Yup.. but clock speed isn't what I'm talking about.
You might find the G4 1Ghz / OS X lets you multitask better, and get MORE work done than the 3.5Ghz P4.... and in that case, clock speed is irrelevant, right?
Let's hear a report when you are done your test.
Okay.. so filing ahead of time to sell your stock, as required by law, is actually evidence of pump and dump. Mmhmm....
That is the REASON the VP has to FILE AHEAD if he wants to sell his shares.... it's to avoid insider trading charges.
It's not insider trading.. as long as he is trading on the same info as everyone else.. it's fine.
Pretend for a minute you are a SCO shareholder... just joe american shareholder... would you sell right now (let's say profit was involved?). What if you know their claims are bullshit.. should your selling be illegal?
Great. I hope it dies. Telemarketing is the phone equivalent of spam.
If only we could deal with spam so easily.
Leave my fucking phone alone.
Try the mac. The clock speeds are misleading.
I'm not going to tell you that a G4/1Ghz is faster than a 2.4Ghz P4......but...
You might find you actually get more work done with less stress on the *cough* slower mac... and that's really the point, isn't it?
The traditional phone companies have the infrastructure, so VOIP means you are paying them anyway.
Yes, the tax structure needs to change.. however..
The whole idea of regional and local phone calls is going to change... it's an artifact of the old phone system. The phone numbering plan will change, everything will change... VOIP is just the first step in getting away from that, as it provides interoperability with the old phone system.
We will have to get past the laws and antiquated rules regarding the absolute waste of resources the POTS system is, start a NEW system of data to every home and location, and a way to charge for it (or otherwise maintain it), and let voice service become just another data service with certain QoS constraints (in this case, low jitter)
So you mean that you have to hand over your driver's license to every merchant, and the only way around this is degaussing your card?
What about simply not giving it to them? I'm pretty sure if I was trying to pay for a pizza or something and the cash kid asked for my driver's license I'd say "No"
You mean for credit card purchase in Texas you have to provide a driver's license? Wow.. the rest of the world, you can just use your credit card....
But there is privacy, then there is privacy......
I don't care if someone sees me out in public. I DO care if someone is following me around, and keeping a record of everything I do.
I ESPECIALLY care if that someone is my GOVERNMENT. I did not elect them to spy on my personal life.
So you would not object to filling out a form every time you left your house or returned, indicating where you went, the time, what you were wearing, the speeds you drove, or walked, and what time you entered/exited from public view at all times?
I think we could all agree, especially with PUBLIC transit.. that tracking people for demographic purposes is actually helpful, and could help build a better system... but we could also agree that we don't want a few people in a position of power to just be able to punch a button and bring up everywhere we went on a daily basis.
That's their fault, regardless of MS or anyone else. IF they can't be bothered to keep their stuff up to date this late in the game, what good are they?
Hell, at least welchia will patch their systems for them...
The more I feel that, regardless of paperwork, or whatever agreements they signed... most of us consider the .com registry and, to a larger degree, the entire DNS system to be a large public trust at the top levels. It works because we all cooperate, and agree to use it... and ONLY because of that.
I think, though of course the devil is in the details, it's time that Verisign learned that its power comes from us, only because we allow it.
How we do that is another story.
Unless you have a good reason to have that crowbar there... like you are a construction worker, and your tools are in the back seat, and you are on the way home from work.
A crowbar kept at the ready to bash someone with qualifies as a weapon. A crowbar that just happens to be present without that intent, is not. The idea is that, without a reasonable reason to have that crowbar, it's assumed your intent is to use it as a weapon.
If I carry a baseball bat in my back seat, same deal.
If I happen to be on the way to a baseball game that I play in, it's certainly not.
by the antivirus commercial sector.
Why won't it fly? Simple.
Symantec, and other antivirus companies, are no different than any other company person out there.. they are NOT elected officials, and are not police officers, or other law enforcement officers.
They have the same level of access, as far as the law is concerned, to virus materials as you or I do. To outlaw sharing such materials means an exception has to be made for them... and that leads to a government controlled, and enforced, business... something we don't want.
This name has nothing to do with wind.. and everything to do with how long winded its politicians were.
1 - Vonage already pays the phone companies.. how do you think their system integrates with the phone grid?
2 - Vonage is NOT your typical last-mile phone company.. and despite what regulation may say, you are already paying either a DSL or Cable provider for the last mile.. and using vonage as a digital service on top of it.
Vonage does not have the benefit of owning the last mile, as your local carriers do... it's not Vonage's fault if the local carriers can't make a profit even with all the resources they have.. we all know they are too slow to change.
This could be multicast... provided the network is setup correctly. That makes it a lot easier.
Also, in this kind of setup you often keep a copy of the master image locally on the drive of each machine, on a separate slice / utility partition... if done properly this lets you re-image in seconds or minutes,
Okay... good example.
let's assume eth0 is "outside" 66.32.64.1, say... and eth1 is "inside" 192.168.0.
The behavior you stated won't happen unless there is an additional rule to block packets arriving for other addresses... because
a) forwarding is on
b) the kernel has a route to 192.168.0.0/24 to eth1.. so it has somewhere to forward the packet.
And I don't want to keep repeating myself.
NAT is not firewalling. NAT provides NO security.
What security you DO get from the average NAT-in-a-box device, firewall, whatever, is not because of NAT but because of OTHER rules and things put in besides NAT.
Quoting that RFC number sure made you look smarter. I'm talking about a threat from your ISP, not from me across the world.. you have no way of controlling whether or not that route exists... and assuming "RFC 1518 says they aren't routed normally on the net" means if I use those addresses, I'm safe, is ridiculous.
A single NAT rule is not enough for anyone out there, and you won't find many devices in the home or business market (other than load balancers) that use JUST a nat rule.. all of them have other security measures in place, either built into the default nat setup, or put alongside it by default... but be very clear, nat is not a necessary component to get the same security.
The article referred to not needing nat in the future. Then the guy says "I won't be quick to give up my NATed firewall." implying that the NAT has something to do with it.
All the security he wants, he gets without NAT... so his allegation that NAT will stay because of his need for a firewall is absurd.
Get it? Look at the topic.
And that's the point.
The original posting mentioned that nat would be around because he "Liked being behind his NAT firewall"... my point was only that NAT has nothing to do with it... and that what he really likes is the firewalling, not the nat.
I'm not trying to bash NAT products, or say NAT is bad.. just that.. we are talking about whether or not we will be using NAT so much in the future, and a LOT of people are thinking and saying "YES, because it's secure" which is wrong.
In the future, I bet we will still have little SOHO firewalls.. but we won't be using the NAT feature.
rp_filter is supposed to be turned on when forwarding is enabled, yes.
reverse path filtering has nothing to do with my example though... and nothing to do with NAT.
ip_forwarding is about routing.... and in routing there is no sense of "inside" or "outside"... no concept of which direction a connection came from.
rp_filter serves to drop packets that look like they were sourced at one interface, but arrived on another one. It's a limited form of spoof protection. It has no knowledge of higher layer protocols like TCP, and certainly no kind of session tracking.
In this case, my source address is perfectly valid, and so is the destination, and no spoofing is involved.
You should never rely on rp_filter for anything.. your firewall rules should take care of that in a more absolute way.
I am in no way trolling.
I am also in no way implying that "NAT is bad" or "NAT devices are insecure".
The article was about NAT... and NAT is not in any way related to firewalling, other than by conveniently often being handled by the same device. So a mention that "Nat won't go away because I like the security of being behind my natted firewall" is totally inaccurate. Yes, I got the firewall part.. but what's NAT got to do with that? Nothing, it doesn't need to be there.
Can I name any appliances that don't do firewalling as well as NAT? Not offhand, nope.. though I can mention a few configurations of cisco routers or linux boxes that can easily accomplish NAT with no firewalling (and have used both with good reason)
I understand the concepts quite well, thanks.
A single snat rule works one way... yes, correct.
So, what happens when I send, let's say, a ping... to your IP address (192.168.1.3) behind your little linux NAT box that ONLY has an SNAT rule, and no other filtering enabled. It has forwarding enabled, and SNAT.. it's a pure NAT box.
Let's pretend for a moment I have a buddy at the ISP, and I've had them add a route to your location for that network... so routing isn't an issue.
Do you think your nat box is going to reject the packet I'm sending? It's not.. it's going to forward it right to your workstation.. it has the proper address.. and there are no rules in place to prevent it.
If it DOES reject it, in a typical linux nat/firewall setup, it is because of a rule on the FORWARD table, usually set to not allow things to initiate from outside.. but then, that has nothing to do with nat, does it....
Will the SNAT rule cause issues with the return packets? Yes... but the fact is, I just routed traffic to your machine.. and that's all it takes to send several of the latest worms.. a single UDP datagram.
Nobody is saying there is one true firewall, or one true way to set it up. In fact I'm not saying anything at all about what you SHOULD do for security.. only that the feature we call NAT is not a security feature, but a convenience one. All the cool pocket firewalls we have will be just as useful with IPV6 WITHOUT NAT... the ONLY purpose of NAT is to translate addresses.. and all the other perceived security features of NAT are actually firewalling features that could equally be had without NAT.
I'm not faulting NAT whatsoever, NAT is good, NAT is great..
but NAT is not security.
Perhaps my point is too subtle... let me try to put it another way.
All the security features you think you get by using NAT are actually not related to NAT at all.. they just happen to be configured along side it, and nobody ever really thinks about it. All of them are available, and work equally well, without NAT in the picture. NAT works equally well without any security features.
My point is not that "NAT devices are insecure" or that NAT is evil.. but that implying that NAT == security in any way, shape, or fashion, is wrong.
What you are describing is typical of hardware NAT firewalls like linksys, dlink, etc., or most PROPERLY configured firewall/NAT gateways...
But in the example I gave, there is no filtering enabled on incoming/outgoing connections.. the only thing being done (other than routing) is NAT...
and NAT has nothing to do with blocking connections... which was the original point.
If you take a linux box, turn on forwarding, and set up SNAT (or masquerade) in prerouting.. you have EVERYTHING you need to share one internet IP address among many computers using a private local network..... and NOTHING you need to enforce any kind of security.
So, yes, I agree that if you control your nat router, you can set it up so that the ISP cannot initiate inbound TCP.... but that is not related to NAT.
You THINK it's related to NAT, because you always see the two set up together.. but they are not related.
The way IPV6 is designed, it will be easier for the ISP to just assign you real address space to all your computers. By "easier", I mean "easier than doing NAT"
IT's not all a scam... the reason ip addresses cost money now, and nat is so common, isn't really because ISPs are greedy.. it's because at some point, the technical guys said "Look we don't have enough space for everyone, and it's a pain to manage" so they give out one address per connection... and at some point, after it was determined addresses were sort of scarce, the ISP figures "If there is demand, we can always sell it"
IPV6 will make things easier.. fosho
If you think NAT buys you anything, you shouldn't be working in the security business.
What you might mean is that you have little hardware NATting firewalls that, in ADDITION to doing NAT also have some security features enabled (not forwarding connections from outside, for instance), so you don't have to do any work... but NAT by itself provides absolutely no security whatsoever.
Those little boxes could be Just as easy to use if we were routing real address space, and they could provide the exact same thing... and it's not harder. The only reason they do NAT is because there is a need for NAT.. not because it is easier, or more secure.
I'm referring to the average home user here.
By full nat, no security, I mean this:
After the configuration I mentioned, the user will be able to use multiple computers behind his NAT box, and they will all be able to surf the net using his one public IP address. So, as far as nat goes, it's doing its job.
By "no security" i mean that, let's say his internal interface is 192.168.1.1/24.... if his nat box receives a packet on the outside interface destined for, say, 192.168.1.3, it will route it to the appropriate box. (The response may be obscured by the nat rules.. depending). An outsider now has complete access, more or less, to the network.
To be more secure, you also need to block all connections not originating inside the network... typically by
- Deny forwarding by default
- Permit forwarding of established connections
- Only allow connections to be established from inside the network.
But.. that's not NAT.. that's just general firewall security stuff...
All I'm trying to say is that nat and security are two independent things, that only look similar at first.. you can have either one without the other.
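The two scenarios argued in the thread (the "pure NAT box" that forwards an unsolicited datagram straight to 192.168.1.3, and the three FORWARD-chain rules that actually stop it) as a small runnable model. This is an added example, not code from any of the posts; it assumes the thread's addresses (eth0 outside 66.32.64.1, eth1 inside 192.168.1.1/24, an ISP route for 192.168.1.0/24) and a constructed remote host, and simplifies SNAT by keeping the source port unchanged. NAT and the forwarding policy are two separate switches, so each can be turned on and off independently.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed topology using the thread's addresses.
INSIDE_NET = ip_network("192.168.1.0/24")   # eth1 side, box is 192.168.1.1
PUBLIC_IP = "66.32.64.1"                    # eth0 side, the one public address


@dataclass(frozen=True)
class Packet:
    in_iface: str   # "eth0" (outside) or "eth1" (inside)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def route(dst: str) -> str:
    """Plain routing: pick an output interface from the destination.
    Routing has no notion of inside/outside or of who started a connection."""
    return "eth1" if ip_address(dst) in INSIDE_NET else "eth0"


class Gateway:
    """A forwarding box with two independent features: SNAT and a FORWARD policy."""

    def __init__(self, nat: bool, firewall: bool):
        self.nat = nat
        self.firewall = firewall
        # SNAT state: (proto, remote_ip, remote_port, local_port) -> original inside src.
        # Simplification: the source port is not changed when translating.
        self.nat_table = {}
        # Connection tracking used only by the firewall: flows started from inside.
        self.established = set()

    def _undo_snat(self, p: Packet) -> Packet:
        """PREROUTING: map a reply addressed to the public IP back to the inside host."""
        key = (p.proto, p.src, p.sport, p.dport)
        if self.nat and p.dst == PUBLIC_IP and key in self.nat_table:
            return replace(p, dst=self.nat_table[key])
        return p

    def _forward_allowed(self, p: Packet) -> bool:
        """The FORWARD chain. With firewall=False anything routable is forwarded."""
        if not self.firewall:
            return True
        # Permit forwarding of established connections (the reply direction).
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.established:
            return True
        # Only allow connections to be established from inside the network.
        if p.in_iface == "eth1" and ip_address(p.src) in INSIDE_NET:
            self.established.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # Deny forwarding by default.
        return False

    def _apply_snat(self, p: Packet, out_iface: str) -> Packet:
        """POSTROUTING: rewrite the source of inside packets leaving via eth0."""
        if self.nat and out_iface == "eth0" and ip_address(p.src) in INSIDE_NET:
            self.nat_table[(p.proto, p.dst, p.dport, p.sport)] = p.src
            return replace(p, src=PUBLIC_IP)
        return p

    def handle(self, p: Packet):
        """Return (output_iface, packet_as_sent) or ("drop", None)."""
        p = self._undo_snat(p)
        out_iface = route(p.dst)
        if out_iface == p.in_iface:
            return ("drop", None)   # destination is on the arrival side; nothing to forward
        if not self._forward_allowed(p):
            return ("drop", None)
        return (out_iface, self._apply_snat(p, out_iface))


def unsolicited_inbound(gw: Gateway) -> str:
    """The thread's scenario: the ISP routes 192.168.1.0/24 to this box and an
    outside host sends one UDP datagram straight to 192.168.1.3. Returns where it goes."""
    out_iface, _ = gw.handle(Packet("eth0", "udp", "203.0.113.7", 4444, "192.168.1.3", 12345))
    return out_iface


def web_browsing(gw: Gateway):
    """192.168.1.3 opens a connection outwards and the server replies.
    Returns (source address seen on eth0, reply output iface, reply delivered to)."""
    out_iface, sent = gw.handle(Packet("eth1", "tcp", "192.168.1.3", 40000, "198.51.100.10", 80))
    if sent is None:
        return ("drop", None, None)
    reply_iface, delivered = gw.handle(Packet("eth0", "tcp", "198.51.100.10", 80, sent.src, sent.sport))
    return (sent.src, reply_iface, delivered.dst if delivered else None)


if __name__ == "__main__":
    for nat, fw in ((True, False), (True, True), (False, True)):
        gw = Gateway(nat=nat, firewall=fw)
        print(f"nat={nat!s:5} firewall={fw!s:5} inbound->{unsolicited_inbound(gw)} browsing->{web_browsing(gw)}")
```

Only the firewall flag decides whether the unsolicited datagram reaches the inside host; NAT on or off changes what the outside sees as the source, and nothing else.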