Text 12573, 133 rader
Skriven 2010-11-24 11:19:31 av Michiel van der Vlist (2:280/5555)
     Kommentar till en text av Peter Knapper (3:772/1.0)
Ärende: Routers and firewalls
=============================
Hello Peter,

On Wednesday November 24 2010 17:05, you wrote to me:

 MvdV>> Computers have so much power these days, that I do not think this
 MvdV>> is an issue for that user with one computer.

 PK> However I was not thinking of processing power, rather reducing
 PK> complexity by removing the WAN interface requirement from the
 PK> Computer. This means that just about any computer can be dropped in
 PK> place of the original with no (or minimal) Networking changes
 PK> required. With a fixed Host doing the WAN interfacing, this would add
 PK> (IMHO) complexity to that one computer.

I see your point and share you opinion. Up to a point. True, having the WAN
interface implemented in a seperate device removes complexity from the
computer. Making it easier to replace. However it adds overall complexity to
the system by adding that extra device. If that device needs to be replaced,
you have to do the networking configuration anyway. So in case of just one
computer as far as overall complexity is concerned, there may be little or no
gain. The gain may even be negative.

 PK>> AND it allows me to place certain criteria on that connection,
 PK>> external to the machine in question, without the need to modify
 PK>> the Machine in question.

 MvdV>> Makes sense if you have more than one machine. Makes
 MvdV>> less sense if you have only one.

 PK> Even with one it makes perfect sense to me, as it allows me to place a
 PK> barrier between the Public world and the Private world.

In case of a single computer, it does not make much difference where you place
the barrier.

 PK> That extra Barrier adds complexity to the task of breaking it for the
 PK> hacker.

Ah, wait a minute. Now we are talking about an EXTRA barrier. In the previous
paragraph we were discussing removing complexity from the computer. Now, when
it is an EXTRA barrier, the reducing complexity no longer applies. An extra
barrier adds complexity.

 PK> Of course nothing is ever permanently resolved in this setup, as new
 PK> issues are found almost daily. However these "issues" are most likely
 PK> protocol specific.

I also note that two barriers are not necesarily harder to take than one. One 2
meter high wall may be more effective than two 1 meter high walls. Multiple
barriers are more effective if they are not of the same kind. A mote plus a
wall is more effective than two walls. In the latter case an intruder must be
able to climb, in the former case he must be able to swim as well.

 PK> If just one machine is managing that Barier, then I have to be pretty
 PK> confident on getting it exactly right, and I have worked in the
 PK> Professional Networking area for long enough to know that even purpose
 PK> built devices can still have bugs. One only has to search the Cisco
 PK> Database on fixed issues to find out about these...

All very true. No intrusion protection os perfect and it is an ongoing battle.

Still... if you have only one computer, you do not need a router, what you need
is a firewall. Then again the easiest and cheapest way for a home user to get
an external hardware firewall is to buy a home router...

 MvdV>> It is just that I get the impression that many think that a
 MvdV>> router with NAT is essential for connecting to the While in fact
 MvdV>> NAT is a kludge needed because ISPs will only give one IPv4 address
 MvdV>> to private customers.

 PK> I do not consider NAT a Kludge at all, however it IS an added
 PK> "work-around" to the limited IP Address space issue with IPV4,

I call it a kludge because it breaks a lot of things that have to be fixed with
other work arounds like UPnP. Things would be far less comples and work better
if there were no shortage of addresses and the Internet could work as origially
designed - full end to end connectivity for all devices. IPv6 will restore that
functionality but in the meantime we wil have to do with NAT if us end users
want to connect more than one devive to the InterNet.

 PK> PLUS it is used heavily to enhance protection to Private environments
 PK> that need Public access.

But that is only a side effect. The only protection that NAT (One to many NAT
to be precise) offers is that it drops unsolliciteted incoming packets because
it does not know where to forward them to unless explicitly told. A statefull
firewall does exactly that but without the holes created by work arounds to
make some p2p applications work across NAT.

 MvdV>> Also many seem to think that NAT is a safety feature. It is not.

 PK> NAT by defaut does add a (thin) layer of "safety" (IMHO), however like
 PK> most of TCP/IP, one realy does need to know what one is doing, before
 PK> one allows such a setup loose in Public...

You said it: a thin layer of safety....

 MvdV>> (*1) It may be that only 29 are available for the user. If what you
 MvdV>> get is actually a /27 subnet, than the one with the last five bits
 MvdV>> set to zero is the subnet address, the one with the last five bits
 MvdV>> set to one is the broadcast address and the modem istself will also
 MvdV>> take one address. But I am not sure if it works that way, and I
 MvdV>> have no way to check. Nor the need, as I will never get 32 IPv4
 MvdV>> addresses from my ISP.

 PK> You are right, using conventional Network design, however here in NZ,
 PK> with ADSL, (normally implemented as PPPoA) most Private Homes connect
 PK> using a /32 mask and have jsut 1 Public IP address, and certain
 PK> "work-arounds" are handled by the ISP to allow things to work without
 PK> a separate Broadcast address and Network address.

I think it is the same here. With the cable that I have now, it is a bit
different. My router is configured to get its WAN address via DHCP. It shows a
subnet mask of 255.255.254.0. So it would seem I am part of a /23 subnet. But
the other users on that subnet are invisible to me. A ping to the acompanying
broadcast address gives no response.

Also, I suspect the ISP needs one more public address to serve me. I suspect
the cable modem has a public IPv4 address of its own. The modem has a web based
management interface that I can access it from my side at 192.168.100.1. ( User
admin, password motorola ). I can see things like frequencies and power levels,
but there is not much I can change. I suspect there is more, there must be
settings to enable/disable the second phone line and things like that. Also it
must be accessible from the WAN side. When I talked to the help desk some day,
the employee said: I will have a look at the modem.... hmmm. looks all right...
So the modem is accesible from the WAN side. It can not be at the same address
as the router, because the router only gets an address when it is switched on.


Cheers, Michiel

--- GoldED+/W32-MINGW 1.1.5-b20070503
 * Origin: http://www.vlist.org (2:280/5555)