Re: [Elecraft] K4 Ethernet interface
Dave,

I agree fully. By today's standards, the NAT-firewall is no longer much of a shield. I also agree that IPv4 is also not something to build on for the future, stepping up to IPv6 is the way to go. One has to be prepared for it since the transition is occurring now at a higher speed. Getting hold of IPv4 addresses is increasingly hard.

It's worth noting that rolling one's own security scheme is very hard, cryptos even more so. It's highly encouraged to "go with the flow" and use at least one of the stock solutions that is developing with the challenges. I just expect that the K4 development will do so very soon after getting most of the basic things out of the way. Using a Linux platform is a great way to do it, there will be plenty of tools there, so it is down to use them wisely.

Cheers,
Magnus

On 2022-02-09 16:49, David Herring wrote:
> Victor,
>
> To answer your question directly, no, NAT does not provide adequate security ... for anything. The best NAT can do is provide obfuscation, or “security by obscurity” which has been proven beyond the shadow of any doubt to be no security whatsoever. It just hides information that can be gotten through other means. NAT is strictly for IPv4 and is thus unable to protect IPv6 hosts in any way, unable to defend against man in the middle attacks, injections into existing connections, port scanning attacks, internal willing host attacks… I dunno I could probably go on but maybe you get the idea. It seems that all attacks assume there is a NAT component somewhere in the chain and are well prepared to defeat it as a matter of course. And they can in very short order.
>
> All NAT really accomplishes is it gives us the means to have way more IPv4 machines than we have address space for. It’s not security of any sort. I don’t think it ever was. If you are relying solely upon NAT to protect your home network, that you have not already been hacked is just a matter of luck.
>
> I run a commercial quality firewall on my network (thanks to almost 40 years of working in IT) and I get scanned, probed and prodded all the time. Nearly all of them would have defeated a NAT without firewall in a matter of seconds.
>
> Now, if you have a firewall along with your NAT device, and my experience is that many modern ISP devices do both firewall and NAT together, then as long as you have not opened up ports or disabled firewall rules, then you are probably OK. But the key point here is that you have a firewall. Security is really outside of NAT’s wheelhouse.
>
> 73,
> Dave - N5DCH
>
> On Feb 9, 2022, at 1:29 AM, Victor Rosenthal 4X6GP wrote:
>> Most home routers have NAT (network address translation). Does this provide adequate security for this application?
>> If not, why not? Serious question, not a challenge!
>>
>> 73,
>> Victor, 4X6GP
>> Rehovot, Israel
>> CWops #5
>> Formerly K2VCO
>> https://www.qsl.net/k2vco/
>> .
>> On 09/02/2022 10:00, Henk Remijn PA5KT via Elecraft wrote:
>>> The K4 is accessible through telnet on port 9200.
>>> No security.
>>> It is always a good idea to have security but I would prefer to have the telnet without security and put the security in the network.
>>> Make sure you have a good firewall between the internet and your radio equipment. Don't trust your internet provider. Always put a firewall between your internet provider firewall/router and your home network.
>>>
>>> 73 Henk PA5KT

__
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:Elecraft@mailman.qth.net
This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Message delivered to david.n5...@gmail.com
Re: [Elecraft] K4 Ethernet interface
Victor,

To answer your question directly, no, NAT does not provide adequate security ... for anything. The best NAT can do is provide obfuscation, or “security by obscurity” which has been proven beyond the shadow of any doubt to be no security whatsoever. It just hides information that can be gotten through other means. NAT is strictly for IPv4 and is thus unable to protect IPv6 hosts in any way, unable to defend against man in the middle attacks, injections into existing connections, port scanning attacks, internal willing host attacks… I dunno I could probably go on but maybe you get the idea. It seems that all attacks assume there is a NAT component somewhere in the chain and are well prepared to defeat it as a matter of course. And they can in very short order.

All NAT really accomplishes is it gives us the means to have way more IPv4 machines than we have address space for. It’s not security of any sort. I don’t think it ever was. If you are relying solely upon NAT to protect your home network, that you have not already been hacked is just a matter of luck.

I run a commercial quality firewall on my network (thanks to almost 40 years of working in IT) and I get scanned, probed and prodded all the time. Nearly all of them would have defeated a NAT without firewall in a matter of seconds.

Now, if you have a firewall along with your NAT device, and my experience is that many modern ISP devices do both firewall and NAT together, then as long as you have not opened up ports or disabled firewall rules, then you are probably OK. But the key point here is that you have a firewall. Security is really outside of NAT’s wheelhouse.

73,
Dave - N5DCH

> On Feb 9, 2022, at 1:29 AM, Victor Rosenthal 4X6GP wrote:
>
> Most home routers have NAT (network address translation). Does this provide adequate security for this application?
> If not, why not? Serious question, not a challenge!
>
> 73,
> Victor, 4X6GP
> Rehovot, Israel
> CWops #5
> Formerly K2VCO
> https://www.qsl.net/k2vco/
> .
> On 09/02/2022 10:00, Henk Remijn PA5KT via Elecraft wrote:
>> The K4 is accessible through telnet on port 9200.
>> No security.
>> It is always a good idea to have security but I would prefer to have the telnet without security and put the security in the network.
>> Make sure you have a good firewall between the internet and your radio equipment. Don't trust your internet provider. Always put a firewall between your internet provider firewall/router and your home network.
>>
>> 73 Henk PA5KT
Re: [Elecraft] K4 Ethernet interface
If you run locally, fine for now. However, if you aim to run remote it will not suffice. Also, today we have to think more about security in depth, so one has to consider if one machine is breached, then the others will be wide open if you overly consider the local net as safe. Therefore to a higher degree will real security be needed even for only operating on the local net. To put it bluntly, it's bad enough that they take one of your machines, but all of them? This realization means that NAT does not provide much protection these days, and VPNs between NAT regions are not really helping.

Trouble is that I aim to also operate my K4 for remote operation over the network. I want to make sure that we do it on a sufficiently future-proof path, and SSH/TLS/DTLS is the low hanging fruit to get pretty much directly up to speed on some of the basic stuff. It's off the shelf and well established.

I did a port-scan, and there were quite a bit of open ports there. What they do remains undocumented. Being able to turn them off to reduce attack surface would be appreciated.

Seems my little side-comment blew up as a separate topic.

Cheers,
Magnus

On 2022-02-09 09:29, Victor Rosenthal 4X6GP wrote:
> Most home routers have NAT (network address translation). Does this provide adequate security for this application?
> If not, why not? Serious question, not a challenge!
>
> 73,
> Victor, 4X6GP
> Rehovot, Israel
> CWops #5
> Formerly K2VCO
> https://www.qsl.net/k2vco/
> .
> On 09/02/2022 10:00, Henk Remijn PA5KT via Elecraft wrote:
>> The K4 is accessible through telnet on port 9200.
>> No security.
>> It is always a good idea to have security but I would prefer to have the telnet without security and put the security in the network.
>> Make sure you have a good firewall between the internet and your radio equipment. Don't trust your internet provider. Always put a firewall between your internet provider firewall/router and your home network.
>>
>> 73 Henk PA5KT
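The firewall-rather-than-NAT point from Dave's message and the "one breached machine" point from Magnus's, written out as an nftables ruleset for a Linux router. This is an added example, not part of the thread; the interface names, addresses and VPN port are assumptions, and only port 9200 comes from the discussion.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 = ISP side, lan0 = home LAN,
# radio0 = segment holding the K4, wg0 = VPN used for remote operation.
# All addresses below are constructed sample values.
flush ruleset

define K4_V4 = 192.168.50.20
define K4_V6 = fd00:50::20
define K4_CTRL = 9200          # plaintext control port named in the thread

table inet filter {            # "inet" applies one policy to IPv4 and IPv6
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept   # includes neighbour discovery
        iifname "lan0" tcp dport 22 accept        # router admin from LAN only
        iifname "wan0" udp dport 51820 accept     # VPN endpoint (assumed port)
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Control port: reachable from the LAN or the VPN, never from wan0.
        iifname { "lan0", "wg0" } oifname "radio0" ip daddr $K4_V4 tcp dport $K4_CTRL accept
        iifname { "lan0", "wg0" } oifname "radio0" ip6 daddr $K4_V6 tcp dport $K4_CTRL accept

        # LAN hosts may reach the internet. Nothing lets radio0 open a
        # connection towards lan0, so a breached box on either side does
        # not get the whole network, and undocumented ports stay unreachable.
        iifname "lan0" oifname "wan0" accept

        limit rate 10/minute log prefix "fwd-drop: "
    }
}

table ip nat {                 # address sharing only; not a security control
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Removing the `ip nat` table changes nothing about what is reachable from outside; the default-drop `forward` chain is what does the filtering, for both address families.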
Re: [Elecraft] K4 Ethernet interface
I will test port 9200 then.

Security on the network does not work very well at all, and telnet is no longer installed as it is a security issue to use it. The tradition of opening ports through firewall/NAT will leave a port open with no security. For that SSH or TLS is the way to go these days. It's just the way Internet security works these days, and we have to follow suit.

One could argue that a VPN would be a solution, but then real time performance may or may not perform well rather than having control over that oneself to make sure the implementation works well.

Cheers,
Magnus

On 2022-02-09 09:00, Henk Remijn PA5KT via Elecraft wrote:
> The K4 is accessible through telnet on port 9200.
> No security.
> It is always a good idea to have security but I would prefer to have the telnet without security and put the security in the network.
> Make sure you have a good firewall between the internet and your radio equipment. Don't trust your internet provider. Always put a firewall between your internet provider firewall/router and your home network.
>
> 73 Henk PA5KT
>
> On 8-2-2022 at 21:03, Magnus Danielson via Elecraft wrote:
>> Dear all,
>>
>> I have tried to look at the K4 Programmers manual, and it remains fuzzy on how one should connect to the K4 on the Ethernet port. All the commands are wonderful to have, and that part is nicely documented. I understand that the real time streaming parts are not done yet, but just being able to do the normal commands would be a step in the right direction.
>>
>> I do hope that there is fair security of SSH/TLS level, as we run this over network. For real-time streaming, look at RIST.
>>
>> Cheers & 73,
>> Magnus SA0MAD
Re: [Elecraft] K4 Ethernet interface
Most home routers have NAT (network address translation). Does this provide adequate security for this application?
If not, why not? Serious question, not a challenge!

73,
Victor, 4X6GP
Rehovot, Israel
CWops #5
Formerly K2VCO
https://www.qsl.net/k2vco/
.
On 09/02/2022 10:00, Henk Remijn PA5KT via Elecraft wrote:
> The K4 is accessible through telnet on port 9200.
> No security.
> It is always a good idea to have security but I would prefer to have the telnet without security and put the security in the network.
> Make sure you have a good firewall between the internet and your radio equipment. Don't trust your internet provider. Always put a firewall between your internet provider firewall/router and your home network.
>
> 73 Henk PA5KT
Re: [Elecraft] K4 Ethernet interface
The K4 is accessible through telnet on port 9200.
No security.
It is always a good idea to have security but I would prefer to have the telnet without security and put the security in the network.
Make sure you have a good firewall between the internet and your radio equipment. Don't trust your internet provider. Always put a firewall between your internet provider firewall/router and your home network.

73 Henk PA5KT

On 8-2-2022 at 21:03, Magnus Danielson via Elecraft wrote:
> Dear all,
>
> I have tried to look at the K4 Programmers manual, and it remains fuzzy on how one should connect to the K4 on the Ethernet port. All the commands are wonderful to have, and that part is nicely documented. I understand that the real time streaming parts are not done yet, but just being able to do the normal commands would be a step in the right direction.
>
> I do hope that there is fair security of SSH/TLS level, as we run this over network. For real-time streaming, look at RIST.
>
> Cheers & 73,
> Magnus SA0MAD