A neighbor asked me to help him set up his new wireless router and get his laptops running. One thing that I have done on mine and some others is to block the MS ports (137, 138, 139 + 445) to/from the WAN. What valid reason would there be to have these "MS sharing" ports open across the WAN? Also - if left open... as most probably are... what do folks do?
So you have blocked ports and you don't know why? I can't see any reason for blocking ports, just buy a router with a built in firewall and run appropriate protection on each PC. Make sure the router is closed off to others and away you go.
None -- other than most likely getting the machine hacked to death, if those ports were port-forwarded to a LAN IP/machine that was using MS networking on the LAN.
Those ports are closed by default on a NAT router to the WAN or public Internet, unless you open those ports manually by doing port forwarding on the router or you have placed the machine into the DMZ.
Most folks purchase a router and don't plug their computah directly into the DSL or cable modem. The NAT translation and SPI firewall provide the necessary protection. You can run a fairly sloppy and insecure LAN behind a decent router/firewall. For these, all ports are blocked unless specifically enabled.
The problem with that assumption is that NAT and SPI alone provide *no* protection against ET-phone-home-type and LAN-to-LAN-type attacks, where a computer on the LAN has been compromised by virus, worm, browser exploit, etc. Thus it is a good idea to lock down outgoing router ports that aren't needed, and to run a good software firewall (filtering outbound as well as inbound) on every LAN client.
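The inbound-plus-outbound blocking of the MS ports that the two posts above describe, written out as an added example for a Linux-based NAT router (this is not code from anyone in the thread). It assumes iptables and a WAN interface named `eth0`; `IPT` defaults to `echo iptables`, so it only prints the rules until you set `IPT=iptables` and run it as root, ahead of any ACCEPT rules.

```shell
#!/bin/sh
# Added example: drop NetBIOS/SMB (TCP+UDP 137-139, 445) in both directions
# on the WAN interface, rate-limited LOG first so attempts stay visible.
IPT="${IPT:-echo iptables}"    # dry run by default; set IPT=iptables to apply
WAN_IF="${WAN_IF:-eth0}"       # assumed WAN interface name
MS_PORTS="137,138,139,445"     # NetBIOS name/datagram/session + SMB over TCP

# One LOG + DROP pair: $1 = chain, $2 = interface flag (-i or -o), $3 = proto
ms_rule() {
    chain=$1; ifflag=$2; proto=$3
    $IPT -A "$chain" "$ifflag" "$WAN_IF" -p "$proto" -m multiport --dports "$MS_PORTS" \
        -m limit --limit 5/min -j LOG --log-prefix "MS-PORT-$chain: "
    $IPT -A "$chain" "$ifflag" "$WAN_IF" -p "$proto" -m multiport --dports "$MS_PORTS" -j DROP
}

# Full policy: inbound from WAN to the router (INPUT) and to a port-forwarded
# or DMZ host (FORWARD -i); outbound from the router (OUTPUT) and from LAN
# hosts "phoning home" (FORWARD -o).
ms_block_rules() {
    for proto in tcp udp; do
        ms_rule INPUT   -i "$proto"
        ms_rule FORWARD -i "$proto"
        ms_rule OUTPUT  -o "$proto"
        ms_rule FORWARD -o "$proto"
    done
}

# Dry-run sanity check: number of rule lines the policy emits (expect 16).
ms_rule_count() {
    ms_block_rules | grep -c -- "--dports $MS_PORTS"
}
```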
Well - I used to run ISDN routers before we had broadband in our area. We would block the Netbios traffic because it would cause a dialup of the ISDN link. A firewall merely offers the "capability" to block ports. So, even if a router has a firewall, it may be passive, or it may be actively blocking all unused ports, or it may be SPI for managing the TCP/IP connections and port sequencing. As far as letting the Netbios traffic out on the WAN, I think it might be necessary if you are trying to potentially connect to a Microsoft based server application - like Exchange...
I think you need to find out something. What does an Internet/network FW do?
You're somewhere in the ballpark, that's the least that can be said.
This last statement above is questionable, to say the least. That Exchange server would be behind a FW in a closed/protected environment on the LAN and would not be exposed to the Internet/WAN. I would think it would be using SMTP and maybe port 25, and no one over the Internet would expose the Exchange server, any MS server or workstation to the WAN on any of the ports you talk about if they have any common sense. That's 137-139 TCP and 445 UDP trying to network with a MS machine on the WAN.
Well, not to get too involved with this as it has been done in the past in this NG, I think it's a very good definition of a network FW. A FW can do more than block ports as the OP seems to think.
And I don't think a personal FW is a FW either as it doesn't separate two networks.
I think the OP needs to learn the different aspects of FW solutions, so I'll give him this too.
I think the OP is somewhat lost here and in MS networking in general and should not be opening those MS networking ports under any circumstances to the WAN/public Internet, unless the OP is looking to get *hacked*.
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
I think a "personal firewall" meets the definition given that it enforces a security policy between an external network and an internal network (of one computer). A firewall is in effect a security gateway.
I guess you're talking about that worthless Application Control in PFW(s) that can be beaten at the computer boot and logon process, as the malware can get to the TCP/IP connection first before the O/S can even start the PFW to protect it, since no 3rd party PFW is an integrated part of the MS O/S internals such as TCP/IP, which must wait for the 3rd party PFW to start with the 3rd party FW being a dependency of the MS O/S internals such as the service (I can't think of its name) that makes the TCP/IP connection available. That includes any packet filtering capabilities and the so called worthless application control in 3rd party PFW(s). The only PFW solution that can get there is the XP FW that is set as a dependency, and the MS O/S internals for TCP/IP must wait for the XP FW to start before the TCP/IP is made available.
As opposed to an external solution such as a standalone packet filter FW router or FW appliance that has had outbound rules set to block outbound traffic. It's hard to beat that solution as it is not running on the computer and it's not running with the O/S.
Anything running with the O/S can be easily circumvented and defeated by malware, or attacked by the malware, just like the O/S can be attacked and circumvented by malware. If the O/S is not secured, and most don't know how to do it, then how is anything running with the O/S going to be secure?
My favorite test for this is you install Gator on the machine, set any inbound or outbound filtering rules to stop Gator from connecting to its sites, set any application control rules to stop Gator from running with the 3rd party PFW you want. You install Active Ports (free) and put a shortcut for Active Ports in the Start-up folder with AP's refresh rate set to high so you can see connections being made. You can boot the machine and see who gets to that TCP/IP connection first -- Gator or the 3rd party FW solution. You may find that Gator has made its connection and has done its thing before the PFW can even get there.
No, and IMHO, a 3rd party host based PFW solution will never out class a packet filtering FW router or FW appliance that meets the specs for *what does a network FW do*.
Of course, there are host based FW solutions that run on a gateway computer that meet the specs for a FW and can match a FW router or appliance, but that too is based upon how secure the O/S has been configured to host it and the person's knowledge of the FW solution and its configuration.
This sentence is considerably too long to read properly - are you short of full stops :-) - but I think the gist of it is incorrect anyway.
The way that well-written PFWs work is to install a very low-level hook into the TCP stack. The stack then can't start without the FW filter running. To install a lower level hook would be possible, but extremely easy to detect.
You /do/ realise that one can set absolutely any service as a dependency of or on any other? There's nothing magic about this.
HardER, anyway. The F/W is still running /an/ OS, and that still can have bugs, exploits and weaknesses.
I disagree with 'easily' but the general point is correct - any running s/w can be circumvented - INCLUDING that running in your FW appliance, don't forget. It's still just s/w.
Absolutely right. I totally agree with this.
As for suggesting someone install Gator, that's just malicious... Mark McIntyre
----- Original Message ----- From: "Mark McIntyre" Newsgroups: alt.internet.wireless Sent: Friday, March 03, 2006 1:59 AM Subject: Re: blocking MS ports from WAN access
That's incorrect in my opinion and there is no way that is happening. It may have a hook into the TCP stack, but if the 3rd party FW solution is not started prior to any other service in the start sequence of the services, then it means nothing.
I have written Windows Service applications and I know that this is not happening, as a PFW solution is running as a service on any NT based O/S. If that 3rd party FW solution has not started first in the sequence of the service programs starting based on start dependency, it's not happening - period.
You go look at the services on the NT based O/S and you tell me the service or any service that's waiting for that 3rd party FW service to start before any service starts.
Then show me any service on the NT based O/S that's dependent upon the 3rd party PFW solution service installed on the NT based O/S. You can clearly see the dependencies for any service program on the NT based O/S that are being used.
Keep in mind now, that I have written Windows NT service programs and I absolutely know what they are about and how to implement an NT service program. I know about setting dependencies for an NT service program and how to do it.
I am a programmer, and my livelihood is writing programs, with Windows NT service programs being one of the many types of programs I have written to run on the MS platform. No 3rd party PFW solution is going to be installed on that computer that interfaces with the NT services used by the O/S -- none. It's not happening.
I don't care if it's an O/S; of course it's an O/S. However, the O/S running on that standalone solution is not running on the host computer and CANNOT be attacked like the solution running with the computer's O/S.
I don't see any programmed solutions that are attacking a standalone appliance, or that have completely taken out or defeated it, like a PFW or host based solution can be taken out, circumvented or defeated, just like the computer's O/S can have it happen to it.
For the most part, any software that's written by a fallible Human Being can be beaten. But the standalone solution cannot be taken out like the host based solution that runs with the computer's O/S, and that's a fact.
It's a test for my purpose in this case. And I have used it to make the tests on several PFW(s). What do you think Gator is doing? It's not attacking the machine or destroying the O/S like malware can attack a machine or the O/S.
It's just a series of programs that gathers information and connects out to its site using Svchost to connect out well before that PFW can get there to stop anything. And Gator can be uninstalled. Those PFW(s) are not stopping Gator in the boot and logon sequence. It's not happening, and they are NOT stopping anything that can get there first.
I know how to go look at what's happening on the computer using the Windows O/S.