RE: NAT, Internet access and security

From: Wesley Song (wes@atlassupportcenters.com)
Date: 01/11/02


From: "Wesley Song" <wes@atlassupportcenters.com>
To: <security-basics@securityfocus.com>
Date: Fri, 11 Jan 2002 11:03:27 -0700

The purpose of the stealth rule is so that when they ping the IP of the
firewall it will not respond. If you have other servers, then they
should be on different IPs and should be redirected through the
firewall. The purpose of this is so that if you have your firewall
set up, then they can't hack the firewall itself. If you have a
webserver for instance, then they can still hack the webserver. This is
the reason for hardening and for the vigilance to patch the OS that runs
the webserver. A firewall is not a cure-all; it does a specific job, to
control traffic. If you want better protection on any server that has a
window to the outside world through your firewall, you might want to
think about an IDS.

Wesley Song
Systems/Network Administrator
Atlas Support Centers
303.692.0451 x270
720.205.6079

-----Original Message-----
From: ___cliff rayman___ [mailto:cliff@genwax.com]
Sent: Wednesday, January 09, 2002 6:33 PM
To: Bourque Daniel; security-basics@securityfocus.com
Subject: Re: NAT, Internet access and security

Bourque Daniel wrote:

> Normally, you want your FW to be as invisible as possible (black hole) so
> you just drop all incoming packets that are not specifically allowed in by a
> rule. What you can't see can only be attacked by guessing. Rejecting gives
> back information to the bad guy...

hmmm....
i think it is a black hole only if it does not respond on any port. that is,
every port is dropped (deny). of course, in that case, nothing gets through
the network. if you drop packets on most ports, but allow some in on
others, you are telling the "bad guys" that you are using a firewall
and that you drop packets instead of rejecting them.

if you reject packets, then you might just be a host that does not have
that service running. in either case, i don't think it is going to make
much of a difference to most "bad guys", since they will just try and
hack you on the ports that are open in any case.

>
> In the case of a smtp mail server, it's better to reject incoming IDENT
> requests; otherwise, you will have timeout problems with the smtp delivery of
> your mail going out to some servers..

this is true!

> I had heard that it is better to have a 'reject' rule instead of a
> 'deny' one, as reject will give back an immediate reply to the
> interrogator, while just rejecting the query can give you a multitude of
> 'retry', which can eat your bandwidth with lots and lots of retries. If
> possible, can somebody point me where can I get correct information on
> this (white papers, hints, tips, anything..)
>
> Nick wrote:
>
> > I was under the impression that the "stealth rule" was to have anything
> > going directly to your Firewall dropped, therefore making your FW's
> > address a "black hole". It never answers anything, except what you
> > specifically allow for management purposes.

--
___cliff rayman___cliff@genwax.com___http://www.genwax.com/
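The drop-versus-reject trade-off argued over in this thread, worked through as an added model of what the connecting host experiences (this is illustration code, not written by anyone in the thread). It assumes RFC 6298 SYN retransmission (initial RTO of 1 s, doubled per retry) with a Linux-style tcp_syn_retries limit of 6, and uses a hypothetical MTA ident timeout parameter for the IDENT case Daniel raises.

```python
# Model the client-side cost of a firewall that DROPs versus REJECTs a TCP SYN.
# Assumptions (not from the thread): RFC 6298 backoff with a 1 s initial RTO,
# doubled on each retry, and a Linux-style tcp_syn_retries default of 6.
from dataclasses import dataclass


@dataclass
class ClientView:
    packets_sent: int          # SYNs transmitted before the client knows the outcome
    seconds_to_verdict: float  # wall-clock wait until the client gives up or is refused
    verdict: str               # "refused" (REJECT) or "timed out" (DROP)


def syn_cost(policy: str, syn_retries: int = 6, initial_rto: float = 1.0) -> ClientView:
    """What one connecting host sees for a single filtered TCP port.

    "reject": the firewall answers the first SYN with a TCP RST (or an ICMP
              port-unreachable), so the client stops after one round trip.
    "drop":   the SYN is silently discarded; the client retransmits with
              exponential backoff until syn_retries is exhausted.
    """
    if policy == "reject":
        return ClientView(packets_sent=1, seconds_to_verdict=0.0, verdict="refused")
    if policy == "drop":
        rto, elapsed = initial_rto, 0.0
        for _ in range(syn_retries):
            elapsed += rto        # wait one RTO, then send another SYN
            rto *= 2              # back off for the next attempt
        elapsed += rto            # final wait after the last SYN before giving up
        return ClientView(packets_sent=1 + syn_retries,
                          seconds_to_verdict=elapsed, verdict="timed out")
    raise ValueError(f"unknown policy {policy!r}")


def ident_delay(policy: str, mta_ident_timeout: float = 30.0) -> float:
    """Seconds a remote MTA stalls on its IDENT (tcp/113) lookup back to your
    host before it proceeds with the SMTP session.  mta_ident_timeout is a
    hypothetical per-MTA setting; the stall is the smaller of that timeout and
    the TCP connect timeout produced by your firewall policy."""
    return min(mta_ident_timeout, syn_cost(policy).seconds_to_verdict)


if __name__ == "__main__":
    for policy in ("drop", "reject"):
        view = syn_cost(policy)
        print(f"{policy:6s}: {view.packets_sent} SYN(s), "
              f"{view.seconds_to_verdict:.0f} s until {view.verdict}; "
              f"IDENT stall for a remote MTA: {ident_delay(policy):.0f} s")
```

With the defaults, a dropped port costs the remote side seven SYNs and about 127 s of waiting, while a rejected port costs one SYN and one RST, which is the retry and bandwidth effect Daniel describes and why rejecting IDENT keeps remote MTAs from stalling on your outbound mail.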


