Users currently on Windows XP...

eetech00

Joined Jun 8, 2013
4,705
If an XP machine is connected to the Internet via NAT and it does not make connections to the outside itself, nothing outside will be able to make connections to it. That’s not “security”, it’s just a fact.
I almost agree with that statement.
My earlier post was to help anyone reading this thread not confuse NAT with security.

eT
 

Ya’akov

Joined Jan 27, 2019
10,235
I need to bow out of this thread to avoid heartburn but I will leave with this:

NAT is not a security tool. It incidentally prevents simple-minded attacks like scripted port scans from being effective on machines behind the router providing it.

XP is a completely insecure operating system. Almost any use of it on the Internet makes it vulnerable to compromise. Extremely careful use, and some luck, might keep it safe for a while, but using it as an Internet connected operating system is extremely ill advised.

I think I was the first person to mention this in the thread, and that we had an extensive program to protect our network from these machines. I know precisely what NAT is and does, and I can tell you it will not prevent compromise except in the narrow way I actually specified.

That’s it for me.
 

joeyd999

Joined Jun 6, 2011
6,297
I am describing the behavior of NAT.
NAT doesn't exist in a vacuum. Mapping and translations must occur on a device connected to the outside (the router) and that device likely has other (and many unknown) services running on it.

The router "knows" everything about all the devices attached to your LAN, and can talk to them any way it wants. Exploit the router, and any machine on the LAN is vulnerable.
 

joeyd999

Joined Jun 6, 2011
6,297
Holy crap joeyd999, I am going to have to get off the Internet.

I had no idea of the router situation. But then most of life totally escapes me.


Regards, Dana.
This is why I like to build my own routers. I can decide which ports are exposed to the internet, which services are run, and what kind of traffic is allowed on my LAN. I can also watch the kind of traffic trying to get into my network, and make specific adjustments as necessary.

BTW, IPv6 is -- in some ways -- worse than NAT'd IPv4. Your local IPv6-enabled devices are usually assigned global addresses via your ISP, and may be addressable even though they are behind the router. There is usually a setting on the router to prevent incoming IPv6 from establishing a connection to your local devices. Make sure it is set.
 

joeyd999

Joined Jun 6, 2011
6,297
Joey, I was curious which manufacturers' router models you are using.
First, on my desktops I use Linux. I ain't afraid of the Big Bad Wolf. That's a Windows problem.

So, at home, I have no problem using my extremely annoying Comcast cable modem that doesn't even know how to map global to local IPs with different port numbers. They'll happily accept money in exchange for allowing me to do this, those bastards. Since they also provide my telephone service through the same box, I am left with little choice (again, unless I want to shell out cash).

For mission critical stuff, I roll my own routers using cheap boxes running Linux (which natively already understands how to behave as a router) with multiple NICs.
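As an added example (not from any poster in this thread) of how the "block incoming IPv6 on the router" advice above and a home-built Linux router fit together, here is an nftables ruleset that treats the WAN side identically for IPv4 and IPv6: LAN hosts may open connections outward, and only replies to those connections come back in, so a LAN host with a global IPv6 address is no more reachable than a NAT'd IPv4 one. The interface names eth0/eth1 are assumptions; adjust them to the box in question.

```nftables
# Added example: stateful firewall for a home-built Linux router.
# Interface names are assumptions for this example.
define WAN = eth0
define LAN = eth1

table inet filter {
    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname $LAN accept
        # ICMP/ICMPv6 carry path-MTU, neighbour discovery and router
        # advertisements; IPv6 does not work without them.
        ip protocol icmp accept
        meta l4proto icmpv6 accept
        # DHCPv6 replies from the ISP (prefix delegation) are multicast-
        # solicited, so conntrack will not see them as established.
        iifname $WAN udp sport 547 udp dport 546 accept
        # Anything else arriving from the WAN for the router is dropped.
    }

    chain forward {
        # Traffic crossing the router between LAN and WAN, v4 and v6 alike.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may initiate connections to the Internet.
        iifname $LAN oifname $WAN accept
        # ICMPv6 errors must reach LAN hosts or path-MTU discovery breaks.
        iifname $WAN oifname $LAN icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem } accept
        # No other unsolicited inbound: globally addressed IPv6 LAN hosts
        # are shielded exactly as the NAT'd IPv4 ones are. Counted so the
        # attempts can be watched with "nft list ruleset".
        counter drop
    }
}

table ip nat {
    chain postrouting {
        # IPv4 only: rewrite LAN sources to the WAN address on the way out.
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and persist it in the distribution's nftables unit; the `counter` on the final forward rule shows how much unsolicited inbound traffic the WAN side is actually seeing.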
 

killivolt

Joined Jan 10, 2010
836
First, on my desktops I use Linux. I ain't afraid of the Big Bad Wolf. That's a Windows problem.

So, at home, I have no problem using my extremely annoying Comcast cable modem that doesn't even know how to map global to local IPs with different port numbers. They'll happily accept money in exchange for allowing me to do this, those bastards. Since they also provide my telephone service through the same box, I am left with little choice (again, unless I want to shell out cash).

For mission critical stuff, I roll my own routers using cheap boxes running Linux (which natively already understands how to behave as a router) with multiple NICs.
I hated Comcast routers; they kept elbowing me off my Airport, so I returned it and purchased a router-less Comcast box on Amazon. Now that Airports are no longer supported I will opt in for a replacement; any suggestions?

I would say no more Comcast but my wife would pitch a fit if she doesn't have it.

kv
 

joeyd999

Joined Jun 6, 2011
6,297
I hated Comcast routers; they kept elbowing me off my Airport, so I returned it and purchased a router-less Comcast box on Amazon. Now that Airports are no longer supported I will opt in for a replacement; any suggestions?

I would say no more Comcast but my wife would pitch a fit if she doesn't have it.

kv
I have no recommendations. Like I said, for mission critical -- and full or custom functionality -- I build my own routers.
 