Re: Just want to keep the crap out!!



Rod Engelsman <rod.engelsman@xxxxxxxxx> wrote:
> Volker Birk wrote:
> > DigitalVinyl <DigitalVinyl@xxxxxxxxxxxx> wrote:
> > > Any soho router will provide the majority of protection through
> > > hardware NAT. (various irate counter replies I'm sure will follow)
> > Yes, because NAT is not a security feature, and never was intended for
> > being one.
> But it's a nice side-effect. Really, Volker, aren't you the same guy
> that's constantly harping that all you really need to do is a) turn on
> the Windows firewall and b) turn off all services? NAT (or more properly
> PAT--port address translation) essentially does the same thing.

Unfortunately not. I'd like to see NAT routers which do filtering by
default, too.

Unfortunately, for example for FTP NAT traversal ("stateful FTP NAT"), most
of the NAT implementations are not very secure. And, additionally, most
of them can easily be tricked by spoofing an "internal" IP address as the
sender's address in packets coming from outside. Most of them route these
packets to the inside.

So a filter is a good idea to have additionally, and unfortunately NAT itself
usually does not offer the same protection that not offering services, or at
least filtering services, does (e.g. with the Windows Firewall or another
host-based packet filter).

> Real world: Nobody gives a rat's ass what I have on my computer. Not
> enough to spend any time trying to hack me.

Yes, usually you're right. But this is not the threat I'm talking about:
I'm talking about your box becoming a zombie for spammers or a bot in a
botnet.

Of course, I'm waiting for automated attacks on Internet banking. I cannot
understand why there have been so few attacks until now. Perhaps the
attackers are also not very competent ;-) Years ago I explained a scenario
of how to abuse Internet banking to cause billions in damage and get millions
of money out of it. And nothing has happened until now. Fortunately.

> > Why not some filtering extra?
> You mean outgoing? Content filtering in reverse?

No, I meant filtering packets which are coming from outside and seem to
come from inside because of spoofing.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain.
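The spoofing case Volker describes above (a packet arriving on the outside interface whose source address claims to be an inside host) comes down to a check on the pair (ingress interface, source address). As an added example that is not part of the original post, here is a small Python model of the ingress anti-spoofing rule a NAT router's filter should apply in front of the translation step. The interface names, the LAN prefix and the sample packets are constructed for illustration.

```python
"""Ingress anti-spoofing check for a NAT router's external interface.

Added example, not code from the original thread. Assumes a router whose
LAN side is numbered from an RFC 1918 prefix and whose WAN side faces the
Internet; interface names and prefixes below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology: the LAN behind NAT is 192.168.1.0/24.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]

# Address space that must never appear as a source on the WAN side:
# RFC 1918 private ranges, loopback and link-local (plus the LAN prefix,
# which is already inside 192.168.0.0/16 but is checked explicitly anyway).
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

WAN_IF = "wan0"  # constructed interface name
LAN_IF = "lan0"  # constructed interface name


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    src: str     # source IP address as written in the packet
    dst: str     # destination IP address


def verdict(pkt: Packet) -> str:
    """Return "drop" for a spoofed packet, "accept" otherwise.

    Rule 1: a packet entering on the WAN interface with an internal or
            bogon source claims to come from inside; drop it before NAT
            gets a chance to route it to the LAN.
    Rule 2: a packet entering on the LAN interface with a source outside
            the LAN prefix is an internal host spoofing someone else;
            drop it so the router is not a spoofing launch point.
    Anything on an unknown interface fails closed.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_if == WAN_IF:
        if any(src in net for net in BOGON_SOURCES + INTERNAL_PREFIXES):
            return "drop"
        return "accept"
    if pkt.in_if == LAN_IF:
        if not any(src in net for net in INTERNAL_PREFIXES):
            return "drop"
        return "accept"
    return "drop"


def filter_packets(pkts):
    """Apply verdict() to a sequence of packets, returning (packet, verdict) pairs."""
    return [(p, verdict(p)) for p in pkts]


if __name__ == "__main__":
    # Constructed sample packets covering the normal and the spoofed cases.
    samples = [
        Packet("wan0", "203.0.113.7", "198.51.100.2"),   # ordinary Internet traffic
        Packet("wan0", "192.168.1.10", "192.168.1.20"),  # outside packet claiming a LAN source
        Packet("wan0", "10.1.2.3", "192.168.1.20"),      # outside packet with an RFC 1918 source
        Packet("lan0", "192.168.1.10", "203.0.113.7"),   # legitimate outbound traffic
        Packet("lan0", "203.0.113.9", "203.0.113.7"),    # internal host spoofing an outside source
    ]
    for p, v in filter_packets(samples):
        print(f"{p.in_if} {p.src} -> {p.dst}: {v}")
```

On a Linux router the first rule is the usual iptables form `iptables -A INPUT -i wan0 -s 192.168.1.0/24 -j DROP` (with a matching rule in the FORWARD chain); the point of the model is that the decision keys on the ingress interface together with the source address, which the translation step of NAT does not enforce by itself.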


