NAT is not a mechanism for securing a network.. but.. HELP!

No, it isn't. Like I said, it's like trying to bypass a locked door by simply going in and unlocking it from the other side. You can't do that if it's locked in the first place.

No, I have no way. That's the point. It *is* pretty good protection.

Reply to
CyberDroog

Any properly setup NAT router should be blocking those ports. Mine does, and a lot of other unnecessary ports as well.

But all in all, there is a big difference between picking a lock (which seems to be what the OP was talking about) and somehow convincing the home owner to slide the key under the door.

No technology can protect a stupid user.

Reply to
CyberDroog

I think you'll find that your definition of firewall comes nowhere near what many people here insist on.

Personally I think it's just word games. Real firewalls, that is, barriers to prevent the spread of fire, have different levels of quality and capabilities. But the essential premise is the same for all. Imagine a mythical firewall for your bedroom door that actually only worked one way - preventing fire from coming into your bedroom. That would still be a firewall. The vendor would just assume that if you have a fire *in* your bedroom, you'd grab an extinguisher and put the damn thing out, or just expect that you not start fires in your bedroom to begin with.

Silly example, I know. But a simple NAT router *is* such a firewall. It's just of very low quality and the vendor leaves it to you to not hand someone else the keys.

Many people add a software firewall to prevent unexpected outbound connections. Some users here consider the software firewall not to be a "real" firewall. But it is. In fact you can consider the NAT router plus the software in tandem to be your firewall.

Some people seem to forget that firewall(ing) can be a concept, and a process, not just a device or software.

Reply to
CyberDroog

You're right: when you're cutting the network cable with a knife, then tunneling through this cable does not work any more ;-)

What was the reason to have Internet access? I think, you forgot that.

Yours, VB.

Reply to
Volker Birk

There have been many well-publicized bugs in various vendors' NAT firmware that allowed the device to be crashed. Of course, quite often that meant that there was no traffic at all, and therefore no risk of intrusion. It was just DoS.

Reply to
CyberDroog

Duane,

First, thanks for your response, it was interesting and helpful. But I think I would still like to find something more concrete, like actual exploit code, an analysis of such code, or an analysis (at the packet level) of an actual attack.

Nope, I am definitely not an expert -- I am just looking for some reliable info. For years I have heard people claim that NAT could be circumvented but I have yet to see any real proof of this (although I have not spent much time looking.)

If you ever come across the paper you read, I would love to get a pointer to it.

As for the Watchguard white paper, my point was that it is a marketing paper, not an objective, factual, neutral report on the differences between NAT routers and "real firewalls" [sic] and as such may be a source for questions to look into, but not of answers.

Since you asked for some specific criticisms... They debunk the myth that a NAT router provides as strong security as a "real firewall". Maybe some people claim that. I wouldn't, and don't know anyone who would. What I have heard is the claim that NAT security is "good enough" in some environments so I think WG's "myth" is a strawman argument.

They mention pings and then say "NAT devices, however, respond, letting the hacker know he's found a live connection and an easy way in to the network." Exactly how does a ping response indicate an ***easy*** (my emphasis) way into the network?

They say "Clearly the cost to protect against the probability of attack is far less than the cost of clean up", based on an estimate that 40% of small businesses each year have intrusions and another estimate that the average cost per intrusion is $150K. But even if one takes the provided numbers at face value, the latter figure is (AFAICT) for ***all*** businesses (large and small). I would guess that intrusion incidents in large companies are much more expensive than in small companies, so the conclusion is not at all that "clear" to me.

They say: "Interestingly, hackers have developed attacks specifically for NAT devices, including:" and go on to say that one of these is trying the manufacturer's default password on a network accessible admin port. This is "NAT-specific"? And although a design that permits use without forcing a password change from the default value is not very good, it is a trivial problem to deal with (change the damn password!) and hardly a reason not to buy a device, let alone a whole class of devices.

This is just a small sample of what I was talking about; it would take a day or more to go through the whole paper and pick out all the instances of slanted presentation.

Lest I be misunderstood, I am not saying that NAT is as secure as a good, well-configured firewall, that WG products are bad, that firewalls are useless, or even that this particular white paper is exceptionally bad. All I am saying is that it is a typical marketing whitepaper, designed to sell the company's products, and does not present a fair picture of the security differences between NAT routers and firewalls.

Reply to
Stuart McGraw

Good idea. I live in a large apartment complex, and I can connect to several WAP's without leaving my desk. More if I go out on the balcony. I can walk through the halls with my notebook and find still more.

Linksys definitely *is* popular. And on many of these systems, the default admin password has never been changed.

But hey, the owners are sleeping at night, right? So why should a massive bittorrent download matter to them?

Reply to
CyberDroog

I don't have a link handy. But the basic idea makes sense. However, you have to ask yourself what ports could a hacker find open? Your browser opens ports, your email and NNTP clients open ports, etc. Exactly of what benefit to the hacker is sending a packet to one of those ports?

There has to be a service running that is going to take some presumably insidious action in response. Then you are getting more into the possibility of a buggy service.

Reply to
CyberDroog

BTW: this means not allowing any search engine, like Google or Yahoo. It also means blocking, e.g., the New York Times, because it has a Google plugin.

Yours, VB.

Reply to
Volker Birk

Yes, for the companies I'm managing, I think so. Of course, I don't want anybody else to decide the same way. Everybody has to do what she/he finds best.

Poor people, who only can use caponized network access. Poor businesses, who soon will fall behind the competition, because they have no media literacy, and the staff cannot see what's going on in the world.

Yours, VB.

Reply to
Volker Birk

Everybody in the companies I'm leading.

What a shortsighted and dumb point of view. It's sad to read this on Usenet.

With Google cache, for example, you cannot prevent people from seeing what you don't want them to see. This is one way.

For example, [link] works both ways. It should be easy to build an IP tunnel with it ;-)

I hope for your users, that they will find many creative ways to tunnel through your "firewalls".

Hm... did you think about mail tunneling also? Or is it allowed to send E-Mail to fixed addresses only? :-P And: are you sure that nobody there will have a tunnel gateway to the free network?

Yours, VB.

Reply to
Volker Birk

Spoofed DNS datagrams are an interesting thing, for example.

Yours, VB.

Reply to
Volker Birk

With proper timing of the flooding, it should be possible to make new connections impossible anyway.

And: how many NAT implementations beside OpenBSD have that feature?

Yours, VB.

Reply to
Volker Birk

Ah, now that is fun stuff. I've done that on more than one occasion. One time a user had wiped out his system, installed a beta version of Windows 2k3 Server, and set up DHCP (in conflict with the LAN servers, of course.) Why? Because he was a "power user" and likes to learn about this stuff.

I yanked as much slack as I could in the cat5 cable leading to the wall socket and cut the line. I left the socket half hanging off the wall with a note saying he was on the list for repairs. Amazingly, he was actually fired.

Some IT managers don't care for those kinds of tactics. But sometimes one has to relieve the stress.

Reply to
CyberDroog

You're completely right, of course. I still can't fathom why so many companies don't care for any such restrictions. Yet the management will be the first to complain when they find countless copies of an 80 MB video of penguins slipping on the ice bouncing around the email server. But then, they almost never want to fire the blue-haired old bat who brought the thing in and decided to share it with everyone.

Go figure.

Reply to
CyberDroog

That's all I needed to know and I'll bet I am right on the money about you up there in Alaska. You don't have anything else to do. :)

Duane :)

Reply to
Duane Arnold

As opposed to all of those successful and productive businesses who allow all of their employees to sit around reading The New York Times online all day. Or keep tabs on their ebay bids or sales. Or do all of their Christmas shopping.

Reply to
CyberDroog

Nobody said "required", though that is the practical effect. Regardless, I just mentioned one such company. I'm not sure if *all* employees need Internet access, but I certainly was not aware of any that didn't.

I don't need to list 5. Just one. And as I noted, that company is large enough to have a senior management position for Network Security, filled at the time by a person who literally wrote the book.

Are you claiming that their head of Network Security was not as competent as you? The idea is hilarious!

Reply to
Floyd L. Davidson

Your supposed experience is quite different from the norm according to studies. For instance, and keep in mind that this is on top of the time people normally waste chatting with co-workers:

[link]

They pegged the average of wasted time at 2.09 hours per day per employee (not counting lunch) frittering away the time on the net.

Or:

[link]

30 to 40% of Internet surfing during work hours is not business related.

As much as 70% of a company's bandwidth is being consumed by non-productive pursuits.

68% of all Internet pornography traffic occurs during the 9-to-5 workday.

Reply to
CyberDroog

"Stuart McGraw" wrote in news: snipped-for-privacy@corp.supernews.com:

Well I can say this, I went to a site that did ping testing with the Linksys NAT router at the time and the machines behind the router responded to the ping test. I had to go to the BlackIce firewall.ini file on the machine and set an ICMP rule in the file to get the machines to not respond and pass the tests.

As opposed to using the WG I now use, and I can check on the rule *Do not respond to the Ping requests received on the External Network*.

I see the WG responding in the WatchGuard syslog (viewed using Wallwatcher) by passing the inbound request, as indicated by a red "P" in the logs, but no machine behind the router is responding outbound when it happens. This happens in the syslog on a routine basis.

Not once did the Linksys NAT router in its syslog using Wallwatcher indicate any ping attempts. Nor did BI show in its logs that it was not responding, but BI did allow me to pass the above ping test and I'll assume that BI was doing its job at the time.

Whatever the cost is, it costs, and it is a hassle any way one looks at it.

NAT routers do have remote admin capabilities, and if it is not protected properly (and most apparently are not, particularly in a small business or home LAN situation), the network can be compromised.

I see those as facts. And you're going to have to come up with some kind of solid evidence to prove otherwise. And again, that was not the white paper or article I got from WG that I have mentioned, and the paper was not trying to sell anything or slant presentation as you put it.

My WG uses NAT too because it must map external IP traffic to internal LAN IP(s), and is mapping technology. NAT by itself is a very limited means of protection from the Internet. I myself would use a NAT router backed by a personal FW solution in the home. I would never use a NAT router that just had NAT to protect a business situation, which is what that Linksys router turned out to be once SPI was removed -- a simple NAT router device. None of the cheap D-link, Belkin, Netgear, Linksys or otherwise low-end models would I use to protect a business. But that's just me.

Duane :)

Reply to
Duane Arnold
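The two controls Duane describes above (not answering ping requests on the external side, and keeping the router's own admin port unreachable from the WAN), plus the state-table limits Volker hints at when he mentions OpenBSD's NAT, expressed as one pf.conf excerpt. This is an added example, not a configuration from anyone in the thread or from any of the vendors named; the interface names, the LAN subnet, the admin port and the numeric limits are assumed values.

```pf
# Added example pf.conf excerpt: a NAT gateway whose protection comes from
# explicit default-deny rules, not from the address translation itself.
# Interface names, LAN subnet, admin port and limits are assumptions.
ext_if = "em0"              # assumed external (WAN) interface
int_if = "em1"              # assumed internal (LAN) interface
lan_net = "192.168.1.0/24"  # assumed LAN subnet
admin_port = "443"          # assumed port of the gateway's own admin interface

# Bound the state table and age states faster as it fills, so a flood of
# connections runs out of room before it can starve legitimate new ones.
set limit states 10000
set timeout { adaptive.start 6000, adaptive.end 12000 }

# The NAT part: translate LAN sources to the external address.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny on the external interface. This rule, not NAT, is the barrier.
block in log on $ext_if all

# Silently drop ping requests arriving from the outside.
block drop in on $ext_if inet proto icmp icmp-type echoreq

# The admin interface is never reachable from the WAN side, only from the LAN.
block in log on $ext_if proto tcp to ($ext_if) port $admin_port
pass in on $int_if proto tcp from $lan_net to ($int_if) port $admin_port

# Let the LAN out, capping states per internal host so one misbehaving or
# compromised machine cannot fill the table for everyone else.
pass in on $int_if from $lan_net to any keep state (max-src-states 500)
pass out on $ext_if from ($ext_if) to any keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. The explicit block on the admin port is redundant with the default-deny line, but keeping it visible makes the intent auditable when someone later adds a `pass in` on the external interface.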
