Dave,
I agree fully. By today's standards, the NAT-firewall is no longer
much of a shield.
I also agree that IPv4 is also not something to build on for the future,
stepping up to IPv6 is the way to go. One has to be prepared for it
since the transition is occurring now at a higher speed. Getting hold of
IPv4 addresses is increasingly hard.
It's worth noting that rolling one's own security scheme is very hard,
cryptos even more so. It's highly encouraged to "go with the flow" and
use at least one of the stock solutions that is developing with the
challenges. I just expect that the K4 development will do so very soon
after getting most of the basic things out of the way. Using a Linux
platform is a great way to do it, there will be plenty of tools there,
so it is down to use them wisely.
Cheers,
Magnus
On 2022-02-09 16:49, David Herring wrote:
Victor,
To answer your question directly, no, NAT does not provide adequate security
... for anything.
The best NAT can do is provide obfuscation, or “security by obscurity” which
has been proven beyond the shadow of any doubt to be no security whatsoever.
It just hides information that can be gotten through other means.
NAT is strictly for IPv4 and is thus unable to protect IPv6 hosts in any way,
unable to defend against man in the middle attacks, injections into existing
connections, port scanning attacks, internal willing host attacks… I dunno, I
could probably go on but maybe you get the idea.
It seems that all attacks assume there is a NAT component somewhere in the
chain and are well prepared to defeat it as a matter of course. And they can in
very short order.
All NAT really accomplishes is it gives us the means to have way more IPv4
machines than we have address space for. It’s not security of any sort. I
don’t think it ever was.
If you are relying solely upon NAT to protect your home network, that you have
not already been hacked is just a matter of luck. I run a commercial quality
firewall on my network (thanks to almost 40 years of working in IT) and I get
scanned, probed and prodded all the time. Nearly all of them would have
defeated a NAT without firewall in a matter of seconds.
Now, if you have a firewall along with your NAT device, and my experience is
that many modern ISP devices do both firewall and NAT together, then as long as
you have not opened up ports or disabled firewall rules, then you are probably
OK. But the key point here is that you have a firewall. Security is really
outside of NAT’s wheelhouse.
73,
Dave - N5DCH
On Feb 9, 2022, at 1:29 AM, Victor Rosenthal 4X6GP <[email protected]> wrote:
Most home routers have NAT (network address translation). Does this provide
adequate security for this application?
If not, why not? Serious question, not a challenge!
73,
Victor, 4X6GP
Rehovot, Israel
CWops #5
Formerly K2VCO
https://www.qsl.net/k2vco/
On 09/02/2022 10:00, Henk Remijn PA5KT via Elecraft wrote:
The K4 is accessible through telnet on port 9200.
No security.
It is always a good idea to have security but I would prefer to have
the telnet without security and put the security in the network.
Make sure you have a good firewall between the internet and your
radio equipment. Don't trust your internet provider. Always put a
firewall between your internet provider firewall/router and your home
network.
73 Henk PA5KT
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[email protected]
This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Message delivered to [email protected]