There are many ways of screwing up a users computer for nefarious uses - honey potting them with pop-ups on dodgy websites that install mirc botnets, the user opening the email with britneynaked.jpg.bat as the attachment, distrbuting autorun.inf files on usb keys (I beleive a security assessment firm contracted by a British bank scattered 100 usb flash drives in the vicinity of the bank's head office at lunch with an autorun file to report back when bank employees plugged them into their workstations out of curiousity - a high percentage did)
The main threats that using NAT removes are the outside influences caused by a direct incoming connection - remember Windows Messenger pop-ups (winpopup?) advising the user to go to a certain website to clear spyware? Or a Windows 98 machine simultaneously dialled up to the Internet through a modem and connected to a LAN - File & Print Sharing switched on? AT least when the user is behind a NAT - any pings to port 139 are ignored unless the user specifically allows such activity which indicates a level of technical knowledge such that they can secure their machines adequetly.
I must confess only an beginner's knowledge of iptables coming as I do from a Windows background but from what I can see - this configuration would need to be replicated on each workstation - grand if you image each harddisk - but would it not be easier to set this rule at the gateway that provides NAT? What if you want to allow a certain port - for example the company relaxes restrictions on MSN Messenger usage (Gaim on Linux I suppose) - the admin must either go to each machine or re-image each workstation - quite tedious.
Not really the main thrust of my point - but how are these addresses allocated - a DHCP process by the ISP?
Often times - NAT is a security feature in networks - keep the bad guys out; disable USB ports, remove floppies etc - and lock down the introduction of foreign code to a system (Virii, spyware, malware...) - an analagy is once you get into the building - its all yours where you go.
IPv6 would require a complete rethink of this security structure - each device connected to the Internet would have to able to fend for itself - the analagy being the front door of the building is open to all - but you need a key for each room.
IPv4 can be viewed as an incubator for IT security, ahead of IPv6 which throws the device out intot he world - a bold move by Microsoft who seem to push the concept of IPv6..!
Slashdot Mirror
There are many ways of screwing up a users computer for nefarious uses - honey potting them with pop-ups on dodgy websites that install mirc botnets, the user opening the email with britneynaked.jpg.bat as the attachment, distrbuting autorun.inf files on usb keys (I beleive a security assessment firm contracted by a British bank scattered 100 usb flash drives in the vicinity of the bank's head office at lunch with an autorun file to report back when bank employees plugged them into their workstations out of curiousity - a high percentage did)
The main threats that using NAT removes are the outside influences caused by a direct incoming connection - remember Windows Messenger pop-ups (winpopup?) advising the user to go to a certain website to clear spyware? Or a Windows 98 machine simultaneously dialled up to the Internet through a modem and connected to a LAN - File & Print Sharing switched on? AT least when the user is behind a NAT - any pings to port 139 are ignored unless the user specifically allows such activity which indicates a level of technical knowledge such that they can secure their machines adequetly.
I must confess only an beginner's knowledge of iptables coming as I do from a Windows background but from what I can see - this configuration would need to be replicated on each workstation - grand if you image each harddisk - but would it not be easier to set this rule at the gateway that provides NAT? What if you want to allow a certain port - for example the company relaxes restrictions on MSN Messenger usage (Gaim on Linux I suppose) - the admin must either go to each machine or re-image each workstation - quite tedious.
Not really the main thrust of my point - but how are these addresses allocated - a DHCP process by the ISP?
Often times - NAT is a security feature in networks - keep the bad guys out; disable USB ports, remove floppies etc - and lock down the introduction of foreign code to a system (Virii, spyware, malware...) - an analagy is once you get into the building - its all yours where you go. IPv6 would require a complete rethink of this security structure - each device connected to the Internet would have to able to fend for itself - the analagy being the front door of the building is open to all - but you need a key for each room. IPv4 can be viewed as an incubator for IT security, ahead of IPv6 which throws the device out intot he world - a bold move by Microsoft who seem to push the concept of IPv6..!