Router

On Mon, 14 Jan 2008 10:39:55 -0500, Leythos wrote:

depends on the router configuration, sometimes a firmware bug helps to make your network reachable

it is the same security, if you download update files and your DNS is poisoned you think your installation is safe...

not really

cheers

Reply to
Burkhard Ott

When doing a fresh install, I have to be behind a firewall. I've seen a new W2K machine infected via a viral probe minutes after it first connected to the net, before the patches could be applied.

I've hooked up IP logging for attempts for incoming connections and they pop up on a regular basis.

In my laptop, I have a PFW, A/V software, the hosts file from mvps.org and I install patches as soon as they come out. And I pray.

Reply to
Al Dykes

You do? I simply need to pull the network plug. Before getting updates it's sufficient to not provide any services on the external interface. You can do that either by yourself if you're knowledgeable enough, or you can use the script from [1] or the program from [2].

I agree that it's probably more convenient to use a packet filtering router instead, though.

That won't happen if the box doesn't have exploitable services available on the external interface.

[1]
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

It's much easier and safer to be behind a NAT box.

Reply to
Al Dykes

Thanks Todd.

I decided to go with a Netgear RP614.

Thank you and everyone else who responded with help.

Reply to
Tom In Maine

Yup.

Reply to
Todd H.

Easier? Yes. And if you re-read my post you'll probably notice that I already wrote that.

Safer? Not really. Depending on the implementation of the router's firmware it may not even be equally safe.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Since a NAT router doesn't provide any security by itself, I fail to see how it could be part of a security concept. After all, NAT is supposed to provide, not to limit connectivity (and the RFC explicitly states so).

Need?

Which is about the most stupid suggestion of the month.

Well, yeah, to show how incompetent it is. But where's the relation to security? It's not like the output of such software would have any relevance whatsoever.

Reply to
Sebastian G.

Huh? Why?

So what? After less than a second of running a configuration script you have exactly zero open ports.

Even further, what about the packet filter facilities in Win2k? You have IPFilter, RRAS firewall and IPsec.

So you're spamming yourself with useless log data?

Well, you should. Any of these are so well-suited to hose your system.

Reply to
Sebastian G.

And yet, every day, we see how the ignorant are protected from themselves and their exploitable OS by just such simple devices as NAT Routers.

Sure, the sun could explode on Wednesday, but, as long as they have a NAT Router in front of their connection there is a very good chance that their boxes won't be reached by unsolicited traffic.

Reply to
Leythos
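To make the disagreement above concrete, here is an added example (not code from any poster in this thread) that models the translation table of a consumer NAT box. It shows both sides: an unsolicited inbound packet has no table entry and is dropped, a reply to a flow the LAN host opened is passed through, and a single static port forward re-exposes the service, which is 59cobalt's and Sebastian's point that NAT is a connectivity mechanism rather than a security policy. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:                      # constructed 4-tuple, enough for the model
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    """Full-cone NAT: a mapping exists only after a LAN host sends outbound,
    or because an admin added a static port forward."""
    wan_ip: str
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)  # (lan_ip, lan_port) -> wan_port
    inbound: dict = field(default_factory=dict)   # wan_port -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)  # static wan_port -> (lan_ip, lan_port)

    def add_port_forward(self, wan_port, lan_ip, lan_port):
        # NAT is about connectivity: one rule re-exposes a LAN service to the WAN.
        self.forwards[wan_port] = (lan_ip, lan_port)

    def lan_to_wan(self, pkt):
        """Outbound: create (or reuse) a mapping, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Packet(self.wan_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt):
        """Inbound: deliver only if state or a forward names a LAN target, else drop."""
        target = self.inbound.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None          # unsolicited probe: no table entry, packet dropped
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

def demo():
    """Walk the thread's three cases; returns (probe_dropped, reply, exposed)."""
    nat = NatRouter(wan_ip="203.0.113.7")     # constructed documentation addresses
    pc = "192.168.1.10"
    probe = Packet("198.51.100.9", 4444, "203.0.113.7", 445)   # unsolicited SMB probe
    probe_dropped = nat.wan_to_lan(probe) is None               # True: nowhere to go
    out = nat.lan_to_wan(Packet(pc, 51234, "198.51.100.20", 80))  # PC fetches an update
    reply = nat.wan_to_lan(Packet("198.51.100.20", 80, out.src_ip, out.src_port))
    nat.add_port_forward(445, pc, 445)        # admin "opens" the service
    exposed = nat.wan_to_lan(probe)           # same probe now reaches the PC
    return probe_dropped, reply, exposed
```

The model is full-cone, so once a mapping exists any WAN host can send to that external port; a real device may be stricter, but the dropped-by-default and exposed-by-forward behaviour is the same.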

Admittedly, I'm not an expert by any means, but you have a history of saying that software packet filters are easily circumvented, and is the reason that all the software firewalls are useless?

Reply to
Ryan P.

The above are all host-based packet filters implemented purely in software without any hardware acceleration. They are placed within the NDIS stack, so they apply before the packets get addressed to the applications which requested ports/sockets. They work absolutely well for the mentioned scenario.

What they can't address reliably, and therefore don't even try to, is filtering outbound traffic, especially not by application.

Maybe you also twisted it a bit because many other packet filter implementations from other vendors, commonly known as the "personal firewall" crap, are horribly error-prone implementations that can be easily circumvented, abused and exploited, both on the network and application level.

Reply to
Sebastian G.

A NAT box set to factory defaults is a perfect block for attempted incoming connections.

Reply to
Al Dykes

For arbitrary stupid definitions of "perfect".

Reply to
Sebastian G.

Most of the zombies on the market today were installed by a user.

Classic Trojan horse, no OS on the market is more or less secure against a user with administrator/root rights and the will to use 'em.

Reply to
DevilsPGD

Windows 2000, sure. In practice, with WinXP SP2 (and newer) that simply hasn't been the case.

My condolences.

Reply to
DevilsPGD

Wrong. There's a patchable vulnerability in the TCP/IP stack, which, depending on the router's implementation, might be exploitable from the outside. However, the risk is very low, since it would require the attacker to sit within your ISP's network infrastructure to bypass their ingress filtering.

Reply to
Sebastian G.


Either you didn't read, or you didn't understand what I wrote. Try again.

You may also want to explain how that would be safer than a box which simply doesn't accept incoming connection attempts.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

On Tue, 15 Jan 2008 12:23:25 +0100, Sebastian G. wrote:

you probably mean that?


Reply to
Burkhard Ott

You may want to explain how you get a box, used by the ignorant masses, the uneducated idiots, the 90% of the people that use a Windows PC, to not accept inbound connections.....

Face it, a NAT router is going to be a better security implementation than what the masses have the ability to do on their own.

Reply to
Leythos
