Firewall Stealth Mode?

That should be hard to explain, as it does.

Reply to
Sebastian Gottschalk

Nope, in fact, I had to disable part of the firewall rules just to be able to download it, as the code would not pass through the firewall to the local machines. Then, after running it, it didn't do what he said; it seems it only works on unsecured machines in their default settings.

Reply to
Leythos

I posted a small list of some tested models. The last entry, LevelOne FBR-1418TX being vulnerable on some ports and sometimes even crashing, was provided by me.

OK, just lying around here: A Digitus RN-16002 with most recent firmware. It's vulnerable to the DNS triggering as described earlier.

Usually I test models for certain criteria and if just one doesn't match I delete it from the list, not noting which criteria it was or which other criteria were violated.

I also don't write down which models my customers are using. I usually just notice that they're shit.

Reply to
Sebastian Gottschalk

You really don't want to get the point, do you? And obviously your network seems to be locked down to unusability. You don't even trust your very own download requests?

Hm... did you ever read the code and understand what it does? You might understand that with Active Desktop disabled for sure it won't work. :-)

But you might use the Help Center instead, or an IFilter-triggered WinHTTP download, or many other curious things (hey Volker, here are some nice ideas). Just write your own code. There are so many scripting methods provided just by COM+ that you won't be able to address even a little part of them. And I guess you should know how to find out how your system behaves with COM+ interaction disabled. Not fine.

Reply to
Sebastian Gottschalk

How about the ones that most home users are likely to have, Linksys, D-Link, Netgear. Since I don't expect many people own anything by Digitus or LevelOne, I would suspect that the base is very small then.

One important thing - since the functions of the NAT router are based on the firmware, and since many vendors fix flaws, it's important to document the part number and firmware version - without it, the tests don't mean much. I'm sure that there were holes in the first Linksys BEFSR41 unit, but that was 4 years of firmware updates ago, which hardly means that all BEFSR41 units are bad or that all Linksys units are bad...

Without the data containing vendor, part, firmware, tested flaw, result, there is nothing more than blathering about it. Surely you've done enough testing to know that you need the above to prove the point. Even ICSA Labs provides that level of detail and more if needed.

Reply to
Leythos

You don't understand security much if you think that anyone should be able to download anything at anytime on any network.

Sure, I have rules that allow "Me" to bypass filtering at the gateway, but I don't normally use it as there is little reason for me to allow download of many types of files. I also don't allow users on my network free access to the internet - after all, we are in a security group, talking about security ideas/ideals, and only a fool would allow complete, unrestricted, open access to the internet for everyone on a network.

Yep, downloaded it and looked at it, understood the trick, and it still didn't work.

And so we're back to where his POC didn't work, didn't even make it to the labs test stations using standard firewall rules, etc.... So, it seems that the little trick is just one needed to spread FUD.

In reality, where I work every day, you can't honestly tell me that many people using NAT or PFW apps actually don't have compromised machines, that they just think they don't have compromised machines. Heck, even a neighbor running ZAP with Dial-Up for over a year was able to surf the net without any restrictions except those imposed by his browser and ZAP, and his machine was uncompromised - so, tell me again how those PFW never work and leave everyone completely unprotected.... Now, take a Windows 2000 or XP computer in its default config, connect it the same way, use it for a month and tell me you didn't get compromised.

Reply to
Leythos

Usually, when your staff is allowed to surf the web, you can't stop them from doing so.

The point is, what can they do after the download. Running the executable? For sure not! :-)

So an executable tagged as text/plain is no danger?

But any serious width of allowance is a problem. And a too narrow configuration is usually just counterproductive.

If you don't even read what I wrote, why are you answering?

The point is that, as soon as the code is run inside the network, you have lost. Not letting it get there is one trial, pretty useless, not letting it run usually the better concept.

You didn't try to debug the POC or modify it to a different situation; that is an issue in your concept. I can easily assert that a lot of such issues exist, as I already wrote.

So far I helped hundreds of people remotely by evaluating HijackThis logs, seen even more being evaluated and helped building up automated evaluation like seen at > formatting link. I can clearly tell the difference between a believed-uncompromised and really uncompromised machine.

And there you can see interesting stuff: The system running 100 different instances of malware and both Norton Antivirus and Sygate PFW running fine and telling that everything is OK. :-)

Installing a PFW is no default configuration either, so your comparison is, yet again, bullshit.

Reply to
Sebastian Gottschalk

The very same crap, all the way.

For sure not, these are the really cheap and often-sold ones.

You're assuming that the vendors do learn. Hardly, if any bit at all. In fact, most NAT router "heuristics" (which effectively break your assumption of blocking all inbound connections) are fully intended to make NAT as painless as possible for the uncertain customers.

And for 1:1 NAT, a simple always-forwarding is even technically absolutely correct.

With such a base of shit, it's a way better approach to record those which are not flawed. So far the list for low- and medium-cost routers remains empty.

Reply to
Sebastian Gottschalk

And in a properly secured network they would not be able to.

They could code it by hand too, they could cut/paste it into notepad too, but they would have to take a direct action for it to get into the network, and it would not get in by normal means - and the two I tested didn't work on machines configured as we have them.... So, unless I misconfigure the machines in the network, his POC is just FUD.

Counterproductive? What!? Employees don't need internet access to be productive in most cases, and when they do, in most cases they only need a very limited amount of access to specific sites - yes, I know that there are exceptions, but the majority, at least 95% of all the companies I've seen, don't need to give users access to anything other than partner websites.

Again, the code didn't work at any of the workstations once we let it in.

Why would I want to modify something he was claiming would prove that firewalls are useless and that Windows firewall is just as secure as ZAP or others....

Yep, I can agree with this, see it all the time, it's what I do for clients when we get new ones - we clean their networks and they don't have problems again, as long as they follow the rules.

I guess we're just going to have to disagree, as I've seen many instances where a properly maintained PFW has protected users from compromise.

Reply to
Leythos

Utter crap, if you're going to claim that NAT appliances all suffer from exploits then you need to be able to back it up or your claims don't mean crap. If you've tested then you know the vendor, model, part number, firmware revision, test method, result.... If not, then you didn't properly test and just want to spread FUD.

Reply to
Leythos

Please could you quantify your definition of 'low- and medium-cost' ?

Thanks.

Reply to
who?

Can they surf the web, at least some seemingly safe websites? Then they're able to download stuff, whether you like it or not.

Doesn't matter, they can't run the code. At least when it's a binary, for scripting security you must check the associated interpreters.

At least this is what you wish.

Did you EVER try to find out what part of the configuration was accountable for the POC not running?

Did you EVER try to modify the POC to match your configuration? For example to use certain NetDDE services instead of an ActiveDesktop drawing?

Then you didn't understand the issue. And why it's not FUD, but a serious understanding of how things really work.

Go to your local IBM company building and tell the sysadmin about your opinion. Be prepared to earn laughter and slander.

The reason why it doesn't work obviously isn't related to Windows Firewall and ZAP, but to your, maybe good, machine configuration. So your argument is totally wrong.

And maybe your configuration is fine for you, but usually doesn't apply to Joe Average. Volker just chose one typical flaw for an elegant demonstration, and it's quite easy to choose a less elegant, but almost impossible to workaround flaw. The point is that the exploiters always win.

MUAHAHA. Honestly, which one does? And what does it tell about stupidity and useless redundancy in your concept?

So far I'm telling people to get a serious network configuration (linking to proper scripts), using restricted rights, dumping IE and OE, and paying attention to what they're doing. Maybe a virus scanner with the awareness of using it as a decision helper tool, so merely as an intrusion detection system. Those who follow the rules are proven to have no problem.

You'd be adding a NAT router, a PFW and an unnecessarily restrictive configuration - spending money on adding frustration, software problems, DoS and privilege escalation to an otherwise working concept.

So you can provide any proof? So far I have seen a lot of counter-proof, e.g. ZoneAlarm letting SMB traffic pass even when the ruleset didn't allow it. Fine for Sasser and its comrades.

Anyway, the point is that while you're installing a PFW and feeding it with an at least partially usable configuration, I have already been running my little script disabling all unwanted network services and binding the wanted ones to their appropriate interface. And such a system, even when being fully unpatched, clearly can't be and hasn't ever been compromised due to exploited network services. Whereas your concept falls if the user disables the PFW or it simply disables itself, crashes or doesn't work as expected (as in the example above).

Reply to
Sebastian Gottschalk
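The post above describes a script that disables unwanted network services and binds the wanted ones to a specific interface. The audit step that has to come before that is finding out which services currently listen on every interface. The following is an added example (not the poster's script, and not code from the original thread): it parses `netstat -ano`-style output and flags listeners bound to the wildcard address or to an address/port pair that is not on an allow-list. The netstat text, the service labels and the allow-list policy are constructed for illustration.

```python
"""Audit of listening sockets: which services are reachable on every interface?

Added example; the netstat text below is constructed in the column layout of
`netstat -ano` on Windows 2000/XP and is not real output from any machine.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1280
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1040      203.0.113.5:80         ESTABLISHED     1512
  UDP    0.0.0.0:123            *:*                                    920
  UDP    192.168.1.10:137       *:*                                    4
"""

# Labels for well-known Windows network services (assumed, for readable findings).
SERVICE_NAMES = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
                 139: "NetBIOS session (SMB over NetBIOS)", 445: "SMB",
                 3389: "Remote Desktop", 123: "NTP / w32time"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: Optional[str]   # None for UDP, which has no state column
    pid: int

    @property
    def listening(self) -> bool:
        # A UDP socket is always reachable; a TCP socket only in LISTENING state.
        return self.proto == "UDP" or self.state == "LISTENING"


@dataclass(frozen=True)
class Finding:
    socket: Socket
    reason: str


def parse_netstat(text: str) -> List[Socket]:
    """Parse TCP/UDP rows of netstat -ano output (IPv4 only); header rows are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        ip, _, port = local.rpartition(":")
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = None, parts[3]      # UDP rows: Proto, Local, Foreign, PID
        sockets.append(Socket(proto, ip, int(port), state, int(pid)))
    return sockets


def audit(sockets: List[Socket], allowed: Set[Tuple[str, int]]) -> List[Finding]:
    """Flag every listener that is neither loopback-only nor on the allow-list."""
    findings = []
    for s in sockets:
        if not s.listening or s.local_ip == "127.0.0.1":
            continue
        name = SERVICE_NAMES.get(s.local_port, f"port {s.local_port}")
        if s.local_ip == "0.0.0.0":
            findings.append(Finding(s, f"{name} bound to the wildcard address: "
                                       "reachable on every interface, including the Internet-facing one"))
        elif (s.local_ip, s.local_port) not in allowed:
            findings.append(Finding(s, f"{name} bound to {s.local_ip} but not on the allow-list"))
    return findings


def audit_sample() -> List[Finding]:
    # Assumed policy: NetBIOS is wanted, but only on the LAN interface 192.168.1.10.
    lan_allowed = {("192.168.1.10", 139), ("192.168.1.10", 137)}
    return audit(parse_netstat(SAMPLE_NETSTAT), lan_allowed)


if __name__ == "__main__":
    for f in audit_sample():
        s = f.socket
        print(f"{s.proto} {s.local_ip}:{s.local_port} pid {s.pid}: {f.reason}")
```

On the constructed sample the audit reports RPC (135), SMB (445), Remote Desktop (3389) and NTP (123) as wildcard binds; the NetBIOS listeners pass because they are bound to the LAN address and allowed there, and the loopback-only socket is ignored. Feeding it `set()` as the allow-list shows what an "everything off" policy would additionally flag.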

< $150, not self-build

The common home user consumer stuff. Netgear, D-Link, Linksys, ...

Reply to
Sebastian Gottschalk

There are so many flaws which are also fully intended by the vendors that I would call it the default assumption! Assumed defective until proven otherwise.

So from now on I will record every test just to spam you with the fatal results.

After all I didn't even come up with exploits for a fully functional non-defective NAT implementation. What about TCP session hijacking? Or triggered session initiation from client-side (Java, Flash, FTP, ...)?

Reply to
Sebastian Gottschalk

All interesting stuff ;-)

Reply to
who?

Wrong, I completely understand what the two samples I was looking at did and how they worked and why they didn't work. I was not the one presenting them as a valid test, I just said they didn't work on my computers. So, if it's a valid test, then why complain when it doesn't work on my systems.....

LOL, that's funny. In fact, I see more and more companies moving to restricting internet access if not blocking it for many employees.

But if you follow the Microsoft instructions on how to set up a secure machine, the POC doesn't work, nothing special needed.

Exploiters only win when the target doesn't understand the threat. As an example, Windows NT 4 IIS services, having had hundreds of sites facing the public and never having had one compromised - it's not about the people attacking or how many times, it's about knowing what the threats are, how they get in, and securing the machine/network against them.

Nope, I was talking about the same thing, and you've missed it a couple times, I don't say that a NAT router or PFW will secure anyone, I've said that in order of preference I would do it this way: NAT Router, PFW solution, Windows Firewall.

Nope, I wouldn't add any local software to the machines at all, as long as I could get a NAT Router in place.

At least we do the same things - I don't allow unnecessary services, etc.. when I setup a solution, but there are times when a user needs some protection other than just disabling services, and a PFW "Can" help.

Yea, I bet you think that a usable computer, by a typical home user, running games, quickbooks, MS Office, could be fully secured while directly connected to the Internet without the PFW, Windows Firewall, or even NAT. You've got to be kidding if you believe that some form of protection isn't needed when a user actually uses the computer too.

Reply to
Leythos

Depends on your expectations. I expect a NAT Router to do NAT routing and nothing more. The usual security options like packet filtering are merely Me Too! feature add-ons, not to be taken seriously.

Reply to
Sebastian Gottschalk

So, you're saying that you're going to keep stating that NAT provides no protection, but you can't back it up with any facts - since you're not willing to document the vendor, part, firmware, test/result.

How can you expect anyone to believe your claims without proof - it's not for me, I already don't believe your claims prove anything, prove to the world (or anyone you want) that a vendor/part/fw/test/result is true. Until you can prove that something has failed you are just like VB, spreading FUD for the fun of it.

Reply to
Leythos

You were the one who was claiming that because this specific case doesn't work the entire concept behind it would be wrong.

So, who usually does?

This is about a threat you cannot combat. The fact is that Windows features enormous ways of scriptable interaction, so Application Control doesn't work.

Still the question: Why? What can a NAT Router or a PFW achieve what the Windows Firewall can't? Expect compromise?

Huh? What else can a PFW do except packet filtering? But please, only serious answers! Non-working trials don't count.

Yeah, works quite well. At least not worse than with a PFW, Windows Firewall, NAT or whatsoever, as they don't address any threat that cannot be easier addressed without them.

BTW, MS Office is always a stupid idea, whatever you do.

And you must be kidding if the ways of protection you're suggesting would help any bit.

Reply to
Sebastian Gottschalk

I'm willing and I already offered some. I pointed you to a FTP NAT-helper test applet and told you various often-seen implementation flaws. I even named you various problems with NAT even if the implementation were clean, as you'd like them to be.

NAT protection is a totally flawed concept.

Reply to
Sebastian Gottschalk
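Two of the posts above refer to the same mechanism without spelling it out: "triggered session initiation from client-side (Java, Flash, FTP, ...)" and the "FTP NAT-helper test applet". An FTP NAT helper (ALG) reads the client's PORT command from the control channel and opens an inbound permit for the data connection, which is exactly the hole a lured browser or applet can open when it talks to an attacker's host on TCP/21. The following added example (not code from the thread or from any router vendor) models a permissive helper next to a hardened one and runs both over constructed payloads; the helper logic, the addresses and the payloads are all assumptions for illustration.

```python
"""Toy model of an FTP NAT helper (ALG) on a home router, and of the client-side
trigger that abuses it.

Added example; the two helper variants, the addresses and the payloads are all
constructed for illustration and do not describe any specific router.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Active-mode FTP: the client tells the server where to connect for the data
# channel as PORT h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


@dataclass(frozen=True)
class Pinhole:
    """Inbound permit the router creates: remote_ip may connect to inside_ip:inside_port."""
    inside_ip: str
    inside_port: int
    remote_ip: str


def parse_port_command(payload: bytes) -> Optional[Tuple[int, str, int]]:
    """Return (offset, ip, port) for the first PORT command in the payload, or None."""
    m = PORT_RE.search(payload)
    if m is None:
        return None
    numbers = [int(x) for x in m.groups()]
    if any(n > 255 for n in numbers):
        return None
    ip = ".".join(str(n) for n in numbers[:4])
    return m.start(), ip, numbers[4] * 256 + numbers[5]


def naive_alg(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Optional[Pinhole]:
    """Permissive helper: any PORT text in any outbound TCP/21 payload opens a pinhole.

    The router cannot tell an FTP client from a browser or applet that was lured
    into connecting to port 21 of an attacker's host.
    """
    if dst_port != 21:
        return None
    parsed = parse_port_command(payload)
    if parsed is None:
        return None
    _, ip, port = parsed
    return Pinhole(ip, port, dst_ip)


def strict_alg(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Optional[Pinhole]:
    """Hardened helper: three extra checks before trusting a PORT command."""
    if dst_port != 21:
        return None
    parsed = parse_port_command(payload)
    if parsed is None:
        return None
    offset, ip, port = parsed
    # 1. The command must begin a line (start of payload or right after CRLF);
    #    a PORT string inside a URL or other mid-line data is not an FTP command.
    if offset != 0 and payload[offset - 2:offset] != b"\r\n":
        return None
    # 2. The advertised address must be the host that opened the control
    #    connection, so a forged command cannot expose a different inside machine.
    if ip != src_ip:
        return None
    # 3. Data ports are ephemeral; never open a privileged port (SMB, RPC, ...).
    if port < 1024:
        return None
    return Pinhole(ip, port, dst_ip)


def demo() -> Dict[str, Optional[Pinhole]]:
    """Run both helpers over one legitimate and three hostile (constructed) payloads."""
    client, ftp_server, attacker = "192.168.1.10", "203.0.113.5", "203.0.113.66"
    legit = b"PORT 192,168,1,10,4,1\r\n"                    # data port 4*256+1 = 1025
    # A browser/applet request to attacker:21 whose URL carries a PORT string mid-line.
    in_url = b"GET /x?PORT 192,168,1,10,4,1\r\n HTTP/1.0\r\n"
    # Attacker-controlled body on its own line, aimed at the client's SMB port 139.
    in_body = (b"POST / HTTP/1.1\r\nHost: 203.0.113.66:21\r\n"
               b"Content-Length: 25\r\n\r\nPORT 192,168,1,10,0,139\r\n")
    # Command naming another inside host (.20) instead of the one that connected.
    forged = b"PORT 192,168,1,20,4,1\r\n"
    cases = {"legit": (ftp_server, legit), "url": (attacker, in_url),
             "body": (attacker, in_body), "forged": (attacker, forged)}
    results: Dict[str, Optional[Pinhole]] = {}
    for name, (dst, payload) in cases.items():
        results[f"{name}_naive"] = naive_alg(client, dst, 21, payload)
        results[f"{name}_strict"] = strict_alg(client, dst, 21, payload)
    return results


if __name__ == "__main__":
    for name, pinhole in demo().items():
        print(f"{name:14s} {'no pinhole' if pinhole is None else pinhole}")
```

The permissive helper opens all four pinholes, including one to the client's SMB port and one to a host that never spoke FTP at all. Note that the line-start check alone does not stop the body case, because the attacker controls where the body begins; it is the port and source-address checks that close it, which is why a hardened helper needs all three.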
