Re: Would a firewall prevent Sasser worm?
From: David W.E. Roberts (nospam_at_talk21.com)
Date: 05/07/04
- Previous message: David W.E. Roberts: "Re: Would a firewall prevent Sasser worm?"
- In reply to: John Brock: "Re: Would a firewall prevent Sasser worm?"
- Next in thread: John Brock: "Re: Would a firewall prevent Sasser worm?"
- Reply: John Brock: "Re: Would a firewall prevent Sasser worm?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 7 May 2004 10:09:12 +0100
"John Brock" <jbrock@panix.com> wrote in message
news:c7dsoq$5u9$1@panix1.panix.com...
> In article <c7b546$1qgaa$1@ID-122774.news.uni-berlin.de>,
> David W.E. Roberts <nospam@talk21.com> wrote:
>
> >NAT by itself doesn't do much for you - because safety depends on who is on
> >your side of the router.
> >
> >In a SOHO environment then NAT is pretty damn good - because you know all
> >the people behind the NAT router and you don't expect them to hack you
> >(although one PC with a worm behind your NAT router can gut all the other
> >local PCs). Safest is one PC behind a NAT router - nobody else to compromise
> >you.
>
> At home I connect two PCs to the Internet through a Linksys BEFSX41,
> which has a built in "Stateful Packet Inspection firewall". In
> terms of security from external attacks what advantages (if any)
> does this have over a vanilla NAT router, like the BEFSR41? (Note
> that I am the only user of the two PCs).
>
> Also, if I were to turn off the BEFSX41 firewall would I still have
> the same level of protection that I would have with any NAT router?
AFAIK the SPI bit gives you additional protection against Denial of Service
[DoS] attacks designed to confuse your router by sending malformed packets
or packets with e.g. only the first half fragment of a two part packet.
These can cause the router to fill up the incoming buffers waiting for the
second half of the packet, and crash the router.
SPI looks at the incoming packets, and those queued in the router, and
decides if they are causing problems and need to be thrown away.
There are a variety of known attacks which can crash routers, and SPI
provides at least some protection against these.
So you have more protection than just NAT.
Having said that, DoS attacks require a significant amount of resource
(usually several machines acting in concert) and so are usually aimed at
high profile targets.
It is unlikely that a 'hacker' would launch a DoS attack at any (or every)
unprotected PC on an ISP.
The more likely attack on a 'vanilla' PC on an ISP is port scanning,
followed by an attempt to use one of the many well known exploits against
specific ports where they are found to be open.
This is easy to automate, and can be left running long term with a low
profile.
A bit like walking down a street full of cars and gently trying each door
handle until you find one that is unlocked. Or looking through each car
window until you see one with the keys in the ignition.
So NAT is the major protection but in a pretty dumb way - whatever the
question the answer is NO!
SPI gives you more protection and is a good thing, but people (IMHO) can
live without it.
Firewall capability allows you to modify the NAT behaviour to allow selected
incoming calls to selected destinations, which is good for online gamers,
and people running their own web and mail servers.
Full firewalls allow you to do all sorts of cool things but tend to cost
uncool amounts of money and require a higher spec. router.
HTH
Dave R
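The two behaviours the post describes, the "whatever the question the answer is NO" stance of a NAT/stateful table toward unsolicited inbound traffic (with a hole punched for a forwarded port), and an SPI-style bound on half-datagrams waiting for their second fragment, can be shown in a small simulation. This is an added toy example, not firmware or code from any Linksys product or from the thread; the packet fields, the `StatefulFilter` class, its port-forward table, and the 30-second fragment timeout and four-slot reassembly queue are all constructed values chosen for illustration, and address translation itself is left out so the state table stays readable.

```python
"""Toy stateful packet filter (added example, not a real router's code).

Constructed simulation of two ideas from the discussion above:
 - a flow-state table that only admits inbound packets answering a flow an
   inside host opened, or aimed at an explicitly forwarded port;
 - a bounded fragment-reassembly queue with a timeout, so half-datagrams that
   never complete are expired or refused instead of filling the buffers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (inside_ip, inside_port, outside_ip, outside_port) identifies one flow.
Flow = Tuple[str, int, str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out" = LAN -> WAN, "in" = WAN -> LAN
    frag_id: int = 0        # nonzero: piece of a larger datagram (constructed id)
    last_frag: bool = True  # True when this piece completes the datagram
    ts: float = 0.0         # arrival time in seconds on a simulated clock


@dataclass
class StatefulFilter:
    forwarded_ports: Dict[int, str] = field(default_factory=dict)  # dport -> inside host
    frag_timeout: float = 30.0      # assumption: seconds a half-datagram may wait
    max_pending_frags: int = 4      # assumption: reassembly slots available
    state: Dict[Flow, float] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], float] = field(default_factory=dict)  # (src, frag_id) -> first seen

    def _expire_frags(self, now: float) -> int:
        """Free reassembly slots whose datagram never completed in time."""
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.frag_timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def handle(self, pkt: Packet) -> str:
        """Return an ALLOW/DROP verdict string for one packet."""
        self._expire_frags(pkt.ts)
        # Fragment bookkeeping first: an incomplete datagram cannot hold a
        # buffer forever, and once the slots are full further halves are refused.
        if pkt.frag_id:
            key = (pkt.src, pkt.frag_id)
            if pkt.last_frag:
                self.pending.pop(key, None)  # datagram complete, release slot
            elif key not in self.pending:
                if len(self.pending) >= self.max_pending_frags:
                    return "DROP: reassembly queue full"
                self.pending[key] = pkt.ts
        if pkt.direction == "out":
            self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "ALLOW: outbound, state created"
        # Inbound: only a reply to a flow we opened, or a forwarded port, gets in.
        flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.state:
            return "ALLOW: reply to established flow"
        if pkt.dport in self.forwarded_ports:
            return f"ALLOW: forwarded to {self.forwarded_ports[pkt.dport]}"
        return "DROP: unsolicited inbound"


def run_scenario() -> Tuple[List[str], StatefulFilter]:
    """Constructed traffic: a web fetch, a scan probe, a forwarded port, and
    a burst of half-datagrams that never get their second half."""
    fw = StatefulFilter(forwarded_ports={80: "192.168.1.20"})
    lan, web, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    packets = [
        Packet(lan, 50000, web, 80, "out", ts=0.0),          # inside host opens a flow
        Packet(web, 80, lan, 50000, "in", ts=1.0),           # the reply comes back
        Packet(scanner, 4444, lan, 445, "in", ts=2.0),       # unsolicited probe: refused
        Packet(scanner, 4444, "192.168.1.20", 80, "in", ts=3.0),  # forwarded port: admitted
    ]
    # Five first-halves with no second half; the fifth finds no slot free.
    packets += [Packet(scanner, 4444, "192.168.1.20", 80, "in",
                       frag_id=i, last_frag=False, ts=10.0 + i) for i in range(1, 6)]
    # Much later the stale halves have been expired, so a new one fits again.
    packets.append(Packet(scanner, 4444, "192.168.1.20", 80, "in",
                          frag_id=9, last_frag=False, ts=60.0))
    verdicts = [fw.handle(p) for p in packets]
    return verdicts, fw


if __name__ == "__main__":
    for verdict in run_scenario()[0]:
        print(verdict)
```

The state table is why a plain NAT router already answers "NO" to a port scan: nothing inside asked for the probe, so there is no flow to match. The reassembly cap and timeout are the SPI-style part: a queue that accepted every first half indefinitely is exactly the buffer exhaustion the post describes.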