| ▲ | huslage 9 hours ago | |
NAT is not a security measure at all. It just obscures what's behind a firewall, but that is leaky and not reliable from a security perspective. It might make you feel better, but that is not security. | ||
| ▲ | dlcarrier an hour ago | parent | next [-] | |
A firewall has nothing to filter, if nothing is routed to it. My IoT devices communicate with a server running in my network. As long as I am behind an IPv4 router, their communications to that server will never make it to the internet, and any communications from the internet have no way of addressing any device on my network. I literally can't add any security to a firewall because there are no communications to handle. Sure, I have personal computers on the same network, which aren't on a separate VLAN because I'm not familiar enough with my router to set that up, so a compromised PC could forward attacks to my IoT devices, but the firewall would be useless at that point. If I have an IPv6 router, I can misconfigure it in a way where all of my internal communications between IoT devices work as expected, but they also have discoverable addresses on the internet. This would give the firewall something to do, but I'd rather there be no route in the first place. Also, if I trusted myself to properly configure my router for IPv6, I would put all of my IoT equipment on ULAs, which much like an IPv4 NAT would leave me with nothing to configure in the firewall. If I were to take your claims at face value, using GUAs with packet filtering is far more reliable and secure than ULAs, and that seems preposterous. A properly configured firewall for sure adds security, but isolation always wins out. | ||
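The ULA-versus-GUA distinction in the post above can be checked mechanically. The following is an added example, not code from anyone in this thread: it classifies each address in a constructed device inventory by IPv6 scope and reports which devices are reachable from the internet, so the misconfiguration described (a device meant to live on ULAs that also picked up a global address) shows up as a finding. The inventory and the `inbound_filtered` flag are assumptions standing in for a real address dump and router ruleset.

```python
from ipaddress import IPv6Address, IPv6Network

# IPv6 scopes relevant to the ULA-vs-GUA argument (RFC 4291, RFC 4193).
# Order matters: the first matching prefix wins.
SCOPES = [
    ("loopback",   IPv6Network("::1/128")),
    ("link-local", IPv6Network("fe80::/10")),
    ("ula",        IPv6Network("fc00::/7")),   # unique local: never routed on the internet
    ("gua",        IPv6Network("2000::/3")),   # global unicast: routable from anywhere
]

def classify(addr: str) -> str:
    """Return the scope name of an IPv6 address, or 'other' for unassigned ranges."""
    a = IPv6Address(addr)
    for name, net in SCOPES:
        if a in net:
            return name
    return "other"

def exposure(addr: str, inbound_filtered: bool) -> str:
    """Reachability of one address from the internet.

    ULA, link-local and loopback addresses have no route from outside, so the
    router's filter never sees traffic for them ("nothing to filter").
    A GUA is reachable unless a stateful inbound-deny rule is in place.
    """
    if classify(addr) != "gua":
        return "unroutable"
    return "filtered" if inbound_filtered else "exposed"

def audit(devices: dict, inbound_filtered: bool) -> list:
    """One (device, address, scope, exposure) row per configured address."""
    return [(name, addr, classify(addr), exposure(addr, inbound_filtered))
            for name, addrs in devices.items() for addr in addrs]

# Constructed inventory (2001:db8::/32 is the documentation prefix, standing in
# for a real delegated GUA prefix): the thermostat sits on ULAs as intended,
# the camera also picked up a GUA from router advertisements.
DEVICES = {
    "thermostat": ["fd12:3456:789a::10", "fe80::1"],
    "camera":     ["fd12:3456:789a::20", "2001:db8:abcd::42"],
}

def exposed_devices(devices: dict = DEVICES, inbound_filtered: bool = False) -> list:
    """Names of devices with at least one internet-reachable, unfiltered address."""
    return sorted({n for n, _, _, e in audit(devices, inbound_filtered) if e == "exposed"})

if __name__ == "__main__":
    for row in audit(DEVICES, inbound_filtered=False):
        print("%-10s %-22s %-10s %s" % row)
    print("exposed:", exposed_devices())  # ['camera']
```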
| ▲ | pixl97 8 hours ago | parent | prev [-] | |
Yeah, people consider NAT a firewall, but at best it stops direct connections from outside. People use this as a rationale to not secure individual devices on the network. Then the moment a single device on your network is compromised (do you really trust that Chinese IoT device?) every host that doesn't have its own firewall is at risk. With IPv6 you at least say "Holy crap, anyone could connect to this, I better secure it from outside and inside attacks", which is how actual security works. | ||