Re: Just want to keep the crap out!!



Rod Engelsman wrote:

I guess we should distinguish between the concept of NAT and particular
implementations. Anything can be broken.

It looks to me like the simpler (read: cheaper) the NAT device the better.

Actually this is true to some point. The very-low-cost cheap
implementations don't have any connection tracking modules or only a
pretty stupid one. But most low- and mid-cost consumer products are
trimmed for easiness of usage and therefore contain a lot of such
heuristics.

That's what a lot of customers do. "Something doesn't work? Try putting
your computer in the DMZ"

That's scary.

No, I've read such stupid advice way too often.

But even here we're talking about a dozen or so ports
out of 64000. The odds are about 5000:1 against you accidentally having
one of those open for a short time.

For 1025-1030 the odds are much more like 1:3.

I think you miss my point. The router is going to re-write the source
port on the outgoing packets.

Only if necessary!

The only unsolicited traffic that should be able to get through, even a
cheap NAT, is to ports corresponding to existing translations.

Put in some stupid heuristics and see how it breaks. F.e. most
implementations will forward TCP-based DNS replies from any server if a
DNS request appeared recently.

I mean, I could claim that wearing a seat belt makes you safer. You
could reply with, "What if the seat belt is damaged? What if it isn't
designed properly?" So you keep moving the goalposts, redefining the
argument.

Seatbelts usually aren't damaged. But common NAT implementations...

The only thing I'm claiming is that a NAT router is an improvement to
your security. SPI is much better. Content filtering and analysis is
better still. But better means more expensive. And more expensive means
fewer people will be willing to invest in that level of security.

A good host-based packet filter is free of costs. Try Wipfw. If you like
to create a discussion about good defaults for clueless homeusers, a set
of scripts and maybe a nice GUI, this could actually turn into a serious
alternative to all those bullshit personal network discos.

I'm not going to spend $1000 to protect the $400 Dell box I use to surf the
web; it's just not happening.

I'm not going to pay anything for protecting a simple home user's
computer. A router is only needed if two or more have to share the same
line.

All I'm claiming is that a cheap NAT router that you buy at Walmart to share an
Internet connection is better than directly connecting a Windows box to
the modem. That's all. Not perfect, just better.

Better, but not much, and definitely not worth the money.

And in the real world, with the real threats that home computer users
face, that's all you really need. It's highly unlikely that anyone is
going to invest the time and trouble to orchestrate a man-in-the-middle
attack to hack my box.

Sure, that's why you're usually putting exploits in an advertisement
propagated through DoubleClick or the like to a lot of usually harmless
websites. Why not pay $1000 to target 10s or millions of computers? :-D

I don't have any real valuable assets to steal,
I'm not a government agent, I'm not a high-level corporate executive,
and with my credit rating you wouldn't even get much out of identity theft.

You have bandwidth, calculation power and storage space. And especially
you're usually clueless about your system.
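
The disagreement above about which inbound packets a NAT forwards can be modelled in a few lines. This is an added example, not part of the original post and not any vendor's implementation; the `Nat` class, the `strict` flag and the documentation-range addresses are all constructed for illustration.

```python
# Toy NAT model (added illustration). "strict" forwards an inbound packet only
# when it comes from the remote endpoint the translation was created for;
# the loose mode forwards anything that hits a port with an existing
# translation, like the connection-tracking heuristics discussed in the thread.
from dataclasses import dataclass, field


@dataclass
class Nat:
    strict: bool
    # external port -> (internal host, internal port, remote endpoint)
    table: dict = field(default_factory=dict)

    def outbound(self, int_host, int_port, remote):
        """Create a translation, keeping the source port unless it is taken."""
        ext_port = int_port
        while (ext_port in self.table
               and self.table[ext_port][:2] != (int_host, int_port)):
            ext_port += 1  # rewrite only if necessary (no wraparound handling)
        self.table[ext_port] = (int_host, int_port, remote)
        return ext_port

    def inbound(self, ext_port, remote):
        """Return the internal (host, port) the packet reaches, or None."""
        entry = self.table.get(ext_port)
        if entry is None:
            return None  # no translation: dropped in both modes
        int_host, int_port, expected = entry
        if self.strict and remote != expected:
            return None  # translation exists, but for a different remote
        return (int_host, int_port)


def demo():
    resolver = ("192.0.2.53", 53)      # constructed sample addresses
    stranger = ("198.51.100.7", 53)
    results = {}
    for name, strict in (("strict", True), ("loose", False)):
        nat = Nat(strict)
        port = nat.outbound("10.0.0.2", 1026, resolver)
        results[name] = (port,
                         nat.inbound(port, resolver),   # the real reply
                         nat.inbound(port, stranger),   # unrelated sender
                         nat.inbound(1030, stranger))   # no translation
    return results


if __name__ == "__main__":
    print(demo())
```

Because the source port is preserved when free, a client using local port 1026 ends up with external port 1026 mapped as well, which is the case behind the "Only if necessary!" reply.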