Linux.com

Re:NAT is a necessity in today's Internet

Posted by: Anonymous Coward on January 27, 2004 06:44 AM
Yes, I know.
But the whole purpose of NAT is to hide the private network. M$ software is always going to be full of security holes, no matter what public face they want to place on it. Even today, after all this time and anti-virus products out there, MS-Blaster is still causing major problems for ISPs. So much so, that the ISPs forced M$ to issue a tool to remove it. When you look at these machines, you will see that most of these machines are publicly addressable on the Internet. These types of viruses spread by accessing publicly available machines on the Internet. NATs hide these machines and are much less susceptible to these security problems. I am a computer consultant and out of 45 clients, only 1 has had virus/spyware problems within the last year.

Let's face it, there is no application for a business environment that needs to have a machine directly accessing the Internet or needing IPV6. Today's NAT devices have become quite good and are relatively cheap.

Let's look at them:

FTP:
This is a total bogus boogeyman. Even the most basic NAT device handles this protocol with ease.

VPN:
For under $200US you can buy NAT devices that handle VPN with ease. I actually use these (Netgear makes a couple of good models on the low end) to connect construction trailers to the corporate office. They offer both 3DES and IPSec encryption. This is server-server VPN access. They also provide client-server VPN passthru access. I have 1 client in which I have connected over 30 trailers to the corporate office in this manner. The trailer computers see all of the servers at the main office with ease. This is a cheap and efficient solution.

Video Conferencing:
This one is a bit more problematic, but has been easily solved. The better NAT devices have H.323 support already turned on. This solution is good for the low end. Other solutions, like Intel, have applets that figure out the dynamic address and reconfigure automatically. Again, the IPV4 solution works, and is cheap enough.

Email: SMTP/POP etc.
In a personal setting, NAT devices handle this easily. In a corporate setting, all email should go through a central server. Spam/virus filtering is a necessity. Also, email needs to be properly logged and archived. In many industries, regulations impose fines if this is not done. Also, the protection of trade secrets and proprietary information is a must in today's global market. No employee should ever be allowed to access outside SMTP servers. The risks/fines are too great.

Media
Again, NAT devices handle these protocols with ease. More than one machine can have Real Player or MS Media Player playing music and video simultaneously. In a business setting, many limit use of these protocols, in order to preserve bandwidth or to avoid legal issues with RIAA/MPA etc.

groupware/IM etc.
A corporation should set up their own IM server. They should not rely on AOL, MSN, Yahoo etc. These networks are totally insecure, and much sensitive business information can be passed on. All of these networks have serious security problems that they've known for a long time and have not bothered to fix them. Corporate spying is quite common. Many European countries (especially the French) use corporate spying as a way to get a competitive advantage. On one occasion, one of my clients detected this kind of intrusion and was able to feed false info, resulting in my client getting the upper hand in a negotiation.

At this time, there really is no IPV6 killer application that would cause one to say "Hey.. I got to have that". There is no reason to incur the overhaul expenses to IPV6 in order to satisfy a few "purists". The benefits of IPV6 are few and at this time do not warrant the expense. When applications really take advantage of IPV6 (like its QOS abilities), then maybe it may be worthwhile. But for now, I'm recommending to all of my clients to stay with IPV4+NAT.

Return to IETF roiled over NAT