Re: Just want to keep the crap out!!

From: Rod Engelsman <rod.engelsman@xxxxxxxxx>
Date: Sat, 25 Mar 2006 15:40:03 -0600

Volker Birk wrote:

DigitalVinyl <DigitalVinyl@xxxxxxxxxxxx> wrote:

Any soho router will provide the majority of protection through
hardware NAT. (various irate counter replies I'm sure will follow)

Yes, because NAT is not a security feature, and never was intended for
being one.

But it's a nice side-effect. Really, Volker, aren't you the same guy
that's constantly harping that all you really need to do is a) turn on
the Windows firewall and b) turn off all services? NAT (or more properly
PAT--port address translation) essentially does the same thing. At any
given time the only open paths through the router will be a couple of
high-numbered ports that don't connect to any services. At worst,
someone could monitor your traffic and send garbage to your browser or
whatever. They could never send anything to really dangerous ports
because they won't be open through the router.

While NAT attacks theoretically exist, nobody is targetting your
device so focusedly to exploit these concepts

Do you really know every attacker in the Internet, every programmer
of automated attacks?

Real world: Nobody gives a rat's ass what I have on my computer. Not
enough to spend any time trying to hack me. Even identity theft is
normally a bulk job by hacking websites that store personal info. The
value of home computers to hackers is in creating botnets to set up DDOS
attacks and such. This is accomplished when you unwittingly install crap
on your own machine by opening email attachments promising naked
pictures of Britney Spears.

This proves out in the real world. Professional firewalls will be
better but any outgoing NAT really protects you from scans and general
exploit attempts, msmessnger service pop ups(port 1024-1029), etc.

Why not some filtering extra?

You mean outgoing? Content filtering in reverse?

--

Rod
.

Follow-Ups:
- Re: Just want to keep the crap out!!
  - From: Volker Birk
- Re: Just want to keep the crap out!!
  - From: Sebastian Gottschalk

References:
- Just want to keep the crap out!!
  - From: dawg
- Re: Just want to keep the crap out!!
  - From: DigitalVinyl
- Re: Just want to keep the crap out!!
  - From: Volker Birk

Prev by Date: Re: Cannot get Cerverus ftp server to work
Next by Date: Re: Vulnerability and Penetration Testing?
Previous by thread: Re: Just want to keep the crap out!!
Next by thread: Re: Just want to keep the crap out!!
Index(es):
- Date
- Thread

Relevant Pages

Re: Port scans through NAT router?
... Volker Birk wrote: ... would one go about forwarding unsolicited traffic to a privately addressed host across a NAT? ... NAT router. ...
(comp.security.firewalls)
Re: Would a firewall prevent Sasser worm?
... >> the same level of protection that I would have with any NAT router? ... >There are a variety of known attacks which can crash routers, ... >Firewall capability allows you to modify the NAT behaviour to allow selected ...
(comp.security.misc)
Re: Would a firewall prevent Sasser worm?
... >> the same level of protection that I would have with any NAT router? ... >There are a variety of known attacks which can crash routers, ... >Firewall capability allows you to modify the NAT behaviour to allow selected ...
(comp.security.firewalls)
Re: Would a firewall prevent Sasser worm?
... >> the same level of protection that I would have with any NAT router? ... >There are a variety of known attacks which can crash routers, ... >Firewall capability allows you to modify the NAT behaviour to allow selected ...
(alt.computer.security)
RE: Nortel Contivity 2600
... For the 'why NAT and IPSec don't play nice together' question, ... Before deciding where to connect the VPN device (firewall, inline IPS, ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping ...
(Pen-Test)