undefined | Better HN

0 pointslelag4y ago0 comments

It is also a massive security liability as any vulnerable software running on the Switch could be used to compromise the console remotely and by extension compromise your home network since your Switch is likely connected directly on it.

0 comments

AshamedCaptain4y ago

No, it is not. NAT is not a firewall; its goal is to let traffic through, not prevent it. The fact that it sometimes happens to behave like a firewall is very dangerous since it leads people into a false sense of security.

I have early 2000s routers that would basically forward all UDP traffic from $IP to the last computer that had sent any traffic to $IP. This did wonders for most games, but you were in for a nasty surprise if you were relying on NAT to protect your fragile Win9x network...

lelagOP4y ago

If you follow Nintendo steps, what happens is that anybody will hit your Switch directly if they connect to any port on your public IP. If some services on the Switch are running and listening on the Switch public interface, they will answer. If one of the those service has a security vulnerability, you are in trouble. You just don't want to expose your entertainment devices to the whole world like this.

This setup could make some sense for a DMZ but not a gaming console connected to your local lan.

AshamedCaptain4y ago

This is exactly why I say that NAT gives a false sense of security.

The point is that even without manual port forwarding your Switch is _already_ exposed to the public internet. You can't assume that NAT is going to forever hide your device from the public internet because the role of NAT is to pass traffic, not prevent it. The example I mentioned is to show that NAT's heuristics may end up exposing your device anyway, manual port forwarding or not. So if you really run a device with vulnerable services, you either add a real firewall or disable NAT.

If the Switch had any vulnerable ports, they were exposed already long ago. Not to mention: IPv6 networks, public Wi-Fi hotspots, etc.

1 more reply

syshum4y ago

Security is an Onion, built on layers.

Should NAT be the only layer, no. But I absolutely can be a layer, just like obfuscation can be a layer.

for example Changing ssh port from 22 to something else is not "security" per say, but it can prevent drive buys and general non-targeted events.

Ekaros4y ago

Also it would be really nice bot network...

donkarma4y ago

consoles are one of the most secure systems due to the fact they're alwyas unnder attack for ajilbreak

j / k navigate · click thread line to collapse

0 comments

AshamedCaptain4y ago

lelagOP4y ago

This setup could make some sense for a DMZ but not a gaming console connected to your local lan.

AshamedCaptain4y ago

This is exactly why I say that NAT gives a false sense of security.

If the Switch had any vulnerable ports, they were exposed already long ago. Not to mention: IPv6 networks, public Wi-Fi hotspots, etc.

1 more reply

syshum4y ago

Security is an Onion, built on layers.

Should NAT be the only layer, no. But I absolutely can be a layer, just like obfuscation can be a layer.

for example Changing ssh port from 22 to something else is not "security" per say, but it can prevent drive buys and general non-targeted events.

Ekaros4y ago

Also it would be really nice bot network...

donkarma4y ago

consoles are one of the most secure systems due to the fact they're alwyas unnder attack for ajilbreak

j / k navigate · click thread line to collapse