Re: Would a firewall prevent Sasser worm?

From: David W.E. Roberts (
Date: 05/05/04

Date: Wed, 5 May 2004 17:33:05 +0100

"Leythos" <> wrote in message
> In article <c78mat$4ps$>,
> says...
> > "Close all ports that you do not absolutely need on your machine"
> > should surely be the first bit of advice. Then after you have done that
> > also install a firewall for that extra bit of protection.
> The problem is that most people don't have a clue as to how to close
> ports, setup IPSec rules, etc... Most people don't even know to enable
> the ICF on their machines.
> The best thing people can do is purchase a cheap router with NAT and use
> it from the moment they get their computer. This lets them download the
> updates, install and update the AV software, etc... before they have a
> chance to get hacked.
> I put this back on the ISP's - they provide an open connection and don't
> warn the unsuspecting public about the risk/problems. If they just
> enabled NAT by default on their routers (DSL or Cable) most of this
> problem would go away.

NAT by itself doesn't do much for you - because safety depends on who is on
your side of the router.

In a SOHO environment NAT is pretty damn good - because you know all
the people behind the NAT router and you don't expect them to hack you
(although one PC with a worm behind your NAT router can gut all the other
local PCs). Safest is one PC behind a NAT router - nobody else to compromise.

If an ISP has a NAT router then (unless I am missing something) all the
other customers (at least those served by your particular router) will also
be your side of the router, and able to port scan you anytime they want.

I think that most ISPs will have firewalls between their own customers and
the Internet - if only to protect their own machines and routers.

It is the customers within your ISP who are likely to threaten your PC - and
I don't think having NAT on an ISP router would help much.

Having each port on the router firewalled against incoming traffic would be
nice - most ISPs already block port 25 to prevent open email relays and
presumably other ports could be blocked also.

However there will always be someone who wants unusual ports open for
incoming traffic (PTP probably) so administration could be a nightmare.

Buy your own NAT router and don't rely on a 3rd party.

Dave R

