Since I know nothing about software firewalls I obviously hosed my PC when playing with the stupid thing. My Tiny Firewall 2.0.13. I am on a fixed (very fixed) income and would like some advice on a cheap hardware solution. Yeah right. Probably asking for too much, huh? Thanks
Here we go... this is not a NAT attack... they are not attacking the NAT capability. This is a basic man-on-the-inside style attack and has NOTHING to do with NAT protection. If you had no NAT and just a stateful firewall, this attack would be the same. There are **many** attacks that START with a hostile piece of code on your PC already (often brought to the PC by the user). This is not an attack initiated from outside.
Attack Requirements
===================
This is a passive attack. The ATTACKER MUST LURE THE VICTIM TO A CAREFULLY CRAFTED WEB PAGE. The victim's web browser MUST download and EXECUTE the embedded Java applet. The victim's computer MUST OFFER SOME VULNERABLE NETWORKING SERVICE, and a stateful firewall must prevent access to this service from the Internet.
This is not an inbound attack at all. The attacker is brought onto the PC ***BY THE USER'S ACTIONS*** and from the inside creates an opportunity to bring more in. This attack is about going to a hostile web site and your browser executing code that makes you vulnerable. If you didn't have Java, if you didn't go to a suspect site, it wouldn't happen. Furthermore, so what?? You open a connection to port 445? Now what? Is your PC automatically compromised? No. "The victim's computer MUST OFFER SOME VULNERABLE NETWORKING SERVICE"
From that site's description this boils down to a Java flaw of security design. Java standard considers the default-allowed FTP to be harmless--which isn't necessarily true.
Yet another hysterical post about how scared everyone needs to be of the world rather than learn what is a realistic danger and what is not.
But it's a nice side-effect. Really, Volker, aren't you the same guy that's constantly harping that all you really need to do is a) turn on the Windows firewall and b) turn off all services? NAT (or more properly PAT--port address translation) essentially does the same thing. At any given time the only open paths through the router will be a couple of high-numbered ports that don't connect to any services. At worst, someone could monitor your traffic and send garbage to your browser or whatever. They could never send anything to really dangerous ports because they won't be open through the router.
Real world: Nobody gives a rat's ass what I have on my computer. Not enough to spend any time trying to hack me. Even identity theft is normally a bulk job by hacking websites that store personal info. The value of home computers to hackers is in creating botnets to set up DDOS attacks and such. This is accomplished when you unwittingly install crap on your own machine by opening email attachments promising naked pictures of Britney Spears.
Old ladies in your neighborhood are not intended as a security feature, yet they are one of the most valuable security features of a neighborhood. They are a vital component to the concept of "eyes on the street".
NAT provides a more secure environment, period. Whether you personally interviewed every person ever involved in the creation of NAT technologies to determine that not a single one of them considered NAT as advantageous for security is unimportant.
Yes I do. I've spoken with every one. I even know their mothers. (The school teachers have arrived. Any infinitive concept will be punished. The following words must be stricken from the English language except when speaking about imaginary concepts such as infinity and God.)
I've monitored production firewalls for class B and class C networks and the unsolicited traffic being refused would be refused by any many-to-1 NAT which mimics the default rule of a firewall.
That's fine. Now explain to grandma how to configure and answer all those questions ICE and Zone Alarm keep asking.
The biggest problem with security is simplicity undermines security. And complexity causes users to ignore, shutoff, or violate security.
That's why a NAT provides one of the cleanest and clearest benefits without requiring the user to learn about firewalls, TCP/IP, etc.
That's unimportant. If those ports are bound to a service they won't be opened as an outgoing port on that PC.
My browser uses outgoing port 1045 to connect to yahoo:80. Someone would have to target that 1045 port while I'm using it. They wouldn't know what application is in use or protocol unless they worked for my ISP and could gain access to the wire. They would have to slip into the open stream and execute some man-in-the-middle attack which exploited something about the protocol or application talking. If the NAT is decently implemented the attacker would have to be spoofing the IP address of yahoo:80, which means, again, physically positioning into the stream is likely needed to receive responses.
Even when I finish, they would still need to perform the same kind of exploit against my time_wait'd connection. Again, they would have to target me all day long on a port and hope they get lucky, very very lucky.
It is a silly scenario. Mostly when I read about man in the middle attacks, they are an attack on a secondary host, after a host has already been compromised giving the hacker a beachhead, physically located within an infrastructure. This gives them the opportunity to masquerade as other servers, spoofing etc, which can be a critical component to steal an existing communication stream.
uhmmm... downloading a virus and letting it format your hard drive is an attack which NAT and firewalls would not stop. You can't stop a user from downloading something bad for them if they want to.
What's your point?
All the viruses and trojans that hunt the internet for exploits and victims would be stopped. Anyone attempting to access your PCs would be stopped. Anyone doing a DoS would kill the router, not your PCs.
What would count as an unreliable implementation? Holding the return port open too long? Even if it did, your computer wouldn't be listening anymore after the FIN. And that's on a high random port out of range of any listening services. The only thing a dead-stock XP machine is going to be listening on is the Windows networking; what is it? 136-139 and 445? PAT/NAT always sets the return port above 1023.
And a full-forwarding 1:1 NAT may not be a defect, but you would have to deliberately configure a consumer device for that and it would take more than just checking the wrong box in the web GUI. It won't come out of the box that way; it would be a deliberate act of stupidity. It's hard to think of a good reason to do that.
You *might* have some vulnerability on those ports, depending on what you have running. But even here we're talking about a dozen or so ports out of 64000. The odds are about 5000:1 against you accidentally having one of those open for a short time.
And the potential targets are people with brand, shiny, new Dells plugged directly into a DSL modem. Or even worse, some poor schmuck running Win98. And IE and OE. Generally, the clueless herd.
The best thing most folks do to increase their security is buy a second machine and be forced to get a Linksys or D-Link to share the connection.
I keep mine patched. But about all I ever use IE for.
Unfortunately not. I'd like to see NAT routers, which do filtering by default, too.
Unfortunately, for example for FTP NAT traversal ("stateful FTP NAT") most of the NAT implementations are not very secure. And, additionally, most of them can easily be tricked by spoofing an "internal" IP address as sender's address in packets coming from outside. Most of them are routing these packets to the inside.
So a filter is a good idea to have additionally, and unfortunately NAT itself usually does not offer the same protection as not offering services, or at least filtering servers, does (e.g. with the Windows Firewall or another host based packet filter).
Yes, usually you're right. But this is not the threat I'm talking about: I'm talking about your box becoming a zombie for spammers or bot in a botnet.
Of course, I'm waiting for automatic attacks on Internet banking. I cannot understand why so few attacks have appeared until now. Perhaps the attackers are also not very competent ;-) Years ago I explained a scenario how to abuse Internet banking for making billions of damage and getting millions of money out of it. And nothing has happened until now. Fortunately.
No, i meant filtering packets which are coming from outside and seem to come from inside because of spoofing.
And common NAT routers can be made much more secure by just configuring the filtering options on them. Exclamation mark. ;-)
I never want to do that. This is the reason why I'm advising against "Personal Firewalls". I'm talking about configuring the filtering functions that most common NAT routers for the "SOHO" market section have.
I guess we should distinguish between the concept of NAT and particular implementations. Anything can be broken.
It looks to me like the simpler (read: cheaper) the NAT device the better.
I think you miss my point. The router is going to re-write the source port on the outgoing packets. In any case, the real issue here is the TCP/IP stack in the client device. The source port for any outgoing connections *should* be above 49152. It should never assign a source port corresponding to an unrelated (to the initiating app) service. So, for example, the TCP stack should never assign a source port of 445 for a web request.
The only unsolicited traffic that should be able to get through, even a cheap NAT, is to ports corresponding to existing translations.
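An added illustration of the two points the thread has been circling: a many-to-one NAT passes an inbound packet only when it matches a translation that an outgoing connection already created (the post above, and the 1045-to-yahoo:80 example earlier), while packets arriving from outside that carry inside addresses need a separate anti-spoofing rule (the earlier posts about spoofed "internal" sender addresses and filtering them). This is example code written for this page, not code from any participant or router vendor; `ToyNAT`, `Packet` and all addresses, ports and packets are constructed sample values.

```python
"""Toy model of a many-to-one NAT (PAT) with a stateful translation table
and an optional WAN-side anti-spoofing filter. Constructed example; the
addresses below are documentation/private ranges, not real hosts."""
from dataclasses import dataclass
import ipaddress

EPHEMERAL_START = 49152  # IANA dynamic port range, the "above 49152" from the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ToyNAT:
    def __init__(self, wan_ip, lan_net, wan_filter=True):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.wan_filter = wan_filter          # the "filtering options" a SOHO router offers
        self.next_port = EPHEMERAL_START
        # translation table: (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table = {}

    def outbound(self, pkt):
        """LAN host opens a connection; allocate a WAN port and record the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet arriving on the WAN side; return what reaches the LAN, or None if dropped."""
        src_inside = ipaddress.ip_address(pkt.src_ip) in self.lan_net
        dst_inside = ipaddress.ip_address(pkt.dst_ip) in self.lan_net
        if self.wan_filter and (src_inside or dst_inside):
            return None   # anti-spoofing rule: inside addresses never legitimately appear on the WAN
        if dst_inside:
            return pkt    # naive unfiltered router: forwards by destination, the weakness noted above
        if pkt.dst_ip != self.wan_ip:
            return None   # not addressed to us at all
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            return None   # unsolicited: no existing translation, so nothing inside hears it
        lan_ip, lan_port = self.table[key]
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def run_demo():
    """Exercise the model with constructed packets and report each outcome."""
    nat = ToyNAT(wan_ip="203.0.113.5", lan_net="192.168.1.0/24")
    # browser on the LAN: 192.168.1.10:1045 -> 198.51.100.80:80 (stand-in for yahoo:80)
    out = nat.outbound(Packet("192.168.1.10", 1045, "198.51.100.80", 80))
    reply = nat.inbound(Packet("198.51.100.80", 80, nat.wan_ip, out.src_port))
    # unsolicited probe of a Windows networking port on the WAN address
    scan = nat.inbound(Packet("198.51.100.99", 40000, nat.wan_ip, 445))
    # WAN packet claiming an inside sender address
    spoof_src = nat.inbound(Packet("192.168.1.20", 40000, nat.wan_ip, out.src_port))
    # WAN packet addressed straight to an inside host
    spoof_dst = nat.inbound(Packet("198.51.100.99", 40000, "192.168.1.10", 445))
    naive = ToyNAT(wan_ip="203.0.113.5", lan_net="192.168.1.0/24", wan_filter=False)
    naive_dst = naive.inbound(Packet("198.51.100.99", 40000, "192.168.1.10", 445))
    return {
        "wan_port": out.src_port,
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "scan_445_dropped": scan is None,
        "spoofed_source_dropped": spoof_src is None,
        "spoofed_dest_dropped": spoof_dst is None,
        "naive_router_forwards_spoofed_dest": naive_dst is not None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The lookup keys on remote address and port as well as the WAN port, so a reply reaches the inside only from the peer the inside host actually contacted; a looser implementation that matched on the WAN port alone would be the "unreliable implementation" discussed earlier. Real devices also age entries out, which the toy omits.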
If you stick it in a DMZ, sure. Look, you've rigged this conversation to your advantage. If you're going to stipulate a defective implementation then all bets are off.
I mean, I could claim that wearing a seat belt makes you safer. You could reply with, "What if the seat belt is damaged? What if it isn't designed properly?" So you keep moving the goalposts, redefining the argument.
Volker does the same damn thing. No matter what somebody says, you can always come up with some scenario or exploit that will get around it. Basically what you're doing is making the perfect the enemy of the good.
The only thing I'm claiming is that a NAT router is an improvement to your security. SPI is much better. Content filtering and analysis is better still. But better means more expensive. And more expensive means fewer people will be willing to invest in that level of security. I'm not going to spend $1000 to protect the $400 Dell box I use to surf the web; it's just not happening.
Sure, that's better. There's always something a bit better. All I'm claiming is that a cheap NAT router that you buy at Walmart to share an Internet connection is better than directly connecting a Windows box to the modem. That's all. Not perfect, just better.
And in the real world, with the real threats that home computer users face, that's all you really need. It's highly unlikely that anyone is going to invest the time and trouble to orchestrate a man-in-the-middle attack to hack my box. I don't have any real valuable assets to steal, I'm not a government agent, I'm not a high-level corporate executive, and with my credit rating you wouldn't even get much out of identity theft.
I didn't understand the whole sentence. I thought you meant you didn't use IE so you didn't bother to update it. My bad.