Re: Odd Question, Wifi

Dave Ihnat wrote:

To a large degree, a Windows box is protected from the internet by
NAT in the router, ...

NAT is not a security protection.  At best it's obfuscation.  And if
someone comes into a LAN via its WAP, they're on the _inside_, so NAT
doesn't apply, and they're behind the router border firewall (if any).

NAT is as effective as the firewall makes it. Use of internal non-routable subnets prevents outsiders from just pushing packets into possibly minimally protected internal machines. A decent firewall will not NAT any connection which is not ESTABLISHED (in the iptables sense), so outsiders can't just initiate a connection to a machine from the outside. This provides some level of protection.

Connections to an AP are typically coming in directly on the LAN, so there is less protection other than the built-in protections in the AP itself. A decent AP will allow authentication requiring not only a password but MAC address as well. None of this is unbreakable, but security is a process, an onion, not a boolean. Having the AP hang off the firewall machine is another layer, and if the firewall only responds to the VPN setup and drops all else you can build a pretty hardened setup. Works for me using Linux laptops, not sure how VPN happy my Android phone would be.

Of course IPv6 may shoot all of this. With every machine having its own IP, no NAT needed, it becomes more important that each machine have its own firewall set, and dedicated net-facing firewall machines will need to be *much* smarter.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
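
Added example, not part of the original message or of any Fedora tooling: a shell function that emits an iptables-restore ruleset for the border firewall discussed above, and the IPv6 variant with no NAT table, to show that the conntrack rules in the filter table are what block unsolicited inbound connections. The function name, the interface names and the default-drop policy are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. emit_rules FAMILY WAN_IF LAN_IF prints a ruleset for
# iptables-restore (FAMILY=4) or ip6tables-restore (FAMILY=6).
# Interface names are supplied by the caller; nothing here is applied.
emit_rules() {
    family=$1 wan=$2 lan=$3
    case "$family" in 4|6) ;; *) echo "family must be 4 or 6" >&2; return 1 ;; esac

    # Filter table: identical for both families. Forwarded traffic is
    # dropped unless it belongs to a flow that an inside host started.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$family" = 6 ]; then
        # The router itself needs ICMPv6 for neighbour discovery.
        echo "-A INPUT -p ipv6-icmp -j ACCEPT"
    fi
    echo "COMMIT"

    # NAT table: IPv4 only. It rewrites source addresses on the way out;
    # it adds no filtering beyond the FORWARD rules above.
    if [ "$family" = 4 ]; then
        cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
    fi
}

# Stand-alone use: sh script.sh 4 eth0 eth1 | iptables-restore --test
if [ "$#" -eq 3 ]; then
    emit_rules "$@"
fi
```

Wireless clients bridged onto the LAN interface reach other LAN hosts without crossing the FORWARD chain at all, so this ruleset does nothing for that case; it only covers the border.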