When doing a fresh install, I have to be behind a firewall. I've seen a new W2K machine infected via a viral probe minutes after it first connected to the net, before the patches could be applied.
I've hooked up IP logging for attempted incoming connections and they pop up on a regular basis.
In my laptop, I have a PFW, A/V software, the hosts file from mvps.org and I install patches as soon as they come out. And I pray.
You do? I simply need to pull the network plug. Before getting updates it's sufficient to not provide any services on the external interface. You can do that either by yourself if you're knowledgeable enough, or you can use the script from [1] or the program from [2].
I agree that it's probably more convenient to use a packet filtering router instead, though.
That won't happen if the box doesn't have exploitable services available on the external interface.
Since a NAT router doesn't provide any security by itself, I fail to see how it could be part of a security concept. After all, NAT is supposed to provide, not to limit connectivity (and the RFC explicitly states so).
Need?
Which is about the most stupid suggestion of the month.
Well, yeah, to show how incompetent it is. But where's the relation to security? It's not like the output of such software would have any relevance whatsoever.
And yet, every day, we see how the ignorant are protected from themselves and their exploitable OS by just such simple devices as NAT Routers.
Sure, the sun could explode on Wednesday, but, as long as they have a NAT Router in front of their connection there is a very good chance that their boxes won't be reached by unsolicited traffic.
Admittedly, I'm not an expert by any means, but you have a history of saying that software packet filters are easily circumvented, and that this is the reason all the software firewalls are useless?
The above are all host-based packet filters implemented purely in software without any hardware acceleration. They are placed within the NDIS stack, so they apply before the packets get addressed to the applications which requested ports/sockets. They work absolutely well for the mentioned scenario.
What they can't address reliably, and therefore don't even try to, is filtering outbound traffic, especially not by application.
Maybe you also twisted it a bit because many other packet filter implementations from other vendors, commonly known as the "personal firewall" crap, are horrible error-prone implementations that can be easily circumvented, abused and exploited, both on the network and application level.
Wrong. There's a patchable vulnerability in the TCP/IP stack, which, depending on the router's implementation, might be exploitable from the outside. However, the risk is very low, since it would require the attacker to sit within your ISP's network infrastructure to bypass their ingress filtering.
You may want to explain how you get a box, used by the ignorant masses, the uneducated idiots, the 90% of the people that use a Windows PC, to not accept inbound connections.....
Face it, a NAT router is going to be a better security implementation than what the masses have the ability to do on their own.
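The whole thread turns on one mechanism: a consumer NAT router forwards an inbound packet only when it matches a translation-table entry that earlier outbound traffic created (or a static port forward), so unsolicited probes have no internal destination and are discarded, while a forwarded port re-exposes the LAN host exactly as if it were directly connected. The toy model below is an added example written for this page, not code from any poster or from a real router; the hostnames and addresses are constructed from documentation ranges, and the symmetric "reply must come from the endpoint we talked to" check is an assumption about the router's behaviour (many cheap routers are looser than this).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the addressing fields a NAT box cares about (TCP/UDP 4-tuple)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Minimal model of a consumer NAT router with a dynamic translation table.

    Inbound packets are forwarded only if they match an entry created by an
    earlier outbound packet, or a static port forward. Anything else has no
    internal destination and is dropped: that is the incidental inbound
    filtering the thread argues about. (Hypothetical model, not a real stack.)
    """

    def __init__(self, public_ip, port_forwards=None):
        self.public_ip = public_ip
        # public port -> (lan ip, lan port); configured by the user
        self.forwards = dict(port_forwards or {})
        # public port -> (lan ip, lan port, remote ip, remote port); dynamic
        self.table = {}
        self._next_port = 40000  # assumed starting point of the ephemeral range

    def outbound(self, pkt):
        """Translate a LAN->Internet packet, creating a mapping if needed."""
        for pub_port, (lip, lport, rip, rport) in self.table.items():
            if (lip, lport, rip, rport) == (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)
        pub_port = self._next_port
        self._next_port += 1
        self.table[pub_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate an Internet->LAN packet, or return None if it is dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.table.get(pkt.dport)
        if entry is not None:
            lip, lport, rip, rport = entry
            # Assumed symmetric behaviour: only the peer we contacted may reply.
            if (pkt.src, pkt.sport) == (rip, rport):
                return Packet(pkt.src, pkt.sport, lip, lport)
            return None
        fwd = self.forwards.get(pkt.dport)
        if fwd is not None:
            # A static port forward makes the LAN service reachable to anyone.
            lip, lport = fwd
            return Packet(pkt.src, pkt.sport, lip, lport)
        return None


def demo():
    """Run four constructed packets through the model and collect the outcomes."""
    # Constructed addresses from RFC 5737 documentation ranges.
    nat = NatRouter("203.0.113.7", port_forwards={3389: ("192.168.1.10", 3389)})
    results = {}

    # 1. The fresh W2K box opens an HTTP connection to fetch updates.
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    # 2. The web server's reply matches the mapping and reaches the box.
    results["reply"] = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.7", out.sport))
    # 3. An unsolicited probe at the box's SMB port: no mapping, dropped.
    results["probe_445"] = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 445))
    # 4. A probe at the live dynamic port from a different peer: dropped too.
    results["wrong_peer"] = nat.inbound(Packet("198.51.100.99", 80, "203.0.113.7", out.sport))
    # 5. The user-configured forward re-exposes RDP to the whole Internet.
    results["forwarded"] = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 3389))
    return results


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} -> {'dropped' if pkt is None else pkt}")
```

The model shows both sides of the argument at once: with no forwards configured, nothing unsolicited reaches the LAN host even though the router has no filtering policy at all, and a single port forward (or a UPnP-opened port, which this model does not implement) puts the host straight back on the wire.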