dynamic IP. Would all broadband providers be forced to monitor individual IPs across their network?
I'm in the hole of the broadband donut.
If this is true, we may not need NAT; each device, be it a computer, Wii, or Tivo, could have its own dedicated IP.
That works great - As long as your ISP gives you as many addresses as you want, and for free. Oh yeah, and that you trust every machine out there that wants to connect to you.
In theory, IPv6 exists in the first place to eliminate that as a problem - Everyone can have thousands of addresses, with no risk of ever running out (strange, did the echo of that come back "640k...40k...k"?)
However, given the greedy nature of most broadband providers, they almost certainly will artificially re-create the same problem, either by limiting addresses or charging on a per-address basis. And the second they start pulling that crap, we'll see NAT suddenly mature for IPv6.
You might want to read this document from the IETF regarding privacy and IPv6. Ensuring privacy, or at least not eliminating it, was a major concern of theirs during the design of v6, and I think you'll find that your privacy is protected just as well or better than it is under IPv4 (which is to say, not really all that well, but if it gives you a warm fuzzy feeling to think so, enjoy).
http://playground.sun.com/ipv6/specs/ipv6-address
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
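The privacy worry raised earlier in the thread (every device individually identifiable and trackable) and the IETF document pointed to above both turn on how the low 64 bits of an address are chosen. As an added illustration that is not from the page or the IETF text, the code below derives the stable, MAC-based interface identifier of RFC 4291 Appendix A and contrasts it with a random temporary identifier in the spirit of RFC 4941; the MAC and prefixes are constructed values.

```python
import ipaddress
import secrets


def mac_to_modified_eui64(mac):
    """Stable interface identifier derived from a 48-bit MAC (RFC 4291 App. A).

    The two halves of the MAC are split by ff:fe and the universal/local bit
    (bit 6 of the first octet) is inverted. The result never changes, so the same
    host carries the same low 64 bits into every network it joins.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def random_iid():
    """Temporary identifier in the spirit of RFC 4941: random bits, U/L bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 6 so it cannot be mistaken for a real EUI-64
    return bytes(iid)


def build_address(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def interface_id(addr):
    """Return the low 64 bits of an address as bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]


def same_interface_id(addr_a, addr_b):
    """True when two addresses, possibly under different prefixes, share an IID.

    A defender reviewing logs from two sites can use this to see whether
    EUI-64 addressing is leaking a per-device identifier across networks.
    """
    return interface_id(addr_a) == interface_id(addr_b)


def demo(mac="00:11:22:33:44:55"):
    """Same constructed laptop seen at home and at a hotel, both addressing styles."""
    home, hotel = "2001:db8:1::/64", "2001:db8:2::/64"  # constructed prefixes
    stable = mac_to_modified_eui64(mac)
    eui_home = build_address(home, stable)
    eui_hotel = build_address(hotel, stable)
    tmp_home = build_address(home, random_iid())
    tmp_hotel = build_address(hotel, random_iid())
    return {
        "eui64_home": str(eui_home),
        "eui64_hotel": str(eui_hotel),
        "eui64_linkable": same_interface_id(eui_home, eui_hotel),
        "temporary_linkable": same_interface_id(tmp_home, tmp_hotel),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:19s} {v}")
```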
The problems don't come from having NAT or a stateful firewall, but from using poorly designed protocols. There is hardly a justification for using more than one TCP or UDP port, or dynamically assigned destination ports.
For example, compare IPSec with OpenVPN: the former requires various UDP ports plus a completely new IP protocol, while the latter runs over a single UDP port. Now guess which one is much easier to get through a firewall.
OS Reviews: Free and Open Source Software
"In theory, IPv6 exists in the first place to eliminate that as a problem - Everyone can have thousands of addresses, with no risk of ever running out (strange, did the echo of that come back "640k...40k...k"?)"
Actually, with ipv6 a home user would have over 18 Quintillion addresses.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
In today's world it's not safe to connect to the outside world without one. I don't see 'safety' being an 'obsession'.
Especially when 1/2 our house is run on an internal IP network. I DON'T want someone managing to turn off my heat or something..
---- Booth was a patriot ----
I'll probably get flamed big time for this, but it's my opinion that the application and OS vendors have done a great job of fooling the world for a LONG time. Basically they've woven a magic spell that has convinced the world that managing security is primarily the job of the network (hence network security).
Problem is, for the most part the network is not insecure (sans router vulnerabilities). The networks do what they are supposed to do: transmit packets. The security problem is with each HOST on the network. The OS and application vendors have convinced us that your first line of defense is the network firewall, which for a LONG time has let them off the hook.
If the OSes and applications were reasonably secure, the need for a firewall and/or NAT device would be MUCH less. Firewalls cause problems with applications. The only reason we use them now is because the security risk at the HOST level is SO high nobody can risk leaving these systems on the network.
Because of stuff like EULAs nobody is able to hold the OS vendors and application developers accountable for shipping products that are insecure.
I should not have to build a moat around my castle because I can't buy castle walls or doors that are reasonably effective.
Well, for one, an administrative account may set up firewalling rules on a box to overrule attempts made by a normal account to open listening sockets (mitigating a number of attacks that rely on users running exploitable network apps, or certain opportunistic attacks that listen for a cue to give a third party access). This performs a function along the lines of 'chown' for ports. Unfortunately, given the way many applications are written, implementing a more obviously chmod-like facility for ports, in which the impacted process is made aware of the other layer's policy, would break many existing applications.
A good example could be synergy. Let's say I'm a user interested in the program. I'm semi-lazy so I like the quicksynergy front end. If you ever use synergy, you know that it doesn't in and of itself bother with meaningful authentication or encryption. Also, while the daemon itself supports being explicit in terms of which IP interfaces to bind to, the quicksynergy frontend does not expose the relevant configuration options. So while I know how to make use of ssh to port forward and authenticate for me, out of the box I still may leave synergy hanging out accepting any connections on the IP network. Considering synergy could effectively be a means to do keylogging (if the user accidentally moves the mouse to the wrong place, for example), this is highly dangerous. Now, my distribution, being fairly restrictive, had placed hard and fast firewall rules in place to only allow blessed applications access in, except on lo. If I wanted to shoot myself in the foot with synergy, I'd now have to jump through some hoops and hopefully in the process learn why it's a bad idea. There probably exist poorly designed but useful network daemons that don't even allow interface-specific binding, in which case firewall rules bridge the gap. You can't always shut down a process that does foolish things in terms of listening on sockets you don't like without configurability to get around it; sometimes you need that process to run and the network to be denied by a layer the process can't mess with and is even unable to absolutely confirm exists.
Yes, well-written applications should not do inappropriate things with listening sockets without the ability to lock it down. However, the world is full of not-so-well-written applications. The key is letting those apps think they are doing what they want with the firewall ruleset under the covers establishing the reality in ways the application cannot see or change. Good frontends for 99% of usage out there exist (OSX I believe makes it obvious when enabling a service it is also futzing some firewall rule to complement that, so it is intrinsically linked in the dialog most anyone will deal with).
This is one aspect where I disagree with Ubuntu philosophy. Ubuntu philosophy is along your lines (don't bother with iptables rules by default, they just get in the way and the user knows what they are doing). This seems incongruous with the whole mission of Linux for the masses that Ubuntu is about.
XML is like violence. If it doesn't solve the problem, use more.
Services that require secondary/back-connections are not all that common. FTP is obviously the most common but even $40 firewalls can handle it. BT doesn't count since it uses well known ports (i.e. no negotiation of which ephemeral ports to leverage). The firewalls that are present in environments which use RPC are more than capable of intercepting portmapper requests and opening ports.
That's like saying "My car can RUN on diesel because I can put a can of it in the trunk."
I will tell you what: if what you say is true, then you should be able to retrieve the front page of Slashdot using HTTP over TCP using IP6 headers rather than IP4 headers. Why don't you give it a try, watching with your favorite packet logger, and post the results.
Yes, IF:
THEN you might be able to do IP6 from your IP4 address to Slashdot's IP4 address.
BUT if ANY step in the way cannot handle IP6 datagrams — even a step as lowly as the cheap router your ISP gave you, or the cable modem head end unit, or
www.eFax.com are spammers
I said "no easy way," not that it's completely impossible. You can do it, but traversing multiple SIP connections over NAT with a single public-facing IP address is almost stupidly complex and/or requires specialized SIP-aware NAT hardware, and it's far beyond what most people are capable of doing, just for the static case. I don't even want to think about the case of roaming wireless SIP clients, which is really the goal.
IPv4 is going to die, and NAT along with it, it's just going to take a very, very long time. The main problem with IPv6 has nothing to do with its core functionality, the problem is that it had a serious case of featureitis (e.g. IPSec); if the IETF cut out the crap and just let people implement the long addresses without the rest of the stuff better left to the application layer, it would probably get implemented a lot faster.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Most likely the cable providers will start charging per IP, and most of us using routers with NAT will still use routers with NAT.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
I think this analogy may, in fact, be true. However, a computer is not a human being. Putting a bullet proof shield right beneath the skin would provide protection against the things bullet proof vests normally protect against. We cannot engineer such a thing in a human, but we can in a computer. Also, let's not consider "the computer" as being the same thing as "the person." We can't just replace a brain like we can a kernel. A computer is a modular device of discrete components (hardware, various programs, etc) which is programmed to perform functions. Having a portion of it protect the rest is no crazier than having a person defend themselves against attack rather than depend exclusively on the police.
Logic ... merely enables one to be wrong with authority. -- Doctor Who
A human is a modular device of discrete components (organs) which have evolved to perform functions.
Oh sure, exchanging components in humans isn't all that easy. But it can be done.
I think it's a silly analogy because if you configure it in a certain way the firewall makes the attack surface invisible - you can't tell which ports on the system have things bound to them, because if you don't pass the firewall rules, the firewall doesn't tell you that you're not permitted to connect, it just tells you to fuck off, behaving as if that port were not just denied, but unopened.
Something under your skin doesn't hide your orifices :) and thus it's a ridiculous analogy, like most.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm sure no one is reading at this point, but NAT is an awesome thing. I demand the ability to run a private, non-routable-by-design network that can still cooperate with the outside world. It's been said here lots, but let's run down the advantages:
- your point of view, this is a really good thing. With world-routable addresses for everyone all one would need do is remove the barrier. Poof! Instant access. Now our unique addresses aren't such a good idea.
1) Ease of use. NAT's 'firewall' features are on by default. My mom has a firewall, because she has NAT. Zero extra config required. Show me that on IPV6 and we'll talk.
2) EASE OF USE!!! When my brother brings his lappy over, do all the routers in the world need to now know that he's behind a different hop? Why can't he just grab DHCP and be ready to roll, sharing one of my already-configured addresses? Enabling world-wide access to every internet ready device isn't practical when they readily can move around...
3) Privacy. Do I have one box behind my cable modem, or ten? Does my ISP really have a right to know? What about the RIAA? Should I now have to pay to reserve some extra IPV6 addresses in case I want to expand my network at some point? With honeyd or similar, I can make it look like I'm running 1000 boxes back there, and with NAT those addresses are at ZERO COST to anyone else.
4) Nullification of Point. Not every device in the world needs a unique address. In fact, it benefits us that most do not. Should someone interested in pin-pointing specific traffic behind NAT use a silver bullet against my firewall, they'd still need to know which internal address they're going after. Likewise they'd better not be using that same address space in their local routing table. The scenario is considerably more complex, and from a security/privacy/no-I-dont-feel-like-sharing-with
I'd like to join those suggesting what's likely to be the natural result of all this anyway:
IPV6 is for routers. Give my half-a-dozen addresses, let me bind them to the outside of my firewall, then I'll map them back via NAT to my IPV4 space. Everyone wins!!!
And to those discussing Virtual Machines needing IPV6, I say the opposite might be better. If you're splitting them behind a single interface anyway, why not NAT the addresses back at that point? Then the only 'attackable' services are those you've opened via NAT. The rest of the world would see one machine offering a host of services, when in reality you're running each of those services in a unique environment. If you need to overlap ports, THEN use another unique address.
Isn't this why most of us have jobs?
Today is red jello day - all workers must eat all of their red jello. Failure to comply will result in five demerits.
The difference between a router and a firewall is primarily the default intent:
router: do your darnedest to forward any traffic not specifically denied. A poorly configured ACL can leave you swinging in the breeze. Logging is usually off by default.
Fer instance: a ping sweep on a default setup will expose all hosts active and responding and log nothing about someone rattling your doorknobs.
Firewall: do your darnedest to block anything not specifically allowed. A poorly designed ACL is less likely to be unsafe. Logging of violations is usually enabled by default.
Fer instance: a ping sweep on a default setup should not reveal any hosts but should log the sweep attempt.
In a pinch, with some extra effort and understanding, you can configure a router to behave like a firewall and vice versa. You can use a screwdriver as a chisel too; it's just not the correct tool for the job, if you want a consistent, professional job.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
We're going to agree there very quickly. I have no problem with seeing it as an extra road bump. That's a sane and realistic attitude, and every bit helps, obviously.
However, the argument does end up again and again being, basically: "if we were finally on IPv6 you could really give up all firewalling and defense, since you're impossible to find in all those gazillions of possible addresses anyway." Now probably no serious admin would think it's security, but somehow just that claim does seem to pop up on Slashdot every time IPv6 is mentioned. I've seen half a dozen messages to that effect in this thread alone, and that's just skimming through it.
Now maybe they had something more along your assessment in mind, but any details were missing that would hint that way.
A polar bear is a cartesian bear after a coordinate transform.
First, stateful filtering is stateful filtering. Although NATs have to be stateful in some way, they are not stateful filters by themselves, as you correctly point out.
However, ipv6 has a major change which can cause massive headaches for firewall administrators: IPSec is now mandatory. IPSec provides two optional means of security: AH (which provides antitampering) and ESP (which provides encryption and antitampering). Neither of these were designed to pass through a NAT. The reason is not that NATs are bad design but rather that they break the end-to-end security that IPSec offers (i.e. any packet tampering invalidates the packet, and NATs by definition tamper with the packets).
Sounds all right so far, but with ESP, the entire payload is encrypted. This means that a party in the middle cannot eavesdrop on the connection (including the TCP headers). You don't know what ports are involved. You just know what two computers are involved. If you try to use FTP over an ESP-protected connection, however, the firewall will not be able to determine the state of the data connection. Same with H.323 (though I for one welcome the death of any OSI-descended protocol). In fact H.323 would become essentially impossible to allow via ESP to arbitrary hosts without opening up the whole network, because of how the control protocol works.
Hence you run into stateful filtering issues with ESP which are not possible to sort out. In practice, you have the choice of simply allowing ESP as a protocol or not allowing it, or possibly allowing it to a whitelisted set of end-points.
Oddly enough this was not discussed in the article, which seemed to spend way too much time confusing NAT and stateful filtering.
LedgerSMB: Open source Accounting/ERP
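To make the point in the comment above concrete, here is an added example (not code from the thread) that parses a constructed IPv6 packet the way a filter in the path would: with TCP as the next header the ports are readable, with ESP (next header 50) only the SPI and sequence number are, so the only policy left is allow/deny ESP per endpoint pair. The addresses, ports, SPI and the `ESP_PEERS` whitelist are all made up for the illustration.

```python
"""Added example: what a stateful filter can read from an IPv6 packet
carrying TCP versus ESP (RFC 4303). All packets are constructed by hand."""
import ipaddress
import struct

NEXT_TCP = 6
NEXT_ESP = 50


def build_ipv6(src, dst, next_header, payload):
    """IPv6 fixed header (version 6, zero traffic class/flow label, hop limit 64)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_tcp(sport, dport, payload=b""):
    """Minimal 20-byte TCP header: ports, seq, ack, data offset 5, SYN, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload


def build_esp(spi, seq, ciphertext):
    """ESP: 4-byte SPI and 4-byte sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def middlebox_view(pkt):
    """Return every field a filter without the keys can read from the packet."""
    _, plen, nh, _ = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    payload = pkt[40:40 + plen]
    view = {"src": str(src), "dst": str(dst), "proto": nh}
    if nh == NEXT_TCP:
        sport, dport = struct.unpack("!HH", payload[:4])
        view.update(sport=sport, dport=dport)
    elif nh == NEXT_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        view.update(spi=spi, seq=seq)  # no ports, no TCP flags, no FTP commands
    return view


# Constructed whitelist of (src, dst) pairs allowed to exchange ESP.
ESP_PEERS = {("2001:db8::10", "2001:db8:1::20")}


def policy(pkt):
    """ALLOW/DROP: TCP is filtered by destination port; ESP can only be
    filtered by endpoint pair because nothing else is visible."""
    v = middlebox_view(pkt)
    if v["proto"] == NEXT_TCP:
        return "ALLOW" if v["dport"] in (22, 443) else "DROP"
    if v["proto"] == NEXT_ESP:
        return "ALLOW" if (v["src"], v["dst"]) in ESP_PEERS else "DROP"
    return "DROP"


# Constructed sample packets between the same two hosts.
SAMPLE_TCP = build_ipv6("2001:db8::10", "2001:db8:1::20", NEXT_TCP, build_tcp(40000, 443))
SAMPLE_ESP = build_ipv6("2001:db8::10", "2001:db8:1::20", NEXT_ESP, build_esp(0x1234, 1, b"\x5a" * 32))
SAMPLE_ESP_UNKNOWN = build_ipv6("2001:db8::99", "2001:db8:1::20", NEXT_ESP, build_esp(0x1234, 1, b"\x5a" * 32))

if __name__ == "__main__":
    for name, pkt in (("tcp", SAMPLE_TCP), ("esp", SAMPLE_ESP), ("esp-unknown", SAMPLE_ESP_UNKNOWN)):
        print(name, middlebox_view(pkt), policy(pkt))
```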
NATing firewalls serve two security purposes and several non security purposes.
The non-security purposes are to multiplex routable IPs so that we don't have to have a public address for each network-capable device. That's critical in IPv4, but irrelevant for IPv6 in the foreseeable future.
The other is so that we can arbitrarily assign IPs to LAN devices (often with DHCP) and be happy. Auto-configuration in IPv6 renders that irrelevant as well.
Now to the security purposes. First and foremost, they provide a default condition where incoming connections are summarily blocked while outgoing are permitted (after NATing). UDP is often configured similarly so that an outbound UDP packet opens a hole for replies to come in through (also after NATing). There is absolutely nothing in IPv6 to prevent the same rules from being configured minus NAT. As a side benefit, without UDP NAT randomizing the port number, two machines behind different firewalls may request a hole by sending UDP packets out iff the firewall is configured to permit it.
The second purpose is to obscure the structure of the LAN behind the firewall including the number of machines on the LAN. It is notable that with IPv6 autoconfig it is entirely possible to find out how many devices are behind the firewall and who made the network devices.
The real question is how valuable is obscuring the addresses of the machines on the LAN and how strongly does NAT guard against leaking that information.
My guess is that NAT doesn't really do a lot there. If the firewall is well configured, most attacks behind it will be the result of users getting viruses and trojans from email and web browsing. A well crafted trojan can easily phone home using an outbound (permitted by NAT) connection and tell the attacker all about what's behind the firewall anyway. The trojan can then act as a socks proxy and allow the attacker to effectively have a machine inside the firewall anyway.
In short, there's no reason for NAT at all in IPv6. Any real security benefits to NAT are side effects of its primary purpose and easily enough implemented properly as security rules to provide security. Network security SHOULD be a process of adding deliberate and considered rules to a firewall. It should NOT be an ill-considered side effect of solving an entirely different class of problem.
The real question is how much do those firewall rules spoil the idea of everything having a routable address. My opinion is not all that much. A firewall is simply a sort of rules server device that offloads filtering (ideally as a first line of defense backed up on the machine being protected) and centralizes policy, even in the face of mis-configured machines. Those rules would (hopefully) still be there without the firewall (who wants random people sshing or VNCing to their desktop machine), so the effect is more or less nil as far as routability goes. After all, even servers running without a firewall are often configured with hosts.(allow|deny).
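The claim above that IPv6 autoconfig can reveal how many devices sit behind a firewall and who made them rests on the modified EUI-64 interface identifier (RFC 4291), which embeds the MAC address. This added example (not from the thread) derives and reverses that identifier and shows that an RFC 4941 privacy address gives nothing back; the prefix, MACs and addresses are constructed, and the OUI-to-vendor lookup is left to the IEEE registry rather than hard-coded.

```python
"""Added example: what a SLAAC address built from a modified EUI-64 leaks
to an outside observer, versus a random (privacy) interface identifier.
All prefixes, MACs and addresses below are constructed."""
import ipaddress


def slaac_from_mac(prefix, mac):
    """Address a host derives from its MAC under plain SLAAC: split the MAC,
    insert ff:fe in the middle and flip the universal/local bit (0x02)."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def mac_from_address(addr):
    """Reverse the transform. Returns the MAC, or None when the interface
    identifier lacks the ff:fe marker (privacy extension or random IID)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


def oui(mac):
    """First three octets: the IEEE-assigned block a public registry maps to
    a manufacturer (the registry lookup itself is not done here)."""
    return mac[:8]


def inventory(observed):
    """What an observer learns from addresses seen leaving one /64: the number
    of distinct hosts, and for EUI-64 hosts the hardware vendor block."""
    report = {}
    for addr in observed:
        mac = mac_from_address(addr)
        report[addr] = oui(mac) if mac else "hidden (privacy/random IID)"
    return report


# Constructed traffic from one home /64: two plain-SLAAC hosts and one
# host using a temporary address (RFC 4941).
PREFIX = "2001:db8:abcd:1::/64"
OBSERVED = [
    slaac_from_mac(PREFIX, "00:11:22:33:44:55"),
    slaac_from_mac(PREFIX, "00:11:22:aa:bb:cc"),
    "2001:db8:abcd:1:3f9c:a12e:77d0:0b41",
]

if __name__ == "__main__":
    for addr, info in inventory(OBSERVED).items():
        print(addr, "->", info)
```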
Today, a standard firewall topology has public (routable) IP addresses on the outside (internet) and private addresses on the inside. The firewall does NAT between the networks. To allow outside access to an internal device, the firewall administrator must configure NAT mappings from public outside addresses and ports to inside addresses and ports, and firewall policies that allow the connections.
In an IPv6 environment, there will be public addresses on both outside and inside. The firewall will normally route packets (instead of doing NAT). Thus, the administrator only needs to configure the firewall policies. This can be done today if you have public IP addresses for your internal network. So it is nothing new.
The IPv4 address limitation is partially driven by an address shortage, but it's also a way to limit bandwidth usage. Many ISPs still have written prohibitions against sharing the WAN connection among more than 1 or 2 computers. For a while there some big ISPs (cough, Verizon) even prohibited wireless access points or routers that were not rented from/provided by them.
NAT routers hide this multi-computer usage from the ISP, which is one reason they became so popular with consumers. They let people share the connection without paying a multi-computer fee. Today the no-sharing clauses are typically only exercised when an ISP see a ton of bandwidth usage it wants to cut off.
IPv6 or no, I think ISPs will continue to limit the address space available to their subscribers. It's a way to manage bandwidth, and it can be a money-maker--if someone wants a block of addresses, that's a value-add and it costs extra. It doesn't matter that there are a billion free addresses in the space. Because the end users still have to get them from an ISP, from the end user perspective the degree of scarcity will not necessarily change.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
If (and it's a really big if) the major providers ever support ipv6 it's odds on they'll give you *one* ipv6 address then charge for larger blocks, just like they do now. NAT will still be absolutely essential - that's why off the shelf cisco routers support NAT over ipv6 even now.
[quote]Also, let's not consider "the computer" as being the same thing as "the person." We can't just replace a brain like we can a kernel.[/quote]
Not exactly. The brain can be replaced; knowledge, data and skills cannot be. Staff turnover in some businesses is enormous, since you can replace people with other people. A business can sack a person and replace them. You can reinstall a computer and replace the kernel. It is difficult and time-consuming to hire a new person with the exact knowledge and data as the previous person; it can be difficult and time-consuming to restore a new kernel with the exact knowledge and data as the previous kernel.
Here is an example that needs NAT:
Say you wish to produce and deploy 1,000,000 rather complex but otherwise identical systems that are mobile and can be moved around at will.
Example: Armoured cars, ATVs, Tanks, Aircraft, Helicopters, Ships, Boats, Submarines, Motor cars, Jeeps, Trucks...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The firewall required to do this isn't any less complex than a current NAT/stateful-firewall, but it provides several advantages. Rather than having only one externally-facing address for the entire LAN, and routing traffic based on the port or TCP connection, you can just route based on the IPv6 address, and create all sorts of (in)flexible rules based on how much trust you have in the destination device, which can include creating further subnets that are isolated from each other, for security purposes.
Interesting view. I've always considered using NAT and having only one external IP to be a huge advantage. If I have another machine/device (e.g. friend's laptop, new PDA, etc), I don't want it to be visible to the Internet.
I think most cable/DSL users (at home) have their computer connected directly to Internet, with *maybe* a software firewall (such as the one built-in to XP). If it is possible in any way for them to connect multiple devices (laptop, PDA, phone, desktop) into their adsl/cable modem without a firewall, *THEY WILL FIND A WAY*.
If IPV6 gives everyone their own block of ~256 addresses, then perhaps NAT routers could go off the market... Or what if DSL/Cable operators decide to charge a small fee for each IP address? (Not the high fees for IPV4 addresses, but something that might make that new PDA incur a small recurring or *monthly* charge)
Doesn't big business crave these tiny monthly fees that they can lure people into? All they would have to do is to integrate the IPV6 firewall into cable/adsl modem. This would have two advantages:
1) (Foolproof) Prevent users from connecting insecure devices directly to the Internet.
2) Open a new business plan where the internet operator can decide what devices/services the user can plug into the modem. (If NAT is dead, then most [unskilled] users will be stuck with this).
3) [disad] The Federal govt could assign IPs to each person or device. E.g. They would create a database of which user and which devices had which IPs.
Yes, the average slashdotter will find a way to do his own NAT. But if these devices leave the commercial market, the general public will be subject to the whims of the ISPs.
All NAT gives you is Network Address Translation - the rest of the stuff talked about above is added extras on your combined modem/firewall/router. If you have your own subnet, DHCP will still work, firewalling will still work and routing will still work even though there is no NAT at all. In a lot of cases it will even work the same way on the same device - it's just a matter of turning NAT off. The big hassle and sometimes advantage of NAT is that incoming connections don't know where to go without port forwarding. However, that's where a decent firewall rule setup comes in (all these devices can do it, you know) and you only let stuff into your subnet that should be allowed in (the same should apply for outgoing). NAT is a hack for not having an address to route stuff to; all the other bits are the useful things.
The reasons I see for using them are 1) central control of network traffic, and 2) blocking the Internet background radiation. NAT is not required for firewalls. The real problem is that so many stupid firewalls block based on port, as if you can't tunnel through any port you can open. That component of firewalling was always stupid.
But imagine every household in China and in cities in India and Indonesia getting broadband, whether it's DSL or cable or radio-based. (The Internet's not just for old people in Korea, after all.) Even if they've only got one address per household, that's a few hundred million IP addresses. It's easy to blow out the remaining supply of IPv4 addresses.
The US government has also mandated that its new computer and software purchases support IPv6. Unlike the 1980s, when they tried that with the OSI protocol stacks (remember GOSIP and X.400?), IPv6 is close enough to usable that agencies will gradually start adopting it, which means that vendors will also be commercializing it. So it won't be just vendors checking the box on their proposals and agencies getting waivers to ignore the stuff, at least once their Microsoft Windows PCs are supporting it widely.
Microsoft has been working on IPv6 for a while. It's available in XP if you want to dig it out of the documentation and enable it, and Vista supposedly has more support for it, not that Vista deployment is really blasting off yet. We'll see.
Of course, until there's a fair bit of usable content on the web, it'll get largely ignored by the public, but eventually it'll stagger onto the field.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
In most BitTorrent clients you can configure what ports they use. If you have admin rights on a firewall app/router then you can configure that too. Network researchers have a problem with NAT because it does routing by changing and relying on certain values in upper layer protocols such as TCP and UDP. Firewalls don't necessarily do this, so they are not frowned on the way NAT is.
All of this goes for IPv6. Yes, I'm sure that there's an Exchange implementation that runs on IPv6, with all the latest bits. Do you want to test it? What would the benefits be to your enterprise? Yes, I'm sure you could replace your current IPv4 backbone with one running IPv6? What benefits would it deliver to your enterprise? Yes, I'm sure there's a world of end users running IPv6 somewhere: but there's a world of people speaking Esperanto, too, just a very small one.
X.400 failed mostly because it required extra effort to deliver negative benefits: you can't talk to as many people as you can with SMTP. In what way is IPv6 different?
ian
I don't think I will ever trust any other appliance than my firewall to be directly accessible by anyone from anywhere. For me the point is moot; there will be NAT in my home simply because I see no reason to expose myself to potential problems. If I need to access my refrigerator, I can get around my own firewall in various ways that require decent authentication.
But your other choice is to be insecure.
I mean, it's inconvenient to have to carry keys all the time, but the other alternative is to leave your house and car unlocked and, in the latter case, hotwired, so that anyone who walks up to it could just get in and drive off. (Yes, you could go with a different form of authentication besides a traditional key, but my point stands: authentication is inconvenient, but it improves security.)
NAT and firewalling create a certain amount of inconvenience, but they are well worth it for their security properties. They're not *nearly* as inconvenient as some of the other things you could do to compensate for not having them. Let's say, for instance, that you administer a network of fifty Windows desktops. You could put them all behind NAT and firewall, or you could hook them directly to the internet and individually manage all the incoming ports on each and every one of them individually. Which is more inconvenient? Or if you do neither, how much time would you have to spend recovering them from the security problems that would result? When you look at the alternatives, the firewall actually starts to sound *very* convenient.
Cut that out, or I will ship you to Norilsk in a box.
The problems that the article describes — FTP, IM file transfers, etc. — have exactly the same problems under NATless IPv4 stateful firewalls. The Internet hasn't fallen over yet, therefore the problem is overblown.
The solution in Linux has generally been application-specific kernel modules (ip_conntrack_ftp, ...) that tell the state engine (ip_conntrack) to expect related traffic. They might've finally added a user-mode interface since last time I looked, but that doesn't actually solve the problem since any user-mode program is still forced to sniff forwarded traffic for known applications.
The more elegant solution would be for each application to indicate a related connection in a way that all stateful firewalls along the route could understand. Sort of like UPnP, except UPnP only talks to a single local NAT, not every firewall along the route. However, this more elegant solution hasn't yet been invented, for IPv4 or IPv6.
Range Voting: preference intensity matters
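The comment above names ip_conntrack_ftp as the Linux answer to FTP's secondary connection. This added example (not from the thread and not the kernel's code) models what such a helper does: read the cleartext control channel for PORT/PASV (RFC 959) or EPRT/EPSV (RFC 2428), derive the data connection that will follow, and register a one-shot expectation that the otherwise default-deny filter honours. Addresses, ports and the FTP lines are constructed; it also shows why the helper is useless when the payload is ESP ciphertext, since the regexes have nothing to match.

```python
"""Added example: the expectation logic of an FTP connection-tracking helper,
modelled in Python. All addresses, ports and control-channel lines are
constructed for the illustration."""
import re

# Server replies (passive mode): client will open the data connection.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
# Client commands (active mode): server will connect back to the client.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|")


def expected_data_connection(client, server, sender, line):
    """Return (initiator, target, target_port) for the data connection that a
    control-channel line announces, or None if the line announces nothing.
    `sender` is 'client' or 'server', i.e. who sent `line`."""
    if sender == "server":
        m = PASV_RE.match(line)
        if m:  # h1,h2,h3,h4,p1,p2 -> IPv4 host, port = p1*256 + p2
            host = ".".join(m.group(i) for i in range(1, 5))
            return (client, host, int(m.group(5)) * 256 + int(m.group(6)))
        m = EPSV_RE.match(line)
        if m:  # EPSV gives only a port; the host is the control-channel server
            return (client, server, int(m.group(1)))
    else:
        m = PORT_RE.match(line)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            return (server, host, int(m.group(5)) * 256 + int(m.group(6)))
        m = EPRT_RE.match(line)
        if m:  # EPRT |proto|address|port| ; proto 2 is IPv6
            return (server, m.group(1), int(m.group(2)))
    return None  # ciphertext or an unrelated line: no expectation possible


class StatefulFilter:
    """Default-deny inbound filter with conntrack-style expectations."""

    def __init__(self):
        self.expectations = set()

    def inspect_control(self, client, server, sender, line):
        """Feed one control-channel line; register the expectation it implies."""
        exp = expected_data_connection(client, server, sender, line)
        if exp:
            self.expectations.add(exp)
        return exp

    def admit(self, src, dst, dport):
        """Admit a new connection only if it matches an expectation; the
        expectation is consumed so the hole cannot be reused."""
        key = (src, dst, dport)
        if key in self.expectations:
            self.expectations.discard(key)
            return True
        return False


if __name__ == "__main__":
    fw = StatefulFilter()
    client, server = "2001:db8::10", "2001:db8:1::20"
    print(fw.inspect_control(client, server, "server", "229 Entering Extended Passive Mode (|||6446|)"))
    print(fw.admit(client, server, 6446), fw.admit(client, server, 6446))
```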
You are, of course, absolutely right. The difference is that NAT provides these useful bits by default, as a matter of course. A pure Firewall Solution(tm) would most likely require someone with letters trailing their name to properly configure and deploy.
Huge difference.
Why push for such a change, unless there are more benefits than 'you only lose some of the upshots'?
"Type an address, a prefix length, and a gateway and go. What's so tricky about that?"
You ever tried to type in three dozen IP6 addresses manually and then have to go back and find the typo? No, didn't think so. Idiot.
Whoa whoa, that was such a killer putdown (not), trying to karma surf on the back of his comments. Aww, didn't work though did it?
You're manually configuring a network of about 40 computers and I'm the idiot. Irony, thy name is Viol8.
Dewey, what part of this looks like authorities should be involved?
No. You are using the name of a part to describe the whole - a device with NAT comes with other stuff but that is not what NAT means. It is a slightly more technical means of falling into the same trap as those folks that call the beige box that plugs into their screen a "hard drive" which makes life difficult when talking about these things.
"You're manually configuring a network of about 40 computers and I'm the idiot. Irony, thy name is Viol8."
Oh right, so you've never had issues like we've had with IP6 autoconfig, but yet you know it all and I'm the troll?
You really are a twat, aren't you. Still, that sums up a lot of people on here - A grade know-nothings.
That's kinda my whole point right there. A NAT router does include concepts that require all sorts of letter-scrambles and RFC's to properly cite. The end user, however, simply does not care. Nor should they ever need to.
Step outside of the language-police world for just a minute and understand that a beige box without a hard drive is broken to most users. The 'hard drive' is the most important part of the box, contains all their data, and determines (via housed drivers and software) how the entirety of the rest of the box will behave. It's also the most prone to failure. Calling a PC a hard drive is incorrect if you feel that you need to control the language of the conversation to have power over it. Let go of that control, and it isn't that bad of a word to use to describe the unit. Do I need a car analogy, cause I can whip one up real quick...
A NAT device without DHCP and simple port forwarding simply betrays the purpose. NAT is meant to share an IP and an effective device will do this readily.
So to correct your comment, I am using the commonly observed effect of properly providing that part to describe the whole. Which really shouldn't be a stretch, outside of argue-on-the-internet land.
We have hit the Barbarian vs Farmer argument here - where the barbarian rulers just want the farmers to provide as many goodies as they can and do not care how. When we hit the problem where it is not possible to convince someone that being correct is correct it makes it very difficult to communicate.
The O'Reilly crab book (about TCP/IP - I can not recall the title) defines things very well and is in many libraries if you do have a technical viewpoint.
So why is it important to not make up new and personal meanings for existing words? For example, I do not want some marketing Eloi to confuse me and say NAT is not working because they think the term is impressive (and want some of the silly conversational "control" mentioned previously). I would prefer them to just tell me the black box that is almost entirely for other purposes is stuffed, or what is indicating to them that something is wrong.
X.400 didn't have that advantage - a major entity announced that it was going to be using X.400 Real Soon Now, and you'd need to use it to be compatible with them when they got around to it, but if you really cared about that you could hack up Sendmail to translate to something your X.400 server would accept.