NAT is not a mechanism for securing a network... but... HELP!

Sure did, but they don't do it by default. The default mode allows ALL traffic outbound, so that means a compromised machine can phone home on the normal file sharing ports and get anything it needs.

Reply to
Leythos

And you can have a firewall without NAT, but having a NAT does not mean you have a firewall.

I suppose you've never seen NAT set up in 1:1 mode? How about NAT that defaults to 1:1 with all ports passed inbound?

Reply to
Leythos

Yeah, after weeks of monitoring to see what was going on, we let everyone know that we were now logging ALL traffic and could see everything anyone was doing. The reasonably honest people stopped abusing the company, the others waited until we hammered them, and others could not stop and were fired.

Reply to
Leythos

Yep, sure is. We always state NO PERSONAL USE, and then define clearly what we consider personal use (a non-inclusive list, but it covers about 15 things), and that all communications across company systems with any internal or external person, business, device, etc. belong to the company and can and will be inspected at any time. We also have a policy that all media of any type may be inspected at any time, including personal media.

We've actually found people working for other companies during security audits for other companies (meaning that an employee of company A was also working for company B on company A's network and time, without knowledge or permission from company A)... We had to search their home, which they agreed to, for documents and media that belonged to the company, all with their permission (to keep from filing a lawsuit against them).

Reply to
Leythos

CyberDroog wrote in news: snipped-for-privacy@news.easynews.com:

Well, you had better bet that the company put out documentation/standards about what an employee can and cannot do to address the usage of the Internet via a company machine using a browser or an email client on company time. They have big-time regulatory, compliance, legal, and security departments that do nothing but that.

And I'll tell you what about a multi, multi, multi, too many of those multi billions of dollars a company that operates around the world and pays out big dollar fines just to operate to produce product and just blows it off as a cost to operate and owns towns and banks and damn near owns the government.

It doesn't give a rat's ass about some employee trying to bring some lawsuit. The company is in court and paying fines just to operate on a daily basis and it's nothing to the company. The company and its management are treacherous.

Duane :)

Reply to
Duane Arnold

Type "linksys exploit" into Google. This is the first hit:

formatting link

Correct. By default they do not allow remote access. That is why the bug was called an *exploit*... because even with remote access disabled, the box was allowing remote access.

Reply to
CyberDroog

Actually it *is* in the manual on all the boxes I've seen. The trouble is that quite often the manual isn't really needed. People run home from Walmart with their new toy. They plug it in, connect the cables, turn on their computer and before they can even think "I gotta look at the instructions now", the default settings have already given them internet access.

Well hell, why read the manual now?

Reply to
CyberDroog

CyberDroog wrote in news: snipped-for-privacy@news.easynews.com:

Even if they read the manual first, you expect some *clueless* home user to know what to do off the bat? Hell, they can hardly turn on the computer and use it. You're asking for too much.

Duane :)

Reply to
Duane Arnold

formatting link

CD, Floyd is a lot like Floyd from Andy Griffith show - claims to know a lot because he's "educated", but has no experience in the real world.

Reply to
Leythos

But I think that we all know that in order for something to be secure, it almost always has a password (or combination)... I know it's expecting a lot from people, but they should at least be trying to learn a little.

Reply to
Leythos

nice thread, worth a read. Thank you everyone

Reply to
dr.nil

You're starting to become a PITA about it as far as I am concerned and it's much ado about nothing.

And let me ask you this, weren't you the one who posted some kind of nonsense a while back about meeting some lady TV reporter as she busted out past the FW and you met her in cyberspace? Your posting name certainly rings a bell on that, you college boy, and I have suspicions that it was you, as your name looks familiar to me now. ;-) You have been around for a while.

Duane :)

Reply to
Duane Arnold

Hey, I was over in the wireless NG responding to a poster today who happened to work for an ISP, asking how a router could be hacked and reconfigured so that the DNS the customer was using pointed to somewhere in China. I replied about the router being left in the default out-of-the-box state as a possibility.

If he had to ask how it could have been done, that doesn't leave too much hope. ;-)

Duane :)

Reply to
Duane Arnold

And one other thing, you already indicated that you lurk around your apartment complex looking at wireless possibilities. So I wouldn't put anything past you. Please, please, please and please some more don't mess with my little setup as you're too *dangerous*.

Duane :)

Reply to
Duane Arnold

Bugs, you say, yes. I am trying to understand what a form of a bug would look like... A bug in a NAT router would mean some kind of special packets in tandem that the router won't be able to handle, and then it will crash?!?

So it's a matter of sending those bytes to the router?

Reply to
Nicky

Ummm, how can a packet sent directly from the internet have as its source address an IP address of an internal LAN host? I don't see how this is possible. The source address of the packet would be the one that the sending remote host has! Can you please explain?

Well yes, but what if a router also doesn't exist at the specific IP address and in general there is no host at all? Then we will have no reply back at all, since there is no one to respond as the RFC suggests.

Reply to
Nicky

I am glad you mentioned that, so as to be able to clear up whether the unsolicited inbound traffic blocking ability of a NAT router has something to do with NAT or not.

As Moe Trin and I agreed in another thread, we simplistically accepted that

NAT/IP Masquerading = Source NAT
NAT/Port Forwarding = Destination NAT

So we see that NAT does and stands for Network Address Translation, which actually means IP address translation. I think it's only this and nothing more: changing the source IP address of an internal host to the router's external one, and then changing the reply's destination IP address from the router's external one to an inside host's IP address.

For me thats NAT.

The ability to block ALL uninvited incoming traffic requests is implemented by an entity/characteristic of the router different from NAT. And I believe that this is actually the job of a firewall.

Correct me if I am wrong, but I think we need to separate these two concepts in a clear way, because there is a huge discussion concerning them about what helps in security and what does not.

Also, I would like someone to tell me if SPI is a part of NAT or a different procedure/function.

Thank you.

Can you tell me a bit more on this please?

Reply to
Nicky

Guys, by tunneling do you mean connecting behind proxy servers? Please explain this tunneling concept to me clearly!

Reply to
Nicky

But if a remote host tries to send a packet with a valid destination IP (for example my router's external one) but a source IP address of, let's say, 10.0.0.1, then the packet will be rejected by the first ISP router it meets (if properly configured), because although the packet can be routed to reach its final destination, a reply won't be able to come back to the sender, since he is using a private, non-routable IP address!

Yes, but same as above, how will you send that packet to its destination?

You mean that just the previous hop (router) will notify that there is no network after it, so the intruder will still get back a response?

It's logical, yes, but I wonder, don't the companies know that this reason is too apparent to claim otherwise?

Reply to
Nicky
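Nicky's separation above of translation (Source NAT / Destination NAT) from the blocking of uninvited inbound traffic, Leythos's earlier point that NAT in 1:1 mode passes every port inbound, and the spoofed 10.0.0.1 source question are all illustrated by the following toy router model. It is an added example, not code from any post in this thread or from a real router; the topology, port numbers and packets are constructed, and the class and function names (Napt, OneToOneNat, StatefulFilter, deliver) are the example's own. The filter class is the kind of connection-state check that routers market as SPI, kept deliberately apart from the translation step so you can see which one does the dropping.

```python
"""Toy router model keeping NAT (translation) and firewall (filtering) separate,
to show which of the two blocks unsolicited inbound traffic. Added example for
this thread, not code from any poster or a real router; all addresses and
packets are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "203.0.113.7"                  # router's public side (TEST-NET-3)
LAN_NET = ip_network("192.168.1.0/24")  # inside network (RFC 1918)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """Source NAT with port overloading (IP masquerading). It only rewrites
    addresses; the mapping table is a by-product of translation, not a policy."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}  # (proto, wan_port) -> (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: source becomes the router's address plus a fresh port."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: reverse the translation. With no mapping there is nowhere
        to deliver, so the packet is dropped; that side effect is the whole of
        the 'protection' masquerading provides."""
        inside = self.table.get((pkt.proto, pkt.dst_port))
        return None if inside is None else replace(pkt, dst_ip=inside[0], dst_port=inside[1])


class OneToOneNat:
    """1:1 NAT: one public address statically mapped to one inside host on
    every port. Still address translation, but nothing is dropped."""

    def __init__(self, wan_ip: str, lan_ip: str):
        self.wan_ip, self.lan_ip = wan_ip, lan_ip

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src_ip=self.wan_ip)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst_ip=self.lan_ip) if pkt.dst_ip == self.wan_ip else None


class StatefulFilter:
    """The firewall half: ingress anti-spoofing plus 'only replies to flows the
    inside started'. It behaves the same whichever NAT mode sits beside it."""

    def __init__(self):
        self.flows = set()  # (proto, lan_ip, lan_port, peer_ip, peer_port)

    def lan_to_wan(self, pkt: Packet) -> bool:
        """Record the flow with inside addresses, before NAT rewrites them.
        All outbound traffic is allowed (the permissive default)."""
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def wan_to_lan(self, pkt: Packet) -> bool:
        """Decide on a packet NAT has already mapped back to an inside address
        (un-NAT happens before filtering, as in netfilter PREROUTING)."""
        src = ip_address(pkt.src_ip)
        # Ingress filter: a packet from the Internet must not carry a private
        # or LAN source address.
        if src in LAN_NET or any(src in net for net in RFC1918):
            return False
        # Stateful check: only the reverse of a flow the inside initiated.
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def deliver(nat, fw: StatefulFilter, pkt: Packet) -> Optional[Packet]:
    """Router's WAN-side path: translate first, then the filter decides.
    Returns the packet handed to the LAN host, or None if dropped."""
    inside = nat.inbound(pkt)
    if inside is None:
        return None
    return inside if fw.wan_to_lan(inside) else None
```

Run it with a LAN host at 192.168.1.10 opening a connection to 198.51.100.5:443: the masquerading router sends it out as 203.0.113.7:40000, the reply comes back through the mapping, and an unsolicited probe to port 445 dies in Napt.inbound only because no mapping exists. Swap in OneToOneNat and the same probe is translated straight to 192.168.1.10:445; only StatefulFilter stops it. A packet arriving on the WAN with source 10.0.0.1 and a destination port that does have a mapping is also happily translated by NAT; the ingress check in the filter is what rejects it.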

Stuart McGraw wrote: [NAT attack]

Most ISPs don't.

Yours, VB.

Reply to
Volker Birk
