Re: Are you protected by NAT?
From: Larry W4CSC (spaminator@knology.net)
Date: 06/11/02
- Next message: Larry W4CSC: "Re: ZA and intermittent broadband cut-outs"
- Previous message: George: "Re: Here's the Information on My Attacker"
- Maybe in reply to: Zā¢: "Are you protected by NAT?"
- Next in thread: those who know me have no need of my name: "Re: Are you protected by NAT?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: spaminator@knology.net (Larry W4CSC) Date: Tue, 11 Jun 2002 02:56:26 GMT
On Mon, 10 Jun 2002 23:46:16 +0000 (UTC), "SysAdm"
<wjones@sitesmith.com> wrote:
>um, squeeze me, but there's 2 sides to a NAT -- As far as internet NAT is
>concerned, there is a *public* and private address.
>
>so, if you're talking bi-directional NAT then NAT on its own doesn't provide
>an effective security solution at all.
Ok, so go ahead and trash my computer on 192.168.0.3. I'll
wait........
>
>so, let's take it that you're talking about outbound-mode NAT - ie. just using
>NAT for allowing outbound traffic to surf the web etc. you think you're safe
>?? wrong.
>a maliciously crafted application or cross-server script would render the
>NAT useless as NAT itself would not provide any packet filtering for the
>return packet.
True. But, of course, you are talking about an INTERNAL
worm/virus/trojan opening a hole in the NAT and listening for a call
through it from its script kiddie, right? The up-to-date virus
scanner, mostly, eliminates this possibility. You are also talking
about scripting. Scripting is UNINSTALLED on all systems, here.
Which type of scripting are you talking about? .vbs....no host to run
it on. Javascript?.....disabled and its dll deleted. We CAN, and do,
live without scripting, here. The applications, etc., are scanned by
Symantec. It updates daily.
I received 8 viruses, today, in email. Want one? I saved the new
ones that were different than Klek. They were all W32. virii. Of
course, because Pegasus 4 will not RUN them, they are quite harmless,
unlike Outlook they were written for. Some were filtered before I got
them by myrealbox.com at Novell. Great serverware. Too bad Knology
uses some freebieware for Linux that doesn't do it for me....No
matter, nothing RUNS so nothing's installed. Gimme your FTP server
address and I'll upload them for you to play with...(c;
>Neither will NAT mask host information, so log files contained on servers
>you have connected to, could show your OS type / private address and netbios
>info (if applicable)
There are no 'BINDINGS' here, except TCP/IP. NetBIOS, sharing, etc.,
are all uninstalled. My ports list on every machine looks like:

C:\WINDOWS>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1857           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1027       216.168.3.40:119       ESTABLISHED
  TCP    192.168.0.2:1857       216.168.3.40:119       ESTABLISHED

The two ports ESTABLISHED are to Supernews. One I'm using to send you
this message. The other is Xnews downloading disgusting pornography
of beautiful women being molested by men I wished I looked like that
have no brains. The port 8081 on 127.0.0.1 is WebWasher waiting to
proxy html for me so I don't have to be spammed to death just to find
out what the weather is for tomorrow. (www.webwasher.com) fantastic
software for your browser.
>If you haven't configured your border router effectively, you could be up
>for a directed broadcast attack, or a smurf attack - both of which NAT would
>provide no security against.
Yes. As good as any home user can have at this price. The lights
here go crazy several times a week on the WAN side and modem. No
firewall has ever reported anything unusual for months on end. I used
to leave NIS 2002's firewall running, just for fun. Although set to
paranoid schizophrenic, it never reported anything, of course. When
Virtual Suicide from suicide.netfarmers.net was online, I turned it
loose, full tilt, on the Netgear...the whole storm. It took a long
time as the Netgear doesn't answer, even simple pings. I was immune
from the Virtual Suicide attack. I've tried all the others with
similar results. Unless a virus opens an easily spotted hole in the
NAT, it seems fairly safe. (by the way NIS2K DIDN'T survive the
attack from Virtual Suicide. The DoS just killed it!)
>
>NAT is a good thing - but it wasn't invented as a security tool, it was
>invented to combat public-IP address space deletion. Using it alone to
>provide security is a *bad* move.
We know that. But, for the "home user" whose main attackers are from
the script kiddies looking for SubSeven, or some idiot pinging 100
times per second, etc., NAT is a fine way to keep your computer from
these nuisance DoS attacks. The military's most defended mainframe
isn't immune, either, as has been proved over and over. But, us "home
users" aren't the TARGETS of these attacks, either. For the average
Joe like me out here on the net with his Windoze box foolin' around,
the NAT is more than he needs. It just makes more sense than having
some FUDware popping up windows telling him what a great idea it was
of him to buy the FUDware, ad nauseam, every 8 seconds when he gets a
call from some kid in his bedroom scanning SubSeven.......
Larry
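
Added example, not part of the original post: a toy Python model of the outbound-mode NAT behaviour argued over in this message. It shows why an unsolicited probe finds no mapping, while return traffic for any inside-initiated connection is passed back without filtering. Only the 192.168.0.2:1027 to 216.168.3.40:119 session comes from the post; the other addresses and ports are constructed, and the strict per-remote matching is an assumption about the router.

```python
# Toy model of outbound-mode NAT (port translation). Added illustration:
# the public/remote addresses are constructed documentation-range values;
# 192.168.0.2:1027 -> 216.168.3.40:119 is the news session from the post.

class OutboundNat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (inside, remote) -> public port
        self.back = {}   # (public port, remote) -> inside

    def outbound(self, inside, remote):
        """Inside host sends to remote: create or reuse a mapping."""
        if (inside, remote) not in self.out:
            self.out[(inside, remote)] = self.next_port
            self.back[(self.next_port, remote)] = inside
            self.next_port += 1
        return (self.public_ip, self.out[(inside, remote)])

    def inbound(self, remote, public_port):
        """WAN-side packet: return the inside endpoint, or None if dropped.
        Assumes the router only accepts replies from the exact remote
        endpoint that the inside host contacted."""
        return self.back.get((public_port, remote))

def demo():
    nat = OutboundNat("203.0.113.10")
    news = ("216.168.3.40", 119)
    scanner = ("198.51.100.7", 31337)
    results = {}
    # 1. Unsolicited probe: no mapping exists, so nothing is forwarded.
    results["probe"] = nat.inbound(scanner, 1027)
    # 2. Newsreader dials out; the server's replies are translated back.
    _, port = nat.outbound(("192.168.0.2", 1027), news)
    results["reply"] = nat.inbound(news, port)
    # 3. A different remote hitting that same public port is still dropped.
    results["third_party"] = nat.inbound(scanner, port)
    # 4. Any inside program that dials out gets a mapping the same way;
    #    the NAT does not ask which program it was or inspect the replies.
    other = ("198.51.100.99", 443)
    _, port2 = nat.outbound(("192.168.0.3", 1857), other)
    results["unvetted_reply"] = nat.inbound(other, port2)
    return results

if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:15} -> {target or 'dropped'}")
```

Case 4 is why a translation table alone says nothing about which outbound sessions should exist; that decision needs egress rules or host-side controls.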