Re: Telnet and FTP to Historic


 




On 12/3/2020 7:11 AM, Joe Touch wrote:

On Dec 2, 2020, at 11:50 PM, Christian Huitema <huitema@xxxxxxxxxxx> wrote:


On 12/2/2020 11:22 PM, Joe Touch wrote:

On Dec 2, 2020, at 10:47 PM, Christian Huitema <huitema@xxxxxxxxxxx> wrote:
Mark, you had me until "home network". Because most home networks are in fact *not* more secure than the open Internet
Not that I like NATs, but they do afford protection beyond being on the open Internet simply by lacking incoming port mapping.
That's the firewall illusion. It is shattered if someone inside the wall falls for a phishing attack, or clicks on the wrong attachment, or downloads the wrong program. At which point all these unsafe programs that are used "only behind the firewall" become nice avenues for quickly spreading the attack much farther than the initial failure. See numerous examples of ransomware attacks against small businesses, schools, etc.

-- Christian Huitema
Sure, but you have to attack the machines behind a firewall some other way *first*.

I didn’t say they were safe, just safe*er*.

I understand why you say that. Machines behind a NAT or a stateful firewall cannot be remotely probed for low level vulnerabilities, so you do get some reduction of the attack surface. My contention is that this reduction is far from being sufficient, because attackers have found many ways to project themselves through NATs or firewalls. If you allow for unsafe practices because the machines are behind a NAT or a firewall, these unsafe practices will result in catastrophic cascades of failures after a single breach happens.

-- Christian Huitema



