This post was prompted by a post at Andy’s blog, where he complains about the lack of NATs and firewalls in cable modems. My opinion about it: NATs are not a security measure. VPNs aren’t either. And IPv6 isn’t inherently insecure just because it has the potential to give end-to-end connectivity to all hosts. These technologies are considered security products because they provide a little bit of security by obscurity. For example, if you are behind a NAT, many traditional backdoors, which rely on opening a port and listening there for a connection from the master, will fail. But then again, all the bots which use IRC will work without problems, all the spyware which uses HTTP or HTTPS to send out the harvested information will work, etc.

I admit that I was a little scared when I connected my parents’ computer to the Internet directly, with a real IP, using a cable modem. But then I thought about it: is my el-cheapo router running some ancient version of the Linux kernel more secure? At least on my parents’ box I know that I turned automatic updates on, but I really don’t have any easy way to update my router! If you wish to secure your clients by not allowing inbound connections, just put a firewall rule on your router. But I bet you that the clients will be very unhappy when their BitTorrent speed drops dramatically because of this :-D. And when you worry that IPv6 exposes all of your hosts to attacks: again, just put a firewall rule which drops all inbound TCP connections.
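As an added example (not from the original post), here is an nftables ruleset for a home router that has a public IPv4 address and a routed IPv6 prefix. It gives the clients exactly the property a NAT gives them by accident, no unsolicited inbound TCP, while their own outbound connections and the replies to them pass. The interface names wan0 and lan0 and the LAN prefixes are placeholders; the comments point out the IPv6 pieces that must stay open for the network to work at all.

```nft
#!/usr/sbin/nft -f
# Placeholders: WAN interface wan0, LAN interface lan0,
# LAN prefixes 192.168.1.0/24 and 2001:db8:1::/64 (documentation addresses).
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: drop unless allowed below.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Management only from the LAN side.
        iifname "lan0" tcp dport { 22, 443 } accept
        # DHCPv6/ND housekeeping the router needs from the LAN.
        iifname "lan0" meta l4proto ipv6-icmp accept
        # IPv4 ICMP is mostly optional; IPv6 breaks without ICMPv6.
        meta l4proto ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit,
            nd-neighbor-advert, packet-too-big, destination-unreachable,
            time-exceeded, parameter-problem, echo-request } limit rate 20/second accept
        # Log new inbound TCP SYNs from the Internet before the policy drops them.
        iifname "wan0" tcp flags syn / fin,syn,rst,ack log prefix "inbound-tcp-drop: " drop
    }

    chain forward {
        # Traffic crossing the router between LAN clients and the Internet.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Clients may open anything outbound; replies return via the rule above.
        iifname "lan0" oifname "wan0" accept
        # ICMPv6 must also be forwarded to the clients (PMTUD, unreachables).
        iifname "wan0" oifname "lan0" meta l4proto ipv6-icmp icmpv6 type {
            packet-too-big, destination-unreachable, time-exceeded, parameter-problem } accept
        # Everything new from wan0 towards the LAN is dropped by the policy.
        # The BitTorrent complaint from the text is fixed per client, per port, e.g.:
        # iifname "wan0" ip6 daddr 2001:db8:1::1234 tcp dport 6881 accept
    }
}
```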
As a side-note: one thing I support whole-heartedly is ISPs filtering outbound SMTP connections. Can we have a little more of that, please! And if you worry that some of your clients may need it, create a webpage for them, where they can add the servers they wish to connect to using SMTP. No authentication is needed for the page; just make sure that it’s accessible only from your clients’ IP range and that somebody coming from a given IP can set the rules only for that IP. Of course a CAPTCHA is also advisable, because otherwise the IP can be easily white-listed just by embedding a specially crafted HTML snippet in one of the pages you view. So, ISPs, please filter port 25!