
On 08/30/2018 11:31 AM, D. Hugh Redelmeier via talk wrote:
| From: James Knott via talk <talk@gtalug.org>
| On 08/30/2018 06:11 AM, o1bigtenor via talk wrote:
| > I have ping disabled directly on my router so none of the machines
| > behind it can be accessed from outside.
|
| How does disabling ping on a router prevent access to what's behind it?
| Ping has nothing to do with routing.
| 1) OP's question was asking about a solution without stating a real problem that needed solving. (See 2).
| People often do that and wind up creating problems trying to fix the one that doesn't exist.
| 2) almost everyone's LAN is behind NAT so pings from the outside world cannot even address LAN nodes. In other words, no problem exists.

Not anymore. In fact there have long been LANs that aren't behind NAT. Any network that has a lot of public servers would be one example. Also, back in the late 90s, when I was at IBM, on Steeles, the entire LAN had public addresses (mine was 9.29.146.147), as those networks were set up before NAT became necessary to get around the IPv4 address shortage.
Also, IPv6 is now being used by many and NAT is discouraged on it. This means that, for example, Rogers customers will have public IPv6 addresses. However, given that they have a minimum of 18.4 billion, billion addresses to choose from, they're a bit harder to find.
Many people do think that depending solely on a firewall for network security is a bad model. "Crunchy on the outside, soft on the inside." Every node should be hardened. But what are you going to do to harden your IoT devices (light bulbs, fridges, settop boxes, thermostats, watches, ....)?
Also, relying on NAT for security is a bad idea. It does nothing that a properly configured firewall can't do.
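As an added illustration of the two points made in this thread (disabling ping does not block access to LAN hosts, and a stateful firewall gives you everything NAT is credited with, also for a LAN with public IPv6 addresses), here is an nftables ruleset for a small router. It is not from anyone in the thread; the interface names eth0/eth1 are assumptions, and the rate-limit values are arbitrary. Inbound connections to LAN hosts are dropped by the forward chain's default policy, whether or not the router answers echo requests; the ICMPv6 types that are accepted are the ones IPv6 needs to function, so "block all ICMP" would break neighbour discovery and path MTU discovery on a public-addressed LAN.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a dual-stack router with no NAT on IPv6.
# Interface names are assumptions; adjust to your hardware.
flush ruleset

define wan = "eth0"
define lan = "eth1"

table inet filter {
    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        iif $lan accept
        # ICMPv6 the router needs to take part in IPv6 at all (NDP, RAs from
        # upstream, PMTUD). Dropping these is what "block ping" often does
        # by accident, and it breaks IPv6 connectivity.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big,
                      parameter-problem, time-exceeded } accept
        # Answer echo requests, rate-limited. Refusing them buys no
        # protection for the LAN; the forward chain below does that.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain forward {
        # Traffic passing through the router between LAN and WAN.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts may open connections outward; replies return via
        # the established/related rule above.
        iif $lan oif $wan accept
        # Error signalling that hosts with public addresses need end-to-end.
        iif $wan oif $lan icmpv6 type { packet-too-big, time-exceeded,
                                         parameter-problem,
                                         destination-unreachable } accept
        # Anything else arriving from the WAN for a LAN host, including
        # unsolicited echo requests and TCP SYNs, hits the drop policy.
        # This is the behaviour NAT is usually given credit for, provided
        # by connection tracking alone, with no address translation.
    }
}
```

Load it with `nft -f <file>` and check the counters with `nft list ruleset` after a ping from outside: the echo request to the router's own address is answered (rate-limited), while one aimed at a LAN host never leaves the forward chain.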