Why a secure cloud service is an important consideration...

Newb73
Valuable Member
Joined: Aug 19, 2012 | Messages: 1,281 | Reaction score: 1,004 | Location: Southeast
You guys are making this way more complicated than it really is. Most of this stuff is taught in high school now and anybody 50 or under knows how to use Google and YouTube to do any of this with ease. That said, I do believe Fusion is easier to use; however, that doesn't make it any more secure and may well make it less so by putting all of your eggs in one basket.

YouTube doesn't actually work unless you are using the EXACT model with the exact same settings with the exact same circumstances etc.

You can go on YouTube and wind up with some major failures... but why use something complicated as an example? Let's use something simple: try taking an MP40QD apart using the exact instructions you get on a quick YouTube search, and let me know what happens.
 

brtech
New Member
Joined: Aug 22, 2017 | Messages: 11 | Reaction score: 13
I take it that's a "no", right? Maybe you should STRONGLY consider fixing that before someone hacks it. It's like totally unprotected. Any decent hacker can impersonate the cloud server to the Apex, or the Apex to the cloud service. Passwords are useless these days, especially with the kinds of users you have to work with. The Apex could have a real cert. The cloud server certainly must. Use elliptic curves. Fast, small, secure. There are several decent open source TLS stacks around.

Remember, you started this thread on a "Secure Cloud Service". Without TLS on the Apex, you can't say that, at all. You can maybe say "more secure than some other cloud services", but not "secure". Not for at least the last 5 years. If it's HTTP, and not HTTPS, then you have roughly no security, because everything else you are doing can be gotten around way too easily. At least the user side appears to have decent security (GoDaddy Cert, good crypto).
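The impersonation brtech describes is prevented only if the client actually checks the certificate it is shown. As an added example (not Neptune's code and not code from this thread), the Go program below builds a trusted CA and a server certificate with ECDSA P-256 keys, then runs the client-side check that crypto/tls performs when tls.Config.RootCAs is set: a genuine certificate for the dialed name passes, the same certificate checked against a different name fails, and a certificate for the right name issued by an untrusted CA (an impostor) fails. The host name "fusion.example" and both CA names are constructed for the example, and the trust anchor shipped with the client is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: key generation and certificate creation only
// fail on a broken random source, which a demo cannot recover from anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCA builds a self-signed ECDSA P-256 root. It stands in for the trust
// anchor a controller would ship with (an assumption made for the example).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueServerCert has a CA sign a leaf certificate for host, as a public CA
// would for the cloud server (or for the controller, if it had a real cert).
func issueServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// verifyServer is the check a TLS client makes on the certificate it is shown:
// it must chain to a root the client trusts AND be valid for the name dialed.
// crypto/tls performs this check when tls.Config.RootCAs is set and
// InsecureSkipVerify is left false; a nil error means the server is accepted.
func verifyServer(presented, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome records which presented certificates the client accepted.
type Outcome struct {
	Genuine   bool // genuine server cert, the name we dialed
	WrongHost bool // genuine server cert, but we dialed a different name
	Impostor  bool // cert for the right name, signed by a CA we do not trust
}

// Scenario builds a trusted CA, a genuine server certificate and an impostor's
// certificate (from a root anyone can create) and runs the client check on
// each. Host and CA names are constructed for the example.
func Scenario() Outcome {
	const host = "fusion.example"
	ca, caKey := makeCA("Example Trusted Root")
	server := issueServerCert(host, ca, caKey)
	rogueCA, rogueKey := makeCA("Rogue Root")
	impostor := issueServerCert(host, rogueCA, rogueKey)
	return Outcome{
		Genuine:   verifyServer(server, ca, host) == nil,
		WrongHost: verifyServer(server, ca, "other.example") == nil,
		Impostor:  verifyServer(impostor, ca, host) == nil,
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine=%v wrongHost=%v impostor=%v\n", o.Genuine, o.WrongHost, o.Impostor)
}
```

The impostor case is the one that matters for a controller: without a pinned root or a real CA-issued certificate, nothing distinguishes "Rogue Root" from the genuine one, and a client that skips the check (or is configured with InsecureSkipVerify) accepts both. The same check runs in the other direction when the server is given a client CA and asks the controller for its own certificate.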
 

pandimus
New Member
Joined: Dec 21, 2013 | Messages: 22 | Reaction score: 5
IF anyone cared enough to attempt to kill your fish with your Apex, Fusion is hardly a deterrent. You can still access the Apex locally. So if they gained access to your network (which is what they would have to do before Fusion), they could still Nmap your network and do malicious stuff to everything on your network. I just did a quick test and typed in my password 5 times into Fusion. Is there even a lockout threshold? After 5 tries, my account still did not lock. With the way people create passwords, I suspect you can brute force or dictionary attack the accounts (if someone cared enough). Just saying. With the ease of being able to program them, I suspect you could even put a script in to make these controllers be part of a DDoS attack. But you are correct. Fusion is much easier from a customer service point of view.
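pandimus's five-attempt test above is a check for a lockout threshold. As an added example (not Neptune's or Fusion's code), here is a Go login handler with the policy that test found missing: five consecutive failures lock the account for fifteen minutes, the correct password is refused while the lock holds, a success resets the counter, and an unknown username gets the same answer as a wrong password. The in-memory user store, the bare SHA-256 hashing and the injectable clock are all constructed for the example; a real service would use a slow salted hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

const (
	maxFailures   = 5                // wrong guesses allowed before a lockout
	lockoutPeriod = 15 * time.Minute // how long the account stays locked
)

// Result is the outcome of one login attempt.
type Result string

const (
	OK          Result = "ok"
	BadPassword Result = "bad password"
	Locked      Result = "locked"
)

// account holds the password hash and the lockout state. Bare SHA-256 keeps
// the example self-contained; production code uses bcrypt, scrypt or Argon2.
type account struct {
	hash        [32]byte
	failures    int
	lockedUntil time.Time
}

// Authenticator is a constructed in-memory user store with a lockout policy.
// The clock is injectable so the lockout window can be tested without waiting.
type Authenticator struct {
	accounts map[string]*account
	now      func() time.Time
}

func NewAuthenticator(now func() time.Time) *Authenticator {
	return &Authenticator{accounts: map[string]*account{}, now: now}
}

// Register stores a user with the given password.
func (a *Authenticator) Register(user, password string) {
	a.accounts[user] = &account{hash: sha256.Sum256([]byte(password))}
}

// Login checks the password and enforces the threshold: the fifth consecutive
// failure locks the account, and while locked even the correct password is
// refused. A successful login resets the failure counter.
func (a *Authenticator) Login(user, password string) Result {
	acc, ok := a.accounts[user]
	if !ok {
		// Unknown user: answer exactly like a wrong password so the response
		// does not reveal which usernames exist.
		return BadPassword
	}
	now := a.now()
	if now.Before(acc.lockedUntil) {
		return Locked
	}
	guess := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(guess[:], acc.hash[:]) == 1 {
		acc.failures = 0
		return OK
	}
	acc.failures++
	if acc.failures >= maxFailures {
		acc.failures = 0
		acc.lockedUntil = now.Add(lockoutPeriod)
		return Locked
	}
	return BadPassword
}

func main() {
	auth := NewAuthenticator(time.Now)
	auth.Register("reefer", "correct-horse-battery")
	for i := 0; i < 6; i++ {
		fmt.Println("guess", i+1, "->", auth.Login("reefer", "password123"))
	}
	fmt.Println("correct password while locked ->", auth.Login("reefer", "correct-horse-battery"))
}
```

A fixed lockout is the simplest form of this control. Services with many users usually prefer a rate limit per source address or a rising delay between attempts, since a hard lock lets anyone who knows a username keep its owner out by guessing wrong five times. Either way, the point of pandimus's test stands: some throttle should exist, and the fifth wrong guess should not look exactly like the first.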
 

Newb73
Valuable Member
Joined: Aug 19, 2012 | Messages: 1,281 | Reaction score: 1,004 | Location: Southeast
> IF anyone cared enough to attempt to kill your fish with your Apex, Fusion is hardly a deterrent. You can still access the Apex locally. So if they gained access to your network (which is what they would have to do before Fusion), they could still Nmap your network and do malicious stuff to everything on your network. I just did a quick test and typed in my password 5 times into Fusion. Is there even a lockout threshold? After 5 tries, my account still did not lock. With the way people create passwords, I suspect you can brute force or dictionary attack the accounts (if someone cared enough). Just saying. With the ease of being able to program them, I suspect you could even put a script in to make these controllers be part of a DDoS attack. But you are correct. Fusion is much easier from a customer service point of view.
Okay, I'll play.

Remember when I said it's still the reefer's responsibility?

Most you could do with mine is put 300cc of alk into a 265g system and turn the heaters off and pumps on or off.

About that...

I actually drain most of the alk and physically unplug the Hydras if I'm going to be gone.

The Kessils run on a local spectral controller and I have one pump that's straight plugged in, which will run even if they tried to kill all circulation.

The temps might drop, but ambient temps wouldn't be low enough to kill the tank.

The heater has a separate controller between itself and the EB8, and it will not allow it to overheat.

I also run a Tunze which has a separate controller to keep the ATO from dumping... it just flat won't do it... (And the stand is waterproofed into a 25g bathtub anyway, with no electrics inside.)

The DOS, even if turned on, won't run more than 5 min at 25ml/hr before it times out, and the Wavs won't let themselves overheat as they have internal monitoring.

When leaving I turn the skimmer's standpipe to run the skimmer at a very low level, but you aren't going to flood the locker... it produces no skim anyway.

You could lock the ozone on, but it's undersized and even when on turbo for a few days, it can't overdose the tank. Plus if the skimmer is off it pulls no air anyway.

Worst case scenario they turn everything off and my tank runs on one pump, Kessils only and no heater. You can't over-light or overheat it.
 

pandimus
New Member
Joined: Dec 21, 2013 | Messages: 22 | Reaction score: 5
> Okay, I'll play.
>
> Remember when I said it's still the reefer's responsibility?
>
> Most you could do with mine is put 300cc of alk into a 265g system and turn the heaters off and pumps on or off.
>
> About that...
>
> I actually drain most of the alk and physically unplug the Hydras if I'm going to be gone.
>
> The Kessils run on a local spectral controller and I have one pump that's straight plugged in, which will run even if they tried to kill all circulation.
>
> The temps might drop, but ambient temps wouldn't be low enough to kill the tank.
>
> The heater has a separate controller between itself and the EB8, and it will not allow it to overheat.
>
> I also run a Tunze which has a separate controller to keep the ATO from dumping... it just flat won't do it... (And the stand is waterproofed into a 25g bathtub anyway, with no electrics inside.)
>
> The DOS, even if turned on, won't run more than 5 min at 25ml/hr before it times out, and the Wavs won't let themselves overheat as they have internal monitoring.
>
> When leaving I turn the skimmer's standpipe to run the skimmer at a very low level, but you aren't going to flood the locker... it produces no skim anyway.
>
> You could lock the ozone on, but it's undersized and even when on turbo for a few days, it can't overdose the tank. Plus if the skimmer is off it pulls no air anyway.
>
> Worst case scenario they turn everything off and my tank runs on one pump, Kessils only and no heater. You can't over-light or overheat it.
Dang... you're paranoid...
 

Newb73
Valuable Member
Joined: Aug 19, 2012 | Messages: 1,281 | Reaction score: 1,004 | Location: Southeast
> Dang... you're paranoid...
You don't know the half of it.

There are a few items which I intentionally mislabeled as something like "doorlight" or "nonused" and then hid in the locked panel.

I then created 40 or 50 virtual outlets and named them all really important sounding things and buried the few items I don't want messed with among the 40 or 50 fakes... in the hidden panel.

I also have 24/7 live video from a different system, both on the display and inside the stand.

I also just recently upgraded to a router that auto-updates and am using more complex passwords.
 
Last edited:

2Wheelsonly
Valuable Member
Joined: Feb 22, 2017 | Messages: 1,449 | Reaction score: 2,019 | Location: Indiana
> Now I am not an expert on network security by any means, but I do take issue with some of the statements made here, although I am glad that you said 'we feel' as that seems a pretty accurate way to characterise the information presented.
>
> Port forwarding is not hard; it is one simple setting in the home router that anyone of any level of 'expertise' can set up.
>
> I think computer security can be described as being based upon trust. If one allows access to port 80 on our networks to a device (the controller), one has to trust that our router is secure and up to date (but we have to trust that anyway or none of this matters) and we have to trust that the device (the controller) is secure from being exploited. So for this setup we have to have one extra level of trust to believe our home network is secure. Not only that, but an aquarium controller on someone's home network is a tiny target (unless you are some high ranking government official or something).
>
> In contrast, a corporation is quite a large and complex target of much more interest to your 'average' hacker and has many levels of trust involved: we have to trust that a controller manufacturer has perfect network security, that all of the many devices on its network are up to date and secure, we have to trust that all employees that have access to this network follow security protocols perfectly and use complex passwords. We then have to trust that this cloud service is actually secure (which leads to a whole new string of trust issues that I won't repeat) and that every employee of the controller manufacturer that has access to the cloud services follows security protocols perfectly. And then we have to trust that the software made by the controller manufacturer to enable all this is secure.
>
> As anyone that reads the news will know, the best security companies, the biggest corporations, and important individuals with good reasons to take computer security seriously find it very hard to actually keep their networks secure; 'all' of these types of targets are breached at a staggering rate by hackers.
>
> Because of this I think it would be naive to think that a 'random' controller manufacturer in the aquarium industry is able to say that it has 'perfect' security on its network and can make the statement that it is safer to trust their security, with all those levels of trust issues, when compared to a simple home network with port forwarding for a single port to a single device.
>
> I don't want to start an argument; I just felt it was warranted that some balance was provided to the statement made by a sales/marketing executive, as I think it is fair to think that they are unlikely to also be experts on network security (although I could be wrong with that assumption).

As someone who works as a principal security architect for a global Fortune 5, I'd say I disagree with several of your statements. :)

1: Port forwarding itself isn't hard, but the process takes work and knowledge. You have to ensure you have a static address; people often overlook the fact that most internet providers give best-effort "sticky" IP addresses. It will change, and the moment it does you can't access your tank. It will probably happen at the worst time too; I buy a controller to save my investment. A few years ago I was on vacation and my kalk pump for some reason turned on and started pumping thick kalk paste into the tank; I got an alert that my pH jumped to 8.35 and I was able to shut it off within 30 seconds, avoiding disaster.

Also, the modern trend of mesh Wi-Fi systems doesn't even give the option of allowing it, and they are taking a stance against allowing the user that level of control.

2: Port forwarding allows access into your network from an untrusted interface to a trusted interface; cloud-based, as the "salesman" mentioned, forces all communication from the trusted side and the trusted side only. Tell a PCI/HIPAA/SOX auditor you're allowing port forwarding on a network and see what happens; the report won't look pretty. There also isn't SSL when connecting to the system internally, and asking home users to deploy PKI isn't going to happen. IF I wanted to get into someone's network I'm going to scan their system; what if I'm able to exploit the port forwarding to the Apex to capture a password? What if the user uses that password for Amazon Wallet? Google Wallet? PayPal? Coinbase or anything else financially related? Do you think a would-be hacker wouldn't want to target someone who's posted a nice build thread showing off their very big house and very expensive tank?

When I was a security consultant I'd be hired to break into locked accounts that were either taken maliciously or for legal/evidence reasons. You'd be amazed how quickly you can find out about someone once you do the research; I remember breaking into a bank manager's financial data by hacking into his son's Counter-Strike server he was running on their home network. Obviously there was a lot more to it, but I was able to get into his network and learn information where I could eventually piece together and obtain his password.

Network security in 2017 is more about managing risk than prevention; by moving to a cloud-based solution you're taking the risk out of the home user and moving it to a managed data center. If anything, I feel Neptune Systems should allow the user an option for multi-factor authentication like most consumer-grade cloud services; that's where I feel they are lacking.

A lot of modern business networks today keep only the most important crown jewels in their own data centers and silo other systems into individual clouds or virtual remote networks. Very few companies expose their gear from the outside; IF they do, they have very expensive equipment to help secure it. These consumer-grade home routers don't perform proper deep packet inspection.

Lastly, I think you're a bit unfair towards the "sales guy" :) I can assure you he's not going commando but rather acting as a messenger relaying information given to him by a technical sales engineer or such. Remember, companies that sell products need to sell to the lowest common denominator, and if one person struggles to gain access from the outside the product will take on negative reviews, which is death for a company that doesn't have a strong storefront presence.

Also, take a quick peek at a Google search for portforward +neptune apex and you will see it's not as easy for the common user! I just now saw one post where a guy was like "heck with it" and put his actual PC in a DMZ exposing all ports before someone told him that he needs to forward just the required ports to his Apex and NOT his PC.

Sorry, couldn't let this post go! :)
 
Last edited:

Stephen Olner
Community Member
Joined: Jun 10, 2017 | Messages: 43 | Reaction score: 51 | Location: Bartlesville, Oklahoma
I am a software architect and work for a Fortune 500 company. I deal with AWS and Azure on a daily basis. Initially the post kind of ticked me off, but when I re-read it, I had to agree in terms of the controller talking to the web service via an HTTPS protocol (one would hope it's HTTPS) being more secure than the web service talking directly to the controller.

But even in terms of port forwarding, the inbound service is limited to the device (the IP address it is being pointed to). In this case one would hope that whoever developed it has secured their protocol for communication, including against injection attacks. The problem comes about when the IP address is something that can issue commands back over a network and can supply a command prompt, or allows the device to have a sketch installed over Ethernet. So a PC would be far easier, or even a Raspberry Pi as it can have Linux or Windows IoT installed on it to then hack, as opposed to say an Arduino.

Personally I think Apex should open up their API and HTTP protocol for other manufacturers to be able to communicate with the Fusion service. As an end user I'd pay for a subscription to the Fusion service, but only if I had the choice of controller and devices that I could connect to it.
 

Ditto
Valuable Member
Joined: Apr 25, 2017 | Messages: 2,229 | Reaction score: 2,970 | Location: Albany, NY
I do agree with some of the above responses that this strangely appeared after a competitor released an app.

I have used the original Apex controller app, the Apex Fusion app (which seems to be a mobile version of the Apex Fusion website; not sure if that's called an app or pointing to a mobile web page) and now the GHL app.

The posts on port forwarding are 100% correct which state it is not easy to set up by the average user, may create security issues on your home network, and unless you're going to set up a DMZ for your aquarium controller you're exposing your other devices to be potentially compromised. Hackers use large port scans on the internet to find open networks and ports. Maybe not today or tomorrow, but a port scan will happen and they will see the connection; it does not matter if it is 80, 53, 110 or 10,0001. Mirror an internet connection and run a sniffer and you will be surprised what you will see.

But what bothered me is both Apex and GHL offer a cloud service, so why was the post needed? The cloud service is what we are instructed to use off network. Both I believe are secure, but without a security scan, web inspect of the device's HTML hosted pages, and a deep security scan by an independent security company, how do we truly know?

I may be typing out of line, but I also believe the GHL app was built to control the device on network and was not being pushed as an off-network solution to control our devices, but like all us reef savvy people we always do more with anything we are exposed to.

I do not port forward; could I? With ease. I VPN into my home network and launch the app. The same way I did with the original Apex Gold app when it was released, and now the GHL app today. I can access the Apex 2016 directly also, or the myGHL application running on my desktop.

Cloud services are great when they work, and having multiple ways to access our devices is what all reefers want. Like myself and other reefers, we improvise, evaluate the risk vs. the reward and move ahead.

Port forward only if you know how to and fully comprehend the risk. If you want a truly secure connection to your device off network, then in my opinion VPN into your home network is the best option.

Throwing a rock in a glass house can hurt also, especially when the original Apex app had the same issues; there was no way to access the Apex device locally off network when the cloud was down unless some network savviness was used.

In closing, secure cloud services to control your aquarium controllers from remote locations are a great service and should be considered by reefers when selecting what controller they wish to use, but should not be relied on as the only way to control your device remotely. Like everything we reefers do, having redundant ways to communicate with your device is a good idea when remote.
 
Terence (OP)
Valuable Member
Joined: Mar 14, 2010 | Messages: 1,838 | Reaction score: 3,482 | Location: Gilroy, CA
I appreciate your post, Ditto. To your point, the Apex Classic or even the new Apex accessed using port forwarding is not the best method, and accessing it in this manner would present the exact problems stated above. That is why we now discourage it in favor of using Apex Fusion or, if one prefers, the local web server UI when at home, whether by preference or because the internet may not be available, either temporarily or permanently.

Redundancy is key. That is why we made the Apex its own web server and have the local network version of the same Apex Fusion interface that can be accessed from nearly any device type (Mac, PC, Android, Linux, iPhone, iPad) simply through a browser.
 

brtech
New Member
Joined: Aug 22, 2017 | Messages: 11 | Reaction score: 13
Apparently, the protocol between the controller and the web service is NOT protected with TLS.

> "In this case one would hope that whoever developed it has secured their protocol for communication."

Terence hasn't said definitively, but apparently it is not secure (in terms of authentication, privacy and integrity protection).

There is a saying I am fond of repeating: there is no security in obscurity.

That means that you get roughly no security by keeping details secret, trivially obscuring data, using odd ports, etc. You get security with proper crypto, proper defensive code (against buffer overflows, injection, ...) and proper reviews of your architecture and code.
 

reefwiser
LMAS
Joined: Nov 24, 2013 | Messages: 7,538 | Reaction score: 9,525 | Location: Louisville, Kentucky
The GHL app was made just to control the ProfiLux in the home. But like any device, one can do other things with it if one knows how. The ProfiLux has always had the in-home web server. They added the myGHL cloud option for those who wish or need to access their aquarium controller while not at home. One could even use a screen sharing app to access their controller if they wanted to. I use all controllers; that's what I do for a living. I started in the PLC business in the late 80's and have had to keep up with the tech for years. Just don't like FUD posts as they always prey on those who don't actually know the real facts, but that is part of marketing in today's world.
 
Terence (OP)
Valuable Member
Joined: Mar 14, 2010 | Messages: 1,838 | Reaction score: 3,482 | Location: Gilroy, CA
I never mentioned the ProfiLux. I would be more than happy for someone to independently show the steps for obtaining outside-the-home monitoring and control, and what can and cannot be done with such outside-the-home control, across all the top aquarium controllers on the market. I think it would be quite enlightening for consumers.

My original (and other) posts were not intended to say that the Apex could not have vulnerabilities (as can about any connected device), simply that our methodology is far more secure than accessing the Apex or any other device by means of port forwarding by the average user.
 

Newb73
Valuable Member
Joined: Aug 19, 2012 | Messages: 1,281 | Reaction score: 1,004 | Location: Southeast
> Also, the modern trend of mesh Wi-Fi systems doesn't even give the option of allowing it, and they are taking a stance against allowing the user that level of control.

:)

It is good to point out that most reefers who are power data users with large homes... have already or are in the process of going to mesh systems. I/users also like it when they can expand coverage with a $100-$150 add-on module to the mesh for larger homes rather than having to hard wire or buy a whole new router and start over (AKA Netgear Orbi, etc.).

If the newer tech which users are wanting doesn't even allow it anyway... that's pretty much the end of the discussion, I would think. They do have a professional level Orbi, but it is marketed towards businesses as having the advantage of working better with LOTS AND LOTS of users, so the average homeowner isn't going to upgrade to the pro model just looking at the marketing materials available when shopping online.
 

brtech
New Member
Joined: Aug 22, 2017 | Messages: 11 | Reaction score: 13
I know we have left a lot of readers of this thread in the dust on the subject of port forwarding, so here is some background I hope you can grok:

When two computers talk, one has to go first. We say that one has an outbound connection and the other has an inbound connection. Outbound is less sensitive than inbound to security issues because it's relatively harder to do bad things to the sender than it is the receiver. That's because a lot of the attacks depend on sending things the receiver doesn't expect (such as a huge message when the receiver is expecting a small one), and in order to receive, you have to allow packets (the unit of transfer on the Internet) to enter your network from anyone, at least until you figure out who they are. The sender controls what it sends, so it's less likely to leak sensitive data. Note, however, that it's only relatively more secure, and the differences are getting smaller all the time. For example, nearly all interactions involve a request and a response. The request is outbound, but the response is inbound, so the advantages of sending quickly disappear if the server has to send you a response, and you have to receive it.

Sending a packet is accomplished by the network, and it starts with the "IP address". IP = Internet Protocol. The IP address, however, is the address of a specific computer, and the network endeavors to deliver a packet to that computer. But there are almost always multiple programs, or at least multiple components of a program, running on any one computer, and the network mechanisms need to be able to keep more than one interaction going to a specific computer. To do so, there is a thing called a "port", which is a number from 0-65534 (2^16-1). The COMBINATION of an IP address and a port is a specific connection between two pieces of software, one on either side of the network. The packet has, in a header at the beginning of the packet, the IP address and port of both the sender and the recipient. The Internet "routes" the packet to the right computer based on the IP address of the recipient in the packet. Once the computer gets a packet, it knows which program, or which part of a program, gets the packet based on the port number.

But, you say, my home network has more than one computer and I know I only have one IP address for my home. True. IP Addresses used to all be 32 bits long, meaning we could handle 2^32 different computers, and if you look that up, it's a pretty big number. Turns out, it's not big enough. One reason is, there are a heck of a lot of computers, especially when we count things like an APEX controller as a computer. Another reason is that the allocation of IP Addresses isn't optimal and we waste some of the addresses. There are two solutions to that. One is to make IP addresses bigger, and we're doing that. It turns out that there are versions of Internet Protocol, and the one with 32 bits of address is version 4 (IPv4). There is an IPv6 (don't ask what happened to version 5), and IPv6 uses 128 bit addresses, and that actually is enough to give every device a unique address, at least for the foreseeable future. More and more systems are switching to IPv6. For example, newer cell phones use it. But lots of home devices are still stuck on IPv4.

So, there is a piece of cleverness (or stupidity, depending on your point of view) called a "Network Address Translator" or NAT. It takes advantage of that port number thingy. If every connection on the Internet has both an address and a port, then as long as every connection to your home network uses a different port, they can use the same address, at least from outside your home network. So, what happens is that all the computers and devices inside your home network are assigned an IP address that is only used inside your home network, and in fact lots of computers on different home networks have the same IP address. Then your Internet Service Provider (your telco or cable company, for example) assigns you ONE real IP address (IPv4 address, that is) and the NAT translates from a port and an IP address inside your home network to the single unique IPv4 address assigned to your home network by your ISP and a unique port number (unique from all other connections to your home network). That translation happens on every packet going into or out of your home network. Network Address Translator, get it?

So, to make it more secure, that NAT thing won't allow a connection to start if the first packet is from outside the network. It looks at packets starting from inside the network and if it doesn't recognize the address and port of the destination (and the destination is outside the home network), it considers that the start of a new connection. It picks a new, unique port, and assigns that to the new connection and rewrites the header of the packet so the sender part of the header contains the single IP address assigned by the ISP to your home network, and the unique port number. If a packet arrives from outside the network, the NAT looks to see if the destination is one of the ports it assigned to a connection, and if the source address is the right source address for that connection. If it matches, then the NAT accepts the packet, rewrites the recipient part of the header to have the internal address of the computer inside the home network and the port that computer assigned for this connection. We say that the NAT constructs a "pinhole firewall opening" that only allows packets from a specific computer outside the network, from a specific port, to a specific computer inside the network to a specific port. And, it will not create a new connection if the first packet for that new connection comes from outside the network.

Sometimes, someone decides that this restriction just won't do. Many routers have a way to bypass the restriction, but in a way that doesn't just allow any computer outside the network to contact any computer inside the network. Instead, the router can be configured to allow a connection to start from the outside of the network if, and only if, it's directed to a specific, pre-defined port. If the router receives a packet directed to it, that targets that port, not part of an existing connection, it will forward it to a specific, configured computer, to that specific, configured port and create a new connection for the NAT based on that packet. Port Forwarding, get it?

But in order to use that setup, you have to know lots of stuff, like what the address of the computer that gets the port forwarding is, and what the port is. Every router has a different user interface to set port forwarding up. And so, we generally think it's a bad idea to use port forwarding.

The thing is that how NATs work is known widely, and it's pretty trivial to forge addresses of the sender of a packet, so there are lots of known ways to get around the supposed security of these mechanisms. They are not worthless, but they aren't really very good. So saying you don't need port forwarding is mostly a "you don't need to figure out how to configure port forwarding", rather than actually getting you significantly better security.

The way (really, the only way we know now) to get real security is to:
1. Know, for sure, who you are talking to (authentication)
2. Encrypt all data (privacy)
3. Make sure that no 'man in the middle' has modified or substituted any of the packets sent or received (integrity protection).

Transport Layer Security (TLS), formerly known as "Secure Sockets Protocol" (SSL), does all that. It's secure if implemented correctly. All the firewall stuff is band-aids and wishful thinking, with a very small amount of security substance. It's not clear any firewalls provide real security any more.

Hope this was helpful.
 
Last edited:
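brtech's walk-through above, as an added example (not code from this thread or from any router): a small Go model of a NAT with the pinhole rule he describes, plus a port-forward table. Its Scenario function runs the cases from the post in order: an outbound connection from the controller opens a pinhole, the peer's reply passes through it, a stranger aiming at the same external port is dropped because the source does not match, an unsolicited packet to the controller's web port is dropped, and after a forward rule is installed that very same packet is delivered. The addresses are constructed RFC 5737 documentation addresses, and the model keeps only the four-tuple (no sequence numbers, timeouts or UDP), which is all the argument needs.

```go
package main

import "fmt"

// Packet is the part of an IP/TCP header a NAT looks at: the four-tuple.
type Packet struct {
	SrcIP   string
	SrcPort int
	DstIP   string
	DstPort int
}

// flow is one pinhole: the inside endpoint and the single outside peer allowed
// to send through it. Forward rules reuse the type with the peer fields empty.
type flow struct {
	inIP, peerIP     string
	inPort, peerPort int
}

// NAT models a home router with one public address, pinholes opened by
// outbound traffic, and optional port-forward rules.
type NAT struct {
	PublicIP string
	nextPort int
	flows    map[string]flow // "extPort|peerIP:peerPort" -> pinhole
	byInside map[string]int  // inside four-tuple -> external port
	forwards map[int]flow    // external port -> inside host/port
}

func NewNAT(publicIP string) *NAT {
	return &NAT{PublicIP: publicIP, nextPort: 40000,
		flows: map[string]flow{}, byInside: map[string]int{}, forwards: map[int]flow{}}
}

// Outbound rewrites a packet leaving the home network. An unknown four-tuple
// starts a connection: a fresh external port is allocated and the peer noted.
func (n *NAT) Outbound(p Packet) Packet {
	key := fmt.Sprintf("%s:%d>%s:%d", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)
	ext, ok := n.byInside[key]
	if !ok {
		ext = n.nextPort
		n.nextPort++
		n.byInside[key] = ext
		n.flows[fmt.Sprintf("%d|%s:%d", ext, p.DstIP, p.DstPort)] = flow{inIP: p.SrcIP, inPort: p.SrcPort, peerIP: p.DstIP, peerPort: p.DstPort}
	}
	return Packet{SrcIP: n.PublicIP, SrcPort: ext, DstIP: p.DstIP, DstPort: p.DstPort}
}

// Forward installs a rule: a new connection on extPort, from anywhere, goes to the inside host.
func (n *NAT) Forward(extPort int, ip string, port int) {
	n.forwards[extPort] = flow{inIP: ip, inPort: port}
}

// Inbound handles a packet from the Internet. It is delivered only if it fits
// an existing pinhole (right port AND right peer) or a forward rule.
func (n *NAT) Inbound(p Packet) (Packet, bool) {
	if p.DstIP != n.PublicIP {
		return Packet{}, false
	}
	key := fmt.Sprintf("%d|%s:%d", p.DstPort, p.SrcIP, p.SrcPort)
	f, ok := n.flows[key]
	if !ok {
		if f, ok = n.forwards[p.DstPort]; !ok {
			return Packet{}, false
		}
		// The first packet came from outside, yet a pinhole is opened for
		// whoever sent it. This is the hole port forwarding creates.
		f.peerIP, f.peerPort = p.SrcIP, p.SrcPort
		n.flows[key] = f
	}
	return Packet{SrcIP: p.SrcIP, SrcPort: p.SrcPort, DstIP: f.inIP, DstPort: f.inPort}, true
}

// Scenario runs the cases from the post; addresses are constructed RFC 5737 ones.
func Scenario() map[string]bool {
	nat := NewNAT("198.51.100.7")
	const apex, cloud, stranger = "192.168.1.50", "203.0.113.5", "192.0.2.9"
	res := map[string]bool{}
	// 1. The controller connects out to the cloud; its source is rewritten.
	out := nat.Outbound(Packet{SrcIP: apex, SrcPort: 51000, DstIP: cloud, DstPort: 443})
	res["outbound source rewritten"] = out.SrcIP == nat.PublicIP && out.SrcPort == 40000
	// 2. The cloud's reply matches the pinhole and reaches the controller.
	in, ok := nat.Inbound(Packet{SrcIP: cloud, SrcPort: 443, DstIP: nat.PublicIP, DstPort: out.SrcPort})
	res["reply from cloud delivered"] = ok && in.DstIP == apex && in.DstPort == 51000
	// 3. Right port, wrong peer: the pinhole does not admit a third party.
	_, ok = nat.Inbound(Packet{SrcIP: stranger, SrcPort: 443, DstIP: nat.PublicIP, DstPort: out.SrcPort})
	res["stranger on pinhole port dropped"] = !ok
	// 4. Unsolicited packet to the controller's web port: no rule, so dropped.
	probe := Packet{SrcIP: stranger, SrcPort: 52000, DstIP: nat.PublicIP, DstPort: 80}
	_, ok = nat.Inbound(probe)
	res["unsolicited port 80 dropped"] = !ok
	// 5. After the user forwards port 80 to the controller, the same packet gets in.
	nat.Forward(80, apex, 80)
	in, ok = nat.Inbound(probe)
	res["forwarded port 80 reaches controller from anyone"] = ok && in.DstIP == apex && in.DstPort == 80
	return res
}
```

Case 3 versus case 5 is the whole argument: a pinhole opened by outbound traffic is bound to one outside peer, while a forward rule admits whoever arrives first on that port. That is the difference between "the router picked who may answer" and "anyone on the Internet may start talking to the controller". It says nothing about what the controller does with the packet once it arrives, which is the part that needs TLS and authentication rather than address rules.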

Newb73
Valuable Member
Joined: Aug 19, 2012 | Messages: 1,281 | Reaction score: 1,004 | Location: Southeast
It is a continuum though, no?

It is possible to look at a setup in graduated levels... unsecured... less secure... secure... more secure... extremely secure and locked down.

It seems port forwarding falls into "less secure".

It also seems like the only way to get close to "lock down" would be to physically unplug the controller's connection and stay home... only occasionally connecting it when you MUST go somewhere and get access.

It seems to me a neat security device might literally be a robotic arm that can physically unplug an Ethernet cable or plug it back in... with the only connection for the end user being control of the arm itself in a highly encrypted process, monitored by an autonomous robot that is not connected to the internet (is somehow configured to monitor but never take commands) which can physically override the robotic arm if that connection is compromised...
 

brtech
New Member
Joined: Aug 22, 2017 | Messages: 11 | Reaction score: 13
Sure. It's a continuum. Port forwarding is less secure (mostly because it encourages user misconfiguring). But we know a lot about these things now, and you can straightforwardly get good, or even very good security by doing some things like implementing TLS everywhere, whereas the difference between unprotected outbound connections vs unprotected port forwarding is the difference between very bad, and slightly better than very bad security.

Probably, your example would end up being so-so security, only because the mechanical stuff fails much more often than the software, and users get around unreliable things by opening up holes you can drive a truck through. But you are correct, it's a continuum.
 
