Re: Port Filtering - Got it & Follow-up

From: David (davidwnh@adelphia.net)
Date: 03/14/03

Sounds good Jim. The key is that basic NAT built into a c/d router will stop
a vast majority of attacks simply because someone needs an established
session for there to be a public to private address mapping. A lot of that
goes out the window when you open a service to the internet or put a
computer into the c/d router's DMZ because you are allowing unsolicited
sessions to be set up. Many of these NAT routers' weakness is that they do
no port filtering within established sessions, so individual sessions can be
used to work one's way to other ports, hence services, which you would
normally assume to be blocked. Much of this can be avoided if the router
implements SPI. Since your router does have port filters however, what you
need to do is make sure you are setting them up so that they enhance what
security is already there without punching other holes in it. By using port
forwarding as opposed to a DMZ you are only initially opening up the service
ports that you want to for unsolicited connections and the rest of your
connections to that server are still under the inherent protection that NAT
provides. You can add additional packet filters to keep someone from using
their initial session to get at other service ports, but if you start using
filters to open port access you can severely hinder what the router is
already providing if you are in the router's DMZ particularly if these
filters are not there to restrict what IP addresses are allowed in. If your
router has SPI it will prevent someone from going after another service
within the context of an ongoing session because SYN packets are blocked
within the context of an established connection.
So if you port forward to the web server as opposed to using the DMZ your
rules used to open access for your own client applications won't leave such
gaping holes, the rule to block high ports is a bit less necessary, and if
the c/d router has SPI it is almost totally unnecessary in the first place.
You need to keep in mind that the DMZ of a NAT router is very different from
the DMZ of a multi-homed firewall. On a cable/dsl router you generally want
to use port forwarding for services using static ports and leave the DMZ
for applications which use dynamically allocated secondary ports (or
honeypots).

I don't blame you for being vague about what you are using but I needed to
know if you had a NAT device and/or SPI and/or are using a router's DMZ as
opposed to port forwarding because the way you want to set up port filters
relies heavily on these factors. In any case I think you see why some people
set up webservers as standalone servers and don't use them for anything else
that isn't totally necessary.

> Thanks for the input. Yes, it is a DSL router with packet filtering, sorry
> for being vague. I don't know if it is stateful or if I can filter on
> session status, but it supports NAT so I will look into it. Incoming UDP is
> shut down to the whole machine, and after considering the alternatives I
> have decided to not allow any other open ports (besides 80) since browsing
> is not a necessity and security is more important. Maybe when I get a little
> more time I will look into port forwarding or some kind of state filtering
> as you suggest.
>
> Thanks again,
>
> james
>
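
As an added illustration of the points above (example code written for this page, not from David or any router vendor), here is a toy Python model of a cable/DSL NAT router with port forwarding, a DMZ host and an SPI switch. Every address, port and packet in it is constructed; the web server's private address 192.168.1.10 and the outside host 203.0.113.5 are assumptions.

```python
# Added example (not from the original post): a toy model of the
# cable/DSL router behaviours described above. Hosts, ports and
# packets are constructed for illustration only.
WEB = "192.168.1.10"   # assumed private address of the web server


class ToyNatRouter:
    """NAT with optional port forwarding, DMZ host and stateful inspection."""

    def __init__(self, forwards=None, dmz_host=None, spi=False):
        self.forwards = forwards or {}   # public port -> (inside host, port)
        self.dmz_host = dmz_host         # host that gets all other unsolicited traffic
        self.spi = spi                   # drop SYNs that ride on an existing session
        self.table = {}                  # public port -> (inside host, port, remote ip)
        self.next_public = 40000

    def outbound(self, in_host, in_port, remote_ip):
        """Inside host starts a session; NAT allocates a public port for it."""
        pub = self.next_public
        self.next_public += 1
        self.table[pub] = (in_host, in_port, remote_ip)
        return pub

    def inbound(self, src_ip, dst_port, syn):
        """Return (host, port) the packet is delivered to, or None if dropped."""
        if dst_port in self.table:                  # reply to an inside-initiated session
            in_host, in_port, remote_ip = self.table[dst_port]
            if src_ip != remote_ip:
                return None                         # not the session peer
            if syn and self.spi:
                return None                         # SPI: no new connection inside a session
            return (in_host, in_port)               # no SPI: the SYN rides the mapping
        if not syn:
            return None                             # stray non-SYN with no mapping
        if dst_port in self.forwards:               # explicitly opened service only
            return self.forwards[dst_port]
        if self.dmz_host:                           # DMZ host catches every other port
            return (self.dmz_host, dst_port)
        return None                                 # plain NAT: unsolicited, dropped


def unsolicited(router, dst_port):
    """Where does an unsolicited SYN from an outside host land?"""
    return router.inbound("203.0.113.5", dst_port, syn=True)


def session_ride(spi):
    """Outside peer of an open session tries to open a new connection back."""
    r = ToyNatRouter(spi=spi)
    pub = r.outbound(WEB, 50123, "203.0.113.5")    # web server made an outbound request
    return r.inbound("203.0.113.5", pub, syn=True)
```

Running `unsolicited` against a DMZ router versus a port-forwarding router shows why the DMZ exposes every port of the server while forwarding exposes only port 80, and `session_ride` shows the SYN-in-session case that only the SPI variant drops.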
