Re: LinkSys BEFSX41 Questions

From: David (davidwnh_at_adelphia.net)
Date: 05/08/03


Date: Thu, 08 May 2003 03:24:02 GMT

One of the big problems with how NAT is implemented on many of these routers
is that it does not check TCP flags. So someone could start a new secondary
session by matching the necessary information from the primary session's NAT
entry. By adding SPI you can effectively stop some of this because it looks
for and drops packets with the SYN flag set. You can still be left with
holes because the router isn't dropping SYN packets on ports used with NAT
translators for specific protocols.

> In addition to this, I have read
> articles and have witnessed NAT on my network not provide adequate
> protection.
> NAT can stop the casual attack, but it cannot stop a deliberate attack on
> the router and I have seen probes come past the NAT router. I don't think
> that would be so if the NAT router had SPI, but that is based on how good
> the manufacturer of the router is at programming the SPI program.
>

The problem is with the port assignment. Many of the cable/DSL routers have
NAT translators written for H.323, so NAT is not ultimately the issue. But it
would be too much of a performance hit on the router if it had to check
every single UDP packet going to the high ports to see if it was related to
an open H.323 session as opposed to some other session. Not something you
would expect a cheap device to do well, particularly with high-bandwidth video
streams.

So you can port forward the entire range of high ports for UDP, look at the
specific high port assignment each time you run NetMeeting and only port
forward that port, use ICF with WinXP to dynamically port forward via UPnP,
buy a UPnP router (which to this point either doesn't work right or forgets to
close down dynamically assigned ports when you are done with them), or buy
one of the more expensive H.323 proxying devices.

> > The H.323 dynamic port assignment thingy happens to the inbound side.
> > See the "Note" at the bottom of ...
>
> I still think it's based on the dynamic use of the high ports by H.323 of
> outbound/inbound. If the computer has initiated the outbound and is
> looking for inbound based on the initiated outbound, the router and the
> firewall should let in the inbound traffic to the machine. I don't think
> there needs to be port forwarding in that case, but I could be wrong.
>
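
The points made in this post (a NAT entry that is matched on addresses and ports alone lets a fresh SYN from the peer ride in on an existing translation, SPI closes that by dropping inbound SYNs, and a forwarded UDP range stays open because UDP has no flags to inspect) can be illustrated with a small simulator. This is an added example, not code from the poster or from any Linksys firmware; the addresses, port numbers, the forwarded UDP range and the one-rule SPI check (drop an inbound bare SYN even when it matches a translation) are all constructed simplifications of what a real router does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP datagram, reduced to the fields a NAT/SPI box looks at."""
    proto: str           # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False    # TCP flags; always False for UDP, which has none
    ack: bool = False


@dataclass
class Translation:
    """A dynamic NAT entry created by an outbound packet."""
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    public_port: int


class NatRouter:
    PUBLIC_IP = "203.0.113.10"   # constructed WAN address (RFC 5737 range)

    def __init__(self, spi: bool):
        self.spi = spi
        self.table = {}             # (proto, public_port) -> Translation
        self.static_forwards = []   # (proto, low_port, high_port, inside_ip)
        self.next_port = 40000      # constructed starting public port

    def outbound(self, pkt: Packet) -> Translation:
        """LAN -> WAN: reuse or create the translation for this 5-tuple."""
        for t in self.table.values():
            if (t.proto, t.inside_ip, t.inside_port, t.outside_ip, t.outside_port) == \
                    (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                return t
        t = Translation(pkt.proto, pkt.src_ip, pkt.src_port,
                        pkt.dst_ip, pkt.dst_port, self.next_port)
        self.table[(pkt.proto, self.next_port)] = t
        self.next_port += 1
        return t

    def forward_udp_range(self, inside_ip: str, low: int, high: int) -> None:
        """Static forward of a whole UDP port range (the 'forward all the
        high ports' workaround mentioned in the post)."""
        self.static_forwards.append(("udp", low, high, inside_ip))

    def inbound(self, pkt: Packet) -> str:
        """WAN -> LAN. Returns 'forwarded:<ip>:<port>' or 'dropped:<reason>'."""
        for proto, low, high, inside_ip in self.static_forwards:
            if proto == pkt.proto and low <= pkt.dst_port <= high:
                # Static forwards are flag-blind: UDP carries no SYN to inspect.
                return f"forwarded:{inside_ip}:{pkt.dst_port}"
        t = self.table.get((pkt.proto, pkt.dst_port))
        if t is None:
            return "dropped:no-translation"
        # Plain NAT only checks that the packet matches the entry's peer.
        if (pkt.src_ip, pkt.src_port) != (t.outside_ip, t.outside_port):
            return "dropped:peer-mismatch"
        # SPI (simplified): an inbound bare SYN is a new session, not a reply.
        if self.spi and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return "dropped:spi-new-session"
        return f"forwarded:{t.inside_ip}:{t.inside_port}"


def demo() -> dict:
    """Run the same four inbound packets through a NAT-only and an SPI router."""
    # Constructed LAN host, call peer and unrelated outside host.
    lan_host, peer, stranger = "192.168.1.20", "198.51.100.7", "198.51.100.99"
    results = {}
    for name, spi in (("nat", False), ("spi", True)):
        r = NatRouter(spi=spi)
        r.forward_udp_range(lan_host, 50000, 50100)   # constructed "high port" range
        # Primary session: LAN host opens an H.323 call-setup connection outward.
        t = r.outbound(Packet("tcp", lan_host, 51000, peer, 1720, syn=True))
        probes = {
            # The peer's SYN+ACK reply belongs to the primary session.
            "legit_reply": Packet("tcp", peer, 1720, r.PUBLIC_IP, t.public_port, syn=True, ack=True),
            # A fresh SYN from the same peer tuple: the "secondary session" of the post.
            "secondary_syn": Packet("tcp", peer, 1720, r.PUBLIC_IP, t.public_port, syn=True),
            # Same mapped port, but from a host the entry was never created for.
            "stranger": Packet("tcp", stranger, 1720, r.PUBLIC_IP, t.public_port, syn=True),
            # UDP into the statically forwarded range: no flags for SPI to act on.
            "udp_probe": Packet("udp", stranger, 6000, r.PUBLIC_IP, 50010),
        }
        results[name] = {k: r.inbound(p) for k, p in probes.items()}
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        for probe, verdict in outcome.items():
            print(f"{mode:3} {probe:14} {verdict}")
```

Running it shows the two modes differing on exactly one packet: the NAT-only router forwards the secondary SYN to the LAN host because it matches the translation, while the SPI router drops it. Both forward the legitimate SYN+ACK, both drop the stranger on peer mismatch, and both forward the UDP probe into the statically forwarded range, which is the residual hole the post describes for protocol-specific translators.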
