RE: seeking a better understanding

From: Nick (bombdudeusmc@yahoo.com)
Date: 01/22/02


From: Nick <bombdudeusmc@yahoo.com>
To: apif@sbcglobal.net
Date: 22 Jan 2002 08:21:44 -0500

I saw good answers to the first question, so I will attempt to shed some
light on the second.

Packet inspection with a home router (?) is a "packet filter" strictly
inspecting IPs. This can be trivial to overcome. Src port blocking is
adding a little, but also can be overcome by someone with the knowledge
of packet crafting. Hide NATing (also known as PAT) will give you more,
but it's more along the lines of security through obscurity.

Think of it this way: If someone wanted to get in, they could send a
packet, crafted properly, with the "established" bit set. This would
get past most "packet filters". Depending on how you're implementing
source port blocking, it may or may not get through that. If they were
running a traffic analyzer on the local segment (cable modem) they could
see what connections you were attempting, and possibly hijack the
session. This would get through the NAT, because they would be
responding to a legit request, with a packet that spoofed the IP you
were connecting to. So depending on how bad they wanted to get in, it
wouldn't take a Herculean effort.

Having said all that, you need to take into consideration what it is you
are protecting. If it's a simple web server with your personal home
page on it, harden it so that if someone traversed your router, they
couldn't use you as a beachhead or zombie for a DDoS elsewhere. If it's
a server that is advertising your consultancy, or selling product, then
spend a little more to protect your assets, and get a middle box to run
your firewall. iptables with stateful inspection can be done cheaply
enough.

HTH

Nick

On Sat, 2002-01-19 at 05:25, apif wrote:
> I received one response to my original post... so maybe I am not in the
> right conference / newsgroup. If this is so, please let me know. Otherwise,
> the two following questions would scoot me along to understanding what I
> need about basic security. Thanks.
>
> 1. Given port 80 (and only port 80) is open to the outside world, if someone
> were to breach that port, could they do more than deface my website?
>
> 2. Is a home router that does src port blocking, packet introspection, and
> NATing enough, or do I need a middle box running some form of firewall
> software too?
>
> -----Original Message-----
> From: apif [mailto:apif@sbcglobal.net]
> Sent: Wednesday, January 16, 2002 2:25 PM
> To: security-basics@securityfocus.com
> Subject: seeking a better understanding
>
>
> All,
>
> Where to begin? I have a home network, and am considering putting in a web
> server. At this point I am considering the security of it. I suppose the
> best way to help you in helping me is to tell you a little about me, my
> network, and how I plan on using this.
>
> I'm from a technical background and support MS servers. I have very little
> experience in Linux, and only a little in security. Security mostly comes
> from another group in my company.
>
> My connection to the internet is DSL. I am planning to upgrade it to a
> premium connection so that I can have static IPs. A domain name and DNS
> registration will be a course of action further down the line.
>
> My home network consists of less than 5 boxes, each running varying O/S's.
> All MS O/S's are running personal firewalls. Other boxes are Linux.
>
> I have a netgear R0318 router which is up to date on its firmware. It
> supports NATing, packet introspection, and blocks ports except where I
> specify they should be allowed through.
>
> So here is the run down. I'm weak on Linux, but that is what I want to put
> the web server on. It will run on Apache web software. All machines are
> behind the router, and all addresses are NAT'd. I would project out port 80
> for the Slackware Linux machine, and no others (except maybe FTP at some
> point unless you think this would not be wise). I currently do not have any
> A/V software on my linux box (and to be honest, have no idea what sort of
> A/V to put on a linux box).
>
> Now that you have the background, my question comes down to this. If port
> 80 is the only port allowed through, and someone chose to attack this port,
> could they compromise my system, and if so how? What other steps should I
> take to protect this system? I see IPTables (I guess it replaced IPchains)
> in slackware. I know this is a firewall, but I don't think it is like the
> personal firewall I have on MS boxes. I suspect it is more like a full corp
> class firewall, and probably as complicated. Should I be using this on my
> Slackware machine? Do you have any suggestions of what A/V software I should
> use on a Linux machine, and do they spot trojans as the MS ones do? Thank you
> for your time. I'm sorry this was so long.
>
>

-- 
Nick
Network Security Consultant
CISSP, CCSI, MCSE, CCNA
Lucent Technologies/NPS
Raleigh, NC
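To make the distinction Nick draws concrete, here is an added example (not part of the original thread) that models a stateless "packet filter" next to a stateful one and feeds both the same three inbound segments: a genuine reply to a connection the home box opened, a crafted ACK-only segment from an unknown host, and an unsolicited SYN. The addresses, ports and packets are constructed for the demonstration; the iptables rules quoted in the comments are the standard stateless and conntrack forms of the "established" rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """A TCP segment reduced to the fields a filter looks at (constructed, not captured)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

HOME = "10.0.0.5"  # constructed: the box behind the router

class StatelessFilter:
    """Classic packet filter: everything except a bare SYN is assumed to belong
    to an 'established' connection. iptables equivalent (no conntrack):
        iptables -A INPUT -p tcp ! --syn -j ACCEPT"""
    def outbound(self, p: Packet) -> None:
        pass  # keeps no memory of what left the network
    def inbound(self, p: Packet) -> bool:
        return not (p.syn and not p.ack)

class StatefulFilter:
    """Stateful inspection: remember connections we opened, accept inbound
    only when it matches one. iptables equivalent:
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"""
    def __init__(self) -> None:
        self.table = set()
    def outbound(self, p: Packet) -> None:
        if p.syn and not p.ack:  # our own connection attempt
            self.table.add((p.src, p.sport, p.dst, p.dport))
    def inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.table

def run_scenario() -> dict:
    """Verdicts for a real reply to our request, a crafted ACK-only segment,
    and an unsolicited SYN, under both filters."""
    our_syn = Packet(HOME, 40000, "198.51.100.10", 80, syn=True, ack=False)
    packets = {
        "legit_reply": Packet("198.51.100.10", 80, HOME, 40000, syn=True, ack=True),
        "crafted_ack": Packet("203.0.113.7", 31337, HOME, 139, syn=False, ack=True),
        "new_syn": Packet("203.0.113.7", 31337, HOME, 139, syn=True, ack=False),
    }
    verdicts = {}
    for name, filt in (("stateless", StatelessFilter()), ("stateful", StatefulFilter())):
        filt.outbound(our_syn)
        verdicts[name] = {k: filt.inbound(p) for k, p in packets.items()}
    return verdicts
```

Both filters pass the genuine reply and drop the bare SYN; only the stateful filter drops the crafted ACK-only segment, because no tracked connection matches it.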



