How did they get past my NAT? - Firewalls


Page 4 of 4, results 61 to 64 of 64

Thread: How did they get past my NAT?

  1. Re: How did they get past my NAT?


    wrote in message
    news:c74699fe-6733-4a46-8353-284d587ce521@a28g2000hsc.googlegroups.com...
    > On Nov 19, 2:42 am, "Mr. Arnold" wrote:
    >> wrote in message
    >> news:aaf5ac3a-9b60-451a-b03e-36c03533b841@w73g2000hsf.googlegroups.com...
    >>
    >> > On Nov 18, 7:17 pm, "Mr. Arnold" wrote:
    >> >> wrote in message
    >> >

    >>
    >> >> > That page does talk of a firewall as sitting between 2 networks.
    >> >> > perhaps, as opposed to an individual computer from a network.

    >>
    >> >> To keep it simplistic for you, the Internet is a massive/giant network,
    >> >> the Wide Area Network, being protected from by the firewall. The network
    >> >> being protected by the FW is the Local Area Network.

    >>
    >> > What is the complicated way then?

    >>
    >> > note- a firewall blocking certain outgoing can help protect other
    >> > people on the internet from a compromised machine. Leythos is keen on
    >> > blocking certain outgoing so he'd probably know of some examples.

    >>
    >> The proper thing would be to block all outbound traffic, and only allow
    >> outbound traffic for

    >
    > well, if you are a techie user on the network of [mostly] idiot users,
    > then you may not appreciate that.
    >
    >
    >> those applications or services that need outbound
    >> traffic. That would mostly apply to a solution such as a FW appliance,
    >> packet filtering FW router or a software FW running on a secured gateway
    >> computer that could implement the solution properly by creating packet
    >> filtering rules.
    >>

    >
    > I wouldn't say "properly"..
    >
    > With a network firewall, you cannot see directly which application
    > sent the packet or established a connection. But you can block packets
    > based on criteria that that application may use, like TCP port and
    > app-layer protocol. It is not literally blocking application blah
    > though. The techie world does [or has produced software or
    > techniques to] evade this sort of thing and get through the firewall.


    It's not the job of a FW to be blocking applications. A personal FW/packet
    filter is not a FW. The job of a FW is to stop inbound and outbound packets
    coming from the network it is protecting against, and also leaving the
    network if rules have been set to stop outbound packets. A FW sits at the
    junction point between two networks.

    >
    > With a software firewall on each machine - an example you did not
    > mention for obvious reasons - one app could pretend to be another.
    > That firewallleaktest site prob has examples. But at least with that
    > you can identify what application sent the packet, if it is not being
    > evasive or malicious.


    If the machine has been compromised, then there is nothing running on the
    machine that can stop it, other than, the O/S if it has the means to do so.
    So you stop something with a PFW. But what about the boot and login process,
    where the malware can beat the PFW to the connection and get out, because the
    PFW is not an integrated part of the O/S that the O/S is going to make other
    services wait for until the FW is up and running. And besides that, malware can
    fool the packet filter with app. control running with the O/S, like it can
    fool the O/S with both of them running with the O/S.

    And most users flat-out do not know what is legit or non-legit traffic in a
    typical situation when they are being asked the questions.

    > And as far as I know, the regular techie world has not come up with a
    > way to evade that one! I see malware doing it all the time. But
    > techies are not running commands to let one application pretend to be
    > another.. I guess it is because the need has not arisen. Companies do
    > not - and with good reason - run a PFW on each machine! I don't know
    > if a techie software firewall like perhaps winipfw, or, I don't know
    > if it is a software firewall, but this ipsec thing you mention
    > sometimes (is it a fw?), can see the application that sent the packet.


    Like I said, if the solution is not using two NIC(s), it's not a FW solution
    and is just a packet filter.


  2. Re: How did they get past my NAT?

    Leythos wrote:

    > In article <9e2f2f06-9ae5-41fb-867b-fd30940fcbe6
    > @f13g2000hsa.googlegroups.com>, jameshanley39@yahoo.co.uk says...
    > > On 19 Nov, 10:23, Leythos wrote:
    > > > In article <533b5129-d008-4dd3-ac15-33ab1c6c5c11
    > > > @v4g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...
    > > >
    > > >
    > > >
    > > > > On Nov 18, 11:54 pm, Leythos wrote:
    > > > > > In article > > > > > @w73g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk
    > > > > > says...
    > > >
    > > > > > > Leythos is keen on
    > > > > > > blocking certain outgoing so he`d probably know of some
    > > > > > > examples.
    > > >
    > > > > > SMTP, SQL Command, Windows File Sharing, IM......
    > > >
    > > > > > I don't allow outbound SMTP from workstations ever.
    > > >
    > > > > > I don't allow outbound SQL Command from anything, ever.
    > > >
    > > > > > Windows File Sharing, DNS, etc... never from the local
    > > > > > workstations..
    > > >
    > > > > > IM - only from approved workstations....
    > > >
    > > > > > While DNS is not a easy exploit the others permit LAN
    > > > > > machines to spread malware to people on the net with exposed
    > > > > > machines.
    > > >
    > > > > if you block SMTP. Can users only send email via Yahoo like
    > > > > websites? I guess you don't block some SMTP and not others,
    > > > > since how would you distinguish between good and bad. They
    > > > > could (knowingly or not) be bad and use your SMTP server. You'd
    > > > > have to block all.. Do you have no SMTP server?
    > > >
    > > > Yahoo? Who uses Yahoo?
    > > >
    > > > If you don't have your own email server in your network then you
    > > > can limit your SMTP outbound to just the IP of your ISP's SMTP
    > > > server - this will cause most SMTP bots to be limited to just the
    > > > SMTP service of your ISP and they will contact you shortly after
    > > > you are compromised.
    > > >
    > > > And yes, we block all SMTP Outbound from Workstations/Devices,
    > > > Except for our own SMTP server - if you're not using our SMTP
    > > > server then you're not using SMTP.

    > >
    > > the SMTP server that malicious programs are most likely to access
    > > when on your network, is your SMTP server. Since most SMTP servers
    > > are not "open relays".

    >
    > You seem to think that only an SMTP server uses SMTP - but the only
    > compromised SMTP servers I've seen in years were workstations/laptops
    > where the idiot had compromised their workstation with a malware that
    > installs its own SMTP engine - the laptop becomes an SMTP server
    > sending out hundreds of emails with the infection included per
    > minute. The malware, in every case, didn't attempt to use the
    > internal SMTP server, it had its own built into it.
    >
    > There are many threats, I look for more than just the common ones.


    I too have seen what I think you describe. Users running as
    administrator get compromised, their Windows firewall is taken down and
    they end up with an SMTP server and others connecting (incoming) or
    trying to connect. I think mostly they are saved by their NAT router.
    That is a common one!!

    They are screwed if they run a bridge or half-bridge thing, where
    there is no NAT. Like some USB DSL modems and perhaps PCI DSL modems.
    Typically with those things the PPP is done by Windows. ipconfig
    displays their public IP. Malicious people connect successfully, spam
    gets sent out from the user's computer and the user gets a threatening
    email from their ISP to get rid of it or else.

    But, we were talking of blocking outgoing, and thus outgoing smtp.
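As an added example, not code from the thread: the outbound policy Leythos describes (no SMTP from workstations except to the organisation's own mail server, no SQL, no Windows file sharing, no direct DNS) written as a small Python check and run over constructed flow records, so you can see which flows a packet filter would drop and which the "bot talking to an outside MTA" pattern produces. The subnets, server addresses and flow lines are assumptions.

```python
# Added example, not code from the thread. It models the outbound rules Leythos
# describes (no SMTP from workstations except to the organisation's own mail
# server, no SQL, no Windows file sharing, no direct DNS) over constructed
# flow records. Subnets, server addresses and the flow lines are assumed.
import ipaddress

WORKSTATIONS = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN range
MAIL_SERVER = ipaddress.ip_address("192.168.1.25")      # assumed internal SMTP server
RESOLVER = ipaddress.ip_address("192.168.1.53")         # assumed internal DNS forwarder

# Destination port -> the only destinations a workstation may reach on it.
# An empty set means "never allowed from a workstation".
EGRESS_POLICY = {
    25: {MAIL_SERVER},       # SMTP: only the internal mail server
    1433: set(),             # SQL Server command port
    445: set(), 139: set(),  # Windows file sharing
    53: {RESOLVER},          # DNS: only the internal forwarder
}

def decide(src, dst, dport):
    """Return 'accept' or 'drop' for one outbound flow under EGRESS_POLICY."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in WORKSTATIONS:
        return "accept"  # the policy only restricts workstations
    allowed = EGRESS_POLICY.get(dport)
    if allowed is None:
        return "accept"  # port not covered by the policy
    return "accept" if dst_ip in allowed else "drop"

def audit(flow_lines):
    """Parse 'src dst dport' flow lines; return a list of (line, verdict)."""
    results = []
    for line in flow_lines:
        src, dst, dport = line.split()
        results.append((line, decide(src, dst, int(dport))))
    return results

# Constructed flow records, not real captures. The last one is the pattern the
# thread describes: a workstation's own SMTP engine talking to an outside MTA.
SAMPLE_FLOWS = [
    "192.168.10.7 192.168.1.25 25",
    "192.168.10.7 192.168.1.53 53",
    "192.168.10.7 203.0.113.10 443",
    "192.168.10.9 203.0.113.20 1433",
    "192.168.10.9 198.51.100.5 25",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {line}")
```

The dropped flows are the ones worth logging: a workstation reaching for SMTP or SQL outside the allowed destinations is the early sign of compromise the thread talks about.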





  3. Re: How did they get past my NAT?

    Unruh wrote:
    > "jameshanley39@yahoo.co.uk" writes:
    >
    >> On 18 Oct, 19:14, Leythos wrote:
    >>> In article , unruh-s...@physics.ubc.ca
    >>> says...
    >>>
    >>>> Yes, agreed. But that is irrelevant. The question is not whether or not a
    >>>> firewall is more flexible than a NAT router, it is. The question is whether
    >>>> there is a difference in security against unsolicited outside attacks
    >>>> between a firewall which blocks all unsolicited outside connections, and a
    >>>> NAT router with no port holes punched through (i.e. no ports forwarded).
    >>> Yes, there is a difference.
    >>>
    >>> All quality firewalls have certifications from independent authorities
    >>> that will state how they work and that they are actually providing xyz.

    >
    > I am sorry, but you regard paper as a valid computer defense. Who cares if
    > they have a piece of paper attached? The question is not who has the paper
    > trail, but who has the security.
    >


    True, but one of the things this also shows is that it has been (thoroughly)
    peer-reviewed by (experts). I have my doubts as well since there is a lot of
    potential for fraud in this space.

    I like to think of it as the commercial variant to open-source software,
    e.g. with many eyes bugs are shallow.

    >>> NAT Routers have no certification (at least in the class we're talking
    >>> about) and have been shown, many times, to have exploits that allow
    >>> Unsolicited inbound traffic to pass through - even with no rules set by
    >>> the owner.

    >
    > As have firewalls at times.
    >
    >> Where has it been shown many times?

    >
    >> ( Not shown [many times] in this newsgroup. I first heard of any such
    >> issue from a few months ago perhaps, from Sebastian, on this
    >> newsgroup, and since by Volker. In a thread where you were advocating
    >> NAT for - I thought - blocking incoming )



  4. Re: How did they get past my NAT?

    On Oct 11, 10:31 am, Maniaque wrote:
    > On Oct 11, 6:31 am, Leythos wrote:
    >
    > > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
    > > maniaqu...@gmail.com says...

    >
    > > A NAT is not a firewall at all, it's basic routing - Most non-technical
    > > types call NAT Routers firewalls, they are not.

    >
    > That I understand, but I'm always a little confused about what the
    > difference exactly is... a firewall is a device that only allows
    > connections that you want to allow - a NAT is a device that allows
    > outgoing connections arbitrarily, but normally (or only sometimes? see
    > the STUN information Chris mentioned) prevents arbitrary incoming
    > connections. Most home routers additionally claim to have a "firewall"
    > function that you can turn on / off (including the WRT54G) - when do
    > you decide what is and what is not a firewall? I really would like to
    > know, it's something that's puzzled me for years. Some things are
    > clearly not a firewall at all, like a "Full-cone" NAT router. Some
    > things are clearly a firewall first, and anything else after, like one
    > of those Cisco devices. But aren't most home routers somewhere
    > in-between?
    >

    A true Firewall is a packet and port filter and is able to filter in
    both directions. Basically a firewall regulates the flow of traffic
    between 2 or more computer networks.
    >
    > > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
    > > inbound traffic, that's all.

    >
    > Not true. The WRT54G can block outgoing connections based on any
    > number of specified parameters, and then it has all those extra fancy
    > features that I don't understand
    >
    > Firewall Protection: Enable Disable
    > Additional Filters
    > Filter Proxy Filter Cookies
    > Filter Java Applets Filter ActiveX
    > Block Portscans Filter P2P Applications
    > Block WAN Requests
    > Block Anonymous Internet Requests
    > Filter Multicast
    > Filter Internet NAT Redirection
    > Filter IDENT(Port 113)
    >

    It is still not a TRUE firewall because it can't filter by port.
    >
    > > No, port forwarding is what your problem is - if you forward ports then
    > > you expose your computer/network and that's how people reach your
    > > computer to do things you don't want.

    >
    > Only if they get past the intended security of the service in
    > question, right?
    >

    Port forwarding is used to allow unsolicited inbound traffic to pass
    through to a server listening on a certain port. Port forwarding only
    forwards traffic on the specified port. So if you are hosting email then
    you would enable port forwarding on port 25.
    >
    > > You should learn to post in one group or to cross post so that your
    > > thread is easy to work with for multiple groups that you've done this
    > > in.

    >
    > Yep, thanks.
    >
    > Tao



    Hope that is helpful,

    Hex
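An added example, not from the thread: a small Python model of the NAT behaviour debated above. Outbound traffic creates a translation entry, inbound packets pass only if they match one (the "full-cone" versus restricted distinction Maniaque raises) or a configured port forward such as the port 25 example Hex gives; every address is an assumed documentation-range value.

```python
# Added example, not from the thread: a toy model of the NAT behaviour the
# posts argue about. Outbound traffic creates a translation entry; inbound
# packets pass only if they match an entry (full-cone: from anyone, restricted:
# only from the endpoint that was contacted) or a configured port forward.
# Addresses are assumed documentation ranges, not taken from the thread.

class NatRouter:
    def __init__(self, public_ip, cone="restricted", forwards=None):
        self.public_ip = public_ip
        self.cone = cone                 # "full" or "restricted"
        self.forwards = forwards or {}   # public port -> (lan_ip, lan_port)
        self.table = {}                  # public port -> (lan_ip, lan_port, dst_ip, dst_port)
        self.next_port = 40000

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """LAN host opens a connection; allocate a public port and record it."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (lan_ip, lan_port, dst_ip, dst_port)
        return (self.public_ip, pub_port)

    def inbound(self, src_ip, src_port, pub_port):
        """Packet arrives from the WAN. Return the LAN endpoint it is delivered
        to, or None if the router discards it as unsolicited."""
        if pub_port in self.forwards:
            return self.forwards[pub_port]          # explicitly exposed service
        entry = self.table.get(pub_port)
        if entry is None:
            return None                              # no mapping: unsolicited
        lan_ip, lan_port, dst_ip, dst_port = entry
        if self.cone == "full" or (src_ip, src_port) == (dst_ip, dst_port):
            return (lan_ip, lan_port)
        return None                                  # restricted cone: wrong peer

def demo():
    """Walk the scenarios from the thread; returns the verdicts for checking."""
    nat = NatRouter("203.0.113.1", forwards={25: ("192.168.1.25", 25)})
    _, port = nat.outbound("192.168.1.10", 51000, "198.51.100.80", 443)
    return {
        "reply_from_peer": nat.inbound("198.51.100.80", 443, port),
        "scan_of_mapped_port": nat.inbound("198.51.100.99", 4444, port),
        "unsolicited": nat.inbound("198.51.100.99", 4444, 3389),
        "forwarded_smtp": nat.inbound("198.51.100.99", 4444, 25),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} -> {verdict}")
```

Switching the router to cone="full" makes the scan of the mapped port succeed, which is the difference between a NAT that merely translates and one that behaves like a stateful filter.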
