Re: Would a firewall prevent Sasser worm?

From: John Brock (jbrock_at_panix.com)
Date: 05/07/04


Date: 7 May 2004 10:24:47 -0400

In article <2g121oF3c4edU1@uni-berlin.de>,
David W.E. Roberts <nospam@talk21.com> wrote:

>"John Brock" <jbrock@panix.com> wrote in message
>news:c7dsoq$5u9$1@panix1.panix.com...

>> At home I connect two PCs to the Internet through a Linksys BEFSX41,
>> which has a built in "Stateful Packet Inspection firewall". In
>> terms of security from external attacks what advantages (if any)
>> does this have over a vanilla NAT router, like the BEFSR41? (Note
>> that I am the only user of the two PCs).
>>
>> Also, if I were to turn off the BEFSX41 firewall would I still have
>> the same level of protection that I would have with any NAT router?

>AFAIK the SPI bit gives you additional protection against Denial of Service
>[DoS] attacks designed to confuse your router by sending malformed packets
>or packets with e.g. only the first half fragment of a two part packet.
>These can cause the router to fill up the incoming buffers waiting for the
>second half of the packet, and crash the router.
>SPI looks at the incoming packets, and those queued in the router, and
>decides if they are causing problems and need to be thrown away.
>There are a variety of known attacks which can crash routers, and SPI
>provides at least some protection against these.
>So you have more protection than just NAT.
>
>Having said that, DoS attacks require a significant amount of resource
>(usually several machines acting in concert) and so are usually aimed at
>high profile targets.
>It is unlikely that a 'hacker' would launch a DoS attack at any (or every)
>unprotected PC on an ISP.
>
>The more likely attack on a 'vanilla' PC on an ISP is port scanning,
>followed by an attempt to use one of the many well known exploits against
>specific ports where they are found to be open.
>
>This is easy to automate, and can be left running long term with a low
>profile.
>
>A bit like walking down a street full of cars and gently trying each door
>handle until you find one that is unlocked. Or looking through each car
>window until you see one with the keys in the ignition.
>
>So NAT is the major protection but in a pretty dumb way - whatever the
>question the answer is NO!
>
>SPI gives you more protection and is a good thing, but people (IMHO) can
>live without it.
>
>Firewall capability allows you to modify the NAT behaviour to allow selected
>incoming calls to selected destinations, which is good for online gamers,
>and people running their own web and mail servers.
>
>Full firewalls allow you to do all sorts of cool things but tend to cost
>uncool amounts of money and require a higher spec. router.

Thanks for the answer. If I may try to boil it down, it looks like
you are saying that NAT is a perfectly good firewall for a home
user who has no reason to think he will ever be the target of a
DoS attack (which is to say most home users) and has no desire ever
to allow outside computers to initiate connections to his machine.
Is that right?

Or let me put it another way: If I am using a NAT router and I go
to a security site like grc.com and use its ShieldsUP! facility I
should see nothing but closed ports, which means that while it's
possible for a hacker to disrupt my Internet connection with a DoS
attack it is *not* possible for him to break into my machine. Yes?
You are saying that what an SPI firewall does is allow you to expand
on this basic protection, allow certain incoming connections, and
perhaps filter outgoing connections in various ways. Right?

I bought my BEFSX41 firewall/router because I had gotten the
impression from various reading that a NAT router, while helpful,
fell short of complete protection from outside break-ins. I don't
resent spending the extra money, but it looks like you are telling
me that I was mistaken, and that for my purposes NAT alone would
have been sufficient. The thing is, I may be helping another home
user get set up for broadband soon, and if a NAT router is all she
needs then there is little point in making things more expensive
and complicated by getting a full firewall/router. But I don't
want to leave this person open to infection either, so I want to
make sure I understand the issue fully. Can you point me to any
helpful web sites which go into the issue of NAT as firewall in
more detail?

-- 
John Brock
jbrock@panix.com


Relevant Pages

  • Re: New modem and iptables...
    ... The router performs firewall and NAT functions ... If you want to persuade me it's a modem, ... it's a router and _it_ has your public Internet address. ... It also does NAT (otherwise you couldn't have a private IP address on ...
    (Fedora)
  • Re: Would a firewall prevent Sasser worm?
    ... >> the same level of protection that I would have with any NAT router? ... >There are a variety of known attacks which can crash routers, ... >Firewall capability allows you to modify the NAT behaviour to allow selected ...
    (comp.security.misc)
  • Re: Would a firewall prevent Sasser worm?
    ... >> the same level of protection that I would have with any NAT router? ... >There are a variety of known attacks which can crash routers, ... >Firewall capability allows you to modify the NAT behaviour to allow selected ...
    (comp.security.firewalls)
  • Re: IP Addressing
    ... Address of the ISA server? ... firewall and router). ... On the firewall create a static NAT entry as I wrote ...
    (comp.dcom.sys.cisco)
  • RE: Nortel Contivity 2600
    ... For the 'why NAT and IPSec don't play nice together' question, ... Before deciding where to connect the VPN device (firewall, inline IPS, ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping ...
    (Pen-Test)