Re: Would a firewall prevent Sasser worm?
From: David W.E. Roberts (nospam_at_talk21.com)
Date: Thu, 6 May 2004 11:27:31 +0100
<firstname.lastname@example.org> wrote in message
> In comp.security.misc Leythos <email@example.com> wrote:
> > In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> > firstname.lastname@example.org says...
> >> If an ISP has a NAT router then (unless I am missing something) all the
> >> other customers (at least those served by your particular router) will
> >> be your side of the router, and able to port scan you anytime they
> >> I think that most ISPs will have firewalls between their own customers
> >> the Internet - if only to protect their own machines and routers.
> > I wasn't talking about the ISP doing a NAT for their network, I was
> > talking about the ISP enabling NAT on the Cable/DSL modem at each
> > customer's location. Free, works great, blocks uninvited inbound.
> ???? What does this mean ????
> I'm not aware of any Cable modem with an IP stack, so they simply
> wouldn't be capable of doing NAT. I imagine DSL modems are the same.
> The ISP could provide a NAT-enabled router of some sort in addition to
> the Cable/DSL modem, but that would be an extra cost....
Wandering a bit now, but....
In the UK for (A)DSL you generally get:
(a) a USB DSL modem which plugs directly into your PC and leaves you
potentially exposed to the Internet.
This is the general base level install from an ISP and does leave you
exposed if you don't understand and deal with the security risks.
So I tend to agree that the base level install for DSL should be a
The most basic modem/router - DSL in, one Ethernet port out - costs little
more than a USB modem.
The main issue is where a PC has a USB port but no Ethernet port.
(b) a modem/router i.e. a DSL modem inside a router which provides NAT. The
most recent offerings give you a modem, router, SPI firewall, 4 port 10/100
switch, and an 802.11g wireless AP all in one box and under £100 UKP.
Generally you can get these as part of a package from the ISP, or get a
'wires only' install and buy your own.
IMHO the sensible way to go.
AFAIK in the UK for cable you usually get:
A cable modem which does cable in one end and Ethernet out the other and not
The thinking user gets a 'Cable/DSL router' (but for DSL see above) which is
essentially the same as the DSL modem/router but with an Ethernet WAN port
instead of the DSL modem.
The WAN side connects to the cable modem and the PCs sit on the LAN side via
UTP or 802.11x.
I have no idea why these are called 'cable/DSL' routers because it causes no
end of confusion for naive users who buy one thinking it can connect to DSL,
only to find they need a modem with an Ethernet port (which are as rare as
rocking horse droppings because single port modem/routers cost the same so
who would buy one??).
But I digress :-)
P.S. for increased security on a network with more than one PC, you can use a
cable/DSL router to build a true DMZ i.e. have your ADSL modem/router, into
your DMZ LAN, off which hangs your mail/web/whatever server and the cable
router, which fronts your 'green' LAN and uses NAT (and possibly SPI
firewall) to protect your PCs from any intruder who gets into your server.