Monthly Archives: December 2007

Is a NAT a security device?

I’ve been working lately on a couple of IPv6-related projects. First, there’s a chapter for an upcoming book, and second, there’s the effort to make WFTPD and WFTPD Pro work on IPv6, since it’s enabled by default in Windows Vista and Windows Server 2008 [more on that in a future post].

A big argument to my mind, as an old-school Internet user, for enabling IPv6 is that every one of your hosts becomes a fully-fledged Internet participant, like it used to be with IPv4 back in the ’90s.

What do I mean by that?

I mean that every machine is reachable at its own address on every port that it chooses to open, rather than requiring someone to tinker with a NAT to open port mappings for specific applications.

IPv6 removes the need for a NAT at all.

Wow. To a security professional, that’s a shocking statement. It feels rather like saying that living in a tent removes the need for locks. How on earth do you protect your stuff without a NAT?

The answer is that a NAT was never intended to be a security device – it just happened, somewhat accidentally, that requiring address translation and port mapping to be statically configured created a security barrier.

Unfortunately, NATs also killed a lot of protocols that quote IP addresses inside their own traffic: H.323 for webcams, FTP for file transfers (particularly when secured), and IPsec.

To some extent this was fixed with ALGs – Application Layer Gateways – but never very satisfactorily (particularly in the case of secured FTP). What would be far better is to have a device that had the blocking advantages of a NAT, but didn’t require IP addresses and ports to be altered in transit.

There’s a name for such a device:

A firewall.

[Only if the firewall is configured by default to list all ports as “closed”. An open-by-default firewall is not a firewall, it’s a router.]

And a firewall is a far simpler program than a NAT (even if it’s in hardware, it’s the program’s simplicity that matters most). If it matches incoming traffic to ports that are opened, it allows that traffic in. If outgoing traffic occurs on a port that was closed, the firewall usually opens that port for the reverse traffic, so that clients on the inside of the firewall can get a response.

So, when the time comes that your network is required to transition to IPv6, don’t beg for an IPv6 NAT. I actually hope such a device doesn’t exist, and that nobody’s stupid enough to develop one. What you should insist on is an IPv6 firewall.

“But what about the problem that the layout of my network inside of the firewall will be revealed?” you might ask.

It won’t, because IPv6 addresses are sparsely allocated.

“How about machines that won’t ever need to be accessed by, or access out to, anything outside my company? What’s the IPv6 equivalent of an RFC 1918 address?”

No problem – there’s a standard for link-local and site-local (Unique Local Unicast, technically) addressing, which will never be routed outside of your site.
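The default-closed, stateful behaviour described above (inbound allowed only to deliberately opened ports, replies allowed for flows opened from inside) and the rule that link-local and ULA addresses never leave the site, as one added example that is not part of the original post. Everything in it is constructed: 2001:db8::/32 is the IPv6 documentation prefix, port 443 is a hypothetical policy, and replies are matched on the full address/port pair, which is stricter than the post’s “opens that port” wording.

```python
import ipaddress

# Constructed example, not code from the post: a default-closed IPv6 firewall
# that keeps state for flows opened from inside and refuses to forward
# site-only addresses (RFC 4193 ULA fc00::/7, RFC 4291 link-local fe80::/10).
SITE_ONLY = (ipaddress.ip_network("fc00::/7"), ipaddress.ip_network("fe80::/10"))


def norm(addr):
    """Canonical text form so 'FD00::1' and 'fd00::0001' compare equal."""
    return str(ipaddress.IPv6Address(addr))


def is_site_only(addr):
    """True for addresses that must never cross the site border."""
    a = ipaddress.IPv6Address(addr)
    return any(a in net for net in SITE_ONLY)


class StatefulFirewall:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)   # services deliberately exposed
        self.flows = set()                  # (in_addr, in_port, out_addr, out_port)

    def outbound(self, src, sport, dst, dport):
        """Packet from inside to outside: record the flow so replies can return."""
        if is_site_only(src) or is_site_only(dst):
            return "DROP"                    # ULA/link-local never leaves the site
        self.flows.add((norm(src), sport, norm(dst), dport))
        return "ALLOW"

    def inbound(self, src, sport, dst, dport):
        """Packet from outside to inside: closed by default."""
        if is_site_only(src) or is_site_only(dst):
            return "DROP"                    # spoofed or leaked site-only address
        if (norm(dst), dport, norm(src), sport) in self.flows:
            return "ALLOW"                   # reply to a flow opened from inside
        if dport in self.open_ports:
            return "ALLOW"                   # explicitly opened service
        return "DROP"                        # everything else stays closed


if __name__ == "__main__":
    fw = StatefulFirewall({443})
    # 2001:db8::/32 is the documentation prefix; the hosts below are constructed.
    print(fw.inbound("2001:db8:2::20", 40000, "2001:db8:1::10", 443))    # ALLOW
    print(fw.inbound("2001:db8:2::20", 40000, "2001:db8:1::10", 3389))   # DROP
    print(fw.outbound("2001:db8:1::10", 50000, "2001:db8:2::20", 80))    # ALLOW
    print(fw.inbound("2001:db8:2::20", 80, "2001:db8:1::10", 50000))     # ALLOW
```

No address or port is rewritten on the way through, which is exactly the property that lets FTP, H.323 and IPsec survive the border device.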

Any other reasons you’re clinging to the idea that a NAT is a security device?

Removing Apple Mobile Device Support

As mentioned before, I’m not a fan of Apple’s, particularly because they tend to impose crap on me that I’m not interested in having.


I’ve been trying to figure out how to remove iTunes, iPod and Apple Mobile Device Support on and off now for the past month, since it was accidentally installed while trying to update to the latest safe version of QuickTime (which has since been patched again, and is therefore no longer the safe version of QuickTime – another reason why I wanted to revert to my original state before this month’s update). I am, of course, using Windows Vista, so there’s a good chance that Apple’s technology hasn’t caught up with Vista.


iTunes and the iPod service seemed to go easily enough – Control Panel -> Programs and Features -> Select iTunes, and then press Uninstall.


I’m left, though, with the “Apple Mobile Device Support”, which is particularly insulting because I don’t have any Apple Mobile Devices, so there’s no reason why it should have ever installed in the first place.


Every time I tried to Uninstall, it would prompt me for elevation, and then apparently uninstall, although there’s no final dialog to say “Uninstalled – OK”.


But the icon and program name are still there in “Programs and Features”, and the service itself is still present.


I eventually spent a while watching the uninstall procedure, boring as it is to watch a progress bar that reads “11 seconds remaining” then “14 seconds remaining”, etc, as progress bars tend to do.


But then the progress bar does something magical – it goes backwards, and when it reaches zero, the uninstall program just quits.


Surprisingly enough, this is good news. It means that rather than the uninstall procedure hitting a random crash and bombing out, it detected an error.


Running EventVwr, I see:


Windows Installer removed the product. Product Name: Apple Mobile Device Support. Product Version: 1.1.2.23. Product Language: 1033. Removal success or error status: 1603.


Well, no, Windows Installer didn’t remove the product. To find out what error 1603 means, we can quickly run “net helpmsg 1603”, to find that it means:


C:\Program Files>net helpmsg 1603

Fatal error during installation.


Great. That, we already knew. So, it’s a generic failure message.


Searching around, I find first, that error 1603 occurs in so many other applications, and with so many causes, that it’s not going to help me much.


Apple’s support is no help – searching for “uninstall apple mobile device support” gives nothing helpful:




which is surprising since there is this page:


Removing iTunes, QuickTime, and other software components for Windows XP


Removing iTunes, QuickTime, and other software components for Windows Vista


I’m not sure I trust anything that tells me “run the uninstall program, and then go ahead and delete some of the directories it left around, but be careful not to delete other directories it left” – I’m paraphrasing here.


I’ll save Windows Installer logging for later, because quite by chance, I found out how to remove Apple Mobile Device Support from Windows Vista.


Instead of clicking “Uninstall”, click “Change”. You’re given the option to “Repair” or “Remove”.


Click “Remove”.


As counter-intuitive as it sounds, this appears to take you through a completely different uninstall procedure, which actually results in the removal of the Apple Mobile Device Support.


After all of this, of course, Apple’s Software Update once again pops up and begs me to update to QuickTime and iTunes + QuickTime.




And when iTunes + QuickTime is apparently a couple of versions ahead of QuickTime, and is selected by default, how many users are going to find themselves deceived into installing an unwanted iTunes?


Come on, Apple, an update takes existing software and advances it. Adding extra, unwanted, software isn’t part of the update. Stop offering iTunes + QuickTime as an “update” to QuickTime. Even if you think iTunes is a good thing, it’s not an “update”, it’s an “upgrade”, and should not be selected by default, nor should it be described as an update.


Update - Jesper Johansson has similar issues with Apple Mobile Device Support over at his blog. This time, he’s looking to remove an apparently broken version and install a working one.

Microsoft Support Switches to Live Search

Worst. Search. Ever.

In the spirit of the famous review of Spinal Tap’s album “Shark Sandwich”, I was tempted to post a two-word review, the first word of which is “Advanced”.

My three-word review, then – “Worst. Search. Ever”.

But, just in case you didn’t get the hint, here is the explanation:

How on earth is this an “Advanced Search”? Because I can tell it I want to limit my search to the KB, all of Microsoft, or all of the Internet? If those are the only options I care to use, I can go to Google.

I come to the support page – particularly the Advanced Search – so that I can select what product I’m looking for an answer on, and then type my search query. Sometimes, when I’m searching for an article I know I’ve seen before, I’ll search just in the title. Here’s how the site looked in June 2007, according to the Wayback Machine:

Wayback - way better

Microsoft, I know you want us all to use http://search.live.com, which seems to be a good search engine (though harder to type than google.com), but by associating the name with a substandard search on your support web site, I think you will have achieved the opposite effect.

I’d rather associate search.live.com with the fantastic http://maps.live.com – with 3d that really is 3d – or with Windows Live Writer, which provides me with an excellent blogging environment – or with Windows Live Messenger, which is useful if you can ignore the adverts.

In fact, there are many features of search.live.com to love – the image search, which presents an infinitely-scrollable plane of picture results, or the video search, with previews of the videos.

But don’t turn the utility of a support-friendly search into the futility of a flat search. When it comes down to it, and perhaps being a little hostile, I can Google Microsoft’s Knowledge Base just as easily from Google as I can from http://support.microsoft.com.

A specialised search location requires the use of specialised knowledge to make the search more … special. If you use a special tool or special interface to do that, you aren’t implying that your general search tool is bad.