How did they get past my NAT? - Firewalls



Thread: How did they get past my NAT?

  1. Re: How did they get past my NAT?

    Leythos wrote:
    > In article <4715f6e4$0$29264$ba620e4c@news.skynet.be>, goarilla <"kevin
    > DOT paulus AT skynet DOT be"> says...
    >> i do however outbound filter my SMB servers (2 x slackware machines)
    >> since i can't be certain 100%. the question is: is this somehow correct
    >> and/or if not please elaborate i just want to learn and spread what i've
    >> learned
    >> in no way do i mean to start flamewars or belittle people.

    >
    > Watch your logs, it will open your eyes as to what is leaving your
    > network.
    >

    what logs?
    everything syslog records?
    I guess I'll probably have to increase samba logging as well,
    since atm smbd prints only the start time of the process.

  2. Re: How did they get past my NAT?

    On Oct 11, 11:31 am, Maniaque wrote:
    > On Oct 11, 6:31 am, Leythos wrote:
    >
    > > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
    > > maniaqu...@gmail.com says...

    >
    > > A NAT is not a firewall at all, it's basic routing - Most non-technical
    > > types call NAT Routers firewalls, they are not.

    >
    > That I understand, but I'm always a little confused about what the
    > difference exactly is... a firewall is a device that only allows
    > connections that you want to allow - a NAT is a device that allows
    > outgoing connections arbitrarily, but normally (or only sometimes? see
    > the STUN information Chris mentioned) prevents arbitrary incoming
    > connections. Most home routers additionally claim to have a "firewall"
    > function that you can turn on / off (including the WRT54G) - when do
    > you decide what is and what is not a firewall? I really would like to
    > know, it's something that's puzzled me for years. Some things are
    > clearly not a firewall at all, like a "Full-cone" NAT router. Some
    > things are clearly a firewall first, and anything else after, like one
    > of those Cisco devices. But aren't most home routers somewhere
    > in-between?
    >
    >
    >
    > > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
    > > inbound traffic, that's all.

    >
    > not true. the WRT54G can block outgoing connections based on any
    > number of specified parameters, and then it has all those extra fancy
    > features that I don't understand
    >
    > Firewall Protection: Enable Disable
    > Additional Filters
    > Filter Proxy Filter Cookies
    > Filter Java Applets Filter ActiveX
    > Block Portscans Filter P2P Applications
    > Block WAN Requests
    > Block Anonymous Internet Requests
    > Filter Multicast
    > Filter Internet NAT Redirection
    > Filter IDENT(Port 113)
    >
    >
    >
    > > No, port forwarding is what your problem is - if you forward ports then
    > > you expose your computer/network and that's how people reach your
    > > computer to do things you don't want.

    >
    > Only if they get past the intended security of the service in
    > question, right?
    >
    > > You should learn to post in one group or to cross post so that your
    > > thread is easy to work with for multiple groups that you've done this
    > > in.

    >
    > Yep, thanks.
    >
    > Tao


    A firewall is a packet and port filter. That's all. NAT routers have a
    similar effect to a firewall. It is possible you have something
    lurking in your computer that is advertising your computer on the
    internet, something like a botnet-type program.


  3. Re: How did they get past my NAT?

    Leythos writes:

    >In article , unruh-spam@physics.ubc.ca
    >says...
    >> "Sebastian G." writes:
    >>
    >> >Unruh wrote:

    >>
    >>
    >> >> The question was not whether NAT was a firewall function but whether NAT
    >> >> with no port holes punched through was effectively a firewall allowing no
    >> >> unsolicited incoming traffic.
    >> >>
    >> >> Is there a way in which a NAT router, with no holes punched through, is
    >> >> more insecure than a firewall which rejects all unsolicited incoming
    >> >> traffic? If you claim it is more insecure, please tell us why.

    >>
    >> >It is, for three reasons:

    >>
    >> >1. If a connection is initiated from the inside, all related traffic from
    >> >the outside is forwarded. For a firewall you'd need to add such a rule
    >> >explicitly, and you could still overwrite it (e.g. generally denying access
    >> >to a certain port range for every incoming connection from the WAN).

    >>
    >> Not at all sure what you mean. I initiate a http connection. The response
    >> better get through both on a firewall and on a NAT.


    >Actually, it depends, when using a firewall, on the HTTP rule as to you
    >getting through or not.


    >In many cases you might allow HTTP from certain users or certain
    >internal IP or IP ranges and not allow HTTP from all other ranges - your
    >NAT Router can't do that, but a firewall can.


    Yes, agreed. But that is irrelevant. The question is not whether or not a
    firewall is more flexible than a NAT router; it is. The question is whether
    there is a difference in security against unsolicited outside attacks
    between a firewall which blocks all unsolicited outside connections, and a
    NAT router with no port holes punched through (i.e. no ports forwarded).



  4. Re: How did they get past my NAT?

    On Oct 11, 11:31 am, Leythos wrote:
    > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
    > maniaqu...@gmail.com says...
    >
    > > I would need to set up a
    > > second router/firewall/NAT device like a linksys wrt54G to sit behind
    > > the telecoms-operator-provided Xavi router, forward the appropriate
    > > ports through both devices, and make sure that the firewall is turned
    > > on on the wrt54g? I can only assume that what was "missing" in my
    > > original setup was a firewall (which my adsl router claims to have,
    > > but when I turn it on all the port forwarding stops working, which
    > > sort of defeats the purpose). Or do you have any other suggestions on
    > > how this can be done using home equipment?

    >
    > A NAT is not a firewall at all, it's basic routing




    No, it is not routing. Routing can be done with or without NAT.

    A basic book like Computer Networking First-Step by Wendell Odom,
    published by Cisco Press, would explain routing.

    Anyhow, saying that NAT is not a firewall does not explain how this
    happened.

    NAT blocks incoming, unless port forwarding. He says he didn't have
    port forwarding set up to port 5900, where his VNC server got the
    connection. Let's assume that he checked afterwards to make sure the
    port was not forwarded.

    So, how did it happen?

    Aside from Sebastian G's cryptic explanation, I don't see you
    offering an explanation.




  5. Re: How did they get past my NAT?

    jameshanley39@yahoo.co.uk wrote:

    > On Oct 11, 11:31 am, Leythos wrote:
    > > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
    > > maniaqu...@gmail.com says...
    > >
    > > > I would need to set up a
    > > > second router/firewall/NAT device like a linksys wrt54G to sit
    > > > behind the telecoms-operator-provided Xavi router, forward the
    > > > appropriate ports through both devices, and make sure that the
    > > > firewall is turned on on the wrt54g? I can only assume that what
    > > > was "missing" in my original setup was a firewall (which my adsl
    > > > router claims to have, but when I turn it on all the port
    > > > forwarding stops working, which sort of defeats the purpose). Or
    > > > do you have any other suggestions on how this can be done using
    > > > home equipment?

    > >
    > > A NAT is not a firewall at all, it's basic routing

    >
    >
    >
    > No, it is not routing. Routing can be done with or without NAT.
    >
    > A basic book like Computer Networking First-Step by Wendell Odom,
    > published by Cisco Press, would explain routing.
    >
    > Anyhow, saying that NAT is not a firewall does not explain how this
    > happened.
    >
    > NAT blocks incoming, unless port forwarding. He says he didn't have
    > port forwarding set up to port 5900, where his VNC server got the
    > connection. Let's assume that he checked afterwards to make sure the
    > port was not forwarded.
    >
    > So, how did it happen?
    >
    > Aside from Sebastian G's cryptic explanation, I don't see you
    > offering an explanation.


    You are actually one among many that suggest NAT for security,
    perhaps rightly so, but this should then concern you.

    I see Sebastian G has elaborated in further posts.



  6. Re: How did they get past my NAT?

    Leythos writes:

    >In article , unruh-spam@physics.ubc.ca
    >says...
    >>
    >> Yes, agreed. But that is irrelevant. The question is not whether or not a
    >> firewall is more flexible than a NAT router, it is. The question is whether
    >> there is a difference in security against unsolicited outside attacks
    >> between a firewall which blocks all unsolicited outside connections, and a
    >> NAT router with no port holes punched through (i.e. no ports forwarded).


    >Yes, there is a difference.


    >All quality firewalls have certifications from independent authorities
    >that will state how they work and that they are actually providing xyz.


    >NAT Routers have no certification (at least in the class we're talking
    >about) and have been shown, many times, to have exploits that allow
    >Unsolicited inbound traffic to pass through - even with no rules set by
    >the owner.


    So, your argument is that NAT routers are more often incompetent than
    firewalls are. If true, a reasonable argument. Actually you say "have been
    shown" -- by whom?

    Mind you, you stated at the top that you were only concerned with quality
    firewalls. Does that mean if I say "quality NAT routers" you would agree
    that the two are equivalent?


  7. Re: How did they get past my NAT?

    jameshanley39@yahoo.co.uk wrote:
    > NAT Blocks incoming, unless port forwarding.


    Usually, that's not true. You may want to think about what's called "NAT
    helpers".

    Usually, it's not a problem to get through a NAT implementation. Skype,
    for example, does this as default.

    Yours,
    VB.
    --
    "The operating principles of the constitutional state are the opposite of
    the operating principles of the preventive state."
    Erhard Denninger
    Professor of Public Law and Legal Philosophy, University of Frankfurt

  8. Re: How did they get past my NAT?

    On Oct 18, 2:53 pm, Leythos wrote:
    > In article <1192735170.708582.241...@q5g2000prf.googlegroups.com>,
    > jameshanle...@yahoo.co.uk says...
    >
    > > NAT Blocks incoming, unless port forwarding. He says he didn`t have
    > > port forwarding set up to port 5900, where his VNC server got the
    > > connection. Let`s assume that he checked afterwards to make sure the
    > > port was not forwarded.

    >
    > > So, how did it happen?

    >
    > He did have port forwarding enabled, not 5900, but he was hosting
    > services.
    >
    > So, any number of things could have exposed his network and then the
    > hacker could use anything they wanted. Simple, really, exploit a hole in
    > service X, add your own app or use one installed, get access to other
    > things.
    >


    And just as this flamewar dies out, I'd like to pitch in again. I
    cannot be absolutely certain what caused the issue as I had little
    logging enabled, but as I have previously stated, I'm pretty confident
    that this issue was due to an "Active FTP NAT Helper", as originally
    suggested by Sebastian G and illustrated with Micheal Ziegler's help.
    As a result of this issue I upgraded my home router to the latest
    Tomato firmware (1.11), in which the author has kindly added an option
    to disable the NAT helper.

    The test page I linked somewhere above for the NAT Helper
    "vulnerability" now happily shows that nothing gets through, with
    status "500 Go away (PORT IP mismatch).".

    Leythos, if exploiting a hole in any service X is as simple as you
    seem to think (without you knowing anything about the services
    involved), it's truly amazing to me that the internet still more or
    less works.

    Thanks,
    Tao
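The "500 Go away (PORT IP mismatch)" status quoted above is the kind of check a server (or a NAT helper) should apply before acting on an FTP PORT command: the address the client names must equal the address the control connection actually came from, and the requested port must not be a privileged one (the bounce-attack advice in RFC 2577). The following is an added example, not code from this thread, from Tomato or from any test page; the peer address, the PORT lines and all reply strings except the mismatch one are constructed for the demonstration.

```python
import re

# Matches "PORT h1,h2,h3,h4,p1,p2": the address is h1.h2.h3.h4, the port p1*256+p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):  # every field must fit in one byte
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def port_command_decision(control_peer_ip, line):
    """Decide whether the data connection requested by a PORT line may be opened.

    control_peer_ip is the address the control connection was accepted from.
    Returns ("open", ip, port) or ("reject", reply). Reply texts are constructed
    for this example; only the IP-mismatch one echoes the thread.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return ("reject", "501 Syntax error in parameters or arguments")
    ip, port = parsed
    # Core check: a client may only ask for a data connection back to itself.
    if ip != control_peer_ip:
        return ("reject", "500 Go away (PORT IP mismatch)")
    # RFC 2577 advice: never connect back to a privileged port.
    if port < 1024:
        return ("reject", "500 Go away (PORT privileged port)")
    return ("open", ip, port)


def run_samples():
    """Constructed cases: a legitimate request, a mismatched address, a privileged port, junk."""
    peer = "203.0.113.5"  # constructed public address the control connection came from
    cases = [
        "PORT 203,0,113,5,23,12",   # matches the peer; port 23*256+12 = 5900
        "PORT 192,168,1,10,23,12",  # private address the peer did not connect from
        "PORT 203,0,113,5,0,80",    # matches the peer but asks for port 80
        "PORT 999,0,113,5,23,12",   # malformed octet
    ]
    return [port_command_decision(peer, c) for c in cases]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```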


  9. Re: How did they get past my NAT?

    On 18 Oct, 19:14, Leythos wrote:
    > In article , unruh-s...@physics.ubc.ca
    > says...
    >
    >
    >
    > > Yes, agreed. But that is irrelevant. The question is not whether or not a
    > > firewall is more flexible than a NAT router, it is. The question is whether
    > > there is a difference in security against unsolicited outside attacks
    > > between a firewall which blocks all unsolicited outside connections, and a
    > > NAT router with no port holes punched through (i.e. no ports forwarded).

    >
    > Yes, there is a difference.
    >
    > All quality firewalls have certifications from independent authorities
    > that will state how they work and that they are actually providing xyz.
    >
    > NAT Routers have no certification (at least in the class we're talking
    > about) and have been shown, many times, to have exploits that allow
    > Unsolicited inbound traffic to pass through - even with no rules set by
    > the owner.
    >


    Where has it been shown many times?

    (Not shown [many times] in this newsgroup. I first heard of any such
    issue a few months ago perhaps, from Sebastian, on this
    newsgroup, and since then from Volker. In a thread where you were advocating
    NAT for - I thought - blocking incoming.)




  10. Re: How did they get past my NAT?

    In article <1194544020.150180.306890@v23g2000prn.googlegroups.com>,
    jameshanley39@yahoo.co.uk says...
    > On 18 Oct, 19:14, Leythos wrote:
    > > In article , unruh-s...@physics.ubc.ca
    > > says...
    > >
    > >
    > >
    > > > Yes, agreed. But that is irrelevant. The question is not whether or not a
    > > > firewall is more flexible than a NAT router, it is. The question is whether
    > > > there is a difference in security against unsolicited outside attacks
    > > > between a firewall which blocks all unsolicited outside connections, and a
    > > > NAT router with no port holes punched through (i.e. no ports forwarded).

    > >
    > > Yes, there is a difference.
    > >
    > > All quality firewalls have certifications from independent authorities
    > > that will state how they work and that they are actually providing xyz.
    > >
    > > NAT Routers have no certification (at least in the class we're talking
    > > about) and have been shown, many times, to have exploits that allow
    > > Unsolicited inbound traffic to pass through - even with no rules set by
    > > the owner.
    > >

    >
    > Where has it been shown many times?
    >
    > (Not shown [many times] in this newsgroup. I first heard of any such
    > issue a few months ago perhaps, from Sebastian, on this
    > newsgroup, and since then from Volker. In a thread where you were advocating
    > NAT for - I thought - blocking incoming.)


    Try google for reference materials.

    --

    Leythos
    - Therefore, let him who desires peace prepare for war.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  11. Re: How did they get past my NAT?

    On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
    > Leythos writes:
    > > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla <"kevin
    > > DOT paulus AT skynet DOT be"> says...
    > > > Leythos wrote:
    > > > > In article <1192120303.414117.236...@g4g2000hsf.googlegroups.com>,
    > > > > maniaqu...@gmail.com says...
    > > > >> not true. the WRT54G can block outgoing connections based on any
    > > > >> number of specified parameters, and then it has all those extra fancy
    > > > >> features that I don't understand

    >
    > > > > it's a NAT device that can block outbound ports - it has no clue what
    > > > > those ports are and doesn't know the difference between HTTP and SMTP
    > > > > except that they use different ports.

    >
    > > > just some questions with as goal to learn more

    >
    > > > so you call a firewall something with complex heuristics ?
    > > > really does iptables provide more than filtering between protocol, port
    > > > and state information, and do people actually use it. Because in essence
    > > > iirc
    > > > a nat router does the same it opens up a connection if somebody on the
    > > > inside requests it
    > > > and after that allows the connection untill it's broken down (FIN or RST)
    > > > do i have a point here or not ?

    >
    > > Does the device, in the standard/default mode, block traffic in both
    > > directions?

    >
    > A cat5 cable cut in half does. Is it a firewall?
    >
    > > Does the device know the difference between HTTP and SMTP or only
    > > TCP 80 and TCP 25?

    >
    > Firewalls in the traditional definition never did, were they not
    > firewalls? Application-level protocol recognition is only recently on
    > the scene, yet we've had things people called "firewalls" existing for
    > quite a while before that. I'd hate to think I didn't get the memo
    > about someone changing the definition of "firewall" with the
    > International Standards Organization.
    >
    > > Does the device understand being attacked and auto-block sources of
    > > attacks or unauthorized traffic?

    >
    > So when did the definition of "firewall" start requiring it to also
    > fit the definition of "network intrusion prevention device" or
    > "network intrusion detection device?"
    >
    > Just curious.
    >
    > > Does the device use NAT or can it be setup with rules without using NAT?
    > > If it forces NAT then I don't consider it a firewall unless it can do
    > > all the others - since MOST of the devices that force NAT are
    > > residential device (yea, not all inclusive, but you should get the idea
    > > without us going off the deep end).

    >
    > Ah, okay here's where we come down to brass tacks--with the use of the
    > word "I."
    >
    > Some folks seem to have their own definition of a firewall that
    > doesn't match that accepted over the course of a lot of networking
    > history including the present. This view categorically rejects those
    > devices which don't fit a personally crafted unique definition of
    > "firewalls."
    >
    > Unfortunately, it's pedantic and pointless. But then again, so is
    > much of the banter by the more abusive posters here. To protect their
    > identity, we won't mention Leythos and Sebastian by name.
    >
    > Now, that's not to say there isn't something to learn about the range
    > of functionality one might want to consider in their border protection
    > in the narrow definition such folks try to paint, but being so prickly
    > about what to call a "firewall" and what to call a "NAT router" is
    > just a freakin waste of time. Better to say "corporate grade border
    > security appliance" which has built into the obvious fact that
    > functionality and features of corporate grade hardware exceed that of
    > $70 Linksys gear popular among home and small office users.
    >
    > And let's not forget that there was a time not very long ago where the
    > functionality packed into your garden variety wrt54g (particularly one
    > packing the functionality of third party firmware) took a HELL of a lot
    > of much more expensive hardware and was certainly considered a
    > "firewall." And still is for that matter.
    >
    > Those with what I'll call this "modern purist" view may be shocked to
    > see the breadth of definitions for our friend the firewall that are in
    > existence that cast a much bigger net than his own:
    > http://www.google.com/search?q=define%3Afirewall
    >
    > We now return you to your regularly scheduled semantic argument.
    >
    > Best Regards,
    > --
    > Todd H. http://www.toddh.net/


    unfortunately, those that make a point like the one you make are
    less vocal.


    you mention
    "
    I'd hate to think I didn't get the memo about someone changing the
    definition of "firewall" with the International Standards Organization
    "

    what is the ISO definition of firewall? I couldn't find it.

    can you name some of the firewalls you used in the past that didn't
    do much more than the "traditional definition"? And can you define the
    traditional definition?


    What I would GUESS is that a firewall is a packet filter and a packet
    filter is a firewall. Same thing. Can be a device (network firewall) or
    software.

    a packet filter controls a network by selectively allowing or blocking
    packets.

    a packet filter is always Layer 3 (stateless/static packet filter)
    and can be both Layers 3 and 4 (stateful/dynamic packet filter).

    (definition based on webopedia and the one given in the docs for the
    openbsd pf program)

    It rules out the broken cable you mentioned ;-)



  12. Re: How did they get past my NAT?

    On Nov 16, 9:11 am, "jameshanle...@yahoo.co.uk"
    wrote:
    > On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
    >
    >
    >
    >
    >
    > > Leythos writes:
    > > > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla <"kevin
    > > > DOT paulus AT skynet DOT be"> says...
    > > > > Leythos wrote:
    > > > > > In article <1192120303.414117.236...@g4g2000hsf.googlegroups.com>,
    > > > > > maniaqu...@gmail.com says...
    > > > > >> not true. the WRT54G can block outgoing connections based on any
    > > > > >> number of specified parameters, and then it has all those extra fancy
    > > > > >> features that I don't understand

    >
    > > > > > it's a NAT device that can block outbound ports - it has no clue what
    > > > > > those ports are and doesn't know the difference between HTTP and SMTP
    > > > > > except that they use different ports.

    >
    > > > > just some questions with as goal to learn more

    >
    > > > > so you call a firewall something with complex heuristics ?
    > > > > really does iptables provide more than filtering between protocol, port
    > > > > and state information, and do people actually use it. Because in essence
    > > > > iirc
    > > > > a nat router does the same it opens up a connection if somebody on the
    > > > > inside requests it
    > > > > and after that allows the connection untill it's broken down (FIN or RST)
    > > > > do i have a point here or not ?

    >
    > > > Does the device, in the standard/default mode, block traffic in both
    > > > directions?

    >
    > > A cat5 cable cut in half does. Is it a firewall?

    >
    > > > Does the device know the difference between HTTP and SMTP or only
    > > > TCP 80 and TCP 25?

    >
    > > Firewalls in the traditional definition never did, were they not
    > > firewalls? Application-level protocol recognition is only recently on
    > > the scene, yet we've had things people called "firewalls" existing for
    > > quite a while before that. I'd hate to think I didn't get the memo
    > > about someone changing the definition of "firewall" with the
    > > International Standards Organization.

    >
    > > > Does the device understand being attacked and auto-block sources of
    > > > attacks or unauthorized traffic?

    >
    > > So when did the definition of "firewall" start requiring it to also
    > > fit the definition of "network intrusion prevention device" or
    > > "network intrusion detection device?"

    >
    > > Just curious.

    >
    > > > Does the device use NAT or can it be setup with rules without using NAT?
    > > > If it forces NAT then I don't consider it a firewall unless it can do
    > > > all the others - since MOST of the devices that force NAT are
    > > > residential device (yea, not all inclusive, but you should get the idea
    > > > without us going off the deep end).

    >
    > > Ah, okay here's where we come down to brass tacks--with the use of the
    > > word "I."

    >
    > > Some folks seem to have their own definition of a firewall that
    > > doesn't match that accepted over the course of a lot of networking
    > > history including the present. This view categorically rejects those
    > > devices which don't fit a personally crafted unique definition of
    > > "firewalls."

    >
    > > Unfortunately, it's pedantic and pointless. But then again, so is
    > > much of the banter by the more abusive posters here. To protect their
    > > identity, we won't mention Leythos and Sebastian by name.

    >
    > > Now, that's not to say there isn't something to learn about the range
    > > of functionality one might want to consider in their border protection
    > > in the narrow definition such folks try to paint, but being so prickly
    > > about what to call a "firewall" and what to call a "NAT router" is
    > > just a freakin waste of time. Better to say "corporate grade border
    > > security appliance" which has built into the obvious fact that
    > > functionality and features of corporate grade hardware exceed that of
    > > $70 Linksys gear popular among home and small office users.

    >
    > > And let's not forget that there was a time not very long ago where the
    > > functionality packed into your garden variety wrt54g (particularly one
    > > packing the functionality of third party firmware) took a HELL of a lot
    > > of much more expensive hardware and was certainly considered a
    > > "firewall." And still is for that matter.

    >
    > > Those with what I'll call this "modern purist" view may be shocked to
    > > see the breadth of definitions for our friend the firewall that are in
    > > existence that cast a much bigger net than his own:
    > > http://www.google.com/search?q=define%3Afirewall

    >
    > > We now return you to your regularly scheduled semantic argument.

    >
    > > Best Regards,
    > > --
    > > Todd H. http://www.toddh.net/

    >
    > unfortunately, those that make a point like the one you make are
    > less vocal.
    >
    > you mention
    > "
    > I'd hate to think I didn't get the memo about someone changing the
    > definition of "firewall" with the International Standards Organization
    > "
    >
    > what is the ISO definition of firewall? I couldn't find it.
    >
    > can you name some of the firewalls you used in the past that didn't
    > do much more than the "traditional definition"? And can you define the
    > traditional definition?
    >
    > What I would GUESS is that a firewall is a packet filter and a packet
    > filter is a firewall. Same thing. Can be a device (network firewall) or
    > software.
    >
    > a packet filter controls a network by selectively allowing or blocking
    > packets.
    >
    > a packet filter is always Layer 3 (stateless/static packet filter)
    > and can be both Layers 3 and 4 (stateful/dynamic packet filter).
    >
    > (definition based on webopedia and the one given in the docs for the
    > openbsd pf program)
    >
    > It rules out the broken cable you mentioned ;-)


    rules out NAT routers too, which is probably good.

    http://en.wikipedia.org/wiki/Firewall_(networking)
    differs from webopedia; it calls "packet filter" only the first
    generation of firewall, at the network layer of the OSI model (though
    if it accesses the TCP port, that is something at Layer 4 too).
    So, by that definition, SPI != packet filter.

    That page does talk of a firewall as sitting between 2 networks,
    perhaps as opposed to an individual computer from a network.

    It does not mention whether a concept may be flawed, like running a
    software firewall on a non-dedicated machine.
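The distinction drawn in the last two posts between a static (stateless) packet filter and a stateful one is easiest to see on concrete packets. Below is an added example, not code from this thread, from pf or from any router firmware: a toy static filter beside a toy stateful one, fed the same constructed traffic. The static filter has to admit inbound packets with source port 80 to let HTTP replies back in, and that same rule admits an unsolicited packet aimed at port 5900 that merely claims to come from port 80; the stateful filter admits only replies to a flow the inside host started, which is also the behaviour of a NAT router with no ports forwarded. Addresses and ports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the WAN) or "out" (leaving the LAN)
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticFilter:
    """Stateless Layer 3/4 filter: each packet is judged on its own header fields."""

    def __init__(self, rules):
        # rules: (direction, proto, src_port or None, dst_port or None, action), first match wins
        self.rules = rules

    def decide(self, pkt):
        for direction, proto, sport, dport, action in self.rules:
            if (direction == pkt.direction and proto == pkt.proto
                    and sport in (None, pkt.src_port) and dport in (None, pkt.dst_port)):
                return action
        return "drop"  # default deny


class StatefulFilter:
    """Stateful filter: remembers flows the inside started and admits only their replies."""

    def __init__(self):
        self.flows = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            # Record the flow as it will look from the reply's point of view.
            self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return "accept"
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return "accept" if key in self.flows else "drop"


# Constructed traffic: an outbound HTTP request, its reply, and an unsolicited
# probe of the inside host's port 5900 whose source port imitates an HTTP reply.
LAN, WAN = "192.168.1.10", "203.0.113.5"
REQUEST = Packet("out", "tcp", LAN, 40000, WAN, 80)
REPLY = Packet("in", "tcp", WAN, 80, LAN, 40000)
UNSOLICITED = Packet("in", "tcp", WAN, 80, LAN, 5900)


def run_comparison():
    """Return {filter name: [decision for REQUEST, REPLY, UNSOLICITED]}."""
    static = StaticFilter([
        ("out", "tcp", None, 80, "accept"),  # let the LAN browse
        ("in", "tcp", 80, None, "accept"),   # let the answers back in: the weak spot
    ])
    stateful = StatefulFilter()
    packets = [REQUEST, REPLY, UNSOLICITED]
    return {
        "static": [static.decide(p) for p in packets],
        "stateful": [stateful.decide(p) for p in packets],
    }


if __name__ == "__main__":
    for name, decisions in run_comparison().items():
        print(name, decisions)
```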




  13. Re: How did they get past my NAT?


    wrote in message
    news:d7665587-94fc-4017-b589-7a15af6c3623@l22g2000hsc.googlegroups.com...
    > On Nov 16, 9:11 am, "jameshanle...@yahoo.co.uk"
    > wrote:
    >> On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
    >>
    >>
    >>
    >>
    >>
    >> > Leythos writes:
    >> > > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla
    >> > > <"kevin
    >> > > DOT paulus AT skynet DOT be"> says...
    >> > > > Leythos wrote:
    >> > > > > In article
    >> > > > > <1192120303.414117.236...@g4g2000hsf.googlegroups.com>,
    >> > > > > maniaqu...@gmail.com says...
    >> > > > >> not true. the WRT54G can block outgoing connections based on
    >> > > > >> any
    >> > > > >> number of specified parameters, and then it has all those extra
    >> > > > >> fancy
    >> > > > >> features that I don't understand

    >>
    >> > > > > it's a NAT device that can block outbound ports - it has no clue
    >> > > > > what
    >> > > > > those ports are and doesn't know the difference between HTTP and
    >> > > > > SMTP
    >> > > > > except that they use different ports.

    >>
    >> > > > just some questions with as goal to learn more

    >>
    >> > > > so you call a firewall something with complex heuristics ?
    >> > > > really does iptables provide more than filtering between protocol,
    >> > > > port
    >> > > > and state information, and do people actually use it. Because in
    >> > > > essence
    >> > > > iirc
    >> > > > a nat router does the same it opens up a connection if somebody on
    >> > > > the
    >> > > > inside requests it
    >> > > > and after that allows the connection untill it's broken down (FIN
    >> > > > or RST)
    >> > > > do i have a point here or not ?

    >>
    >> > > Does the device, in the standard/default mode, block traffic in both
    >> > > directions?

    >>
    >> > A cat5 cable cut in half does. Is it a firewall?

    >>
    >> > > Does the device know the difference between HTTP and SMTP or only
    >> > > TCP 80 and TCP 25?

    >>
    >> > Firewalls in the traditional definition never did, were they not
    >> > firewalls? Application-level protocol recognition is only recently on
    >> > the scene, yet we've had things people called "firewalls" existing for
    >> > quite a while before that. I'd hate to think I didn't get the memo
    >> > about someone changing the definition of "firewall" with the
    >> > International Standards Organization.

    >>
    >> > > Does the device understand being attacked and auto-block sources of
    >> > > attacks or unauthorized traffic?

    >>
    >> > So when did the definition of "firewall" start requiring it to also
    >> > fit the definition of "network intrusion prevention device" or
    >> > "network intrusion detection device?"

    >>
    >> > Just curious.

    >>
    >> > > Does the device use NAT or can it be setup with rules without using
    >> > > NAT?
    >> > > If it forces NAT then I don't consider it a firewall unless it can do
    >> > > all the others - since MOST of the devices that force NAT are
    >> > > residential device (yea, not all inclusive, but you should get the
    >> > > idea
    >> > > without us going off the deep end).

    >>
    >> > Ah, okay here's where we come down to brass tacks--with the use of the
    >> > word "I."

    >>
    >> > Some folks seem to have their own definition of a firewall that
    >> > doesn't match that accepted over the course of a lot of networking
    >> > history including the present. This view categorically rejects those
    >> > devices which don't fit a personally crafted unique definition of
    >> > "firewalls."

    >>
    >> > Unfortunately, it's pedantic and pointless. But then again, so is
    >> > much of the banter by the more abusive posters here. To protect their
    >> > identity, we won't mention Leythos and Sebastian by name.

    >>
    >> > Now, that's not to say there isn't something to learn about the range
    >> > of functionality one might want to consider in their border protection
    >> > in the narrow definition such folks try to paint, but being so prickly
    >> > about what to call a "firewall" and what to call a "NAT router" is
    >> > just a freakin waste of time. Better to say "corporate grade border
    >> > security appliance" which has built into the obvious fact that
    >> > functionality and features of corporate grade hardware exceed that of
    >> > $70 Linksys gear popular among home and small office users.

    >>
    >> > And let's not forget that there was a time not very long ago where the
    >> > functionality packed into your garden variety wrt54g (particularly one
    >> > packing the functionality of third party firmware) took a HELL of a lot
    >> > of much more expensive hardware and was certainly considered a
    >> > "firewall." And still is for that matter.

    >>
    >> > Those with what I'll call this "modern purist" view may be shocked to
    >> > see the breadth of definitions for our friend the firewall that are in
    >> > existence that cast a much bigger net than his own:
    >> > http://www.google.com/search?q=define%3Afirewall

    >>
    >> > We now return you to your regularly scheduled semantic argument.

    >>
    >> > Best Regards,
    >> > --
    >> > Todd H. http://www.toddh.net/

    >>
    >> unfortunately, those that make a point like the one you make , are
    >> less vocal.
    >>
    >> you mention
    >> "
    >> I'd hate to think I didn't get the memo about someone changing the
    >> definition of "firewall" with the International Standards Organization
    >> "
    >>
    >> what is the ISO definition of firewall ? I couldn't find it
    >>
    >> can you name some of the firewalls you used in the past, that didn't
    >> do much more than the "traditional definition". And can you define the
    >> traditional definition ?
    >>
    >> What I would GUESS, is that a firewall is a packet filter and a packet
    >> filter is a firewall. Same thing. Can be Device(network firewall) or
    >> Software.
    >>
    >> a packet filter controls a network by selectively allowing or blocking
    >> packets.
    >>
    >> packet filter is always Layer 3 (stateless/static packet filter)
    >> and can be both Layers 3 and 4. (stateful / dynamic packet filter )
    >>
    >> (definition based on webopedia and the one given in the docs for the
    >> openbsd pf program)
    >>
    >> It rules out the broken cable you mentioned ;-)

    >
    > rules out NAT Router too. which is probably good.
    >
    > http://en.wikipedia.org/wiki/Firewall_(networking)
    > differs with webopedia, it calls "packet filter" only the first
    > generation of firewall. at the network layer of the OSI model. (though
    > if it accesses tcp port , that is something at Layer 4 too).
    > So, by that definition, SPI != packet filter.
    >
    > That page does talk of a firewall as sitting between 2 networks.
    > perhaps, as opposed to an individual computer from a network.
    >


    To keep it simplistic for you, the Internet is a massive/giant network the
    Wide Area Network being protected from by the firewall. The network being
    protected by the FW is the Local Area Network.

    > It does not mention about if a concept may be flawed.. like running a
    > software firewall on a non dedicated machine.



    Your concept of a FW is flawed. A FW must separate two networks. The network
    it is protecting from, and the network it is protecting. A FW must have at
    least two network interfaces. One interface must face the WAN, and the other
    interface must face the LAN. In the case of a software FW running on a
    secured host computer, the computer must have two NIC(s) with one facing the
    WAN and the other one facing the LAN.

    If a software solution is not using two NIC(s), it's not a FW, but rather,
    it's a machine level packet filter protecting at the machine level.


  14. Re: How did they get past my NAT?

    Maniaque writes:

    >On Oct 18, 2:53 pm, Leythos wrote:
    >> In article <1192735170.708582.241...@q5g2000prf.googlegroups.c om>,
    >> jameshanle...@yahoo.co.uk says...
    >>
    >> > NAT Blocks incoming, unless port forwarding. He says he didn't have
    >> > port forwarding set up to port 5900, where his VNC server got the
    >> > connection. Let's assume that he checked afterwards to make sure the
    >> > port was not forwarded.

    >>
    >> > So, how did it happen?

    >>
    >> He did have port forwarding enabled, not 5900, but he was hosting
    >> services.
    >>
    >> So, any number of things could have exposed his network and then the
    >> hacker could use anything they wanted. Simple, really, exploit a hole in
    >> service X, add your own app or use one installed, get access to other
    >> things.
    >>


    >And just as this flamewar dies out, I'd like to pitch in again. I
    >cannot be absolutely certain what caused the issue as I had little
    >logging enabled, but as I have previously stated, I'm pretty confident
    >that this issue was due to a "Active FTP NAT Helper", as originally
    >suggested by Sebastian G and illustrated with Micheal Ziegler's help.
    >As a result of this issue I upgraded my home router to the latest
    >Tomato firmware (1.11), in which the author has kindly added an option
    >to disable the NAT helper.


    >The test page I linked somewhere above for the NAT Helper
    >"vulnerability" now happily shows that nothing gets through, with
    >status "500 Go away (PORT IP mismatch).".


    >Leythos, if exploiting a hole in any service X is as simple as you
    >seem to think (without you knowing anything about the services
    >involved), it's truly amazing to me that the internet still more or
    >less works


    If service X has a hole, then service X can be exploited. Clearly the
    attacker knows which services to try since those are the ports you have
    open. And exploiting service X means they have entry to your machine. And
    if they have entry to your machine, then they can do what they want.
    Why exactly do you say that the internet works? There are probably millions
    of machines out there that are owned by outsiders, i.e. on which outsiders
    can do what they want. They primarily use them for launching phishing and
    spam attacks on the world. Your definition of "works" needs upgrading.


    >Thanks,
    >Tao
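    The "500 Go away (PORT IP mismatch)" status quoted above is the check a NAT helper has to make before it opens a pinhole for an active-mode FTP data connection: the address announced in the client's PORT command must be the host that owns the control connection. The Python below is an added illustration, not code from this thread or from the Tomato firmware; the function names, the constructed control-channel transcript and the 192.168.1.x addresses are assumptions.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address octets, two port bytes)
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Return (IPv4Address, port) announced by an FTP PORT line, or None if malformed."""
    m = _PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def helper_should_open_pinhole(line, control_src_ip):
    """Decide whether a NAT helper may create an inbound pinhole for the
    data connection that this PORT command announces.

    The announced address must be the same host that owns the control
    connection; anything else is refused, which is the "PORT IP mismatch"
    behaviour described in the post. Returns (allowed, reason).
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(control_src_ip):
        return False, "PORT IP mismatch"
    if port < 1024:
        # Ephemeral data ports only; never open a hole towards a service port.
        return False, "privileged port"
    return True, "ok"


def audit_control_stream(lines, control_src_ip):
    """Run every client line of a control-channel transcript through the
    check and return a list of (line, allowed, reason) for the PORT lines."""
    results = []
    for line in lines:
        if line.upper().startswith("PORT"):
            allowed, reason = helper_should_open_pinhole(line, control_src_ip)
            results.append((line, allowed, reason))
    return results


# Constructed control-channel transcript from LAN host 192.168.1.10 (not real traffic).
SAMPLE_CLIENT_LINES = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "PORT 192,168,1,10,4,1",     # own address, port 1025: a normal active-mode transfer
    "PORT 192,168,1,20,23,12",   # a different LAN host, port 5900: must be refused
    "PORT 192,168,1,10,0,21",    # own address but port 21: refused as privileged
    "PORT 999,168,1,10,4,1",     # octet out of range: malformed
    "QUIT",
]

if __name__ == "__main__":
    for line, allowed, reason in audit_control_stream(SAMPLE_CLIENT_LINES, "192.168.1.10"):
        print(f"{line!r:32} -> {'allow' if allowed else 'refuse'} ({reason})")
```

    The helper's decision is made purely from the control connection's source address and the announced tuple; a helper that skips the address comparison is exactly what turns a client-side FTP session into an arbitrary inbound pinhole.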



  15. Re: How did they get past my NAT?

    "jameshanley39@yahoo.co.uk" writes:

    >On 18 Oct, 19:14, Leythos wrote:
    >> In article , unruh-s...@physics.ubc.ca
    >> says...
    >>
    >>
    >>
    >> > Yes, agreed. But that is irrelevant. The question is not whether or not a
    >> > firewall is more flexible than a NAT router, it is. The question is whether
    >> > there is a difference in security against unsolicited outside attacks
    >> > between a firewall which blocks all unsolicited outside connections, and a
    >> > NAT router with no port holes punched through (Ie no ports forwarded).

    >>
    >> Yes, there is a difference.
    >>
    >> All quality firewalls have certifications from independent authorities
    >> that will state how they work and that they are actually providing xyz.


    I am sorry, but you regard paper as a valid computer defense. Who cares if
    they have a piece of paper attached? The question is not who has the paper
    trail, but who has the security.

    >>
    >> NAT Routers have no certification (at least in the class we're talking
    >> about) and have been shown, many times, to have exploits that allow
    >> Unsolicited inbound traffic to pass through - even with no rules set by
    >> the owner.


    As have firewalls at times.


    >>


    >Where has it been shown many times?


    >( Not shown [many times] in this newsgroup. I first heard of any such
    >issue from a few months ago perhaps, from Sebastian, on this
    >newsgroup, and since by Volker. In a thread where you were advocating
    >NAT for - I thought - blocking incoming )





  16. Re: How did they get past my NAT?

    On Nov 18, 7:17 pm, "Mr. Arnold" wrote:
    > wrote in message


    >
    > > That page does talk of a firewall as sitting between 2 networks.
    > > perhaps, as opposed to an individual computer from a network.

    >
    > To keep it simplistic for you, the Internet is a massive/giant network the
    > Wide Area Network being protected from by the firewall. The network being
    > protected by the FW is the Local Area Network.
    >


    What is the complicated way then?

    note- a firewall blocking certain outgoing can help protect other
    people on the internet from a compromised machine. Leythos is keen on
    blocking certain outgoing so he'd probably know of some examples.


    > > It does not mention about if a concept may be flawed.. like running a
    > > software firewall on a non dedicated machine.

    >
    > Your concept of a FW is flawed. A FW must separate two networks. The network
    > it is protecting from, and the network it is protecting. A FW must have at
    > least two network interfaces. One interface must face the WAN, and the other
    > interface must face the LAN. In the case of a software FW running on a
    > secured host computer, the computer must have two NIC(s) with one facing the
    > WAN and the other one facing the LAN.
    >
    > If a software solution is not using two NIC(s), it's not a FW, but rather,
    >> it's a machine level packet filter protecting at the machine level.


    makes sense, thanks.



  17. Re: How did they get past my NAT?


    wrote in message
    news:aaf5ac3a-9b60-451a-b03e-36c03533b841@w73g2000hsf.googlegroups.com...
    > On Nov 18, 7:17 pm, "Mr. Arnold" wrote:
    >> wrote in message

    >
    >>
    >> > That page does talk of a firewall as sitting between 2 networks.
    >> > perhaps, as opposed to an individual computer from a network.

    >>
    >> To keep it simplistic for you, the Internet is a massive/giant network
    >> the
    >> Wide Area Network being protected from by the firewall. The network being
    >> protected by the FW is the Local Area Network.
    >>

    >
    > What is the complicated way then?



    >
    > note- a firewall blocking certain outgoing can help protect other
    > people on the internet from a compromised machine. Leythos is keen on
    > blocking certain outgoing so he'd probably know of some examples.


    The proper thing would be to block all outbound traffic, and only allow
    outbound traffic for those applications or services that need outbound
    traffic. That would mostly apply to a solution such as a FW appliance,
    packet filtering FW router or a software FW running on a secured gateway
    computer that could implement the solution properly by creating packet
    filtering rules.


    >
    >
    >> > It does not mention about if a concept may be flawed.. like running a
    >> > software firewall on a non dedicated machine.

    >>
    >> Your concept of a FW is flawed. A FW must separate two networks. The
    >> network
    >> it is protecting from, and the network it is protecting. A FW must have
    >> at
    >> least two network interfaces. One interface must face the WAN, and the
    >> other
    >> interface must face the LAN. In the case of a software FW running on a
    >> secured host computer, the computer must have two NIC(s) with one facing
    >> the
    >> WAN and the other one facing the LAN.
    >>
    >> If a software solution is not using two NIC(s), it's not a FW, but
    >> rather,
    >> it's a machine level packet filter protecting at the machine level.

    >
    > makes sense, thanks.


    When segmenting networks, a FW limits the damage that can be spread from one
    network to another network, like a firedoor or firewall.

    >
    >
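    The two positions argued in this thread, a FW as something that sits between two networks and filters in both directions, and the earlier question of whether a NAT router that "opens up a connection if somebody on the inside requests it" is doing the same thing, can be made concrete with a toy stateful filter: default deny on both interfaces, an explicit egress policy for what the LAN may start, and a state table so that only replies to tracked sessions come back in. The Python below is an added model, not code from this thread or from any product named in it; Packet, StatefulFilter, the egress policy and the RFC 5737 test addresses are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "lan" or "wan"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A", "FA", "R"


class StatefulFilter:
    """Default-deny in both directions. Only LAN-initiated sessions that the
    egress policy permits are allowed, and only their replies may come back in;
    nothing unsolicited crosses from WAN to LAN."""

    def __init__(self, egress_policy):
        # egress_policy: set of (proto, dport) a LAN host may initiate, e.g. {("tcp", 80)}
        self.egress_policy = set(egress_policy)
        # key: (proto, lan_ip, lan_port, wan_ip, wan_port)
        # value: set of sides ("lan"/"wan") that have already sent FIN
        self.conntrack = {}

    @staticmethod
    def _lan_key(p):
        # Packet leaving the LAN: the source is the LAN host.
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _wan_key(p):
        # Packet arriving from the WAN: swap so the key is in LAN-host view.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _track_teardown(self, key, side, p):
        """Forget the session on RST, or once both sides have sent FIN."""
        if p.proto != "tcp":
            return
        if "R" in p.flags:
            self.conntrack.pop(key, None)
            return
        if "F" in p.flags:
            self.conntrack[key].add(side)
            if self.conntrack[key] == {"lan", "wan"}:
                del self.conntrack[key]

    def handle(self, p):
        if p.iface == "lan":
            key = self._lan_key(p)
            if key in self.conntrack:
                self._track_teardown(key, "lan", p)
                return "ACCEPT"
            if (p.proto, p.dport) in self.egress_policy:
                self.conntrack[key] = set()   # new LAN-initiated session
                return "ACCEPT"
            return "DROP"                     # egress not permitted by policy
        if p.iface == "wan":
            key = self._wan_key(p)
            if key in self.conntrack:
                self._track_teardown(key, "wan", p)
                return "ACCEPT"               # reply to a tracked session
            return "DROP"                     # unsolicited inbound, no port forward
        return "DROP"


def run_scenario():
    """Constructed packet sequence (not captured traffic); returns the verdicts
    and the number of sessions still tracked at the end."""
    fw = StatefulFilter({("tcp", 80), ("udp", 53)})
    lan, web, mx = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    steps = [
        Packet("wan", "tcp", "203.0.113.99", 51000, lan, 5900, "S"),  # unsolicited inbound to 5900
        Packet("lan", "tcp", lan, 40000, web, 80, "S"),                # LAN opens HTTP
        Packet("wan", "tcp", web, 80, lan, 40000, "SA"),               # reply to tracked session
        Packet("lan", "tcp", lan, 40001, mx, 25, "S"),                 # direct SMTP, not in policy
        Packet("lan", "tcp", lan, 40000, web, 80, "FA"),               # LAN side closes
        Packet("wan", "tcp", web, 80, lan, 40000, "FA"),               # peer closes, state removed
        Packet("wan", "tcp", web, 80, lan, 40000, "A"),                # late packet: no state left
    ]
    verdicts = [fw.handle(p) for p in steps]
    return verdicts, len(fw.conntrack)


if __name__ == "__main__":
    for verdict in run_scenario()[0]:
        print(verdict)
```

    The model has no address translation at all, which is the point of the argument: the property that keeps the port-5900 packet out is the state table plus a default-deny policy on the WAN interface, and NAT only happens to imply that state table as a side effect. A box that forwards a port, or whose helper opens a pinhole, has added an entry to that table without a LAN packet ever requesting it.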



  18. Re: How did they get past my NAT?

    On Nov 18, 11:54 pm, Leythos wrote:
    > In article > @w73g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...
    >
    > > Leythos is keen on
    > > blocking certain outgoing so he'd probably know of some examples.

    >
    > SMTP, SQL Command, Windows File Sharing, IM......
    >
    > I don't allow outbound SMTP from workstations ever.
    >
    > I don't allow outbound SQL Command from anything, ever.
    >
    > Windows File Sharing, DNS, etc... never from the local workstations..
    >
    > IM - only from approved workstations....
    >
    > While DNS is not an easy exploit the others permit LAN machines to spread
    > malware to people on the net with exposed machines.
    >



    If you block SMTP, can users only send email via Yahoo-like websites?
    I guess you don't block some SMTP and not others, since how would you
    distinguish between good and bad. They could (knowingly or not) be bad
    and use your SMTP server. You'd have to block all. Do you have
    no SMTP server?

    I know one company that has an SMTP server and does not allow Yahoo.
    That way they can more easily see all the email that goes in and out.



  19. Re: How did they get past my NAT?

    On Nov 19, 2:42 am, "Mr. Arnold" wrote:
    > wrote in message
    >
    > news:aaf5ac3a-9b60-451a-b03e-36c03533b841@w73g2000hsf.googlegroups.com...
    >
    >
    >
    >
    >
    > > On Nov 18, 7:17 pm, "Mr. Arnold" wrote:
    > >> wrote in message

    > >

    >
    > >> > That page does talk of a firewall as sitting between 2 networks.
    > >> > perhaps, as opposed to an individual computer from a network.

    >
    > >> To keep it simplistic for you, the Internet is a massive/giant network
    > >> the
    > >> Wide Area Network being protected from by the firewall. The network being
    > >> protected by the FW is the Local Area Network.

    >
    > > What is the complicated way then?

    >
    > > note- a firewall blocking certain outgoing can help protect other
    > > people on the internet from a compromised machine. Leythos is keen on
    > > blocking certain outgoing so he'd probably know of some examples.

    >
    > The proper thing would be to block all outbound traffic, and only allow
    > outbound traffic for


    well, if you are a techie user on the network of [mostly] idiot users,
    then you may not appreciate that.


    > those applications or services that need outbound
    > traffic. That would mostly apply to a solution such as a FW appliance,
    > packet filtering FW router or a software FW running on a secured gateway
    > computer that could implement the solution properly by creating packet
    > filtering rules.
    >


    I wouldn't say "properly"...

    With a network firewall, you cannot see directly which application
    sent the packet or established a connection. But you can block packets
    based on criteria that that application may use, like tcp port and app
    layer protocol. It is not literally blocking application blah
    though. The techie world does [or has produced software or
    techniques to] evade this sort of thing and get through the firewall.

    With a software firewall on each machine - an example you did not
    mention for obvious reasons - one app could pretend to be another.
    That firewallleaktest site prob has examples. But at least with that
    you can identify what application sent the packet, if it is not being
    evasive or malicious.
    And as far as I know, the regular techie world has not come up with a
    way to evade that one! I see malware doing it all the time. But
    techies are not running commands to let one application pretend to be
    another.. I guess it is because the need has not arisen. Companies do
    not - and with good reason - run a PFW on each machine! I don't know
    if a techie software firewall like perhaps winipfw, or, I don't know
    if it is a software firewall, but this ipsec thing you mention
    sometimes (is it a fw?), can see the application that sent the packet.





  20. Re: How did they get past my NAT?

    On 19 Nov, 10:23, Leythos wrote:
    > In article <533b5129-d008-4dd3-ac15-33ab1c6c5c11
    > @v4g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...
    >
    >
    >
    > > On Nov 18, 11:54 pm, Leythos wrote:
    > > > In article > > > @w73g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...

    >
    > > > > Leythos is keen on
    > > > > blocking certain outgoing so he'd probably know of some examples.

    >
    > > > SMTP, SQL Command, Windows File Sharing, IM......

    >
    > > > I don't allow outbound SMTP from workstations ever.

    >
    > > > I don't allow outbound SQL Command from anything, ever.

    >
    > > > Windows File Sharing, DNS, etc... never from the local workstations..

    >
    > > > IM - only from approved workstations....

    >
    > > > While DNS is not an easy exploit the others permit LAN machines to spread
    > > > malware to people on the net with exposed machines.

    >
    > > If you block SMTP, can users only send email via Yahoo-like websites?
    > > I guess you don't block some SMTP and not others, since how would you
    > > distinguish between good and bad. They could (knowingly or not) be bad
    > > and use your SMTP server. You'd have to block all. Do you have
    > > no SMTP server?

    >
    > Yahoo? Who uses Yahoo?
    >
    > If you don't have your own email server in your network then you can
    > limit your SMTP outbound to just the IP of your ISP's SMTP server - this
    > will cause most SMTP bots to be limited to just the SMTP service of your
    > ISP and they will contact you shortly after you are compromised.
    >
    > And yes, we block all SMTP Outbound from Workstations/Devices, Except
    > for our own SMTP server - if you're not using our SMTP server then
    > you're not using SMTP.


    the SMTP server that malicious programs are most likely to access
    when on your network, is your SMTP server. Since most SMTP servers are
    not "open relays".


