Double NAT

Against casual attackers, NAT acts as a firewall with a "default deny" policy for inbound connections and "default permit" for outbound connections. So you can use this setup by placing a second router in your network, for example for wireless guest access.

This is a very specific scenario (one which I actually use for one of my customers). His claim seems to be more general, as to the fact that having two layers of NAT would somehow improve security. I can't see any reason why it would, it would only create a lot of headaches with applications that are already struggling to work properly through a single layer of NAT.
 
Check out the "Three dumb router" episode (fast forward past the halfway point). First he covers the original configuration (2 routers) from about 10 years ago: secured section behind the first router, IoT items behind the second router.

Second, he walks through his updated 2-router configuration (secure stuff behind the second router).

Third, he retracts the 2-router setup from a couple of weeks ago and advocates a three-router setup where routers 2 & 3 are in a "Y" configuration: #2 for secure stuff (PC etc.) and #3 for IoT (or items that are more susceptible to being hacked).

The key being that these routers are dumb (cheap) and you can afford to do it. He mentions that you could do this with more expensive equipment that has more bells and whistles.

This is way too complicated. One single router with properly configured VLANs would take care of segmenting your network - if you so badly needed to do so. The vast majority of home users don't. An Asus router with a guest wifi network configured would take care of isolating your guests from the rest of your LAN.
 
Would I be right in thinking Brian Krebs and Bruce Schneier are 2 of them? Any others?

I do follow Bruce Schneier with enthusiasm, and Krebs' blog definitely is a fun read.

but... are you asking me who I follow (honestly, I am not someone to emulate), or are you saying those two have mentioned Steve?


Edit: I didn't mean for my post to be as moody as I think it appears... :confused:
:eek:
 

Oh, no; I doubt they'd be mentioning Steve Gibson unless they too were advocating proven cures for insomnia. No, I was keen to know if there were people other than Brian Krebs and Bruce Schneier also worth following.

Moody? Doesn't come across to me as moody at all.
 

Like I said, I am only pretending to be someone of worth. :)

Those who(m?) I follow: RMerlin, sinshiva, geohot, hackernews, ccc, phrack, 2l8:efnet, anyone/everyone better than me, Google TechTalks, I dunno. There are tons more...

Schneier is my favorite. He blends the two different worlds of science & philosophy very well. The user, by far, is the biggest threat to security... is there any hotfix for that? ;)


Who do you follow?
 
Double NAT: the only possible reason for it being necessary is if you have an ISP like Sky broadband in the UK and you really want to stick to the terms of your contract, which forbid you from connecting using any other non-Sky router (say Asus Merlin, even though with the right credentials Asus Merlin works anyway) while using your own router. In a case like BT, it's just being too damned lazy or cheap to replace an ISP router without a modem/bridge mode.
 

Pretending to be someone of worth or not, having followed your postings for quite some time, I value your opinion. So thank you for that list.

I only follow Krebs and Schneier by their email newsletters, so I shall be looking with interest into your list. I used to listen to Steve Gibson weekly but enough said on that topic.

Many thanks.

PS yes, "whom" :)
 
This is a very specific scenario (one which I actually use for one of my customers). His claim seems to be more general, as to the fact that having two layers of NAT would somehow improve security. I can't see any reason why it would, it would only create a lot of headaches with applications that are already struggling to work properly through a single layer of NAT.
Agree
 
Quoting Nullity: "... Who do you follow?"

How stupid of me: I forgot to mention the person I probably follow most. He's a passionate Apple app developer, and one of his apps, Network Toolbox, has helped me learn a great deal and continues to do so. Apart from which, it's probably the app I use most - a real "Swiss army knife" for networks. His blog is at http://networktoolbox.de/blog/ but the news items also appear in the app - it updates its data when you open it.

His name is Marcus Roskosch http://roskosch.de/marcus-roskosch/ and I'm not ashamed to promote his work: he's been incredibly generous, never failing to answer my naive questions in detail and with great patience. He doesn't post as often as Brian Krebs, but when he does it's definitely well worth reading.
 

I forgot to mention devttyS0, a security group that focuses on embedded security. They have released very cool tools like binwalk and Firmware Mod Kit. Heh, I have trouble fully understanding most of their posts, but they share a lot of info/tools that cannot be found elsewhere.
 
While already mentioned in this thread, in all fairness to Gibson, the page from GRC.com regarding double NAT that was posted upthread is really old, and doesn't really properly explain what Gibson was recently proposing regarding running three routers, i.e., a single "dumb" router, and creating separate LANs by hanging two additional routers off the first one; his reasoning is that for the average home consumer, it's far easier just to create two separate LANs using simple routers than it is to configure VLANs. An earlier thread last week discussed what Gibson proposes in greater detail (See http://www.snbforums.com/threads/ro...ts-from-accessing-first-router-clients.30049/). Gibson's entire concept is to make it simpler and safer for folks to run IoT devices in their homes without worrying about some malicious device having access to more sensitive areas of the home network.

Gibson may not be considered a security "expert" to many/most here, but his credentials in the field of data encryption are pretty solid. His main problem is that he seems to live in a world that time forgot, insisting on running nothing newer than Windows XP, and most of his podcasts spend tons of time on subjects that probably only would be of interest to a few sysadmins. Still, he's a lot more accessible and easier to listen to (at least for me) than someone like, say, Allan Jude on TechSnap. I guess you've gotta be Canadian to really appreciate Jude...that, or a big FreeBSD fan. :)
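The three layouts described in the "Three dumb router" post earlier in the thread and summarised again just above, worked through as an added example (this is not code from the thread, from GRC or from any project): a small Python model that treats each consumer router as a NAT gateway with default-deny inbound and no port forwarding, and asks which hosts can open connections to which. Router and host names are hypothetical.

```python
"""Which hosts can open connections to which when consumer routers are chained.
Each router does NAT with default-deny inbound and no port forwarding, so a
connection succeeds only if it never has to enter a router's LAN from its WAN
side. Added example; router and host names (R1, pc, camera, ...) are hypothetical."""


class Router:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent  # router whose LAN this router's WAN port is plugged into

    def ancestors(self):
        """This router and every router above it, up to the one on the ISP link."""
        chain, r = [], self
        while r is not None:
            chain.append(r)
            r = r.parent
        return chain


class Host:
    def __init__(self, name, router):
        self.name = name
        self.router = router  # the LAN segment the host sits on


def can_initiate(src, dst):
    """Outbound traffic leaves a LAN freely; inbound is denied. So src reaches dst
    only if dst sits on src's own segment or on one of its ancestors' segments
    (e.g. anything plugged into the first router's LAN, including the other
    downstream router's WAN interface, but not the hosts behind it)."""
    return dst.router in src.router.ancestors()


def reachability(hosts):
    """Matrix of (src name, dst name) -> bool for every ordered pair of hosts."""
    return {(a.name, b.name): can_initiate(a, b) for a in hosts for b in hosts if a is not b}


def original_layout():
    """Secure PCs on the first router's LAN, IoT behind a second router."""
    r1 = Router("R1")
    r2 = Router("R2", parent=r1)
    return reachability([Host("pc", r1), Host("camera", r2)])


def reversed_layout():
    """IoT on the first router's LAN, secure PCs behind the second router."""
    r1 = Router("R1")
    r2 = Router("R2", parent=r1)
    return reachability([Host("pc", r2), Host("camera", r1)])


def y_layout():
    """Three routers: R2 (secure) and R3 (IoT) both hang off R1's LAN, which
    holds nothing but their WAN ports plus, here, one shared printer."""
    r1 = Router("R1")
    r2 = Router("R2", parent=r1)
    r3 = Router("R3", parent=r1)
    return reachability([Host("pc", r2), Host("camera", r3), Host("printer", r1)])


if __name__ == "__main__":
    for name, matrix in [("original", original_layout()),
                         ("reversed", reversed_layout()),
                         ("Y", y_layout())]:
        print(name)
        for (a, b), ok in matrix.items():
            print(f"  {a:8} -> {b:8} {'allowed' if ok else 'blocked'}")
```

The result matches the reason the two-router layout was flipped: with IoT behind the second router, the camera can still initiate connections to the first router's LAN, where the PCs are. In the Y layout neither leg reaches the other, but both reach whatever sits on R1's LAN, so that segment should hold nothing but the two downstream routers' WAN ports (the shared printer here is deliberately exposed to both). The model assumes no port forwarding, no UPnP and no wireless client isolation on any router; any of those changes the answer.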
 
This is a very specific scenario (one which I actually use for one of my customers). His claim seems to be more general, as to the fact that having two layers of NAT would somehow improve security. I can't see any reason why it would, it would only create a lot of headaches with applications that are already struggling to work properly through a single layer of NAT.

I'm sort of curious about the statement that there are apps that have trouble or which "are already struggling to work properly through a single layer of NAT."

I may be the outlier here, but I have never experienced any app that has had any difficulty or struggled to work properly with a single layer of NAT. What sorts of apps did you have in mind when you wrote that?
 

FTP servers without passive mode support typically require a NAT helper (there's a netfilter helper for that). Some SIP devices might also have trouble dealing with that without specific NAT support on the client side, or another NAT helper on the gateway.
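As an added example (not code from the thread or from netfilter): a Python model of the stateful NAT behaviour described in the first post (default deny inbound, default permit outbound) and of the active-mode FTP problem mentioned in the reply just above. It models the two jobs of an ftp NAT helper, rewriting the address in the client's PORT command and opening an expectation so the server's data connection is let in, and then runs the same session through one and two NAT layers. Addresses, ports and the helper's internals are simplified and hypothetical.

```python
"""Stateful NAT model: why active-mode FTP needs a helper, and why every NAT
layer needs its own. Added example; addresses and ports are hypothetical."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_port(payload):
    """Decode an active-mode 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    m = PORT_RE.fullmatch(payload.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class Nat:
    """Source NAT: outbound flows create mappings; inbound packets are dropped
    unless they are the reply to a mapped flow or match a helper expectation.
    With ftp_helper=True the gateway also rewrites PORT commands on port 21."""

    def __init__(self, wan_ip, ftp_helper=False):
        self.wan_ip = wan_ip
        self.ftp_helper = ftp_helper
        self.table = {}    # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.expect = {}   # wan_port -> (lan_ip, lan_port, expected remote_ip)
        self.next_port = 40000

    def _alloc(self):
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wan_port = next((wp for wp, f in self.table.items() if f == flow), None)
        if wan_port is None:
            wan_port = self._alloc()
            self.table[wan_port] = flow
        payload = pkt.payload
        parsed = parse_port(payload) if (self.ftp_helper and pkt.dport == 21) else None
        if parsed:
            data_ip, data_port = parsed            # address the client put in PORT
            hole = self._alloc()                   # pinhole the server may connect to
            self.expect[hole] = (data_ip, data_port, pkt.dst)
            payload = format_port(self.wan_ip, hole)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, payload)

    def inbound(self, pkt):
        """Translated packet for the LAN, or None if dropped."""
        if pkt.dst != self.wan_ip:
            return None  # e.g. a private address the server copied out of PORT
        if pkt.dport in self.table:
            lan_ip, lan_port, remote_ip, remote_port = self.table[pkt.dport]
            if (pkt.src, pkt.sport) != (remote_ip, remote_port):
                return None  # same port, different peer: not our reply
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.payload)
        if pkt.dport in self.expect:
            lan_ip, lan_port, remote_ip = self.expect[pkt.dport]
            if pkt.src != remote_ip:
                return None
            del self.expect[pkt.dport]
            self.table[pkt.dport] = (lan_ip, lan_port, pkt.src, pkt.sport)
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.payload)
        return None  # default deny


def active_ftp_works(nats, client_ip="192.168.1.10", server_ip="198.51.100.7"):
    """nats: gateways listed from the client outward. True if the server's
    active-mode data connection (from port 20 to the PORT address) reaches the client."""
    cmd = Packet(client_ip, 50000, server_ip, 21, format_port(client_ip, 50001))
    for nat in nats:
        cmd = nat.outbound(cmd)
    data_ip, data_port = parse_port(cmd.payload)   # what the server believes
    syn = Packet(server_ip, 20, data_ip, data_port)
    for nat in reversed(nats):
        syn = nat.inbound(syn)
        if syn is None:
            return False
    return (syn.dst, syn.dport) == (client_ip, 50001)


def unsolicited_inbound_dropped():
    """Default deny: only the peer of an established outbound flow gets back in."""
    nat = Nat("203.0.113.5")
    nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", 40000))
    probe = nat.inbound(Packet("198.51.100.9", 443, "203.0.113.5", 40000))
    return reply is not None and probe is None


if __name__ == "__main__":
    print("single NAT, no helper   :", active_ftp_works([Nat("203.0.113.5")]))
    print("single NAT, ftp helper  :", active_ftp_works([Nat("203.0.113.5", True)]))
    print("double NAT, inner helper:", active_ftp_works([Nat("10.0.0.2", True), Nat("203.0.113.5")]))
    print("double NAT, both helpers:", active_ftp_works([Nat("10.0.0.2", True), Nat("203.0.113.5", True)]))
```

Running the block shows active FTP failing through a single NAT without the helper (the server tries to connect to a private address), working with it, failing again when a second NAT without a helper is stacked in front (the inner helper rewrote PORT to an address the outer NAT never translates), and working through double NAT only when every layer runs the helper, which is the extra configuration burden the thread is pointing at. Real conntrack tracks the full 5-tuple plus TCP state and times mappings out; this model keeps only enough to show where the packet is dropped.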
 
This is way too complicated. One single router with properly configured VLANs would take care of segmenting your network - if you so badly needed to do so. The vast majority of home users don't. An Asus router with a guest wifi network configured would take care of isolating your guests from the rest of your LAN.

I think the average user would find plugging in a couple routers in series easier to understand than configuring a VLAN.
 