Odd Question, Wifi

Bill Davidsen davidsen at tmr.com
Fri Feb 22 00:18:58 UTC 2013


Dave Ihnat wrote:

>> To a large degree, a Windows box is protected from the internet by
>> NAT in the router, ...
>
> NAT is not a security protection.  At best it's obfuscation.  And if
> someone comes into a LAN via its WAP, they're on the _inside_, so NAT
> doesn't apply, and they're behind the router border firewall (if any).
>
NAT is as effective as the firewall makes it. Use of internal non-routable 
subnets prevents outsiders from just pushing packets into possibly minimally 
protected internal machines. A decent firewall will not NAT any connection which 
is not ESTABLISHED (in the iptables sense), so outsiders can't just initiate a 
connection to a machine from the outside. This provides some level of protection.

Connections to an AP are typically coming in directly on the LAN, so there is 
less protection other than the built-in protections in the AP itself. A decent 
AP will allow authentication requiring not only a password but a MAC address as 
well. None of this is unbreakable, but security is a process, an onion, not a 
boolean. Having the AP hang off the firewall machine is another layer, and if 
the firewall only responds to the VPN setup and drops all else you can build a 
pretty hardened setup. Works for me using Linux laptops, not sure how VPN-happy 
my Android phone would be.

Of course IPv6 may shoot all of this: with every machine having its own IP and 
no NAT needed, it becomes more important that each machine have its own firewall 
set, and dedicated net-facing firewall machines will need to be *much* smarter.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
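An added illustration of the ESTABLISHED-only forwarding described in the message above (example code written for this page, not from the thread): a toy model of a NAT router whose WAN side only passes packets that match a flow already opened from the LAN. The iptables rules in the docstring are the real-world equivalent; all addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port" of the sender
    dst: str    # "ip:port" of the receiver
    iface: str  # interface the packet arrives on: "lan" or "wan"

@dataclass
class StatefulNAT:
    """Toy model of a NAT router whose FORWARD chain accepts inbound packets
    only when conntrack already knows the flow (ESTABLISHED), i.e. roughly:
      iptables -A FORWARD -i wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -i wan -j DROP
      iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
    """
    public_ip: str
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)  # (lan_src, dst) -> public src
    inbound: dict = field(default_factory=dict)   # (public src, dst) -> lan_src

    def forward(self, pkt: Packet):
        """Return the translated packet to emit, or None if the firewall drops it."""
        if pkt.iface == "lan":
            key = (pkt.src, pkt.dst)
            if key not in self.outbound:  # NEW flow from inside: allowed, state created
                pub = f"{self.public_ip}:{self.next_port}"
                self.next_port += 1
                self.outbound[key] = pub
                self.inbound[(pub, pkt.dst)] = pkt.src
            return Packet(self.outbound[key], pkt.dst, "wan")
        # WAN side: only a packet matching an existing mapping counts as ESTABLISHED
        lan_src = self.inbound.get((pkt.dst, pkt.src))
        if lan_src is None:
            return None  # unsolicited inbound: no conntrack state, dropped
        return Packet(pkt.src, lan_src, "lan")

def demo():
    """Constructed traffic: one outbound flow, its reply, and two unsolicited packets."""
    nat = StatefulNAT("203.0.113.7")
    out = nat.forward(Packet("192.168.1.10:51000", "198.51.100.5:443", "lan"))
    reply = nat.forward(Packet("198.51.100.5:443", out.src, "wan"))
    # inbound to a port with no mapping at all
    unsolicited = nat.forward(Packet("198.51.100.9:6666", "203.0.113.7:22", "wan"))
    # inbound to the mapped port but from a host that is not the flow's peer
    wrong_peer = nat.forward(Packet("198.51.100.9:443", out.src, "wan"))
    return out, reply, unsolicited, wrong_peer
```

Only the reply from the peer the LAN host actually contacted reaches the inside; the mapping is per flow, so even the translated port is useless to a third host.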