Re: Just want to keep the crap out!!
- From: Rod Engelsman <rod.engelsman@xxxxxxxxx>
- Date: Sat, 25 Mar 2006 22:49:58 -0600
Sebastian Gottschalk wrote:
> Rod Engelsman wrote:
>> Volker Birk wrote:
>>> DigitalVinyl <DigitalVinyl@xxxxxxxxxxxx> wrote:
>>>> Any soho router will provide the majority of protection through
>>>> hardware NAT. (various irate counter replies I'm sure will follow)
>>> Yes, because NAT is not a security feature, and never was intended for
>>> being one.
>> But it's a nice side-effect.
> It *can be* a side-effect, not necessarily reliable. Too many defective
> implementations out there, and actually a full-forwarding 1:1 NAT is not
> even a defect.
What would count as an unreliable implementation? Holding the return port open too long? Even if it did, your computer wouldn't be listening anymore after the FIN. And that's on a high random port out of range of any listening services. The only thing a dead-stock XP machine is going to be listening on is the Windows networking; what is it? 136-139 and 445? PAT/NAT always sets the return port above 1023.
And a full-forwarding 1:1 NAT may not be a defect, but you would have to deliberately configure a consumer device for that and it would take more than just checking the wrong box in the web GUI. It won't come out of the box that way; it would be a deliberate act of stupidity. It's hard to think of a good reason to do that.
>> At any given time the only open paths through the router will be a couple of
>> high-numbered ports that don't connect to any services.
> Like RPC on 1025-1030? 1433, 1434? 5000? So far nothing has been on 3124 and
> 4500.
You *might* have some vulnerability on those ports, depending on what you have running. But even here we're talking about a dozen or so ports out of 64000. The odds are about 5000:1 against you accidentally having one of those open for a short time.
>> Real world: Nobody gives a rat's ass what I have on my computer.
>> Not enough to spend any time trying to hack me.
> That's why exploits are automated and target a broad mass of
> potential targets.
And the potential targets are people with brand shiny new Dells plugged directly into a DSL modem. Or even worse, some poor schmuck running Win98. And IE and OE. Generally, the clueless herd.
The best thing most folks do to increase their security is buy a second machine and be forced to get a Linksys or D-Link to share the connection.
>> The value of home computers to hackers is in creating botnets to set up DDOS
>> attacks and such. This is accomplished when you unwittingly install crap
>> on your own machine by opening email attachments promising naked
>> pictures of Britney Spears.
> Or surfing the web with IE. Recently my Unpatched counter hit 50 and
> has never been 0 since 1998...
I keep mine patched. But that's about all I ever use IE for.
--
Rod
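The distinction the two posters are arguing over (a 1:1 full-forwarding NAT versus the usual port-translating PAT, and how loosely a given PAT filters unsolicited inbound packets) can be modelled in a few dozen lines. The following is an added example written for this page, not code posted by anyone in the thread. The addresses are made up from the documentation ranges, and the ephemeral-port start of 1024 and the 300-second idle timeout are assumptions standing in for whatever a real device does. It goes one step beyond the posts by also modelling endpoint-independent ("full cone") filtering, which is the kind of implementation that makes the NAT side-effect unreliable: while a mapping is alive, any remote host, not just the server the inside machine talked to, can reach the inside port behind it.

```python
"""Toy model of three NAT/PAT behaviours and what each does with inbound
packets. Constructed example: hosts, ports and timings are invented."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatMode(Enum):
    STATIC_1TO1 = "1:1 full-forwarding NAT"            # every port reaches the inside host
    FULL_CONE = "PAT, endpoint-independent filtering"   # any remote may use a live mapping
    PORT_RESTRICTED = "PAT, endpoint-dependent filtering"  # only peers the host sent to


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Mapping:
    inside: Endpoint
    public_port: int
    peers: Set[Endpoint] = field(default_factory=set)  # remotes the inside host sent to
    last_seen: float = 0.0


class Nat:
    def __init__(self, mode: NatMode, public_ip: str, inside_ip: str,
                 idle_timeout: float = 300.0) -> None:
        self.mode, self.public_ip, self.inside_ip = mode, public_ip, inside_ip
        self.idle_timeout = idle_timeout            # assumption: 5 minute idle expiry
        self.by_inside: Dict[Endpoint, Mapping] = {}
        self.by_public_port: Dict[int, Mapping] = {}
        self.next_port = 1024                       # assumption: public ports start above 1023

    def _expire(self, now: float) -> None:
        """Drop mappings that have been idle longer than the timeout."""
        for m in list(self.by_public_port.values()):
            if now - m.last_seen > self.idle_timeout:
                del self.by_public_port[m.public_port]
                del self.by_inside[m.inside]

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Translate an inside->outside packet, creating or refreshing state."""
        self._expire(now)
        if self.mode is NatMode.STATIC_1TO1:
            return Packet((self.public_ip, pkt.src[1]), pkt.dst)  # only the address changes
        m = self.by_inside.get(pkt.src)
        if m is None:
            m = Mapping(inside=pkt.src, public_port=self.next_port)
            self.next_port += 1
            self.by_inside[pkt.src] = m
            self.by_public_port[m.public_port] = m
        m.peers.add(pkt.dst)
        m.last_seen = now
        return Packet((self.public_ip, m.public_port), pkt.dst)

    def inbound(self, pkt: Packet, now: float) -> Optional[Endpoint]:
        """Return the inside endpoint an outside->public packet reaches, or None if dropped."""
        if self.mode is NatMode.STATIC_1TO1:
            return (self.inside_ip, pkt.dst[1])      # 445, 139, anything: straight through
        self._expire(now)
        m = self.by_public_port.get(pkt.dst[1])
        if m is None:
            return None                              # no state for that port: dropped
        if self.mode is NatMode.PORT_RESTRICTED and pkt.src not in m.peers:
            return None                              # live mapping, but wrong peer: dropped
        m.last_seen = now                            # any accepted packet keeps it alive
        return m.inside


def run_scenario(mode: NatMode) -> Dict[str, Optional[Endpoint]]:
    """One inside host browses one web server, then a scanner probes the public IP."""
    nat = Nat(mode, public_ip="203.0.113.1", inside_ip="192.168.1.10")
    web = ("198.51.100.80", 80)
    scanner = ("198.51.100.66", 6666)
    out = nat.outbound(Packet(("192.168.1.10", 3124), web), now=0.0)
    mapped = out.src                                 # (public_ip, translated port)
    return {
        "public_mapping": mapped,
        "reply_from_server": nat.inbound(Packet(web, mapped), now=1.0),
        "scanner_hits_mapped_port": nat.inbound(Packet(scanner, mapped), now=2.0),
        "scanner_hits_port_445": nat.inbound(Packet(scanner, (nat.public_ip, 445)), now=3.0),
        "server_after_idle_timeout": nat.inbound(Packet(web, mapped), now=1000.0),
    }


if __name__ == "__main__":
    for mode in NatMode:
        print(mode.value)
        for name, dest in run_scenario(mode).items():
            print(f"  {name:26s} -> {dest if dest else 'dropped'}")
```

Running it prints one table per mode. The 1:1 NAT forwards the probe to port 445 and keeps forwarding to 3124 long after the browser is done; both PAT variants drop the 445 probe and drop everything once the mapping has expired; only the endpoint-dependent variant drops the scanner's packet to the mapped port while the mapping is still live. Which of the two PAT behaviours a real device implements can be checked from outside with a STUN client or by probing the mapped port from a second host.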