
NAT is not a mechanism for securing a network.. but.. HELP!

Tags:
  • Firewalls
  • Routers
  • Security
  • Networking
Anonymous
August 23, 2005 10:20:26 PM

Archived from groups: comp.security.firewalls

Hi all!
First of all I have to say "sorry" for my English.. that sometimes is not
very good.. (I write from Italy..)
A question:
I often have to speak with some clients about security (I'm not a
specialist..) ...yesterday a person told me that an ADSL router with NAT
to separate his private network from the public network is a "good" solution for
his security... I know.. that this is a "wrong sentence" :-)... but... how can
I demonstrate the opposite? how can I by-pass a router? it is possible.... I
suppose... any suggestions??
thanks

smax371@hotmail.com


August 23, 2005 10:20:27 PM


But how is this possible?!?! :-)

I mean if you have set up NO port redirection on your router how can
any probe of any kind manage to pass through the router?!?

And also you said that on the host that SQL server was running all
ports were closed as well!
August 23, 2005 10:20:27 PM


Well yes, but I was talking about how the probe could manage to be
inserted into the LAN through the router, considering that the probe
attack was the one that initiated the connection to the router and not
coming back as a reply to a previous internal infected host request.

Of course what you describe is true and it works no matter if the router
is port forwarding or not.
August 23, 2005 10:20:27 PM


So if the malware used some kind of stealth technique it would bypass the
router's restriction.

But tell us more please about the tunneling that cannot be stopped.
How does the tunneling scenario work?
August 23, 2005 10:20:27 PM


speeder wrote:

> OTOH, crashing a router is a much "simpler" thing to do depending on
> the router and your resources. And who can guarantee that a crashed
> router will continue to block outside connections? Doubtful but
> possible.


And how can a router be crashed? By what way?
Even if it gets amounts of packets trying to break in it would simply
reject them and only allow those set up in port redirection.
August 23, 2005 10:20:27 PM


Volker Birk wrote:

> Most NAT implementations have some weaknesses. First, usually a packet,
> which has a source address, which seems to come from inside the network,
> is accepted and routed inside.

What do you mean by that?
If a packet has a source address it must have come from a host inside the
network.
How otherwise? If it came from outside then it wouldn't have a source
address of type 10.0.0.x

> NAT routers with sensible filtering usually provide a high level of
> security. The security then comes from filtering, not from NAT. This
> is not a design flaw:
>
> Masquerading with NAT never was meant to provide security - it was
> developed at a time when people were getting short of IP addresses,
> to provide a solution for having more devices than "real" addresses
> on the Internet.

Yes, very true, but by its nature it provides as a side effect some means
of security since it hides all hosts on the LAN behind 1 single public
IP address :-)
Anonymous
August 23, 2005 10:36:51 PM


In article <KNJOe.27469$HM1.791654@twister1.libero.it>, smax371
@hotmail.com says...
> Hi all!
> First of all I have to say "sorry" for my English.. that sometimes is not
> very good.. (I write from Italy..)
> A question:
> I often have to speak with some clients about security (I'm not a
> specialist..) ...yesterday a person told me that an ADSL router with NAT
> to separate his private network from the public network is a "good" solution for
> his security... I know.. that this is a "wrong sentence" :-)... but... how can
> I demonstrate the opposite? how can I by-pass a router? it is possible.... I
> suppose... any suggestions??
> thanks

NAT is only a simple means of blocking unsolicited inbound connections.
That means that there is no outbound limitation.

NAT is good for protecting home users' networks from uninvited inbound
connections, which is a reasonable thing for home users.

--

spam999free@rrohio.com
remove 999 in order to email me
August 23, 2005 10:43:32 PM


On Tue, 23 Aug 2005 18:20:26 GMT, "Smax" <smax371@hotmail.com> wrote:

>Hi all!
>First of all I have to say "sorry" for my English.. that sometimes is not
>very good.. (I write from Italy..)
>A question:
>I often have to speak with some clients about security (I'm not a
>specialist..) ...yesterday a person told me that an ADSL router with NAT
>to separate his private network from the public network is a "good" solution for
>his security... I know.. that this is a "wrong sentence" :-)... but... how can
>I demonstrate the opposite? how can I by-pass a router? it is possible.... I
>suppose... any suggestions??
>thanks

The reason why a NAT router is not a "good" solution has nothing to do
with the possibility of bypassing it. It is not a "good" solution
because there are *many* attacks that originate from action inside the
internal network. Executing a virus/trojan application, allowing
websites to install/run applications, entering information in
webforms, running unsecured wireless setups, .... The list goes on and
on and a NAT router will do nothing against those.

Bypassing a router, in the sense of making it transparent so you can
freely connect to services on the LAN side, by solely manipulating
packets and flags is not an easy task. You'd have more chances trying
to access its remote configuration feature (*if* you were lucky and it's
enabled) and brute force the password with a dictionary attack of some
kind (double lucky!). That's the only feasible scenario I can think of,
but very unlikely, even for home users.

OTOH, crashing a router is a much "simpler" thing to do depending on
the router and your resources. And who can guarantee that a crashed
router will continue to block outside connections? Doubtful but
possible.
Anonymous
August 23, 2005 11:09:16 PM


"Smax" <smax371@hotmail.com> wrote in
news:KNJOe.27469$HM1.791654@twister1.libero.it:

> Hi all!
> First of all I have to say "sorry" for my English.. that sometimes is
> not very good.. (I write from Italy..)
> A question:
> I often have to speak with some clients about security (I'm not a
> specialist..) ...yesterday a person told me that an ADSL router with
> NAT to separate his private network from the public network is a "good"
> solution for his security... I know.. that this is a "wrong sentence"
> :-)... but... how can I demonstrate the opposite? how can I by-pass a
> router? it is possible.... I suppose... any suggestions??
> thanks
>
> smax371@hotmail.com
>
>
>
>

All you have to do is write a listening server program and
install it on the computer behind the router. Then you write a client
program and install it on a remote/Internet computer and have the server
program send outbound traffic to the remote IP, making contact with the
remote client program. The NAT router (most NAT routers for home usage)
is not going to be able to stop the contact or traffic by setting rules
to stop the traffic.

Most NAT routers stop unsolicited inbound traffic by not forwarding the
traffic to the LAN behind the router. Yes, a NAT router has two
interfaces: the WAN/Internet interface, the network the NAT router is
protecting from, and the LAN interface, the network it's protecting.

A device such as a NAT router that is also running network FW software
would be able to stop inbound and outbound traffic by setting filtering
rules to stop the traffic by port, protocol, IP or packet attribute/
state.

As an example, you could install Gibson's *Leaktest* program on a machine
and allow it to phone home and see if the NAT router can stop the traffic
inbound or outbound by setting filtering rules to stop the outbound from
the LAN/IP/machine behind the router to the remote/Internet/IP or stop
inbound from the remote/Internet/IP.

The NAT router separates two networks usually the Internet and the LAN
behind the router and NAT provides a limited means of protecting the LAN
by not forwarding unsolicited inbound request. But NAT is not FW software
where one can set filtering rules to control traffic. Also, most NAT
routers for home usage don't provide traffic logging so one could see if
dubious inbound or outbound traffic to a remote IP was even happening.

So if malware was to be installed on a machine behind the NAT router and
started phoning home, most NAT routers are not going to be able to stop the
malware and Leaktest will show you that. A router running network FW
software would be able to stop the traffic.

However, a NAT router is a good first line of defense for the home user.

Duane :) 
Anonymous
August 23, 2005 11:51:04 PM


CyberDroog <CyberDroog@ClockworkOrange.com> wrote in
news:jlumg11fep6415tlo5t74a841vmcodjme1@news.easynews.com:

>
> All you have to do is write and install a program *behind* the router?
> That isn't exactly a straight-forward answer to the question of how to
> *by-pass* a router.

Is it or is it not a way of bypassing the protection of the router?

You got a better way of directly attacking a NAT router, then let's see. :) 

Duane :) 
Anonymous
August 24, 2005 12:08:03 AM


Oh, I am sure there are other ways of attacking a NAT router. I am not up
to speed on that as I am not one who would do such a thing in the first
place. I can certainly verify that they can be attacked. At least my old
Linksys NAT router was attacked, as probes came through it at SQL Server
running on the machine with all ports closed by default and no port
forwarding or anything on the router, like a hot knife through butter.


Duane :) 
Anonymous
August 24, 2005 1:47:47 AM


"Nicky" <hackeras@gmail.com> wrote in message
news:1124832068.019507.164860@g44g2000cwa.googlegroups.com...
> But how is this possible?!?! :-)
>
> I mean if you have set up NO port redirection on your router how can
> any probe of any kind manage to pass through the router?!?
>
> And also you said that on the host that SQL server was running all
> ports were closed as well!

Well, the firmware for the 11S4 router has no FW-like software such as SPI, so it
wasn't and is not doing packet inspection. The packets could be spoofed and
bogus packets slipped in, I guess. I read an article Watchguard put out
a while back about how NAT routers can be attacked. You should be able to
find such information with Google. The machine that is running SQL Server
is up 24/7 365, and what alerted me to the situation was BlackIce at the
time, when I was using BI with it set properly out of its auto settings to
supplement the NAT router after Linksys removed SPI from the firmware for all
BEFW11S4 version routers.

Duane :) 
Anonymous
August 24, 2005 1:48:36 AM


In article <1124832068.019507.164860@g44g2000cwa.googlegroups.com>,
hackeras@gmail.com says...
> But how is this possible?!?! :-)
>
> I mean if you have set up NO port redirection on your router how can
> any probe of any kind manage to pass through the router?!?
>
> And also you said that on the host that SQL server was running all
> ports were closed as well!

All it takes is the host (inside the network) to contact the hacker site
for instructions, and you are done.

So, what we mean is that your machine is compromised with something that
phones-home for instructions - your NAT router, which allows ALL
outbound does not stop the virus/worm since it's already inside your
network - it calls home to get more things/instructions and starts
spreading out over ports 135~139 & 445 since your NAT router doesn't
block those outbound either (by default).

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 24, 2005 3:02:11 AM


In article <1124836347.367236.287320@o13g2000cwo.googlegroups.com>,
hackeras@gmail.com says...
> Well yes, but I was talking about how the probe could manage to be
> inserted into the LAN through the router, considering that the probe
> attack was the one that initiated the connection to the router and not
> coming back as a reply to a previous internal infected host request.
>
> Of course what you describe is true and it works no matter if the router
> is port forwarding or not.

No, it doesn't always work - as a simple rule, when I set up NAT routers,
the cheap ones that pretend to be firewalls, I block outbound to
destination ports 135 through 139, 445, 1433, 1434.

While this helps the chatter, it can also keep some viruses from
spreading outside your network to the Internet.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 24, 2005 3:05:16 AM


In article <1124838075.026460.272410@f14g2000cwb.googlegroups.com>,
hackeras@gmail.com says...
> And how can a router be crashed? By what way?
> Even if it gets amounts of packets trying to break in it would simply
> reject them and only allow those set up in port redirection.

You might want to search Google for that one - it's not so much that it
can be done, it's what state the forwarding/routing is left in when it
does fault.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 24, 2005 3:08:03 AM


Smax <smax371@hotmail.com> wrote:
> I often have to speak with some clients about security (I'm not a
> specialist..) ...yesterday a person told me that an ADSL router with NAT
> to separate his private network from the public network is a "good" solution for
> his security... I know.. that this is a "wrong sentence" :-)... but... how can
> I demonstrate the opposite? how can I by-pass a router? it is possible.... I
> suppose... any suggestions??

Most NAT implementations have some weaknesses. First, usually a packet
which has a source address which seems to come from inside the network
is accepted and routed inside.

This is why one wants to filter such packets on NAT boxes.

Additionally, NAT implementations usually have some state machines or
even heuristics for tracking protocols which are not simply NATable.
Frequent examples of this are FTP, connectionless or encrypted protocols.

(to clarify: I mean masquerading with NAT here)

This often results in attack vectors: how to fake a connection which
does not exist, and how to insert packets which are accepted and
routed inside.

NAT routers with sensible filtering usually provide a high level of
security. The security then comes from filtering, not from NAT. This
is not a design flaw:

Masquerading with NAT never was meant to provide security - it was
developed at a time when people were getting short of IP addresses,
to provide a solution for having more devices than "real" addresses
on the Internet.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
August 24, 2005 3:08:04 AM


On Tue, 23 Aug 2005 23:08:03 +0200, Volker Birk wrote:

Volker, have you considered writing one of those "NAT for Dummies" kind of
books? This has been the clearest and simplest explanation of how NAT
routers function that I have seen anywhere.
Anonymous
August 24, 2005 3:27:01 AM


In article <1124838620.861297.91990@g44g2000cwa.googlegroups.com>,
hackeras@gmail.com says...
> Yes, very true, but by its nature it provides as a side effect some means
> of security since it hides all hosts on the LAN behind 1 single public
> IP address :-)

You mistakenly believe that security is somehow related to a normal
network function of routing. In the case of NAT, it could be a 1:1 NAT,
which would not provide any protection, a 1:MANY NAT, or a MANY to MANY
NAT.....

NAT is not a security means/method, it's a routing method that appears
to have some partial security benefits.

--

spam999free@rrohio.com
remove 999 in order to email me
August 24, 2005 7:23:01 AM


Leythos wrote:

> NAT is not a security means/method, it's a routing method that appears
> to have some partial security benefits.

Well, that's what I said in other words. :-)
NAT provides some simple means of security as a *side effect*, considering
that its true nature by design was to solve the IP shortage problem
and not security.
August 24, 2005 10:35:31 AM


Volker Birk wrote:
> Nicky <hackeras@gmail.com> wrote:
> > And how can a router be crashed? By what way?
>
> If it does NAT/masquerading, a DoS attack is very easy from inside. Just
> exploit the maximum size of the NAT table by flooding with packets opening
> a huge number of connections.

Yes, but in order to crash it this way you must attack it from the
inside.
But how will you be able to do that from the inside?
You must somehow infect an internal host to do that, and that means you
have to pass the router first somehow.

And also I would like to ask, if a router gets crashed, what does that
mean?
That it stops responding and therefore stops blocking unsolicited
inbound connections so one could slip in?
Anonymous
August 24, 2005 12:44:30 PM


Leythos <void@nowhere.lan> wrote:
>Nope, I think you assumed that the internet, from work, should not be
>restricted to anyone?
>
>In reality there are very few businesses that need to provide ANY
>internet access to employees while at work. Even ones that need internet
>access only need limited access in almost every case.

You've stated that several times in various articles. It is a
bogus claim which assumes that every business is the same as
yours apparently is. But other businesses have honest,
intelligent and diligent workers who need to get work done in
the most efficient and effective way possible, which often means
unrestricted access to the Internet.

Despite your bogus claims, before I retired I worked for a
company that believed exactly the opposite of what you say. I
had absolute total access to the Internet, as did virtually
*all* employees. That didn't mean I wasted company time doing
personal business on the Internet. I also had unlimited access
to a telephone with unlimited toll access too. And I had
unlimited access to company mail (USPS) and to a company
vehicle. Typically most employees did, and there were very few
abuses.

That was not a small company, and they actually have a senior
management position in charge of all network security. That
person literally wrote the book on Internet security...

I had always thought he got it pretty much right, yet here you
are saying he was wrong.

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
Anonymous
August 24, 2005 2:25:36 PM


Nicky <hackeras@gmail.com> wrote:
> So if the malware used some kind of stealth technique it would bypass the
> router's restriction.
> But tell us more please about the tunneling that cannot be stopped.
> How does the tunneling scenario work?

A classic scenario includes simulating an HTTPS connection, and
tunneling SSH through, and through SSH any other protocols.

http://www.agroman.net/corkscrew/

If HTTPS is not possible, there are several other techniques; among
them the wwwsh, which tunnels a simple remote control through HTTP.
Or you could use just this:

http://www.nocrew.org/software/httptunnel.html

A thing which works if you have DNS is DNS tunneling; but it's
very slow and low bandwidth, so one would use that only if there
are no other choices (mostly there are some). Try NSTX.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
August 24, 2005 2:27:43 PM


Shawn K. Quinn <skquinn@speakeasy.net> wrote:
> You have to be able to block outbound
> connections to have any notion of security.

This is not reliably possible. There is tunneling.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
August 24, 2005 2:30:47 PM


Renegade <not.v@lid.net> wrote:
> On Tue, 23 Aug 2005 23:08:03 +0200, Volker Birk wrote:
> Volker, have you considered writing one of those "NAT for Dummies" kind of
> books? This has been the clearest and simplest explanation of how NAT
> routers function that I have seen anywhere.

Thanx! :-)

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
August 24, 2005 2:31:44 PM


Nicky <hackeras@gmail.com> wrote:
> If a packet has a source address it must have come from a host inside the
> network.

No, unfortunately not. The source address can be just a fake.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
August 24, 2005 2:34:09 PM


Nicky <hackeras@gmail.com> wrote:
> And how can a router be crashed? By what way?

If it does NAT/masquerading, a DoS attack is very easy from inside. Just
exploit the maximum size of the NAT table by flooding with packets opening
a huge number of connections.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
August 24, 2005 2:34:10 PM


begin quotation
from Volker Birk <bumens@dingens.org>
in message <430c3101@news.uni-ulm.de>
posted at 2005-08-24T08:34
> Nicky <hackeras@gmail.com> wrote:
>> And how can a router be crashed? By what way?

> If it does NAT/masquerading, a DoS attack is very easy from inside. Just
> exploit the maximum size of the NAT table by flooding with packets opening
> a huge number of connections.

There are ways around this. The pf packet filter (part of OpenBSD)
allows you to adaptively tune timeouts as capacity nears the maximum.
For example:

|| set timeout { adaptive.start 6144, adaptive.end 12288 }
|| set limit { states 10240, frags 20480, src-nodes 1536 }

Ignore the frags and src-nodes parameters for the moment. As the number
of states goes over 6144 (60% of the maximum, 10240), the timeouts will
gradually start decreasing for new states, until they reach 1/3 of the
original values when the table is chock full. Properly configured, there
should be no realistic way to fill up the state table and keep it full.

--
___ _ _____ |*|
/ __| |/ / _ \ |*| Shawn K. Quinn
\__ \ ' < (_) | |*| skquinn@speakeasy.net
|___/_|\_\__\_\ |*| Houston, TX, USA
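Shawn's adaptive-timeout numbers, worked through in an added example (this is not code from the thread and not pf's own code): pf.conf(5) scales every timeout by (adaptive.end - states) / (adaptive.end - adaptive.start) once the state count passes adaptive.start, and it applies that factor when it checks a state for expiry. The flood below is a constructed one-second-tick model using the limits from the post (6144, 12288, 10240).

```python
def adaptive_factor(states: int, start: int = 6144, end: int = 12288) -> float:
    """Scale factor pf applies to every state timeout.

    Per pf.conf(5): below adaptive.start the factor is 1; between adaptive.start
    and adaptive.end it is (adaptive.end - states) / (adaptive.end - adaptive.start);
    at adaptive.end it is 0 and states are purged immediately.
    """
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def simulate(rate: int, base_timeout: float, seconds: int, limit: int = 10240,
             start: int = 6144, end: int = 12288, adaptive: bool = True) -> dict:
    """Flood a state table with `rate` new connections per second (constructed model).

    Each one-second tick first purges states whose scaled timeout has elapsed, then
    tries to insert `rate` new states. Inserts beyond `limit` are refused, which is
    what a full table means for every new connection from behind the router.
    """
    table = {}                 # state id -> creation time
    next_id = 0
    peak = rejected = 0
    for t in range(seconds):
        # pf computes the factor from the current state count when it checks a
        # state for expiry, not when the state is created.
        factor = adaptive_factor(len(table), start, end) if adaptive else 1.0
        ttl = base_timeout * factor
        for sid, created in list(table.items()):
            if created + ttl <= t:
                del table[sid]
        for _ in range(rate):
            if len(table) >= limit:
                rejected += 1
                continue
            table[next_id] = t
            next_id += 1
        peak = max(peak, len(table))
    return {"peak": peak, "rejected": rejected, "final": len(table)}


if __name__ == "__main__":
    print("factor with the table at 'limit':", adaptive_factor(10240))  # 1/3, as the post says
    for mode in (False, True):
        result = simulate(rate=300, base_timeout=60, seconds=120, adaptive=mode)
        print("adaptive" if mode else "fixed   ", result)
```

With 300 new states per second and a 60 s base timeout the fixed table fills and starts refusing connections, while the adaptive one settles well below the limit; raise the rate past roughly 500 per second and the scaled timeouts can no longer keep up, so adaptive tuning raises the bar for a flood rather than removing it.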
Anonymous
August 24, 2005 2:39:14 PM


In article <11go2gq2n2d2h42@corp.supernews.com>,
smcg4191zz@friizz.RimoovAllZZs.com says...
> But there was one claim that sounded like a serious problem for NAT
> devices if true... They said:
> "[There are hacker tools for...] Exploiting open ports. Once a NAT
> device opens a port by putting it in the NAT table, all traffic destined
> to that port is allowed through to the local computer identified in the
> table. Hackers use automated programs to guess which ports NAT
> has opened, and they keep trying until they get through."
>
> Can anybody point me to some reliable documentation on this?

That's an issue where the NAT box does not have SPI enabled or does not
have a working SPI feature.

While you may think that many of those issues brought up about NAT
devices are FUD and such, to those of us that follow security and design
secure networks for a living, they are not.

--

spam999free@rrohio.com
remove 999 in order to email me
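An added toy model (not any router's code, and not from the thread) that ties together three points made above: Volker's note that a WAN-side packet carrying an internal source address is a spoof to be filtered, Leythos's list of outbound destination ports to block on cheap NAT routers, and his answer here that the "guess the open port" problem is what SPI closes, because a state entry has to match the remote endpoint and not just the mapped port. All addresses and the traffic sample are constructed.

```python
import ipaddress
import itertools
from dataclasses import dataclass

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destination ports Leythos blocks outbound on cheap NAT routers (list from the thread).
BLOCKED_EGRESS_PORTS = set(range(135, 140)) | {445, 1433, 1434}
WAN_IP = "198.51.100.10"   # constructed WAN address of the router


@dataclass(frozen=True)
class Packet:
    iface: str    # "lan" or "wan": the interface the packet arrived on
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class NatBox:
    """Masquerading NAT with optional stateful inspection and egress filtering."""

    def __init__(self, spi: bool = True, block_egress: bool = True):
        self.spi = spi                    # inbound must match the state's remote endpoint
        self.block_egress = block_egress
        self._ports = itertools.count(50000)
        # (proto, public port) -> {"lan": (ip, port), "remotes": {(ip, port), ...}}
        self.states = {}

    def handle(self, pkt: Packet):
        """Return (verdict, reason, translated endpoint or None)."""
        if pkt.iface == "lan":
            return self._outbound(pkt)
        if pkt.iface == "wan":
            return self._inbound(pkt)
        return ("drop", "unknown interface", None)

    def _outbound(self, pkt):
        if not is_private(pkt.src):
            return ("drop", "lan-side packet without a private source", None)
        if self.block_egress and pkt.dport in BLOCKED_EGRESS_PORTS:
            return ("drop", "egress to port %d blocked" % pkt.dport, None)
        # One public port per internal (proto, ip, port); remember every peer it talks to.
        for (proto, pport), st in self.states.items():
            if proto == pkt.proto and st["lan"] == (pkt.src, pkt.sport):
                st["remotes"].add((pkt.dst, pkt.dport))
                break
        else:
            pport = next(self._ports)
            self.states[(pkt.proto, pport)] = {"lan": (pkt.src, pkt.sport),
                                               "remotes": {(pkt.dst, pkt.dport)}}
        return ("pass", "masqueraded", (WAN_IP, pport))

    def _inbound(self, pkt):
        # Volker's first weakness: a WAN-side packet claiming an internal source is a spoof.
        if is_private(pkt.src):
            return ("drop", "spoofed private source on wan", None)
        st = self.states.get((pkt.proto, pkt.dport))
        if st is None:
            return ("drop", "unsolicited inbound, no state", None)
        # Without SPI, any host that guesses a mapped port reaches the LAN host behind it.
        if self.spi and (pkt.src, pkt.sport) not in st["remotes"]:
            return ("drop", "mapped port, but remote endpoint does not match state", None)
        return ("pass", "matches state", st["lan"])


def run_scenario(spi: bool):
    """Constructed traffic sample; returns the verdict for each packet in order."""
    nat = NatBox(spi=spi)
    flow = [
        Packet("lan", "tcp", "10.0.0.5", 40000, "203.0.113.7", 80),   # LAN host opens a connection
        Packet("wan", "tcp", "203.0.113.7", 80, WAN_IP, 50000),       # the legitimate reply
        Packet("wan", "tcp", "10.0.0.9", 1234, WAN_IP, 50000),        # spoofed internal source
        Packet("wan", "tcp", "192.0.2.9", 4444, WAN_IP, 50000),       # third party hitting the mapped port
        Packet("wan", "tcp", "192.0.2.9", 4444, WAN_IP, 50001),       # a port with no state at all
        Packet("lan", "tcp", "10.0.0.5", 40001, "203.0.113.7", 445),  # SMB leaving the LAN
    ]
    return [nat.handle(p)[0] for p in flow]


if __name__ == "__main__":
    for spi in (True, False):
        print("spi" if spi else "no spi", run_scenario(spi))
```

The fourth packet is the interesting one: with SPI it is dropped because the state belongs to 203.0.113.7:80, without SPI the mapped port alone is enough to reach 10.0.0.5.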
Anonymous
August 24, 2005 2:42:14 PM


In article <430c2f7f@news.uni-ulm.de>, bumens@dingens.org says...
> Shawn K. Quinn <skquinn@speakeasy.net> wrote:
> > You have to be able to block outbound
> > connections to have any notion of security.
>
> This is not reliably possible. There is tunneling.

When you combine it with a proper amount of public outbound access it
means it's very secure.

If you can't get to residential networks, can't get to anything except
approved websites, then you can't tunnel very easily - and it also means
that you can do DNS as your internal DNS is to your internal DNS server
and the DNS server is the only one permitted outbound, so that means you
can get outbound DNS from your local computer.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 24, 2005 5:06:02 PM


On Tue, 23 Aug 2005 21:48:36 GMT, Leythos <void@nowhere.lan> wrote:

>All it takes is the host (inside the network) to contact the hacker site
>for instructions, and you are done.
>
>So, what we mean is that your machine is compromised with something that
>phones-home for instructions - your NAT router, which allows ALL
>outbound does not stop the virus/worm since it's already inside your
>network - it calls home to get more things/instructions and starts
>spreading out over ports 135~139 & 445 since your NAT router doesn't
>block those outbound either (by default).

Any properly setup NAT router should be blocking those ports. Mine does,
and a lot of other unnecessary ports as well.

But all in all, there is a big difference between picking a lock (which
seems to be what the OP was talking about) and somehow convincing the home
owner to slide the key under the door.

No technology can protect a stupid user.

--
MORAL, adj. Conforming to a local and mutable standard of right. Having
the quality of general expediency.

- Ambrose Bierce
Anonymous
August 24, 2005 5:19:16 PM


Leythos <void@nowhere.lan> wrote:
> In article <430c2f7f@news.uni-ulm.de>, bumens@dingens.org says...
> > Shawn K. Quinn <skquinn@speakeasy.net> wrote:
> > > You have to be able to block outbound
> > > connections to have any notion of security.
> > This is not reliably possible. There is tunneling.
> When you combine it with a proper amount of public outbound access it
> means it's very secure.

You're right: when you're cutting the network cable with a knife, then
tunneling through this cable does not work any more ;-)

What was the reason to have Internet access? I think, you forgot that.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
August 24, 2005 5:19:17 PM


In article <430c57b4@news.uni-ulm.de>, bumens@dingens.org says...
> Leythos <void@nowhere.lan> wrote:
> > In article <430c2f7f@news.uni-ulm.de>, bumens@dingens.org says...
> > > Shawn K. Quinn <skquinn@speakeasy.net> wrote:
> > > > You have to be able to block outbound
> > > > connections to have any notion of security.
> > > This is not reliably possible. There is tunneling.
> > When you combine it with a proper amount of public outbound access it
> > means it's very secure.
>
> You're right: when you're cutting the network cable with a knife, then
> tunneling through this cable does not work any more ;-)
>
> What was the reason to have Internet access? I think, you forgot that.

Nope, I think you assumed that the internet, from work, should not be
restricted to anyone?

In reality there are very few businesses that need to provide ANY
internet access to employees while at work. Even ones that need internet
access only need limited access in almost every case.

I can easily permit all business functions, all company to company
partner functions, FTP, SSL, HTTP, VPN, SMTP, etc.... All without
allowing unrestricted access to the Internet, while still being able
to provide FULL BUSINESS RELATED ACCESS to those services.

If you're using the Internet at work for non-company reasons you are
stealing time/resources from the company.

Any quality firewall solution would not permit unrestricted outbound
access from workstations - and there would be an internal DNS and SMTP
server, so you don't need to allow those out from workstations, you
don't need to allow HTTP outbound in most cases, and you can limit them
to the approved HTTP sites for company related business, email goes
through the company email server, so there is no outbound SMTP from
workstations to the public..... Come to think about it, I can't find
many business reasons to allow much more than HTTP/HTTPS to approved
sites - even FTP would be limited to approved sites.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 24, 2005 5:20:27 PM


On 23 Aug 2005 16:01:15 -0700, "Nicky" <hackeras@gmail.com> wrote:

>And how can a router be crashed? By what way?
>Even if it gets amounts of packets trying to break in it would simply
>reject them and only allow those set up in port redirection.

There have been many well-publicized bugs in various vendors' NAT firmware
that allowed the device to be crashed. Of course quite often that meant
that there was no traffic at all, and therefore no risk of intrusion. It
was just DoS.

--
Aoccdrnig to a rscheearch at an Elingsh uinervtisy, it deosn't mttaer in
waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the
frist and lsat ltteer is at the rghit pclae. The rset can be a toatl mses
and you can sitll raed it wouthit porbelm. Tihs is bcuseae we do not raed
ervey lteter by it slef but the wrod as a wlohe. ceehiro.
Anonymous
August 24, 2005 5:38:48 PM


On Tue, 23 Aug 2005 23:48:04 -0600, "Stuart McGraw"
<smcg4191zz@friizz.RimoovAllZZs.com> wrote:

>But there was one claim that sounded like a serious problem for NAT
>devices if true... They said:
>"[There are hacker tools for...] Exploiting open ports. Once a NAT
>device opens a port by putting it in the NAT table, all traffic destined
>to that port is allowed through to the local computer identified in the
>table. Hackers use automated programs to guess which ports NAT
>has opened, and they keep trying until they get through."
>
>Can anybody point me to some reliable documentation on this?

I don't have a link handy. But the basic idea makes sense. However, you
have to ask yourself what ports a hacker could find open. Your browser
opens ports, your email and NNTP clients open ports, etc. Exactly what
benefit to the hacker is sending a packet to one of those ports?

There has to be a service running that is going to take some presumably
insidious action in response. Then you are getting more into the
possibility of a buggy service.

--
Sooner or later everyone sits down to a banquet of consequences.

- Robert Louis Stevenson
August 24, 2005 6:23:19 PM

Leythos <void@nowhere.lan> wrote:
> When you combine it with a proper amount of public outbound access it
> means it's very secure.

BTW: this means not allowing any search engine, like Google or Yahoo.
It also means blocking i.e. the New York Times, because it has a
Google plugin.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on the "Weltjugendtag" (World Youth Day)
August 24, 2005 6:23:20 PM

In article <430c66b7@news.uni-ulm.de>, bumens@dingens.org says...
> Leythos <void@nowhere.lan> wrote:
> > When you combine it with a proper amount of public outbound access it
> > means it's very secure.
>
> BTW: this means not allowing any search engine, like Google or Yahoo.
> It also means blocking i.e. the New York Times, because it has a
> Google plugin.

So, what's your point?

Just how many Accounts need to access Yahoo or Google?

Just how many machine operators need it?

Just how many receptionists need it?

Just how many people really need to be surfing during business hours?

What part are you missing about businesses being there for you to WORK,
not to search/play/browse the web in your spare/free/working time.

Also, you could easily allow Yahoo and Google and have no threat of
someone using a tunnel through to those sites to get to their home
computers. Just because you allow Yahoo and Google doesn't mean you have
to allow them access to all the sites in the resulting search or to the
links that are not contained within the sites.

--

spam999free@rrohio.com
remove 999 in order to email me
August 24, 2005 6:23:21 PM

In message <MPG.1d7632392a0e3044989cf6@news-server.columbus.rr.com>
Leythos <void@nowhere.lan> wrote:

>In article <430c66b7@news.uni-ulm.de>, bumens@dingens.org says...
>> Leythos <void@nowhere.lan> wrote:
>> > When you combine it with a proper amount of public outbound access it
>> > means it's very secure.
>>
>> BTW: this means not allowing any search engine, like Google or Yahoo.
>> It also means blocking i.e. the New York Times, because it has a
>> Google plugin.
>
>So, what's your point?
>
>Just how many Accounts need to access Yahoo or Google?
>
>Just how many machine operators need it?
>
>Just how many receptionists need it?

Anyone who has ever had a CEO scribble an address and say "Rush
courier this within the next 3 hours or it will cost the company 5
million dollars" and walk into a shareholders meeting for the next 4
hours.

The courier shows up, can't read the address, and the receptionist now
needs to verify the address, otherwise the courier won't accept the
package.

Is that a 0, a 6 or an 8? Check on Google, find the company, it's an
"8" -- Or find a phone number and call their office.

<snip>

--
Warning Dates in Calendar are closer than they appear.
August 24, 2005 6:42:48 PM

Leythos <void@nowhere.lan> wrote:
> Nope, I think you assumed that the internet, from work, should not be
> restricted to anyone?

Yes, for the companies I'm managing, I think so. Of course, I don't
want anybody else to decide the same way. Everybody has to do what she/he
finds best.

> I can't find
> many business reason to allow much more than HTTP/HTTPS to approved
> sites

Poor people, who can only use caponized network access. Poor businesses,
who will soon fall behind the competition, because they have
no media literacy, and the staff cannot see what's going on in the
world.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on the "Weltjugendtag" (World Youth Day)
August 24, 2005 7:50:46 PM

CyberDroog <CyberDroog@clockworkorange.com> wrote:
> However, you
> have to ask yourself what ports could a hacker find open?

Spoofed DNS datagrams are an interesting thing, for example.

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on the "Weltjugendtag" (World Youth Day)
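Both the "hackers guess which ports NAT has opened" claim quoted a few posts up and the spoofed DNS datagram remark here come down to the same thing: how the NAT device matches an inbound packet against its mapping table. The model below is an added illustration written for this page, not code from the thread or from any router vendor. Its addresses and ports are constructed, and the two filtering modes are named after the endpoint-independent and address-and-port-dependent filtering behaviours described in RFC 4787; it goes slightly beyond the thread by showing both behaviours side by side on the same traffic.

```python
"""Model of a NAT mapping table deciding whether an inbound packet reaches an
internal host.  Added illustration written for this page, not vendor code.

Two filtering behaviours are modelled (names from RFC 4787):
  endpoint-independent:        once an internal host has sent from port P, any
                               remote sender may reach the allocated external
                               port (the weak behaviour the quoted claim needs)
  address-and-port-dependent:  only the remote address:port the host actually
                               talked to may send back through that port
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class NatTable:
    public_ip: str
    filtering: str                      # one of the two modes above
    next_port: int = 40000              # next external port to allocate
    # (proto, internal_ip, internal_port) -> external port
    mappings: dict = field(default_factory=dict)
    # (proto, external port) -> set of (remote_ip, remote_port) contacted
    peers: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an outbound packet, creating a mapping on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.peers.setdefault((pkt.proto, ext_port), set()).add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Return (internal_ip, internal_port) if the packet is forwarded, else None."""
        if pkt.dst_ip != self.public_ip:
            return None
        peer_key = (pkt.proto, pkt.dst_port)
        if peer_key not in self.peers:
            return None                 # no mapping for this port: dropped
        if (self.filtering == "address-and-port-dependent"
                and (pkt.src_ip, pkt.src_port) not in self.peers[peer_key]):
            return None                 # mapped port, but unknown sender: dropped
        for (proto, int_ip, int_port), ext_port in self.mappings.items():
            if proto == pkt.proto and ext_port == pkt.dst_port:
                return (int_ip, int_port)
        return None


def scenario(filtering: str) -> dict:
    """One internal DNS lookup, then three inbound packets against the NAT."""
    nat = NatTable(public_ip="203.0.113.1", filtering=filtering)
    # constructed: client 192.168.1.10 queries resolver 198.51.100.53
    nat.outbound(Packet("192.168.1.10", 53211, "198.51.100.53", 53))
    ext_port = nat.mappings[("udp", "192.168.1.10", 53211)]
    return {
        # an unrelated host that has guessed the allocated external port
        "guessed_port": nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.1", ext_port)),
        # a packet to a port that was never mapped
        "unmapped_port": nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.1", ext_port + 1)),
        # a datagram carrying the resolver's address and port 53.  The NAT
        # cannot tell a genuine reply from a forged one with the same header;
        # that check belongs in the DNS client (transaction ID, source port
        # randomisation) or in DNSSEC validation, not in the NAT.
        "resolver_header": nat.inbound(Packet("198.51.100.53", 53, "203.0.113.1", ext_port)),
    }


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-and-port-dependent"):
        print(mode, scenario(mode))
```

Under endpoint-independent filtering the guessed-port packet is delivered to the client, which is the situation the quoted article warns about; under address-and-port-dependent filtering it is dropped, and a packet to a port that was never mapped is dropped in both modes. In both modes the packet carrying the resolver's address and port 53 is forwarded, so a device that only does NAT has no way to tell a real DNS reply from a forged one; that is the point about spoofed DNS datagrams, and the check has to live in the resolver or client, not in the NAT box.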
August 24, 2005 8:20:30 PM

Shawn K. Quinn <skquinn@speakeasy.net> wrote:
> > If it does NAT/masquerading, a DoS attack is very easy from inside. Just
> > exploit the maximum size of the NAT table by flooding with packets opening
> > a huge number of connections.
> There are ways around this. The pf packet filter (part of OpenBSD)
> allows you to adaptively tune timeouts as capacity nears the maximum.

With proper timing of the flooding, it should be possible to make
new connections impossible anyway.

And: how many NAT implementations beside OpenBSD have that feature?

Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms."
Harald Schmidt on the "Weltjugendtag" (World Youth Day)
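To make the exchange about state-table exhaustion and pf's adaptive timeouts concrete, here is an added simulation written for this page; it is not code from the thread and not pf's implementation. It models the scaling rule that pf.conf(5) documents for `set timeout { adaptive.start, adaptive.end }` (above `adaptive.start` entries every timeout is multiplied by `(adaptive.end - entries) / (adaptive.end - adaptive.start)`, reaching zero at `adaptive.end`); the table size, timeouts and traffic rates are constructed values.

```python
"""Simulation of NAT state-table exhaustion by an internal flooder, with and
without pf-style adaptive timeouts.  Added illustration written for this page,
not code from the thread or from OpenBSD pf.  Table size, timeouts and
traffic rates are constructed values.
"""


class StateTable:
    def __init__(self, limit, base_timeout, adaptive_start=None, adaptive_end=None):
        self.limit = limit                  # maximum number of state entries
        self.base_timeout = base_timeout    # idle timeout in seconds
        self.adaptive_start = adaptive_start
        self.adaptive_end = adaptive_end
        self.entries = {}                   # flow id -> time of last packet

    def effective_timeout(self):
        """Idle timeout given the current table occupancy (pf's adaptive rule)."""
        n = len(self.entries)
        if self.adaptive_start is None or n <= self.adaptive_start:
            return self.base_timeout
        if n >= self.adaptive_end:
            return 0
        # multiply first so the division is exact for integer-valued results
        return self.base_timeout * (self.adaptive_end - n) / (self.adaptive_end - self.adaptive_start)

    def purge(self, now):
        """Expire entries idle for at least the current effective timeout."""
        timeout = self.effective_timeout()
        for flow in [f for f, last in self.entries.items() if now - last >= timeout]:
            del self.entries[flow]

    def open_flow(self, flow, now):
        """Insert a new state entry; returns False when the table is full."""
        if len(self.entries) >= self.limit:
            return False
        self.entries[flow] = now
        return True


def simulate(table, seconds=120, flood_per_sec=30):
    """Each second: one purge, then `flood_per_sec` one-packet flows from a
    misbehaving internal host, then one legitimate flow.  Returns how many
    legitimate flows were refused and the peak table occupancy."""
    rejected_legit = 0
    peak = 0
    flow_id = 0
    for t in range(seconds):
        table.purge(t)
        for _ in range(flood_per_sec):          # the flooder gets in first
            flow_id += 1
            table.open_flow(("flood", flow_id), t)
        flow_id += 1
        if not table.open_flow(("legit", flow_id), t):
            rejected_legit += 1
        peak = max(peak, len(table.entries))
    return {"rejected_legit": rejected_legit, "peak": peak}


def compare():
    """Same flood against a fixed-timeout table and an adaptive one.
    adaptive.start/end are 60% and 120% of the limit, the proportions pf
    uses for its defaults."""
    fixed = StateTable(limit=1000, base_timeout=60)
    adaptive = StateTable(limit=1000, base_timeout=60,
                          adaptive_start=600, adaptive_end=1200)
    return {"fixed": simulate(fixed), "adaptive": simulate(adaptive)}


if __name__ == "__main__":
    print(compare())
```

With a fixed 60 second timeout the 30-flows-per-second flooder fills the 1000-entry table in about half a minute, and legitimate flows are refused until the oldest entries age out, then refused again a minute later. With adaptive scaling, idle entries expire sooner as occupancy rises and the table settles below its limit, so no legitimate flow is refused. It also shows the limit Volker points to: the adaptive rule only holds while the shortened timeouts can keep pace with the flooder's rate, and a box without such a rule simply fills up.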
August 24, 2005 9:44:16 PM

On 24 Aug 2005 13:19:16 +0200, Volker Birk <bumens@dingens.org> wrote:

>You're right: when you're cutting the network cable with a knife, then
>tunneling through this cable does not work any more ;-)

Ah, now that is fun stuff. I've done that on more than one occasion. One
time a user had wiped out his system, installed a beta version of Windows
2k3 Server, and set up DHCP (in conflict with the LAN servers, of course.)
Why? Because he was a "power user" and likes to learn about this stuff.

I yanked as much slack as I could in the cat5 cable leading to the wall
socket and cut the line. I left the socket half hanging off the wall with
a note saying he was on the list for repairs. Amazingly, he was actually
fired.

Some IT managers don't care for those kinds of tactics. But sometimes one
has to relieve the stress.

--
As I grow older, I pay less attention to what men say. I just watch what
they do.

- Andrew Carnegie
August 24, 2005 9:50:37 PM

On Wed, 24 Aug 2005 11:56:20 GMT, Leythos <void@nowhere.lan> wrote:

>Any quality firewall solution would not permit unrestricted outbound
>access from workstations - and there would be an Internal DNS and SMTP
>server, so you don't need to allow those out from workstations, you
>don't need to allow HTTP outbound in most cases, and you can limit them
>to the approved HTTP sites for company related business, email goes
>through the company email server, so there is no outbound SMTP from
>workstations to the public..... Come to think about it, I can't find
>many business reasons to allow much more than HTTP/HTTPS to approved
>sites - even FTP would be limited to approved sites.

You're completely right, of course. I still can't fathom why so many
companies don't care for any such restrictions. Yet the management will be
the first to complain when they find countless copies of an 80 MB video of
penguins slipping on the ice bouncing around the email server. But then,
they almost never want to fire the blue-haired old bat who brought the
thing in and decided to share it with everyone.

Go figure.

--
"Don't you see that the whole aim of Newspeak is to narrow the range of
thought? In the end we shall make thoughtcrime literally impossible,
because there will be no words in which to express it."

- George Orwell as Syme in "1984"
August 24, 2005 9:53:50 PM

> Despite your bogus claims, before I retired I worked for a
> company that believed exactly the opposite of what you say.

That's all I needed to know and I'll bet I am right on the money about you
up there in Alaska. You don't have anything else to do. :) 

Duane :) 
August 24, 2005 9:56:11 PM

On 24 Aug 2005 14:42:48 +0200, Volker Birk <bumens@dingens.org> wrote:

>Leythos <void@nowhere.lan> wrote:
>
>> I can't find
>> many business reasons to allow much more than HTTP/HTTPS to approved
>> sites
>
>Poor people, who can only use caponized network access. Poor businesses,
>who will soon fall behind the competition, because they have
>no media literacy, and the staff cannot see what's going on in the
>world.

As opposed to all of those successful and productive businesses who allow
all of their employees to sit around reading The New York Times online all
day. Or keep tabs on their ebay bids or sales. Or do all of their
Christmas shopping.

--
OVERWORK, n. A dangerous disorder affecting high public functionaries who
want to go fishing.

- Ambrose Bierce
August 24, 2005 10:10:02 PM

Leythos <void@nowhere.lan> wrote:
>In article <878xyrb7yp.fld@barrow.com>, floyd@apaflo.com says...
>> Leythos <void@nowhere.lan> wrote:
>> >In reality there are very few businesses that need to provide ANY
>> >internet access to employees while at work. Even ones that need internet
>> >access only need limited access in almost every case.
>>
>> You've stated that several times in various articles. It is a
>> bogus claim which assumes that every business is the same as
>> yours apparently is. But other businesses have honest,
>> intelligent and diligent workers who need to get work done in
>> the most efficient and effective way possible, which often means
>> unrestricted access to the Internet.
>
>I don't believe that for one instant - I've done support for more than a
>hundred corporations in the last 5 years, many government groups, and
>I've never seen one company (or learned about one) that required all of
>its employees to have complete, open, unrestricted, internet access.

Nobody said "required", though that is the practical effect. Regardless,
I just mentioned one such company. I'm not sure if *all* employees
need Internet access, but I certainly was not aware of any that didn't.

>Sure, there are groups in companies that are given it, but the majority
>of employees in most companies don't need it to do their jobs.
>
>Prove me wrong, list 5 companies we can check to see that everyone in
>them needs full, unrestricted, open, access to the Internet - 5
>companies with more than 50 employees.
>
>I await your list.

I don't need to list 5. Just one. And as I noted, that company
is large enough to have a senior management position for Network
Security, filled at the time by a person who literally wrote the
book.

Are you claiming that their head of Network Security was not as
competent as you? The idea is hilarious!

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
August 25, 2005 12:18:38 AM

On Wed, 24 Aug 2005 08:44:30 -0800, floyd@apaflo.com (Floyd L. Davidson)
wrote:

>Leythos <void@nowhere.lan> wrote:
>>Nope, I think you assumed that the internet, from work, should not be
>>restricted to anyone?
>>
>Despite your bogus claims, before I retired I worked for a
>company that believed exactly the opposite of what you say. I
>had absolute total access to the Internet, as did virtually
>*all* employees. That didn't mean I wasted company time doing
>personal business on the Internet. I also had unlimited access
>to a telephone with unlimited toll access too. And I had
>unlimited access to company mail (USPS) and to a company
>vehicle. Typically most employees did, and there were very few
>abuses.

Your supposed experience is quite different from the norm according to
studies. For instance, and keep in mind that this is on top of the time
people normally waste chatting with co-workers:

http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2005/0...

They pegged the average wasted time at 2.09 hours per day per employee
(not counting lunch), frittered away on the net.

Or:
http://www.cyberguard.com/products/firewall/SG_Family/U...

30 to 40% of Internet surfing during work hours is not business related.

As much as 70% of a company's bandwidth is being consumed by non-productive
pursuits.

68% of all Internet pornography traffic occurs during the 9-to-5 workday.


--
There are indeed a great many more things in life than money; and it is
money that gives us access to most of them.

- Terry Eagleton
August 25, 2005 4:23:02 AM

In article <430c6b48@news.uni-ulm.de>, bumens@dingens.org says...
> > I can't find
> > many business reasons to allow much more than HTTP/HTTPS to approved
> > sites
>
> Poor people, who can only use caponized network access. Poor businesses,
> who will soon fall behind the competition, because they have
> no media literacy, and the staff cannot see what's going on in the
> world.

Funny, I don't see any reason for the majority of people to have
Internet access at work; in fact, about the only people that need Web
access are the managers, department heads, and higher levels in order to
maintain a feel of the economy. I'm not talking about blocking the
world, just only allowing approved sites.

There would be no reason to allow moveon.org from any business unless it
was political. Same for many other sites - so, you can see that most web
access is not needed for most employees at most companies.

--

spam999free@rrohio.com
remove 999 in order to email me
August 25, 2005 4:24:43 AM

In article <430c6e14@news.uni-ulm.de>, bumens@dingens.org says...
> With Google cache i.e., you cannot deny that people are seeing what
> you don't want them to see. This is one way.
>
> For example, http://validator.w3.org/ i.e. works two way. It should be
> easy to build an IP tunnel with it ;-)
>
> I hope for your users, that they will find many creative ways to tunnel
> through your "firewalls".
>
> Hm... did you think about mail tunneling also? Or is it allowed to
> send E-Mail to fixed addresses only? :-P And: are you sure, that there
> nobody will have a tunnel gateway to the free network?

Email is from an internal server only - why would you want to allow
employees to access any external email service? Since they have to send
through the company server, and the company server is the only
outbound SMTP, there isn't much they are going to do to tunnel.

--

spam999free@rrohio.com
remove 999 in order to email me
August 25, 2005 4:27:23 AM

In article <vurog1le0qdfaiadr3t5p3f46aroeraa2m@news.easynews.com>,
CyberDroog@ClockworkOrange.com says...
> On Tue, 23 Aug 2005 21:48:36 GMT, Leythos <void@nowhere.lan> wrote:
>
> >All it takes is the host (inside the network) to contact the hacker site
> >for instructions, and you are done.
> >
> >So, what we mean is that your machine is compromised with something that
> >phones-home for instructions - your NAT router, which allows ALL
> >outbound does not stop the virus/worm since it's already inside your
> >network - it calls home to get more things/instructions and starts
> >spreading out over ports 135~139 & 445 since your NAT router doesn't
> >block those outbound either (by default).
>
> Any properly setup NAT router should be blocking those ports. Mine does,
> and a lot of other unnecessary ports as well.

But NAT routers don't block those OUTBOUND by default; sure, they block
them inbound, but they don't do anything about them outbound.
--

spam999free@rrohio.com
remove 999 in order to email me
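The outbound policy Leythos argues for earlier in the thread (internal DNS and SMTP servers only, workstations restricted to approved HTTP/HTTPS sites, nothing else out), together with the point here that NAT routers do not block 135-139 and 445 outbound by default, can be written down as a first-match egress rule set. The evaluator below is an added example for this page, not the thread's or any vendor's configuration; the networks, the approved-site list and the sample flows are constructed values from the RFC 5737 documentation ranges.

```python
"""Egress (outbound) policy evaluator for a NAT/firewall.  Added illustration
written for this page, not the thread's or any vendor's configuration.

Policy modelled: only the internal resolver and the internal mail relay may
talk DNS and SMTP to the outside, workstations may reach approved web sites
over HTTP/HTTPS only, and Windows file-sharing ports (135-139, 445) are
refused outbound for everyone.  All networks and flows are constructed.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
Rule = namedtuple("Rule", "name action src_nets dst_nets proto dports")

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")               # constructed
DNS_SERVER = ipaddress.ip_network("192.168.1.2/32")        # internal resolver
MAIL_SERVER = ipaddress.ip_network("192.168.1.5/32")       # internal SMTP relay
APPROVED_WEB = [ipaddress.ip_network("198.51.100.0/24")]   # constructed approved sites

# First match wins, so the explicit block and the server exceptions come
# before the catch-all deny at the end.
RULES = [
    Rule("block-smb-egress", "deny", [ANY], [ANY], "any", set(range(135, 140)) | {445}),
    Rule("dns-server-out", "allow", [DNS_SERVER], [ANY], "udp", {53}),
    Rule("dns-server-out-tcp", "allow", [DNS_SERVER], [ANY], "tcp", {53}),
    Rule("mail-relay-out", "allow", [MAIL_SERVER], [ANY], "tcp", {25}),
    Rule("workstation-web", "allow", [LAN], APPROVED_WEB, "tcp", {80, 443}),
    Rule("default-deny", "deny", [ANY], [ANY], "any", None),
]


def matches(rule, flow):
    """True when the flow falls within the rule's networks, protocol and ports."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return (any(src in net for net in rule.src_nets)
            and any(dst in net for net in rule.dst_nets)
            and rule.proto in ("any", flow.proto)
            and (rule.dports is None or flow.dport in rule.dports))


def evaluate(flow):
    """Return (action, rule name) of the first matching rule."""
    for rule in RULES:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit"       # unreachable while the catch-all rule is present


def audit(flows):
    """Denied flows with the rule that stopped them: the list worth reviewing."""
    denied = []
    for flow in flows:
        action, name = evaluate(flow)
        if action == "deny":
            denied.append((flow, name))
    return denied


SAMPLE_FLOWS = [  # constructed
    Flow("192.168.1.20", "198.51.100.10", "tcp", 443),   # workstation -> approved site
    Flow("192.168.1.20", "203.0.113.50", "tcp", 443),    # workstation -> unapproved site
    Flow("192.168.1.20", "203.0.113.50", "tcp", 25),     # workstation sending mail directly
    Flow("192.168.1.5", "203.0.113.50", "tcp", 25),      # mail relay sending mail
    Flow("192.168.1.20", "203.0.113.53", "udp", 53),     # workstation bypassing internal DNS
    Flow("192.168.1.2", "203.0.113.53", "udp", 53),      # internal resolver going upstream
    Flow("192.168.1.20", "203.0.113.60", "tcp", 445),    # worm-style SMB attempt leaving
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, evaluate(flow))
    print("denied:", audit(SAMPLE_FLOWS))
```

`audit` returns the flows the policy refused together with the rule that refused them, which is the list to review: a workstation trying to reach port 25, 53 or 445 outside is exactly the direct-mail, DNS-bypass or worm behaviour the thread talks about, and with a default-deny egress policy it lands in the deny log instead of leaving the network. With a plain NAT router, which allows all of this outbound by default, the same flows pass silently.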
August 25, 2005 4:30:13 AM

In article <p7sog1l3367jbsgaf78etrm0905jaji71i@news.easynews.com>,
CyberDroog@ClockworkOrange.com says...
> But a simple NAT router *is* such a firewall. It's
> just of very low quality and the vendor leaves it to you to not hand
> someone else the keys.

Sorry, but NAT is not just a low quality firewall - you seem to think
that devices can be sort-of, maybe, almost, firewalls - well, they
can't, they are either a firewall or not. All the fancy features that
firewalls use to differentiate them from each other don't mean anything
if the device is not a firewall.

NAT boxes, unless they meet certain requirements, are not firewalls.
This does not mean that firewalls can't also offer NAT, but NAT alone
does not make the device a firewall.

--

spam999free@rrohio.com
remove 999 in order to email me