Re: Stateful packet inspection for home users

From: Leythos (void_at_nowhere.com)
Date: 09/08/03


Date: Mon, 08 Sep 2003 14:29:16 GMT

In article <Xns93F05C0CE9551notmenotmecom@63.240.76.16>, notme@notme.com
says...
> Leythos <void@nowhere.com> wrote in
> news:MPG.19c63f26b74d0f85989c1a@news-server.columbus.rr.com:
>
> > In article <Xns93EFE8C1451E4notmenotmecom@204.127.199.17>,
> > notme@notme.com says...
> >> For the most part, a NAT router without SPI will stop most casual
> >> attacks from unsolicited inbound traffic. But for a more determined
> >> attack that has come past my Linksys BEFW11S4 NAT router aimed at
> >> SQL Server on my machines, the router was useless, as the attacks
> >> came through the router like a hot knife through butter on the wired
> >> and wireless sides of the router. The statefulness and the IDS/FW of
> >> BlackIce stopped the attacks.
> >
> > Duane - something else was wrong. I've had the BEFSR41 since the day
> > they hit the market (currently using a Watch Guard Firebox) and was
> > using it when the Slammer worm hit. Not one packet made it in to my
> > network and the BEFSR41 doesn't have SPI.
> >
> > If you were getting inbound to the LAN on 1434 then you had it open or
> > someone had control of your router.
> >
> > Maybe you confused the inbound 1434 being blocked and the DNS
> > resolution of Wall Watcher with it being internal?
> >
> >
>
> Leythos -- this happened well after the Slammer thing and Wallwatcher had
> been in use for a few months. I have SQL Server running on the desktop
> and VB.NET with its Framework with some SQL components installed on the
> laptop. Both machines took the hits and on different days.
>
> I have not had the hits again, although the two IP(s) are constantly in
> the router logs being Intrusion alerted on by Wallwatcher. BlackIce as an
> IDS application may get some false positives at times for a machine
> connected directly to the Internet, but BI is not going to RED alert for
> no reason sitting behind a router. I have not heard from the two IP(s)
> again as I have set rules in BI to reject those two IP(s) on all ports.
>
> Then after the two incidents, I started reading up on NAT and found
> several articles on NAT security, the one below was one of them. I also
> started reading on SPI too and what it does.
>
> http://www.atltelecom.com/support/trans/abr/nat.htm
>
> My conclusion is that a simple NAT router can be defeated by a determined
> attacker. It's kind of hard to mis-configure a Linksys router.
>
> However, I will say nothing is impossible from a mis-configuration
> standpoint. I used to have a bad habit of just leaving the machines logged on
> and letting them time out. I don't do that anymore.

Duane - I would hazard a guess that it was NOT the router that let them
in, but possibly an unpatched .Net framework or other service that you
were forwarding inbound - unless you left 1434 open.

I've installed many NAT routers, not just the Linksys, and I feel 120%
safe in stating that uninvited inbound is not possible without port
forwarding of some type.

The article you mention only states:
Security
NAT rules explicitly define the access permissions available for devices
on the network. This will prevent casual and accidental access
violations and will help to improve the security of the network. It will
not withstand a deliberate attack however and is not intended for use as
a firewall.

As all of us have said, NAT is not a firewall, it can be built into
firewalls.

With this in mind, I can see no valid method for a packet, esp. the
slammer worm, to get into the LAN side of your network unless you
exposed your network using port forwarding. It could be that you read
something wrong or that you had a machine listed in the DMZ, or that you
put a bogus IP for the DMZ address. If it was a DMZ IP that it got into
then yes, it did make it in, but NAT had nothing to do with it - the
Linksys routers will forward ALL INBOUND traffic not declared in a
specific port forward to the DMZ IP.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
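To make the thread's argument concrete, here is a small Python model of the inbound decision a consumer NAT router makes; it is an added example, not code from the thread or from Linksys, and it also includes the SPI-versus-plain-NAT distinction discussed earlier in the thread. The addresses, the port-forward and DMZ behaviour, and the shape of the translation table are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_port: int   # port on the router's WAN address that the packet arrived at

@dataclass
class NatRouter:
    """Toy model of a consumer NAT router's inbound decision (constructed, not Linksys firmware)."""
    wan_ip: str
    stateful: bool = False   # SPI: a reply must also come from the endpoint the LAN host talked to
    dmz_host: str = ""       # DMZ host receives every inbound packet that nothing else matches
    port_forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    translations: dict = field(default_factory=dict)   # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port, wan_port):
        # A LAN host initiates traffic; the router records a mapping so the reply can come back.
        self.translations[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)

    def inbound(self, pkt: Packet) -> str:
        # Decide the fate of a packet arriving on the WAN interface.
        key = (pkt.proto, pkt.dst_port)
        if key in self.translations:
            lan_ip, lan_port, remote_ip, remote_port = self.translations[key]
            # Plain NAT only checks the translated port; SPI also checks who the packet is from.
            if not self.stateful or (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return f"deliver to {lan_ip}:{lan_port}"
            return "drop"
        if key in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[key]
            return f"deliver to {lan_ip}:{lan_port}"
        if self.dmz_host:    # the behaviour the post attributes to Linksys routers
            return f"deliver to {self.dmz_host}:{pkt.dst_port}"
        return "drop"        # no translation exists, so there is no LAN address to send it to

# Constructed sample: a Slammer-style probe to UDP/1434 arriving at the WAN address.
PROBE = Packet("udp", "198.51.100.7", 40000, 1434)

def demo():
    # The same probe against five configurations; returns the five decisions in order.
    quiet = NatRouter("203.0.113.1")
    dmz = NatRouter("203.0.113.1", dmz_host="192.168.1.10")
    fwd = NatRouter("203.0.113.1", port_forwards={("udp", 1434): ("192.168.1.20", 1434)})
    active, spi = NatRouter("203.0.113.1"), NatRouter("203.0.113.1", stateful=True)
    for r in (active, spi):   # a LAN host recently sent UDP out from port 1434 via WAN port 1434
        r.outbound("udp", "192.168.1.30", 1434, "192.0.2.9", 1434, 1434)
    return tuple(r.inbound(PROBE) for r in (quiet, dmz, fwd, active, spi))
```

Only the DMZ host, an explicit port forward, or a plain (non-SPI) translation left by a LAN host that itself used port 1434 lets the probe through; the idle router with no forwards has nowhere to send it and drops it.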