I'm not aware of any common implementations of NAT (we're actually talking about PAT) besides Cisco IOS that will route just any packet to the internal network while in NAT mode. But for most home users, it amounts to the same thing as a firewall blocking incoming traffic.
Linux's does. I just confirmed it on my machine here with vmware.
I'm not aware of any common implementations that don't just route packets when only doing NAT. And that's all they should do. There is nothing in the NAT standards (RFCs 1631 and 2663) that specifies dropping packets that aren't in the NAT process. If a device is doing such things, then by definition it is doing more than just NAT. It is doing at least packet filtering and probably a stateful firewall.
NAT makes it incredibly easy for companies who don't own their own IP block to move to different ISPs at will.
As do properly set up DNS and DHCP.
Not nearly as easy as NAT. Especially when an internal WAN is involved. I'm talking about larger networks than 10 PCs and a Windows 2000 file server.
Ok, maybe not quite as easy as NAT. But it isn't immensely difficult. I would argue that the benefits of using routable addresses (with a firewall) are worth the extra trouble when changing upstream providers.
How in the world is SSH broken by NAT? I use it all the time through NAT.
Do you ever use it to access multiple machines behind NAT? And what do you do when it yells at you about screwy host keys? Just ignore it and hit yes, thereby negating most of the security SSH provides you?
Most IPsec implementations have a NAT traversal mode.
See RFC 2663, section 9.0. Here's the juicy bit:
With the exception of RSIP, end-to-end IP network level security assured by current IPsec techniques is not attainable with NAT devices in between.
And again, there are real problems if you have multiple machines doing IPSec behind the NAT. The VPN masquerade configuration in the linux kernel warns about this.
And PPTP? That is solved by NATing to a pool of public addresses.
Well if you're going to all that trouble, why don't you just give the actual machines the public addresses and use a firewall, thereby significantly reducing the complexity of this setup?
As does IPv6. Or does this hypothetical business have more than 2^64 computers?
NAT has the distinct advantage of being available now.
As does IPv6 (at least more so outside North America). Perhaps if less people were disillusioned by NAT, it would be more common there too.
I also work with MANY businesses and NAT is a pain in the ass, especially for those with all but the simplest of needs.
Then I suggest that you just don't know how to take advantage of the benefits of NAT. For example, I do work for a medium sized financial institution about to change ISPs and public subnet. If they didn't do NAT, it would be a huge problem trying to coordinate a re-IP with their many remote locations, vendors, and clients. NAT is allowing them to make a seamless transition. This kind of thing happens more often than you'd think.
I've renumbered networks with multiple locations, one with >150 machines at a location. As I admitted already, it isn't quite as simple as with NAT, but it isn't the extreme pain in the ass you're making it out to be if you're using DHCP and have systems configured to use DNS hostnames wherever possible instead of hard coded IP addresses.
Until IPv6 catches on, I won't set up a client without NAT. Well, unless they have some critical application that absolutely will not work through NAT, but so far that hasn't been much of a problem.
Same here. Most of my clients don't want to pay the two or three limbs that ISPs charge for big enough routable blocks of addresses.
Right, but NAT in a practical sense (i.e. a Linksys router - the "NAT" that 99.9% of the public is talking about) is effectively a stateful firewall - for every packet coming in from the WAN it tries to match it up with an outbound connection (or it forwards it to a specified machine if the rules are set up such), and packets which don't map it drops to the ground.
That's just NAT and a firewall combined into one system. NAT doesn't drop packets, it just alters certain ones under certain circumstances. The part about dropping all packets except those that are replies to outbound connections that you mentioned - that's a stateful firewall. That is above and beyond the definition of NAT. If you yanked all the NAT functionality out of those linksys routers and left only the stateful firewall behind, they would be no less secure.
I'm pretty sure we are actually talking about PAT (Port Address Translation) and not one-to-one IP translations. PAT is stateful by nature and disallows any inbound traffic that isn't associated with an outbound connection. Whether you like it or not, it does offer protection that would otherwise require a firewall.
I guess that's what we're talking about. Every time I've ever used it it was called NAT, and yes what I am thinking of is stateful by nature. It keeps track of translated outbound connections and watches for the return traffic, and if it matches it translates them back again. But the point is it doesn't have any effect on incoming traffic which is not in its table of translated connections. So if I try to establish a connection out of the blue to a computer on the inside of your network while your router is doing NAT only, your router will just happily pass my packet along, un-munged, to my target machine.
Now your router might say, block everything by default, allow outbound traffic and keep track of outbound connections and only allow replies back in, but that is a basic stateful firewall, not NAT (or PAT).
Explain to me why a person with NAT is only "pretending" to have security and a person with a router blocking incoming connections has real security. It amounts to the same thing. Nobody can connect to your PC from the internet...
Ok, I'll explain it: The person whose router is doing only NAT is not blocking any incoming connections at all. If the connection in question is broadband, people on the same subnet can set up routes to the vulnerable party's RFC1918 address block with that person's public address as the gateway. Anyone with sufficient access to the ISP's routers can set up these routes to pass traffic into your network from anywhere in the ISP. So if you're using NAT without a firewall, your network is wide open to nearby people on the same ISP or anyone with sufficient access to the ISP's systems. For starters.
NAT makes it incredibly easy for companies who don't own their own IP block to move to different ISPs at will.
As do properly set up DNS and DHCP.
For businesses, NAT is great. Few businesses use protocols that are broken by NAT.
SSH? PPTP? IPSec? These protocols are all broken by NAT. Many businesses use them.
It allows nearly unlimited internal network growth without worrying about getting a new public subnet when you outgrow your old one.
As does IPv6. Or does this hypothetical business have more than 2^64 computers?
I work with MANY businesses and NAT is great. The only problem I have with NAT in a business environment is dealing with the difference between internal and external DNS. That can be a pain.
I also work with MANY businesses and NAT is a pain in the ass, especially for those with all but the simplest of needs.
Huh? You claim that NAT "does nothing for security", but then go on to claim that it's the same as a firewall that disallows incoming connections : No shit. That's precisely why NAT does "something" for security -- it's like a limited firewall that only allows outgoing connections, or replies to those connections.
That's totally wrong. NAT does not prevent any kind of packets from moving in either direction. It just modifies packets moving in a certain direction. If you have NAT without any firewall rules to actually disallow incoming connections, your network is quite vulnerable.
You can't send a packet to a box behind a NAT unless it's part of a connection initiated by the machine behind the NAT.
Wrong. You can send all the packets you want to a machine behind a NAT router if the routing on the outside is set up right.
It is a firewall which only allows packets related to connections that were established by something on the inside. A firewall is what you are thinking of. As has been said many many times before, NAT has absolutely nothing to do with security.
No, there is nothing simple about remembering those addresses (haven't there been studies that say 7-10 numbers in a row is about all we can remember?)
And IPv4 addresses can be up to 12 digits long.
So here we have 10+ numbers and letters that don't make much sense
As opposed to 4-12 digits that don't make much sense?
Nothing is simplified there until you get the DNS up and running for it
Nothing is simplified for IPv4 until you get DNS up and running. And I would argue that IPv4 is more complicated if you have NAT to deal with.
(not that this is hard or anything but it isn't exactly easy)
What is hard about it, exactly, that isn't hard with IPv4? Aside from the fact that the addresses are harder to remember?
Most people that want to have multiple computers connected to the Internet use a NAT router and at least protect themselves SOMEWHAT from the outside threats
NAT does not protect anyone from outside threats. A firewall does. If you have NAT without a firewall, your network is quite insecure. If you have a firewall without NAT, your network is no less secure. NAT has nothing to do with security.
Can you imagine what would happen if all the Comcast retards were straight to the Net with their own IP on each computer?
It probably wouldn't be much different than if they were straight onto the Net under IPv4 without a firewall.
You think Comcast is going to move for a switch when they make $10/mo per extra IP?
They won't have a choice if demand goes up sufficiently.
Get with the times. :-) It's pretty common nowadays to have ethernet switches with a fiber ring uplink.
I know that. It just sounds kind of weird and overbuilt. I worked at a big retail store about 10 years ago, and the IT infrastructure wasn't nearly this complicated. And last I was in a Walmart I didn't notice so many network connected machines around the store to need this kind of stuff. You'd think that their needs would be simple enough to just run cable drops all throughout the store to one central location.
Your typical store has at least 6 sets of switches: UPC office (where the servers are kept), GM (General Merchandise), GRC (Grocery), Garden Center, PICS (in the Electronics Department), and Receiving. These switches are laid out into at least 3 vlans: POS, Non POS, and Wireless. By default, the POS vlans are set to ports 1-12 on the switch. The switches are connected by a fiber backbone that usually involves two separate physical routes...so if one is cut, the other will be able to pick up the load. They're concentrated to some Cisco routers, and it'll go out either a 56K modem line or a T1 line, using a Hughes Satellite link as a backup.
So these 6 sets of switches are located in various places in the store? And there's a fiber backbone linking them all together?
Then whose fault is it? Who is responsible for their computers?
If they were forced to take responsibility for their computers and maintain their security then there would be a lot fewer zombie machines spewing spam and ddos attacks at other people. I'm guessing most of these students wouldn't care even if they knew what was running on their systems as long as they could keep doing what they want.
If SP1 or 2 screws up their machine because it was loaded with spyware, that is excellent. The owner is now forced to take responsibility for their machine and fix it rather than continuing to allow it to bother everyone else on the internet. Those machines should not be anywhere near an internet connection in their current state.
He is totally avoiding both questions about comparison with postgres and why should anyone even care anymore about their database when postgres is more advanced already. He didn't put out a single reason or a feature that would attract people from postgres to them.
That's what marketing people and management are really good at - talking a whole lot but actually saying nothing at all. He wrote over 100 words in response to the postgres/mysql comparison questions, but didn't say a single meaningful thing. Are there classes in business school that teach this skill or something? "Empowering Best-of-Breed Verbally-Enabled E-Solutions 101"?
How is it my business? Well they made it my business. I can't not listen to them. I sincerely wish it were not my business, but they decided to force it to be my business.
Oh, and by the way, Islam is NOT a religion. I don't know of any other religion in the world that says it's okay to cut off people's heads and fly planes of innocent people (who are not soldiers) into a building full of more civilians.
Islam doesn't say it is okay to do that. A few cult leaders did.
Islam is a reason for crazy morons to blame their sociopathic behavior on someone/thing else. God told me to do it!
And crazy morons use Christianity to blame their sociopathic behavior on something else too.
I'm not aware of another religion that is so violent, teaches you to hate everyone that is not like you, and treats women like dog shit as much as Islam. I am atheist, but at least Christianity teaches forgiveness and love (except for Catholicism, which only teaches fear and okays criminal behavior, like Islam).
The bottom line is the religion is completely irrelevant in this war. If you swapped Christianity in the US and Europe with Islam in the middle east, I assure you, no one's behaviour would be any different. The trade centers would be leveled in the name of Jesus, and Mohammed commands Bush to wage war in the middle east. As an atheist you should acknowledge that religions are just constructs put together by men, and so men can make them say anything they want.
Religion works like this: some sociopath comes along and says 'god (of any religion) told me that we need to do this or that. you should follow me.' and a bunch more nutcases believe him and carry out his wishes. People aren't following some god, they're following a man and his interpretation of some book written thousands of years ago (if even that).
You can't blame Islam for anything. There are as many interpretations and cults in that religion as there are in Christianity. One leader says Islam commands them to kill many americans, another leader says to make peace. Who is the true Muslim? Neither of them, because there is no true Islam and there is no true Christianity. There are just interpretations and fabrications made by men.
1. They started the war by attacking us, so WE are the ones that are fighting back.
No, Iraq didn't attack us. However the Afghanistan government at the time (Taliban) was sheltering and hiding those that did, so that was much more easily justifiable.
2. You're right - it is war. So why don't we just level the enemy into a fine dust and come back home?
That would probably violate some war crime laws and would make us as bad as al Qaeda.
3. I think freedom FROM religion is as equally important as freedom OF religion.
So get a better skin? See, there's the beauty of the system - you can download another one!
Well the point is even if I found a nice looking skin, there are still things that skin doesn't do that a standard UI doesn't. It doesn't obey my global settings for things like display DPI and font sizes. I've never tried to design a skin before, but as far as I can tell they are all just a bunch of bitmaps. Themes are more advanced. They give you the prettiness of skins and the flexibility and functionality of a plain GUI.
Doesn't the version mismatch between cstrike and halflife cause problems? I remember at lanparties I've been to, a very common problem was people accidentally installing the latest CS and forgetting to upgrade halflife too.
The first suggestion (sending only the character positions you can directly observe) would actually reduce the network load, since the amount of data to send would shrink.
Well that still wouldn't thwart aimbots, except for opponents behind walls. But you're not as interested in those anyway.
The 'security module' is only downloaded on those servers that are running VAC. (Valve Anti-Cheat) I've joined hundreds of servers without having to download the VAC security module.
Well I guess Nat Sel is different, but I have never been on a counter strike server that I did not have to download the security module. Not one.
Cheaters? Find a server using CD (Cheating Death) and play on those...or just switch. Only about once a month at most do I encounter a server with a cheater. (I mostly play Natural Selection, however, YMMV)
I see servers are now telling users that they will start using the third party anti-cheat programs again like they did in the pre-steam days. In my experience those seem to work a little better, maybe because they're updated more frequently but ultimately they'll be cracked too for the same reasons Valve was.
If Valve is worth their salt, they'll have to move to limit the information sent to players, giving them only what they should be able to observe and nothing more. Sending only the character positions you can directly observe would be one method, which would destroy wallhacks, but leaves aimbots unscathed. I think the only good way to counter aimbots long term is to offload rendering to a server, but that's borderline insane. Both of these suggestions mean an increase in lag, but that's what we get for using a system where failures to transmit mean waiting for random milliseconds.
This strategy is frequently discussed w.r.t. cheating, moving more stuff onto the server side, but that's impractical for performance reasons. Performance (network in particular) is pretty important in games.
When I first started playing the Steam versions of Valve's games, I thought this 'security module' was a big, critical piece of the game's code, and you had to download it all the time because Valve changed it frequently to stay one step ahead of the reverse-engineers and there were many versions in rotation at once. But apparently that's not how it works.
A shame too, that method might actually work. You can't prevent people from reverse engineering code running on their own computer, but reverse engineering takes time. If someone on the other side is releasing new versions faster than they can be reverse engineered, then they've effectively thwarted the reverse engineers. I don't think there will ever be a machine which can prevent a human from reverse engineering itself. But if there's another human constantly changing the machine, working against the reverse engineer, they might succeed. It would just be a question of which human can work faster. I doubt we'll ever see this from a video game company though. That would require they have programmers employed to do this. They'd rather just sell the game and be done with it.
No, currently Steam acts as a worthless piece of crap which makes it impractical to play the latest counterstrike at an offline LAN party since you can't just download a specific version when you want.
It also forces you to spend 20-30 seconds each time you connect to a game server to download a 'security module' to prevent cheating. Needless to say, counter-strike is full of cheaters once again despite this security module garbage. However at the rate Valve is screwing up HL/CS, they won't have to worry about cheaters in the future anyway because it will not be worth anyone's time to play their games.
Interconnect delay (latency) is reduced. Signals propagate traces on a die (silicon chip) are orders-of-magnitude faster than printed-circuit board (PCB) traces.
But isn't most of the communication cpu to/from memory, not cpu to cpu?
NAT doesn't require a firewall:
iptables -t filter -F
iptables -t nat -F
iptables -t nat -I POSTROUTING -o iface0 -j MASQUERADE
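The distinction argued throughout this thread, as an added illustration that is not part of any poster's comment: a toy model of a router's forwarding path in which translation and filtering are separate decisions, so the same unsolicited inbound packet can be run through a NAT-only router and a NAT-plus-stateful-filter router. The class, the port numbering and all addresses are assumptions constructed for the example; it does not reproduce netfilter internals.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# All addresses below are constructed sample values (documentation ranges).
WAN_IP = "203.0.113.5"                 # router's public address
LAN = ip_network("192.168.1.0/24")     # RFC 1918 network behind the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str  # interface the packet arrived on: "lan" or "wan"


class Router:
    """Toy forwarding path: translation and filtering are separate decisions."""

    def __init__(self, stateful_filter):
        # stateful_filter=False models the three commands above (filter table
        # flushed, MASQUERADE only). True models the addition of a default-drop
        # FORWARD policy that accepts LAN-originated traffic and packets in
        # conntrack state ESTABLISHED,RELATED.
        self.stateful_filter = stateful_filter
        self.flows = {}     # (inside ip, inside port, remote ip, remote port) -> public port
        self.by_port = {}   # public port -> the same 4-tuple
        self.next_port = 40000

    def forward(self, pkt):
        """Return the packet as it leaves the router, or None if not forwarded."""
        if pkt.in_iface == "lan":
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt):
        # Masquerade: rewrite the source and remember the mapping.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=WAN_IP, sport=self.flows[key])

    def _inbound(self, pkt):
        key = self.by_port.get(pkt.dport) if pkt.dst == WAN_IP else None
        if key and (pkt.src, pkt.sport) == key[2:]:
            # Reply to a tracked connection: reverse the translation.
            return replace(pkt, dst=key[0], dport=key[1])
        # No translation entry. NAT has nothing to say about this packet;
        # whether it goes any further is purely a filtering decision.
        if self.stateful_filter:
            return None                 # not ESTABLISHED, so dropped
        if ip_address(pkt.dst) in LAN:
            return pkt                  # routed to the inside, unmodified
        return None                     # addressed to the router itself, not forwarded


def demo():
    """Run the same traffic through both configurations.

    Returns {name: (reply_forwarded, unsolicited_forwarded)}.
    """
    results = {}
    for name, router in (("nat_only", Router(False)),
                         ("nat_plus_filter", Router(True))):
        # Inside host opens a connection; the remote side answers.
        router.forward(Packet("192.168.1.10", 51000, "198.51.100.7", 443, "lan"))
        reply = router.forward(Packet("198.51.100.7", 443, WAN_IP, 40000, "wan"))
        # A neighbour on the WAN segment routes a packet straight at the
        # inside address, with no prior outbound connection.
        unsolicited = router.forward(
            Packet("203.0.113.77", 40001, "192.168.1.10", 22, "wan"))
        results[name] = (reply is not None, unsolicited is not None)
    return results


if __name__ == "__main__":
    print(demo())
```

Replies work identically in both configurations; only the router with the filter refuses the packet that matches no tracked connection.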
I don't know either. But I didn't say fiber, he did.
You don't need to be anyone special to start judging someone if they pull up to you at a GAS station yapping on the phone while they handle the pump.
thicker skin? no, we'd need to grow some fire-resistant skin.
Didn't OS/400 (on the AS/400 aka iSeries) also evolve from OS/360?
Me too.
No, currently Steam acts as a worthless piece of crap which makes it impractical to play the latest counterstrike at an offline LAN party since you can't just download a specific version when you want.
It also forces you to spend 20-30 seconds each time you connect to a game server to download a 'security module' to prevent cheating. Needless to say, counter-strike is full of cheaters once again despite this security module garbage. However at the rate Valve is screwing up HL/CS, they won't have to worry about cheaters in the future anyway because it will not be worth anyone's time to play their games.
Good work Valve.