
Double NAT

Authority

Senior Member
Security "expert" Steve Gibson has been on TWiT podcast with Leo Laporte advocating dual NAT networks as providing greater security.

Any opinions or experiences?
 
Security "expert" Steve Gibson has been on TWiT podcast with Leo Laporte advocating dual NAT networks as providing greater security.

Any opinions or experiences?

I don't see how double NAT might improve security in any way.
 
Security "expert" Steve Gibson has been on TWiT podcast with Leo Laporte advocating dual NAT networks as providing greater security.

Any opinions or experiences?

So those two are still wittering away, are they? I can vouch for Steve's expertise in one area at least: curing insomnia. Did Steve at least explain the reasoning behind his statement about double NAT? (If they still publish the transcripts, you could extract the relevant part, assuming it is intelligible.)
 
I don't see how double NAT might improve security in any way.
Against casual attackers, NAT acts as a firewall with a "default deny" policy for inbound connections and "default permit" for outbound connections. So you can use this setup by placing a second router in your network for, for example, wireless guest access.
 
I have not read the article, but I thought the same thing as those guys. If your ISP can control the edge device and flash firmware on it, I want to be double NAT'd with my own NAT.
My ISP can SSH into their device on my roof from the Internet to change settings any time they want. What if the ISP gets compromised and the list of ... or a rogue employee ...
 
Me neither. He kind of explains it here:

https://www.grc.com/nat/nats.htm

Dec 12, 2005 at 09:17

As you can see, he has been dithering on about this for years, along with many of the other Chicken Little ("sky is falling") theories.

If your isp can control the edge device and flash firmware on it, I want to be double NAT'd with my own nat.

If that was the case I would change ISPs or use a different router that didn't provide a back door for tech support.

In most cases people who use dual NAT then go on and punch a hole through both NATs trying to get their PS4 to not have strict NAT, which defeats the reason for it in the first place.
 
It's my only option unless I want to go back to the days of tethering my phone to my router.
I can't use my own system (AC68U); it's a Ubiquiti M5 on the roof. I would be crazy to just use that and put a dumb switch behind it, hence I use the AC68U behind the M5. I should add the ISP flashed their customized version of the software to it (branded).
I can tell you the GUI on the edge device can also be accessed over the Internet too. I have the password by pure luck; however, most settings are greyed out.

This is just an example though. You can't trust any ISP, or trust that their data is secure.
There are some ISPs in the States I heard that log into your edge device (modem/ADSL box) and open a guest Wi-Fi to sell Wi-Fi access to people nearby, or I heard a long time ago about a secret room with secret equipment installed at a major telecom company a long time ago that has been proven to be true only recently. Hmmmm.
I'm not familiar with PS4; I had to punch a hole for the OpenVPN server on my router. I think if done correctly it would be fine, not the DMZ way though.

EDIT:
I wanted to add how great having an OpenVPN server running on the router can be. If you disable UPnP, WAN access to SSH, the router's WAN access to the GUI, and anything else, and just open 1 port on the ISP's device to the OpenVPN server on your router, you would have access to it all! No need to have 10 port forwards because you would be inside your LAN after connecting from the Internet. It's the best way IMHO if you need to access SSH or the router GUI from outside (Internet).
 
Security "expert" Steve Gibson has been on TWiT podcast with Leo Laporte advocating dual NAT networks as providing greater security.

Any opinions or experiences?
Check out the "Three dumb router" episode (fast forward past the halfway point). First he covers the original configuration (2 routers, from about 10 years ago): secured section behind the first router, IoT items behind the second router.

Second, he walks through his updated 2-router configuration (secure stuff behind the second router).

Third, he retracts the 2-router setup from a couple of weeks ago and advocates a three-router setup where routers 2 & 3 are in a "Y" configuration: #2 for secure stuff (PC etc.) and #3 for IoT (or items that are more susceptible to being hacked).

The key being these routers are dumb (cheap) and you can afford to do it. He mentions that you could do this with more expensive equipment that had more bells and whistles.
 
It's my only option unless I want to go back to the days of tethering my phone to my router.
I can't use my own system (AC68U); it's a Ubiquiti M5 on the roof. I would be crazy to just use that and put a dumb switch behind it, hence I use the AC68U behind the M5. I should add the ISP flashed their customized version of the software to it (branded).
I can tell you the GUI on the edge device can also be accessed over the Internet too. I have the password by pure luck; however, most settings are greyed out.

This is just an example though. You can't trust any ISP, or trust that their data is secure.
There are some ISPs in the States I heard that log into your edge device (modem/ADSL box) and open a guest Wi-Fi to sell Wi-Fi access to people nearby, or I heard a long time ago about a secret room with secret equipment installed at a major telecom company a long time ago that has been proven to be true only recently. Hmmmm.
I'm not familiar with PS4; I had to punch a hole for the OpenVPN server on my router. I think if done correctly it would be fine, not the DMZ way though.

EDIT:
I wanted to add how great having an OpenVPN server running on the router can be. If you disable UPnP, WAN access to SSH, the router's WAN access to the GUI, and anything else, and just open 1 port on the ISP's device to the OpenVPN server on your router, you would have access to it all! No need to have 10 port forwards because you would be inside your LAN after connecting from the Internet. It's the best way IMHO if you need to access SSH or the router GUI from outside (Internet).

Putting your router beside the ISP's is IMHO best practice. Stop the ISP in your network, though I don't support dual NAT.
 
I watched.
I liked the part about ARP table spoofing. I was wondering about this a while back; I was going to try connecting to guest Wi-Fi with Access Intranet set to off and see if I can watch packets from other devices on my LAN, but never got around to it.

Example: plug your device into the guest network, start ARP table spoofing, and basically it will say "hey, I am the new router in town, all devices talk to me first, then I send packets onward to the real router".

I am hoping the guest network has its own ARP table somehow for Asus.
I think what Mr. Gibson is explaining is to have the questionable IoT/guest networks on the middle router.
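A defender-side way to check for the "new router in town" ARP hijack discussed above, added here as an example (it is not from the thread or from any tool mentioned in it): it walks a constructed list of observed ARP replies and flags any IP claimed by more than one MAC, any MAC claiming several IPs, and any reply that contradicts a pinned gateway mapping. The addresses and MACs are made up.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a guest segment: (sender_ip, sender_mac).
# The gateway 192.168.1.1 legitimately lives at aa:aa:aa:aa:aa:01; the last two
# entries show a second MAC claiming both the gateway and a host, which is the
# signature of an ARP-cache poisoning attempt.
OBSERVED_ARP = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ("192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ("192.168.1.21", "bb:bb:bb:bb:bb:21"),
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ("192.168.1.1", "cc:cc:cc:cc:cc:99"),   # impostor claims the gateway
    ("192.168.1.20", "cc:cc:cc:cc:cc:99"),  # same impostor also claims a host
]

# Hypothetical operator-maintained pin for the gateway (IP -> expected MAC).
PINNED = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def find_arp_conflicts(replies, pinned=None):
    """Return a list of alert strings describing inconsistent ARP claims.

    replies: iterable of (ip, mac) pairs as observed on the wire.
    pinned:  optional dict ip -> mac for addresses that must never change.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    macs_for_ip = defaultdict(set)   # ip -> every MAC that claimed it
    ips_for_mac = defaultdict(set)   # mac -> every IP it claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip]:
            alerts.append(f"pinned {ip} claimed by {mac}, expected {pinned[ip]}")
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    # One IP answered by several MACs: someone is competing for that address.
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            alerts.append(f"{ip} mapped to multiple MACs: {sorted(macs)}")
    # One MAC answering for several IPs: typical of a host impersonating others.
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for line in find_arp_conflicts(OBSERVED_ARP, PINNED):
        print("ALERT:", line)
```

Feeding it the first four entries only (the clean baseline) returns no alerts, which is the state you would hope to see on a properly isolated guest network.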
 
Entertaining & educating are vastly different things.

As an entertainer, I respect Leo, especially from a "entertainer trying to educate" perspective. He is not (nor is Steve), a highly respected security expert though.



I may be very wrong with the following, highly subjective & unfounded statement, but if you want quality information, get away from YouTube & Podcasts. Open (or listen to) a well-researched book.
 
...

I'm confused because he's supposed to be a pretty big deal, so I thought I'd get your take.

I was unaware of Steve until I found SmallNetBuilder Forums.

What sites/links/people have you seen that cite Steve as a respectable source of (security) information?
 
I just put an ARP spoof tool on my Android phone called wifikill 2.1 (you need a rooted phone).
I am surprised: on my guest Wi-Fi network it could not see any other devices; when I connected to my normal Wi-Fi, I could see all devices and traffic, and turn them on/off.

I think Asus did a good job then separating guest Wi-Fi from devices on your LAN.
 
I was unaware of Steve until I found SmallNetBuilder Forums.

What sites/links/people have you seen that cite Steve as a respectable source of (security) information?
Did he say anything misleading?
He reminds me of my uncle; I wouldn't mind having a gin and tonic with him and discussing technology. He looks like a gin guy!
I thought he did well considering it looked improv to me.
 
Did he say anything misleading?
He reminds me of my uncle; I wouldn't mind having a gin and tonic with him and discussing technology. He looks like a gin guy!
I thought he did well considering it looked improv to me.

I think his understanding of password security is flawed.

but I do not actively follow him, so I do not know enough about him to criticize. I know that none of the security people I follow have ever mentioned him...
 
I'm confused because he's supposed to be a pretty big deal

This is relative. I, for one, ain't a big fan of his views... He often sounds more like a sensationalist blogger than an actual security expert IMHO.
 