NAT is not a mechanism for securing a network.. but.. HELP!

Archived from groups: comp.security.firewalls

Hi all!
First of all I have to say "sorry" for my English.. that sometimes is not
very good.. (I write from Italy..)
A question:
I often have to speak with some clients about security (I'm not a
specialist..) ...yesterday a person told me that an ADSL router with NAT
to separate his private network from the public network is a "good" solution for
his security... I know.. that this is a "wrong sentence" :-)... but... how can
I demonstrate the opposite? How can I bypass a router? It is possible.... I
suppose... any suggestions??
thanks

smax371@hotmail.com
  1. Archived from groups: comp.security.firewalls

    But how is this possible?!?! :-)

    I mean if you have set up NO port redirection on your router how can
    any probe of any kind manage to pass through the router?!?

    And also you said that on the host that SQL server was running all
    ports were closed as well!
  2. Archived from groups: comp.security.firewalls

    Well yes, but I was asking how the probe could manage to be
    inserted into the LAN through the router, considering that the probe
    attack was the one that initiated the connection to the router and was not
    coming back as a reply to a previous internal infected host's request.

    Of course what you describe is true and it works no matter if the router
    is port forwarding or not.
  3. Archived from groups: comp.security.firewalls

    So if the malware uses some kind of stealth technique it would bypass the
    router's restriction.

    But please tell us more about the tunneling that cannot be stopped.
    How does the tunneling scenario work?
  4. Archived from groups: comp.security.firewalls

    speeder wrote:

    > OTOH, crashing a router is a much "simpler" thing to do depending on
    > the router and your resources. And who can guarantee that a crashed
    > router will continue to block outside connections? Doubtful but
    > possible.


    And how can a router be crashed? In what way?
    Even if it gets lots of packets trying to break in it would simply
    reject them and only allow those set up in port redirection.
  5. Archived from groups: comp.security.firewalls

    Volker Birk wrote:

    > Most NAT implementations have some weaknesses. First, usually a packet,
    > which has a source address, which seems to come from inside the network,
    > is accepted and routed inside.

    What do you mean by that?
    If a packet has a source address it must have come from a host inside the
    network.
    How otherwise? If it came from outside then it wouldn't have a source
    address of type 10.0.0.x

    > NAT routers with sensible filtering usually provide a high level of
    > security. The security then comes from filtering, not from NAT. This
    > is not a design flaw:
    >
    > Masquerading with NAT never was meant to provide security - it was
    > developed in the times, where people were getting short of IP addresses,
    > to provide a solution for having more devices than "real" addresses
    > in the Internet.

    Yes, very true, but by its nature it provides as a side effect some means
    of security since it hides all hosts on the LAN behind 1 single public
    IP address :-)
  6. Archived from groups: comp.security.firewalls

    In article <KNJOe.27469$HM1.791654@twister1.libero.it>, smax371
    @hotmail.com says...
    > Hi all!
    > First of all I have to say "sorry" for my English.. that sometimes is not
    > very good.. (I write from Italy..)
    > A question:
    > I often have to speak with some clients about security (I'm not a
    > specialist..) ...yesterday a person told me that an ADSL router with NAT
    > to separate his private network from the public network is a "good" solution for
    > his security... I know.. that this is a "wrong sentence" :-)... but... how can
    > I demonstrate the opposite? How can I bypass a router? It is possible.... I
    > suppose... any suggestions??
    > thanks

    NAT is only a simple means of blocking unsolicited inbound connections.
    That means that there is no outbound limitation.

    NAT is good for protecting home users' networks from uninvited inbound
    connections, which is a reasonable thing for home users.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  7. Archived from groups: comp.security.firewalls

    On Tue, 23 Aug 2005 18:20:26 GMT, "Smax" <smax371@hotmail.com> wrote:

    >Hi all!
    >First of all I have to say "sorry" for my English.. that sometimes is not
    >very good.. (I write from Italy..)
    >A question:
    >I often have to speak with some clients about security (I'm not a
    >specialist..) ...yesterday a person told me that an ADSL router with NAT
    >to separate his private network from the public network is a "good" solution for
    >his security... I know.. that this is a "wrong sentence" :-)... but... how can
    >I demonstrate the opposite? How can I bypass a router? It is possible.... I
    >suppose... any suggestions??
    >thanks

    The reason why a NAT router is not a "good" solution has nothing to do
    with the possibility of bypassing it. It is not a "good" solution
    because there are *many* attacks that originate from action inside the
    internal network. Executing a virus/trojan application, allowing
    websites to install/run applications, entering information in
    webforms, running unsecured wireless setups, .... The list goes on and
    on and a NAT router will do nothing against those.

    Bypassing a router, in the sense of making it transparent so you can
    freely connect to services on the LAN side, by solely manipulating
    packets and flags is not an easy task. You'd have more chances trying
    to access its remote configuration feature (*if* you were lucky and it's
    enabled) and brute-force the password with a dictionary attack of some
    kind (double lucky!). That's the only feasible scenario I can think of,
    but very unlikely, even for home users.

    OTOH, crashing a router is a much "simpler" thing to do depending on
    the router and your resources. And who can guarantee that a crashed
    router will continue to block outside connections? Doubtful but
    possible.
  8. Archived from groups: comp.security.firewalls

    "Smax" <smax371@hotmail.com> wrote in
    news:KNJOe.27469$HM1.791654@twister1.libero.it:

    > Hi all!
    > First of all I have to say "sorry" for my English.. that sometimes is
    > not very good.. (I write from Italy..)
    > A question:
    > I often have to speak with some clients about security (I'm not a
    > specialist..) ...yesterday a person told me that an ADSL router with
    > NAT to separate his private network from the public network is a "good"
    > solution for his security... I know.. that this is a "wrong sentence"
    > :-)... but... how can I demonstrate the opposite? How can I bypass a
    > router? It is possible.... I suppose... any suggestions??
    > thanks
    >
    > smax371@hotmail.com

    All you have to do is write a listening server program and
    install it on the computer behind the router. Then you write a client
    program and install it on a remote/Internet computer and have the server
    program send outbound traffic to the remote IP, making contact with the
    remote client program. The NAT router (most NAT routers for home usage)
    is not going to be able to stop the contact or traffic by setting rules
    to stop the traffic.

    Most NAT routers stop unsolicited inbound traffic by not forwarding the
    traffic to the LAN behind the router. Yes, a NAT router has two
    interfaces: the WAN/Internet network interface, the network the NAT router
    is protecting from, and the LAN interface, the network it's protecting.

    A device such as a NAT router that is also running network FW software
    would be able to stop inbound and outbound traffic by setting filtering
    rules to stop the traffic by port, protocol, IP or packet attribute/
    state.

    As an example, you could install Gibson's *Leaktest* program on a machine
    and allow it to phone home and see if the NAT router can stop the traffic
    inbound or outbound by setting filtering rules to stop the outbound from
    the LAN/IP/machine behind the router to the remote/Internet/IP or stop
    inbound from the remote/Internet/IP.

    The NAT router separates two networks, usually the Internet and the LAN
    behind the router, and NAT provides a limited means of protecting the LAN
    by not forwarding unsolicited inbound requests. But NAT is not FW software
    where one can set filtering rules to control traffic. Also, most NAT
    routers for home usage don't provide traffic logging so one could see if
    dubious inbound or outbound traffic to a remote IP was even happening.

    So if malware was to be installed on a machine behind the NAT router and
    started phoning home, most NAT routers are not going to be able to stop the
    malware and Leaktest will show you that. A router running network FW
    software would be able to stop the traffic.

    However, a NAT router is a good first line of defense for the home user.

    Duane :)
  9. Archived from groups: comp.security.firewalls

    CyberDroog <CyberDroog@ClockworkOrange.com> wrote in
    news:jlumg11fep6415tlo5t74a841vmcodjme1@news.easynews.com:

    >
    > All you have to do is write and install a program *behind* the router?
    > That isn't exactly a straight-forward answer to the question of how to
    > *by-pass* a router.

    Is it or is it not a way of bypassing the protection of the router?

    If you've got a better way of directly attacking a NAT router, then let's see. :)

    Duane :)
  10. Archived from groups: comp.security.firewalls

    Oh, I am sure there are other ways of attacking a NAT router. I am not up
    to speed on that as I am not one who would do such a thing in the first
    place. I can certainly verify that they can be attacked. At least my old
    Linksys NAT router was attacked, as probes came through it at SQL Server
    running on the machine with all ports closed by default, with no port
    forwarding or anything on the router, like a hot knife through butter.


    Duane :)
  11. Archived from groups: comp.security.firewalls

    "Nicky" <hackeras@gmail.com> wrote in message
    news:1124832068.019507.164860@g44g2000cwa.googlegroups.com...
    > But how is this possible?!?! :-)
    >
    > I mean if you have set up NO port redirection on your router how can
    > any probe of any kind manage to pass through the router?!?
    >
    > And also you said that on the host that SQL server was running all
    > ports were closed as well!

    Well, the firmware for the 11S4 router has no FW-like software such as SPI, so it
    wasn't and is not doing packet inspection. The packets could be spoofed and
    bogus packets slipped in, I guess. I read an article Watchguard put out
    a while back about how NAT routers can be attacked. You should be able to
    find such information with Google. The machine that is running SQL Server
    is up 24/7 365, and what alerted me to the situation was BlackIce at the
    time, when I was using BI with it set properly out of its auto settings to
    supplement the NAT router when Linksys removed SPI from the firmware for all
    BEFW11S4 version routers.

    Duane :)
  12. Archived from groups: comp.security.firewalls

    In article <1124832068.019507.164860@g44g2000cwa.googlegroups.com>,
    hackeras@gmail.com says...
    > But how is this possible?!?! :-)
    >
    > I mean if you have set up NO port redirection on your router how can
    > any probe of any kind manage to pass through the router?!?
    >
    > And also you said that on the host that SQL server was running all
    > ports were closed as well!

    All it takes is the host (inside the network) to contact the hacker site
    for instructions, and you are done.

    So, what we mean is that your machine is compromised with something that
    phones-home for instructions - your NAT router, which allows ALL
    outbound does not stop the virus/worm since it's already inside your
    network - it calls home to get more things/instructions and starts
    spreading out over ports 135~139 & 445 since your NAT router doesn't
    block those outbound either (by default).

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  13. Archived from groups: comp.security.firewalls

    In article <1124836347.367236.287320@o13g2000cwo.googlegroups.com>,
    hackeras@gmail.com says...
    > Well yes, but i was talking that how the probe could manage to be
    > inserted to the lan through the router considering that the probe
    > atatck was the one that initiated the connection to the router and not
    > coming back as a replay to a previous internal infected host request.
    >
    > Of couse what you descbire its true and it works no matter if the routr
    > is port forwarding or not.

    No, it doesn't always work - as a simple rule, when I set up NAT routers,
    the cheap ones that pretend to be firewalls, I block outbound to
    destination ports 135 through 139, 445, 1433, 1434.

    While this helps the chatter, it can also keep some viruses from
    spreading outside your network to the Internet.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  14. Archived from groups: comp.security.firewalls

    In article <1124838075.026460.272410@f14g2000cwb.googlegroups.com>,
    hackeras@gmail.com says...
    > And how can router be crashed? By what way?
    > Even if it gets amounts of packets tryign to break in it would simply
    > reject them and only allow those setup in port redirection.

    You might want to search Google for that one - it isn't so much that it
    can be done, it's what state the forwarding/routing is left in when it
    does fault.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  15. Archived from groups: comp.security.firewalls

    Smax <smax371@hotmail.com> wrote:
    > I often have to speak with some clients about security (I'm not a
    > specialist..) ...yesterday a person told me that an ADSL router with NAT
    > to separate his private network from the public network is a "good" solution for
    > his security... I know.. that this is a "wrong sentence" :-)... but... how can
    > I demonstrate the opposite? How can I bypass a router? It is possible.... I
    > suppose... any suggestions??

    Most NAT implementations have some weaknesses. First, usually a packet
    which has a source address which seems to come from inside the network
    is accepted and routed inside.

    This is why one wants to filter such packets on NAT boxes.

    Additionally, NAT implementations usually have some state machines or
    even heuristics for tracking protocols which are not simply NATable.
    Frequent examples of this are FTP, connectionless or encrypted protocols.

    (to clarify: I mean masquerading with NAT here)

    This often results in attack vectors: how to fake a connection which
    does not exist, and how to insert packets which are accepted and
    routed inside.

    NAT routers with sensible filtering usually provide a high level of
    security. The security then comes from filtering, not from NAT. This
    is not a design flaw:

    Masquerading with NAT never was meant to provide security - it was
    developed in the times where people were getting short of IP addresses,
    to provide a solution for having more devices than "real" addresses
    in the Internet.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  16. Archived from groups: comp.security.firewalls

    On Tue, 23 Aug 2005 23:08:03 +0200, Volker Birk wrote:

    Volker, have you considered writing one of those "NAT for Dummies" kind of
    books? This has been the clearest and simplest explanation of how NAT
    routers function that I have seen anywhere.
  17. Archived from groups: comp.security.firewalls

    In article <1124838620.861297.91990@g44g2000cwa.googlegroups.com>,
    hackeras@gmail.com says...
    > Yes, very true, but by its nature it provides as a side effect some means
    > of security since it hides all hosts on the LAN behind 1 single public
    > IP address :-)

    You mistakenly believe that security is somehow related to a normal
    network function of routing. In the case of NAT, it could be a 1:1 NAT
    which would not provide any protection, a 1:MANY NAT, or a MANY to MANY
    NAT.....

    NAT is not a security means/method, it's a routing method that appears
    to have some partial security benefits.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  18. Archived from groups: comp.security.firewalls

    Leythos wrote:

    > NAT is not a security means/method, it's a routing method that appears
    > to have some partial security benefits.

    Well, that's what I said in other words. :-)
    NAT provides some simple means of security as a *side effect*, considering
    that its true nature by design was to solve the IP shortage problem
    and not security.
  19. Archived from groups: comp.security.firewalls

    Volker Birk wrote:
    > Nicky <hackeras@gmail.com> wrote:
    > > And how can a router be crashed? In what way?
    >
    > If it does NAT/masquerading, a DoS attack is very easy from inside. Just
    > exploit the maximum size of the NAT table by flooding with packets opening
    > a huge number of connections.

    Yes, but in order to crash it this way you must attack it from the
    inside.
    But how will you be able to do that from the inside?
    You must somehow infect an internal host to do that, and that means you
    have to pass through the router first somehow.

    And also I would like to ask, if a router gets crashed what does that
    mean?
    That it stops responding and therefore stops blocking unsolicited
    inbound connections so one could slip in?
  20. Archived from groups: comp.security.firewalls

    Leythos <void@nowhere.lan> wrote:
    >Nope, I think you assumed that the internet, from work, should not be
    >restricted to anyone?
    >
    >In reality there are very few businesses that need to provide ANY
    >internet access to employees while at work. Even ones that need internet
    >access only need limited access in almost every case.

    You've stated that several times in various articles. It is a
    bogus claim which assumes that every business is the same as
    yours apparently is. But other businesses have honest,
    intelligent and diligent workers who need to get work done in
    the most efficient and effective way possible, which often means
    unrestricted access to the Internet.

    Despite your bogus claims, before I retired I worked for a
    company that believed exactly the opposite of what you say. I
    had absolute total access to the Internet, as did virtually
    *all* employees. That didn't mean I wasted company time doing
    personal business on the Internet. I also had unlimited access
    to a telephone with unlimited toll access too. And I had
    unlimited access to company mail (USPS) and to a company
    vehicle. Typically most employees did, and there were very few
    abuses.

    That was not a small company, and they actually have a senior
    management position in charge of all network security. That
    person literally wrote the book on Internet security...

    I had always thought he got it pretty much right, yet here you
    are saying he was wrong.

    --
    Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
    Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
  21. Archived from groups: comp.security.firewalls

    Nicky <hackeras@gmail.com> wrote:
    > So if the malware uses some kind of stealth technique it would bypass the
    > router's restriction.
    > But please tell us more about the tunneling that cannot be stopped.
    > How does the tunneling scenario work?

    A classic scenario includes simulating an HTTPS connection, and
    tunneling SSH through, and through SSH any other protocols.

    http://www.agroman.net/corkscrew/

    If HTTPS is not possible, there are several other techniques; among
    them the wwwsh, which tunnels a simple remote control through HTTP.
    Or you could use just this:

    http://www.nocrew.org/software/httptunnel.html

    A thing which works, if you have DNS, is DNS tunneling; but it's
    very slow and low bandwidth, so one would use that only if there
    are no other choices (mostly there are). Try NSTX.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  22. Archived from groups: comp.security.firewalls

    Shawn K. Quinn <skquinn@speakeasy.net> wrote:
    > You have to be able to block outbound
    > connections to have any notion of security.

    This is not reliably possible. There is tunneling.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  23. Archived from groups: comp.security.firewalls

    Renegade <not.v@lid.net> wrote:
    > On Tue, 23 Aug 2005 23:08:03 +0200, Volker Birk wrote:
    > Volker, have you considered writing one of those "NAT for Dummies" kind of
    > books? This has been the clearest and simplest explanation of how NAT
    > routers function that I have seen anywhere.

    Thanx! :-)

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  24. Archived from groups: comp.security.firewalls

    Nicky <hackeras@gmail.com> wrote:
    > If a packet has a source address it must have come from a host inside the
    > network.

    No, unfortunately not. The source address can be just a fake.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  25. Archived from groups: comp.security.firewalls

    Nicky <hackeras@gmail.com> wrote:
    > And how can a router be crashed? In what way?

    If it does NAT/masquerading, a DoS attack is very easy from inside. Just
    exploit the maximum size of the NAT table by flooding with packets opening
    a huge number of connections.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  26. Archived from groups: comp.security.firewalls

    begin quotation
    from Volker Birk <bumens@dingens.org>
    in message <430c3101@news.uni-ulm.de>
    posted at 2005-08-24T08:34
    > Nicky <hackeras@gmail.com> wrote:
    >> And how can a router be crashed? In what way?

    > If it does NAT/masquerading, a DoS attack is very easy from inside. Just
    > exploit the maximum size of the NAT table by flooding with packets opening
    > a huge number of connections.

    There are ways around this. The pf packet filter (part of OpenBSD)
    allows you to adaptively tune timeouts as capacity nears the maximum.
    For example:

    || set timeout { adaptive.start 6144, adaptive.end 12288 }
    || set limit { states 10240, frags 20480, src-nodes 1536 }

    Ignore the frags and src-nodes parameters for the moment. As the number
    of states goes over 6144 (60% of the maximum, 10240), the timeouts will
    gradually start decreasing for new states, until they reach 1/3 of the
    original values when the table is chock full. Properly configured, there
    should be no realistic way to fill up the state table and keep it full.

    --
    Shawn K. Quinn
    skquinn@speakeasy.net
    Houston, TX, USA
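To see what those two pf lines do numerically, here is an added Python model (not pf's code and not from the post above) that applies the scaling rule documented in pf.conf(5): once the state count exceeds adaptive.start, every timeout is multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), and at adaptive.end the factor is zero. The base timeout of 86400 seconds is pf's default for tcp.established; the state-table class, the 60-second purge interval and the idle-connection flood from an inside host are constructed here to show how much sooner the table recovers with adaptive timeouts than without them.

```python
from collections import deque

ADAPTIVE_START = 6144       # values from the "set timeout" / "set limit" lines above
ADAPTIVE_END = 12288
STATE_LIMIT = 10240
TCP_ESTABLISHED = 86400     # pf's default tcp.established timeout, in seconds


def adaptive_factor(states, start=ADAPTIVE_START, end=ADAPTIVE_END):
    """Timeout scaling factor per pf.conf(5): 1.0 up to adaptive.start,
    then linear down to 0.0 when the table reaches adaptive.end."""
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def effective_timeout(base, states, adaptive=True):
    """Timeout actually applied to a state when the table holds `states` entries."""
    return base * adaptive_factor(states) if adaptive else base


class StateTable:
    """Minimal model of a state table (constructed for this example).
    Entries are creation times. A hard limit refuses new states, and purge()
    expires entries using the timeout scaled by the current table size,
    recomputed once per purge call."""

    def __init__(self, limit=STATE_LIMIT, adaptive=True):
        self.limit = limit
        self.adaptive = adaptive
        self.entries = deque()   # creation times, oldest first
        self.refused = 0

    def insert(self, now):
        if len(self.entries) >= self.limit:
            self.refused += 1   # pf drops the packet that would create the state
            return False
        self.entries.append(now)
        return True

    def purge(self, now, base=TCP_ESTABLISHED):
        timeout = effective_timeout(base, len(self.entries), self.adaptive)
        while self.entries and now - self.entries[0] >= timeout:
            self.entries.popleft()


def idle_flood_recovery(n_idle=10000, adaptive=True):
    """An inside host opens n_idle connections at t=0 and leaves them idle
    (the NAT-table DoS described in the thread). Returns the number of seconds
    until the table is back below adaptive.start, purging once a minute."""
    table = StateTable(adaptive=adaptive)
    for _ in range(n_idle):
        table.insert(0)
    t = 0
    while len(table.entries) > ADAPTIVE_START:
        t += 60
        table.purge(t)
    return t


if __name__ == "__main__":
    for n in (5000, 8192, 10240, 12288):
        print(f"{n:6d} states -> factor {adaptive_factor(n):.3f}, "
              f"tcp.established {effective_timeout(TCP_ESTABLISHED, n):.0f}s")
    print("recovery with adaptive timeouts:", idle_flood_recovery(adaptive=True), "s")
    print("recovery without:             ", idle_flood_recovery(adaptive=False), "s")
```

With 10000 idle states the factor is 2288/6144, so an established-TCP state expires after roughly 8.9 hours instead of 24; at the hard limit of 10240 the factor is exactly 1/3, matching the post. Note what the model does not claim: a flood that keeps opening new connections faster than the scaled timeouts expire them can still sit at the limit, at which point pf refuses new states rather than crashing, so the limit line is as important as the adaptive line.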
  27. Archived from groups: comp.security.firewalls

    In article <11go2gq2n2d2h42@corp.supernews.com>,
    smcg4191zz@friizz.RimoovAllZZs.com says...
    > But there was one claim that sounded like a serious problem for NAT
    > devices if true... They said:
    > "[There are hacker tools for...] Exploiting open ports. Once a NAT
    > device opens a port by putting it in the NAT table, all traffic destined
    > to that port is allowed through to the local computer identified in the
    > table. Hackers use automated programs to guess which ports NAT
    > has opened, and they keep trying until they get through."
    >
    > Can anybody point me to some reliable documentation on this?

    That's an issue where the NAT box does not have SPI enabled or does not
    have a working SPI feature.

    While you may think that many of those issues brought up about NAT
    devices is FUD and such, to those of us that follow security and design
    secure networks for a living, they are not.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
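The points made across the thread about what plain NAT does and does not do (Leythos in posts 6 and 12: unsolicited inbound is dropped but outbound is unlimited; Duane in post 8: a program behind the router that connects out is never stopped; Leythos in post 13: block outbound to 135-139, 445, 1433, 1434; Volker in post 15: a WAN packet carrying an internal source address must be filtered; and the port-guessing claim above, which only a working SPI closes) can all be exercised in one toy connection-table model. This is an added example, not code from any poster or router vendor. The addresses (10.0.0.0/24 for the LAN, 203.0.113.1 for the WAN side, 198.51.100.7 and 192.0.2.x for remote hosts) are documentation ranges chosen here, and the `strict` flag stands in for SPI-style matching of the full remote address and port rather than the destination port alone.

```python
"""Toy model of a masquerading NAT router's connection table (added example).

Not a router implementation; it exists to separate, in a few lines, the
behaviour NAT gives you for free from the behaviour that needs filtering.
"""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")   # assumed private LAN
WAN_IP = "203.0.113.1"                       # assumed public address of the router
# Egress blocklist as in Leythos's post: NetBIOS/SMB and MS SQL ports.
BLOCKED_EGRESS_PORTS = set(range(135, 140)) | {445, 1433, 1434}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, strict=True, antispoof=True, egress_filter=True):
        self.strict = strict                # True: inbound must match remote IP:port too (SPI-like)
        self.antispoof = antispoof          # drop WAN packets whose source is a LAN address
        self.egress_filter = egress_filter  # apply BLOCKED_EGRESS_PORTS to outbound traffic
        self.table = {}                     # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.next_port = 40000
        self.log = []

    def lan_to_wan(self, pkt):
        """Packet from the LAN side; returns the translated packet, or None if dropped."""
        if self.egress_filter and pkt.dport in BLOCKED_EGRESS_PORTS:
            self.log.append(f"DROP egress {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for wport, entry in self.table.items():      # reuse an existing mapping
            if entry == flow:
                return Packet(WAN_IP, wport, pkt.dst, pkt.dport)
        wport, self.next_port = self.next_port, self.next_port + 1
        self.table[wport] = flow                     # plain NAT: any outbound flow gets mapped
        self.log.append(f"NEW {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} as {WAN_IP}:{wport}")
        return Packet(WAN_IP, wport, pkt.dst, pkt.dport)

    def wan_to_lan(self, pkt):
        """Packet from the Internet side; returns it as delivered to the LAN, or None if dropped."""
        if self.antispoof and ipaddress.ip_address(pkt.src) in LAN:
            self.log.append(f"DROP spoofed LAN source {pkt.src} on WAN")
            return None
        entry = self.table.get(pkt.dport)
        if entry is None:                            # no mapping: unsolicited inbound
            self.log.append(f"DROP unsolicited {pkt.src}:{pkt.sport} -> {pkt.dport}")
            return None
        lan_ip, lan_port, remote_ip, remote_port = entry
        if self.strict and (pkt.src, pkt.sport) != (remote_ip, remote_port):
            self.log.append(f"DROP {pkt.src}:{pkt.sport} does not match state for port {pkt.dport}")
            return None
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


def run_scenarios():
    """Run the thread's scenarios against the model; returns a dict of named outcomes."""
    r = NatRouter()
    out = r.lan_to_wan(Packet("10.0.0.5", 51000, "198.51.100.7", 443))   # browser -> web server
    reply = r.wan_to_lan(Packet("198.51.100.7", 443, WAN_IP, out.sport))   # server's reply
    loose = NatRouter(strict=False)                                      # no SPI: port-only matching
    out2 = loose.lan_to_wan(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    return {
        "reply_delivered": reply is not None and reply.dst == "10.0.0.5",
        "probe_dropped": r.wan_to_lan(Packet("192.0.2.9", 4444, WAN_IP, 1433)) is None,
        "guessed_port_dropped_with_spi": r.wan_to_lan(Packet("192.0.2.9", 4444, WAN_IP, out.sport)) is None,
        "guessed_port_passes_without_spi": loose.wan_to_lan(Packet("192.0.2.9", 4444, WAN_IP, out2.sport)) is not None,
        "spoofed_source_dropped": r.wan_to_lan(Packet("10.0.0.7", 1, WAN_IP, out.sport)) is None,
        "phone_home_allowed": r.lan_to_wan(Packet("10.0.0.9", 52000, "192.0.2.50", 443)) is not None,
        "smb_egress_blocked": r.lan_to_wan(Packet("10.0.0.9", 52001, "192.0.2.51", 445)) is None,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The two results worth reading side by side are `phone_home_allowed` and `smb_egress_blocked`: the first is the Leaktest observation (NAT maps any outbound flow, including malware's, because it cannot tell them apart), and the second only holds because an egress rule was added on top. Likewise `guessed_port_passes_without_spi` is exactly the "guess which ports NAT has opened" claim, and it disappears as soon as the table is matched on the full remote address and port.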
  28. Archived from groups: comp.security.firewalls

    In article <430c2f7f@news.uni-ulm.de>, bumens@dingens.org says...
    > Shawn K. Quinn <skquinn@speakeasy.net> wrote:
    > > You have to be able to block outbound
    > > connections to have any notion of security.
    >
    > This is not reliably possible. There is tunneling.

    When you combine it with a proper amount of public outbound access it
    means it's very secure.

    If you can't get to residential networks, can't get to anything except
    approved websites, then you can't tunnel very easily - and it also means
    that you can do DNS as your internal DNS is to your internal DNS server
    and the DNS server is the only one permitted outbound, so that means you
    can get outbound DNS from your local computer.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  29. Archived from groups: comp.security.firewalls

    On Tue, 23 Aug 2005 21:48:36 GMT, Leythos <void@nowhere.lan> wrote:

    >All it takes is the host (inside the network) to contact the hacker site
    >for instructions, and you are done.
    >
    >So, what we mean is that your machine is compromised with something that
    >phones-home for instructions - your NAT router, which allows ALL
    >outbound does not stop the virus/worm since it's already inside your
    >network - it calls home to get more things/instructions and starts
    >spreading out over ports 135~139 & 445 since your NAT router doesn't
    >block those outbound either (by default).

    Any properly setup NAT router should be blocking those ports. Mine does,
    and a lot of other unnecessary ports as well.

    But all in all, there is a big difference between picking a lock (which
    seems to be what the OP was talking about) and somehow convincing the home
    owner to slide the key under the door.

    No technology can protect a stupid user.

    --
    MORAL, adj. Conforming to a local and mutable standard of right. Having
    the quality of general expediency.

    - Ambrose Bierce
  30. Archived from groups: comp.security.firewalls

    Leythos <void@nowhere.lan> wrote:
    > In article <430c2f7f@news.uni-ulm.de>, bumens@dingens.org says...
    > > Shawn K. Quinn <skquinn@speakeasy.net> wrote:
    > > > You have to be able to block outbound
    > > > connections to have any notion of security.
    > > This is not reliably possible. There is tunneling.
    > When you combine it with a proper amount of public outbound access it
    > means it's very secure.

    You're right: when you're cutting the network cable with a knife, then
    tunneling through this cable does not work any more ;-)

    What was the reason to have Internet access? I think, you forgot that.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  31. Archived from groups: comp.security.firewalls

    In article <430c57b4@news.uni-ulm.de>, bumens@dingens.org says...
    > Leythos <void@nowhere.lan> wrote:
    > > In article <430c2f7f@news.uni-ulm.de>, bumens@dingens.org says...
    > > > Shawn K. Quinn <skquinn@speakeasy.net> wrote:
    > > > > You have to be able to block outbound
    > > > > connections to have any notion of security.
    > > > This is not reliably possible. There is tunneling.
    > > When you combine it with a proper amount of public outbound access it
    > > means it's very secure.
    >
    > You're right: when your cutting the network cable with a knife, then
    > tunneling through this cable does not work any more ;-)
    >
    > What was the reason to have Internet access? I think, you forgot that.

    Nope, I think you assumed that the internet, from work, should not be
    restricted to anyone?

    In reality there are very few businesses that need to provide ANY
    internet access to employees while at work. Even ones that need internet
    access only need limited access in almost every case.

    I can easily permit all business functions, all company to company
    partner functions, FTP, SSL, HTTP, VPN, SMTP, etc.... All without
    allowing unrestricted access to the Internet, while still being able
    to provide FULL BUSINESS RELATED ACCESS to those services.

    If you're using the Internet at work for non-company reasons you are
    stealing time/resources from the company.

    Any quality firewall solution would not permit unrestricted outbound
    access from workstations - and there would be an Internal DNS and SMTP
    server, so you don't need to allow those out from workstations, you
    don't need to allow HTTP outbound in most cases, and you can limit them
    to the approved HTTP sites for company related business, email goes
    through the company email server, so there is no outbound SMTP from
    workstations to the public..... Come to think about it, I can't find
    many business reasons to allow much more than HTTP/HTTPS to approved
    sites - even FTP would be limited to approved sites.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  32. Archived from groups: comp.security.firewalls

    On 23 Aug 2005 16:01:15 -0700, "Nicky" <hackeras@gmail.com> wrote:

    >And how can router be crashed? By what way?
    >Even if it gets amounts of packets tryign to break in it would simply
    >reject them and only allow those setup in port redirection.

    There have been many well-publicized bugs in various vendors' NAT firmware
    that allowed the device to be crashed. Of course quite often that meant
    that there was no traffic at all, and therefore no risk of intrusion. It
    was just DoS.

    --
    Aoccdrnig to a rscheearch at an Elingsh uinervtisy, it deosn't mttaer in
    waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the
    frist and lsat ltteer is at the rghit pclae. The rset can be a toatl mses
    and you can sitll raed it wouthit porbelm. Tihs is bcuseae we do not raed
    ervey lteter by it slef but the wrod as a wlohe. ceehiro.
  33. Archived from groups: comp.security.firewalls

    On Tue, 23 Aug 2005 23:48:04 -0600, "Stuart McGraw"
    <smcg4191zz@friizz.RimoovAllZZs.com> wrote:

    >But there was one claim that sounded like a serious problem for NAT
    >devices if true... They said:
    >"[There are hacker tools for...] Exploiting open ports. Once a NAT
    >device opens a port by putting it in the NAT table, all traffic destined
    >to that port is allowed through to the local computer identified in the
    >table. Hackers use automated programs to guess which ports NAT
    >has opened, and they keep trying until they get through."
    >
    >Can anybody point me to some reliable documentation on this?

    I don't have a link handy. But the basic idea makes sense. However, you
    have to ask yourself what ports could a hacker find open? Your browser
    opens ports, your email and NNTP clients open ports, etc. Exactly what
    benefit is there to the hacker in sending a packet to one of those ports?

    There has to be a service running that is going to take some presumably
    insidious action in response. Then you are getting more into the
    possibility of a buggy service.

    --
    Sooner or later everyone sits down to a banquet of consequences.

    - Robert Louis Stevenson
  34. Archived from groups: comp.security.firewalls (More info?)

    Leythos <void@nowhere.lan> wrote:
    > When you combine it with a proper amount of public outbound access it
    > means it's very secure.

    BTW: this means, not to allow any search engine, like Google or Yahoo.
    It also means blocking, e.g., the New York Times, because it has a
    Google plugin.

    Yours,
    VB.
    --
    "Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
    deutschen Schlafzimmern passiert".
    Harald Schmidt zum "Weltjugendtag"
  35. Archived from groups: comp.security.firewalls (More info?)

    In article <430c66b7@news.uni-ulm.de>, bumens@dingens.org says...
    > Leythos <void@nowhere.lan> wrote:
    > > When you combine it with a proper amount of public outbound access it
    > > means it's very secure.
    >
    > BTW: this means, not to allow any search engine, like Google or Yahoo.
    > It means also, blocking i.e. the New York Times, because it has a
    > Google plugin.

    So, what's your point?

    Just how many Accounts need to access Yahoo or Google?

    Just how many machine operators need it?

    Just how many receptionists need it?

    Just how many anyone really needs to be Surfing during business hours?

    What part are you missing about Businesses are there for you to WORK,
    not to search/play/browse the web in your spare/free/working time.

    Also, you could easily allow Yahoo and Google and have no threat of
    someone using a tunnel through to those sites to get to their home
    computers. Just because you allow Yahoo and Google doesn't mean you have
    to allow them access to all the sites in the resulting search or to the
    links that are not contained within the sites.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  36. Archived from groups: comp.security.firewalls (More info?)

    In message <MPG.1d7632392a0e3044989cf6@news-server.columbus.rr.com>
    Leythos <void@nowhere.lan> wrote:

    >In article <430c66b7@news.uni-ulm.de>, bumens@dingens.org says...
    >> Leythos <void@nowhere.lan> wrote:
    >> > When you combine it with a proper amount of public outbound access it
    >> > means it's very secure.
    >>
    >> BTW: this means, not to allow any search engine, like Google or Yahoo.
    >> It means also, blocking i.e. the New York Times, because it has a
    >> Google plugin.
    >
    >So, what's your point?
    >
    >Just how many Accounts need to access Yahoo or Google?
    >
    >Just how many machine operators need it?
    >
    >Just how many receptionists need it?

    Anyone who has ever had a CEO scribble an address and say "Rush
    courier this within the next 3 hours or it will cost the company 5
    million dollars" and walk into a shareholders meeting for the next 4
    hours.

    The courier shows up, can't read the address, and the receptionist now
    needs to verify the address, otherwise the courier won't accept the
    package.

    Is that a 0, a 6 or an 8? Check on Google, find the company, it's an
    "8" -- Or find a phone number and call their office.

    <snip>

    --
    Warning Dates in Calendar are closer than they appear.
  37. Archived from groups: comp.security.firewalls (More info?)

    Leythos <void@nowhere.lan> wrote:
    > Nope, I think you assumed that the internet, from work, should not be
    > restricted to anyone?

    Yes, for the companies I'm managing, I think so. Of course, I don't
    want anybody else to decide the same. Everybody has to do what she/he
    finds best.

    > I can't find
    > many business reasons to allow much more than HTTP/HTTPS to approved
    > sites

    Poor people, who can only use caponized network access. Poor businesses,
    who will soon fall behind the competition, because they have
    no media literacy, and the staff cannot see what's going on in the
    world.

    Yours,
    VB.
    --
    "Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
    deutschen Schlafzimmern passiert".
    Harald Schmidt zum "Weltjugendtag"
  38. Archived from groups: comp.security.firewalls (More info?)

    CyberDroog <CyberDroog@clockworkorange.com> wrote:
    > However, you
    > have to ask yourself what ports could a hacker find open?

    Spoofed DNS datagrams are an interesting thing, for example.

    Yours,
    VB.
    --
    "Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
    deutschen Schlafzimmern passiert".
    Harald Schmidt zum "Weltjugendtag"
  39. Archived from groups: comp.security.firewalls (More info?)

    Shawn K. Quinn <skquinn@speakeasy.net> wrote:
    > > If it does NAT/masquerading, a DoS attack is very easy from inside. Just
    > > exploit the maximum size of the NAT table by flooding with packets opening
    > > a huge number of connections.
    > There are ways around this. The pf packet filter (part of OpenBSD)
    > allows you to adaptively tune timeouts as capacity nears the maximum.

    With a proper timing in flooding, it should be possible to make
    new connections impossible anyway.

    And: how many NAT implementations beside OpenBSD have that feature?

    Yours,
    VB.
    --
    "Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
    deutschen Schlafzimmern passiert".
    Harald Schmidt zum "Weltjugendtag"
  40. Archived from groups: comp.security.firewalls (More info?)

    On 24 Aug 2005 13:19:16 +0200, Volker Birk <bumens@dingens.org> wrote:

    >You're right: when your cutting the network cable with a knife, then
    >tunneling through this cable does not work any more ;-)

    Ah, now that is fun stuff. I've done that on more than one occasion. One
    time a user had wiped out his system, installed a beta version of Windows
    2k3 Server, and set up DHCP (in conflict with the LAN servers, of course.)
    Why? Because he was a "power user" and likes to learn about this stuff.

    I yanked as much slack as I could in the cat5 cable leading to the wall
    socket and cut the line. I left the socket half hanging off the wall with
    a note saying he was on the list for repairs. Amazingly, he was actually
    fired.

    Some IT managers don't care for those kinds of tactics. But sometimes one
    has to relieve the stress.

    --
    As I grow older, I pay less attention to what men say. I just watch what
    they do.

    - Andrew Carnegie
  41. Archived from groups: comp.security.firewalls (More info?)

    On Wed, 24 Aug 2005 11:56:20 GMT, Leythos <void@nowhere.lan> wrote:

    >Any quality firewall solution would not permit unrestricted outbound
    >access from workstations - and there would be an Internal DNS and SMTP
    >server, so you don't need to allow those out from workstations, you
    >don't need to allow HTTP outbound in most cases, and you can limit them
    >to the approved HTTP sites for company related business, email goes
    >through the company email server, so there is no outbound SMTP from
    >workstations to the public..... Come to think about it, I can't find
    >many business reasons to allow much more than HTTP/HTTPS to approved
    >sites - even FTP would be limited to approved sites.

    You're completely right, of course. I still can't fathom why so many
    companies don't care for any such restrictions. Yet the management will be
    the first to complain when they find countless copies of an 80 MB video of
    penguins slipping on the ice bouncing around the email server. But then,
    they almost never want to fire the blue-haired old bat who brought the
    thing in and decided to share it with everyone.

    Go figure.

    --
    "Don't you see that the whole aim of Newspeak is to narrow the range of
    thought? In the end we shall make thoughtcrime literally impossible,
    because there will be no words in which to express it."

    - George Orwell as Syme in "1984"
  42. Archived from groups: comp.security.firewalls (More info?)

    > Despite your bogus claims, before I retired I worked for a
    > company that believed exactly the opposite of what you say.

    That's all I needed to know and I'll bet I am right on the money about you
    up there in Alaska. You don't have anything else to do. :)

    Duane :)
  43. Archived from groups: comp.security.firewalls (More info?)

    On 24 Aug 2005 14:42:48 +0200, Volker Birk <bumens@dingens.org> wrote:

    >Leythos <void@nowhere.lan> wrote:
    >
    >> I can't find
    >> many business reasons to allow much more than HTTP/HTTPS to approved
    >> sites
    >
    >Poor people, who can only use caponized network access. Poor businesses,
    >who will soon fall behind the competition, because they have
    >no media literacy, and the staff cannot see what's going on in the
    >world.

    As opposed to all of those successful and productive businesses who allow
    all of their employees to sit around reading The New York Times online all
    day. Or keep tabs on their ebay bids or sales. Or do all of their
    Christmas shopping.

    --
    OVERWORK, n. A dangerous disorder affecting high public functionaries who
    want to go fishing.

    - Ambrose Bierce
  44. Archived from groups: comp.security.firewalls (More info?)

    Leythos <void@nowhere.lan> wrote:
    >In article <878xyrb7yp.fld@barrow.com>, floyd@apaflo.com says...
    >> Leythos <void@nowhere.lan> wrote:
    >> >In reality there are very few businesses that need to provide ANY
    >> >internet access to employees while at work. Even ones that need internet
    >> >access only need limited access in almost every case.
    >>
    >> You've stated that several times in various articles. It is a
    >> bogus claim which assumes that every business is the same as
    >> yours apparently is. But other businesses have honest,
    >> intelligent and diligent workers who need to get work done in
    >> the most efficient and effective way possible, which often means
    >> unrestricted access to the Internet.
    >
    >I don't believe that for one instant - I've done support for more than a
    >hundred corporations in the last 5 years, many government groups, and
    >I've never seen one company (or learned about one) that required all of
    >its employees to have complete, open, unrestricted, internet access.

    Nobody said "required", though that is the practical effect. Regardless,
    I just mentioned one such company. I'm not sure if *all* employees
    need Internet access, but I certainly was not aware of any that didn't.

    >Sure, there are groups in companies that are given it, but the majority
    >of employees in most companies don't need it to do their jobs.
    >
    >Prove me wrong, list 5 companies we can check to see that everyone in
    >them needs full, unrestricted, open, access to the Internet - 5
    >companies with more than 50 employees.
    >
    >I await your list.

    I don't need to list 5. Just one. And as I noted, that company
    is large enough to have a senior management position for Network
    Security, filled at the time by a person who literally wrote the
    book.

    Are you claiming that their head of Network Security was not as
    competent as you? The idea is hilarious!

    --
    Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
    Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
  45. Archived from groups: comp.security.firewalls (More info?)

    On Wed, 24 Aug 2005 08:44:30 -0800, floyd@apaflo.com (Floyd L. Davidson)
    wrote:

    >Leythos <void@nowhere.lan> wrote:
    >>Nope, I think you assumed that the internet, from work, should not be
    >>restricted to anyone?
    >>
    >Despite your bogus claims, before I retired I worked for a
    >company that believed exactly the opposite of what you say. I
    >had absolute total access to the Internet, as did virtually
    >*all* employees. That didn't mean I wasted company time doing
    >personal business on the Internet. I also had unlimited access
    >to a telephone with unlimited toll access too. And I had
    >unlimited access to company mail (USPS) and to a company
    >vehicle. Typically most employees did, and there were very few
    >abuses.

    Your supposed experience is quite different from the norm according to
    studies. For instance, and keep in mind that this is on top of the time
    people normally waste chatting with co-workers:

    http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2005/07/11/wastingtime.TMP

    They pegged the average of wasted time at 2.09 hours per day per employee,
    (not counting lunch) frittering away the time on the net.

    Or:
    http://www.cyberguard.com/products/firewall/SG_Family/URL_Filter.html?lang=de_EN

    30 to 40% of Internet surfing during work hours is not business related.

    As much as 70% of a company's bandwidth is being consumed by non-productive
    pursuits.

    68% of all Internet pornography traffic occurs during the 9-to-5 workday.


    --
    There are indeed a great many more things in life than money; and it is
    money that gives us access to most of them.

    - Terry Eagleton
  46. Archived from groups: comp.security.firewalls (More info?)

    In article <430c6b48@news.uni-ulm.de>, bumens@dingens.org says...
    > > I can't find
    > > many business reasons to allow much more than HTTP/HTTPS to approved
    > > sites
    >
    > Poor people, who can only use caponized network access. Poor businesses,
    > who will soon fall behind the competition, because they have
    > no media literacy, and the staff cannot see what's going on in the
    > world.

    Funny, I don't see any reason for the majority of people to have
    Internet access at work; in fact, about the only people that need Web
    access are the managers, department heads, and higher levels in order to
    maintain a feel for the economy. I'm not talking about blocking the
    world, just only allowing approved sites.

    There would be no reason to allow moveon.org from any business unless it
    was political. Same for many other sites - so, you can see that most web
    access is not needed for most employees at most companies.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  47. Archived from groups: comp.security.firewalls (More info?)

    In article <430c6e14@news.uni-ulm.de>, bumens@dingens.org says...
    > With Google cache, e.g., you cannot deny that people are seeing what
    > you don't want them to see. This is one way.
    >
    > For example, http://validator.w3.org/ works two ways. It should be
    > easy to build an IP tunnel with it ;-)
    >
    > I hope for your users, that they will find many creative ways to tunnel
    > through your "firewalls".
    >
    > Hm... did you think about mail tunneling also? Or is it allowed to
    > send E-Mail to fixed addresses only? :-P And: are you sure that
    > nobody there will have a tunnel gateway to the free network?

    Email is from an internal server only - why would you want to allow
    employees to access any external email service? Since they have to send
    through the company server, since the company server is the only
    outbound SMTP, there isn't much they are going to do to tunnel.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  48. Archived from groups: comp.security.firewalls (More info?)

    In article <vurog1le0qdfaiadr3t5p3f46aroeraa2m@news.easynews.com>,
    CyberDroog@ClockworkOrange.com says...
    > On Tue, 23 Aug 2005 21:48:36 GMT, Leythos <void@nowhere.lan> wrote:
    >
    > >All it takes is the host (inside the network) to contact the hacker site
    > >for instructions, and you are done.
    > >
    > >So, what we mean is that your machine is compromised with something that
    > >phones-home for instructions - your NAT router, which allows ALL
    > >outbound does not stop the virus/worm since it's already inside your
    > >network - it calls home to get more things/instructions and starts
    > >spreading out over ports 135~139 & 445 since your NAT router doesn't
    > >block those outbound either (by default).
    >
    > Any properly setup NAT router should be blocking those ports. Mine does,
    > and a lot of other unnecessary ports as well.

    But NAT routers don't block those OUTBOUND by default, sure they block
    it inbound, but they don't do anything about it outbound.
    --

    spam999free@rrohio.com
    remove 999 in order to email me
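The egress policy argued for earlier in the thread (internal DNS and SMTP servers only, HTTP/HTTPS only to approved sites, nothing else out) and the point just made about a NAT router not blocking 135-139/445 outbound can be put side by side on the same traffic. The model below is an added illustration, not code from the posters or from any firewall vendor; the LAN range, server addresses, approved-site addresses and the sample connections are constructed.

```python
"""
Egress policy model for the "only what the business needs goes out" design
argued in this thread, as an added illustration; it is not code from the
posters or from any firewall vendor.  The LAN range, server addresses,
approved-site addresses and the sample flows are all constructed.

Two policies are compared on the same new outbound connections:
  nat_default_policy  -- a plain NAT router: every outbound connection is allowed
  restrictive_policy  -- DNS only from the internal resolver, SMTP only from the
                         mail server, HTTP/HTTPS only to approved sites, else deny
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str     # LAN source address
    dst: str     # Internet destination address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


LAN = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_DNS = "192.168.1.2"     # constructed: the internal resolver
MAIL_SERVER = "192.168.1.3"      # constructed: the only host allowed to speak SMTP out
APPROVED_WEB = {"203.0.113.10", "203.0.113.11"}  # constructed: addresses of approved sites


def nat_default_policy(flow):
    """What a consumer NAT router does with a new outbound connection: allow it."""
    return ipaddress.ip_address(flow.src) in LAN


def restrictive_policy(flow):
    """Default-deny outbound with the exceptions the thread lists."""
    if ipaddress.ip_address(flow.src) not in LAN:
        return False
    if flow.dport == 53 and flow.src == INTERNAL_DNS:
        return True
    if flow.proto == "tcp" and flow.dport == 25 and flow.src == MAIL_SERVER:
        return True
    if flow.proto == "tcp" and flow.dport in (80, 443) and flow.dst in APPROVED_WEB:
        return True
    # Everything else is denied: worm traffic on 135-139/445, direct SMTP or
    # DNS from workstations, and phone-home connections to unapproved hosts.
    return False


# Constructed sample of new outbound connections seen at the gateway.
SAMPLE_FLOWS = {
    "receptionist to approved site": Flow("192.168.1.10", "203.0.113.10", "tcp", 443),
    "internal resolver to upstream DNS": Flow("192.168.1.2", "203.0.113.53", "udp", 53),
    "mail server to remote MX": Flow("192.168.1.3", "203.0.113.25", "tcp", 25),
    "workstation doing its own DNS": Flow("192.168.1.10", "203.0.113.53", "udp", 53),
    "workstation sending SMTP directly": Flow("192.168.1.10", "203.0.113.25", "tcp", 25),
    "worm probing SMB (445)": Flow("192.168.1.10", "198.51.100.20", "tcp", 445),
    "worm probing NetBIOS (139)": Flow("192.168.1.10", "198.51.100.20", "tcp", 139),
    "malware phone-home on port 80": Flow("192.168.1.10", "198.51.100.99", "tcp", 80),
    "malware tunnelling via an approved site": Flow("192.168.1.10", "203.0.113.11", "tcp", 443),
}


def evaluate(policy):
    """Map each sample flow name to True (allowed) / False (denied)."""
    return {name: policy(flow) for name, flow in SAMPLE_FLOWS.items()}


def allowed_count(policy):
    return sum(evaluate(policy).values())
```

`evaluate(nat_default_policy)` allows all nine flows, including the worm's 445/139 probes and the phone-home; `evaluate(restrictive_policy)` allows four. The one it cannot catch is the last: a compromised host that talks to an approved site over 443 looks exactly like the receptionist, which is the tunnelling objection raised earlier in the thread, and is why approved-site lists are a reduction of exposure rather than a guarantee.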
  49. Archived from groups: comp.security.firewalls (More info?)

    In article <p7sog1l3367jbsgaf78etrm0905jaji71i@news.easynews.com>,
    CyberDroog@ClockworkOrange.com says...
    > But a simple NAT router *is* such a firewall. It's
    > just of very low quality and the vendor leaves it to you to not hand
    > someone else the keys.

    Sorry, but NAT is not just a low quality firewall - you seem to think
    that devices can be sort-of, maybe, almost, firewalls - well, they
    can't, they are either a firewall or not. All the fancy features that
    firewalls use to differentiate them from each other don't mean anything
    if the device is not a firewall.

    NAT boxes, unless they meet certain requirements, are not firewalls.
    This does not mean that firewalls can't also offer NAT, but NAT alone
    does not make the device a firewall.

    --

    spam999free@rrohio.com
    remove 999 in order to email me