NAT is not a mechanism for securing a network.. but.. HELP!

Funny, I don't see any reason for the majority of people to have Internet access at work; in fact, about the only people that need Web access are the managers, department heads, and higher levels, in order to maintain a feel for the economy. I'm not talking about blocking the world, just only allowing approved sites.

There would be no reason to allow moveon.org from any business unless it was political. Same for many other sites - so, you can see that most web access is not needed for most employees at most companies.

Reply to
Leythos

Email is from an internal server only - why would you want to allow employees to access any external email service? Since they have to send through the company server, since the company server is the only outbound SMTP, there isn't much they are going to do to tunnel.

Reply to
Leythos

But NAT routers don't block those OUTBOUND by default, sure they block it inbound, but they don't do anything about it outbound.

Reply to
Leythos

Sorry, but NAT is not just a low quality firewall - you seem to think that devices can be sort-of, maybe, almost, firewalls - well, they can't, they are either a firewall or not. All the fancy features that firewalls use to differentiate them from each other don't mean anything if the device is not a firewall.

NAT boxes, unless they meet certain requirements, are not firewalls. This does not mean that firewalls can't also offer NAT, but NAT alone does not make the device a firewall.

Reply to
Leythos

I don't believe that for one instant - I've done support for more than a hundred corporations in the last 5 years, many government groups, and I've never seen one company (or learned about one) that required all of its employees to have complete, open, unrestricted, internet access.

Sure, there are groups in companies that are given it, but the majority of employees in most companies don't need it to do their jobs.

Prove me wrong, list 5 companies we can check to see that everyone in them needs full, unrestricted, open, access to the Internet - 5 companies with more than 50 employees.

I await your list.

Reply to
Leythos

And if the address lookup was needed, there are many listing services that you can "approve" that would easily provide the information without having to give FULL internet access to the receptionist.

Keep trying, you're still not showing any reason to allow full, unrestricted, open, access to everyone in a company.

Reply to
Leythos

I fired a chap after we checked the firewall logs and found he was keeping an open connection to his stock trading site (before we locked down what people could access) - his excuse was that he needed to trade in order to afford to pay his bills and that calling on his cell or the cost too much, and that he didn't have a computer at home, so he had to trade at work.

We documented more than 60 hours in one month where he was actively trading and not doing work - after the initial warning (at 9 hours) we fired him for continuing.

We also found workers viewing Porn sites before hours, during breaks, and staying after hours - funny how you display a list of workstation names and p*rn files in the http sessions, how that seems to put an end to it, for a few months... Firing was next for many.

And the list goes on - every company has these issues.

How about the LARGE Government agency where the cleaning crew was connecting to people's desktops that were left logged in over the night/weekend and downloading MP3s? Locked them down to comply with HS rules and HIPAA....

Reply to
Leythos

There was an exploit on the web that targeted Linksys routers - when people connected via IE, it would login to the default IP of the router as the default account/password, then it would change the forwarding settings to allow inbound. Search google for it.

Reply to
Leythos

And if you do have unrestricted Internet access and were using it a bit too much in the management's eye, you will hear about it. One guy was rolled on the carpet about that and another one was doing a little too much emailing on company time. They do watch what's going on.

Duane :)

Reply to
Duane Arnold

Okay, go ahead and find me the correct spelling of a CEO's name for a randomly selected Fortune 500 company. Now try again using only one or two directory lookups.

Sure, it's probably possible without internet access, but it's a hell of a lot more efficient to use the internet connection.

Reply to
DevilsPGD

CyberDroog wrote in news: snipped-for-privacy@news.easynews.com:

I don't agree so there you go.

I got a different view on it, and that is why I dumped the NAT router, as it didn't provide the protection I needed.

Duane :)

Reply to
Duane Arnold

Just try it yourself. Take a simple masquerading device, send a spoofed packet from outside which seems to come from inside, and sniff inside to see if the packet is routed. There is enough spoofing software in the wild, so you can hack this simple task with BSD sockets yourself, or you could use ready-made software to generate the packets.

Together with clever filtering, a NAT router can provide good security against such attacks.

It doesn't. This is only nonsense. People who are blocking ICMP echo don't understand the TCP/IP network protocol family. That's all.

Those people usually think that you could "stealth" your computer by doing this, making it "invisible" in the Internet.

This is monkey business. The reason is that they did not understand TCP, IP or ICMP, because:

If there is really no computer at a specific IP address, you get a packet back!

Why?

The router in front of the non-existing PC then sends an ICMP packet which means either "no computer here" or "the complete network is not here, so there cannot be a computer" (ICMP destination unreachable message with code 0 or 1, see RFC 792, STD 0005).

So getting no information back is a sure sign that there _is_ a computer on the other side, and it's running braindead "security" software like ZoneAlarm ;-)

Of course not.

Firewall is a term most people use other than as it was intended.

"Personal Firewalls" like the ones Zonelabs or Symantec are selling are anything but firewalls.

Usually, they're host-based port filters, badly implemented compared to e.g. the Windows Firewall (which is also not a firewall, but a simple host-based packet filter, but which is OK in the way that it works well), combined with a lot of bells and whistles to make users feel a false sense of security. The rest of the features of the "Personal Firewalls" have a placebo effect, one can say.

So it is with the "stealth" feature. And it's not the worst thing - some features of the "Personal Firewalls" are even worse: they're making the PC more insecure rather than more secure, which is what they should be protecting.

Those features are, for example, windows opened from system services, or even the possibility to filter your secrets, like a PIN for your banking account, out of all network traffic.

The latter, for example, is so dangerous that it is like publishing your PIN to everybody who has a webserver you're looking at pages from.

Why?

Send inside HTML all numbers between 0000 and 9999 (hey, these are only 10,000 numbers, no problem) to the browser of the user as content, e.g. inside invisible form fields. The one number which is missing when the user sends back the form is the PIN. ;-)

People who are selling _this_ to you as a security feature (like Symantec or Zonelabs and so on) have understood really _nothing_ about security.

They're just the same people who're making your PC "invisible" in the Internet because they're filtering ICMP echo ;-)

Yours, VB.

Reply to
Volker Birk
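The ICMP argument in the post above (a router answering for an empty address with destination unreachable code 0 or 1, versus silence from a host that drops probes) as an added example, not code from the thread; the sample packet and addresses are constructed, and the classification adds the caveat that silence can equally come from a filter upstream:

```python
# Added example (not from the thread): decode ICMP replies to an echo probe per RFC 792; sample packet constructed.
import struct
from typing import Optional
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH = 0, 3
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}

def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; yields 0 when the packet's checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP header; for Destination Unreachable also read the quoted IP header."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg = {"type": packet[0], "code": packet[1]}
    if msg["type"] == ICMP_DEST_UNREACH:
        inner = packet[8:]  # IP header of the datagram that could not be delivered, plus 8 bytes
        if len(inner) < 20:
            raise ValueError("quoted IP header truncated")
        msg["reason"] = UNREACH_CODES.get(msg["code"], "code %d" % msg["code"])
        msg["original_dst"] = ".".join(str(b) for b in inner[16:20])
    return msg

def classify_probe(reply: Optional[bytes]) -> str:
    """Silence is ambiguous: a host dropping the probe ('stealth') looks like any upstream filter."""
    if reply is None:
        return "silence: probe or answer dropped somewhere"
    msg = parse_icmp(reply)
    if msg["type"] == ICMP_ECHO_REPLY:
        return "host answered"
    if msg["type"] == ICMP_DEST_UNREACH:
        return ("router reports nothing there: " if msg["code"] in (0, 1) else "unreachable: ") + msg["reason"]
    return "other ICMP type %d" % msg["type"]

def build_unreachable(code: int, quoted: bytes) -> bytes:
    """Constructed sample: Destination Unreachable quoting the undeliverable datagram."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, icmp_checksum(body), 0) + quoted

# Constructed quoted datagram: IPv4 header, proto 1, 198.51.100.7 -> 192.0.2.55, then an echo header.
SAMPLE_QUOTED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0,
                            bytes([198, 51, 100, 7]), bytes([192, 0, 2, 55])) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)
```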

Yes, this is the tunneling topic ;-)

Yours, VB.

Reply to
Volker Birk

Ah, you're *NOT* doing whitelist filtering.

Yours, VB.

Reply to
Volker Birk

Please, let us get back to security as the topic.

Secure network usage does not mean cutting the network cable with a knife because people are doing bad things with the network.

Secure network usage means that network usage is there and cannot or should not be cut for whatever reason, and people want to be secure against different attacks in spite of this fact.

Nice. But off-topic.

Yours, VB.

Reply to
Volker Birk

You don't need to access outside Internet mail services. If the internal mailing system is connected to the Internet, that's enough to tunnel.

There are ready-made protocols for this, BTW: some of them are spelled SOAP ;-)

Yours, VB.

Reply to
Volker Birk

Just dangling a rope for you, that's all. You'd never have been clear on what you thought of it if I'd mentioned that it is AT&T's telecom network operations.

The "guru" is Steve Bellovin. You've probably heard of him. He was in charge of AT&T's network security for a few years, and currently is teaching CS at Columbia University. It wasn't really "the" book that he wrote, it was several of them...

I don't think Bellovin has been certified by ICSA, but like a lot of other equipment that hasn't been, his reputation is widely known. ;-)

And just when did I say that I was "unaware of the business needs"? Within the division of AT&T that I worked for (AT&T Alascom, which AT&T acquired in 1995) it was simply impossible to file a weekly time sheet without access to the Internet. Is that "business need" enough for you? And that is merely the starting point on a list of requirements that most employees need Internet access for!

Unlike you, I have *not* made any such sweeping ridiculous claims.

My point was that when you say none do, you are blowing smoke.

Reply to
Floyd L. Davidson

His scenario is almost certainly fabricated.

Linksys routers, by default, do not allow access via the WAN (Internet) port to the web server. The only way his described technique would work is if a user purposely reconfigured to enable that access... *and* did not change the password. However, the Linksys configuration will not make that change if the default password is unchanged!

Basically, it sounds good but isn't true.

Reply to
Floyd L. Davidson

[...snip...]

Sure, but none of that is evidence that the router provided an "easy" way for hackers to hack into your network which is what the WG white paper claimed. BTW, was the Linksys doing IPaddr->IPaddr NAT, or IPaddr/Port->IPaddr/Port mapping? If the latter case, since icmp packets don't use port numbers how does the router decide which machine to send the ping packet to?

[...snip...]

Slanted writing often does not contain overt errors of fact. Instead it misleads by making unrelated facts seem related, overstating some things and understating (or not mentioning) others, etc, and generally leaving an impression with a non-critical reader that is not accurate. Of course, a lot of this is subjective. So if you say you found it a fair and balanced presentation of fact then, ok, that's what you think...

Nevertheless, I do not see how you can see the (paraphrased) statement that "if the firewall responds to pings, there is an easy path for hackers into the network" as a fact. I do not see how you can see conflating the two unrelated cost-of-intrusion statistics as not misleading. Or that the default password issue (in most cases when the admin has more than half a brain) is a very minor issue that is exaggerated when presented at the same level as claims that remote intrusion is possible, and is not limited to NAT routers (a fact they leave out).

I have used NAT and packet filtering several times for small businesses, never just NAT. But I want to know exactly and factually what the real risks are, based on documented facts, particularly regarding their claim that there are tools available that exploit open NAT'd connections. Their white paper (which I acknowledge is not the one you originally referred to) contained nothing that helped with that, so I am still looking....

Reply to
Stuart McGraw
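On the question in the post above of how a port-mapping NAT decides where an echo reply belongs: RFC 3022 NAPT treats the 16-bit ICMP query Identifier the way it treats a TCP/UDP port. A toy translator showing that, as an added example that is not from the thread and models no particular Linksys firmware; all addresses are constructed:

```python
# Added example (not from the thread): how an RFC 3022-style NAPT box maps ICMP echo traffic,
# which carries no port numbers, by rewriting the ICMP Identifier. Addresses are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

@dataclass
class Echo:
    """The fields of an ICMP echo packet that the translator cares about."""
    src: str
    dst: str
    type: int
    ident: int   # ICMP Identifier, used like a port for query messages
    seq: int

class IcmpNapt:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.out: Dict[Tuple[str, int], int] = {}   # (inside ip, inside ident) -> external ident
        self.back: Dict[int, Tuple[str, int]] = {}  # external ident -> (inside ip, inside ident)
        self.next_ident = 1024

    def outbound(self, pkt: Echo) -> Echo:
        """Inside -> Internet: allocate a unique external Identifier per (host, ident) pair."""
        key = (pkt.src, pkt.ident)
        if key not in self.out:
            self.out[key] = self.next_ident
            self.back[self.next_ident] = key
            self.next_ident += 1
        return Echo(self.public_ip, pkt.dst, pkt.type, self.out[key], pkt.seq)

    def inbound(self, pkt: Echo) -> Optional[Echo]:
        """Internet -> inside: forward only echo replies whose Identifier matches a live mapping.
        An unsolicited echo request aimed at the public address has no mapping, so the box
        itself must answer or drop it; it never reaches an inside host."""
        if pkt.type != ICMP_ECHO_REPLY or pkt.ident not in self.back:
            return None
        inside_ip, inside_ident = self.back[pkt.ident]
        return Echo(pkt.src, inside_ip, pkt.type, inside_ident, pkt.seq)

def demo() -> Tuple[Echo, Echo, Optional[Echo], Optional[Echo]]:
    """Two inside hosts ping the same target and both happen to use Identifier 1."""
    nat = IcmpNapt("203.0.113.9")
    a = nat.outbound(Echo("192.168.1.10", "198.51.100.1", ICMP_ECHO_REQUEST, 1, 1))
    b = nat.outbound(Echo("192.168.1.11", "198.51.100.1", ICMP_ECHO_REQUEST, 1, 1))
    reply_b = nat.inbound(Echo("198.51.100.1", "203.0.113.9", ICMP_ECHO_REPLY, b.ident, 1))
    stray = nat.inbound(Echo("198.51.100.1", "203.0.113.9", ICMP_ECHO_REQUEST, 7, 1))
    return a, b, reply_b, stray
```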

I googled a bit but couldn't seem to find this. But it sounds like it is not really a NAT specific exploit -- unchanged default passwords are not limited to NAT routers, yes?

Reply to
Stuart McGraw
