
How did they get past my NAT?


Maniaque

Oct 10, 2007, 6:41:21 AM

[this is a repost, I also sent to alt.computer.security]

Sorry I'm new here, not sure this is the right newsgroup to post to -
I have a question that is about routers, security, and connectivity
all rolled into one.

Yesterday while I was working on my desktop all of a sudden a session
kicked in on my VNC server - my desktop background image disappeared
and the RealVNC system tray icon turned black to indicate a session in
progress. Within a couple of seconds, something hit my start menu, run
dialog, "cmd", and typed "TFT" in the new command prompt window. At
this point I panicked and shut down the VNC service ASAP.

This post is not actually about the VNC problem, I found out today
that the version I used had a known security flaw that allowed
bypassing the password prompt. That is clearly what happened there,
and could be easily fixed with upgrading to the newest version.

My question is how the attacker got to my VNC port!

Here's all the background I can muster:

- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
- I have a standard NAT lan, with a variety of devices connecting to
the internet through the router.
- I have certain very specific ports forwarded to my desktop for
remote access, peer-to-peer connectivity, etc.
- I am NOT forwarding either of the VNC ports (standard ports 5900
and 5800), so to my limited knowledge the VNC service should not be
accessible from the internet. I have of course tested this, and found
that to be correct. The VNC service is not publicly accessible.
- I do not have the firewall enabled on the router, because I assumed
the NAT basically made it safe. I tried enabling the router firewall
today but it also seems to block the services that I need to be able
to access from the internet (eg HTTP, I run a small webserver), so
that does not work for me.
- I WAS running uTorrent at the time of the attack (and had been for
a few hours)
- I did get the IP address of the attacker from my VNC log, it was
"85.239.126.86", an address in Germany. I have not looked for or found
any further information. I guess I could try a port scan but I assume
it's a zombie computer so what's the point.

Now my understanding is that "85.239.126.86" being an internet
address, for the VNC session to work that address would need to be
routable - the only way that that address could be routed on my
network is through the ADSL router / gateway (I think). In theory I
guess there could have been some sort of local tunnel set up, but I
assume that would have required a virtual network adapter to have been
set up on my computer? (I saw nothing like that, and virus and spyware
scans have come up clean).

If it was routed through my router, how could the attacker have
convinced the router to initiate the communication to my internal port
5900 on that particular machine??? The safety of a NAT, as I
understand it, is that remote hosts cannot access an internal address
unless there is explicit port forwarding enabled, or the session is
initiated by a host behind the NAT, is that not correct?

I guess I'm only coming to the real point of my post now - assuming
that I'm on the right track, and that this communication on port 5900
was happily handled by my router, could it have been initiated by
another program on my desktop, specifically the uTorrent client? I've
been logging sessions on my router since this morning, and I see that
client connections are opened by the uTorrent client (very frequently,
thousands per hour) with random local port numbers, that slowly seem
to increase / cycle. It is possible that the uTorrent client made a
client connection using local port number 5900 (which was also being
used by the VNC server), and the computer/remote host that the
uTorrent client was connecting to took advantage of this situation to
test / probe / attack the VNC server on that port?

I guess the questions are:
- is it possible for a client TCP connection to be initiated by a
local "client" program from a port that is already being used by a
"server" program, like VNC server?
- what are the chances, statistically speaking, that this would
happen? Would it be worth a hacker's time to set up servers as
bittorrent participants / seeds in the hopes that some client computer
makes a connection using a special port (eg VNC), which could then
allow the computer's VNC server to be probed / tested for the known
VNC vulnerability? It's the only explanation that I can think of, but
I just can't see how it would be worth a hacker's time!

Final blurb: I set up a syslog server on my desktop and have been
logging all incoming and outgoing sessions from my router (generating
a nasty amount of log data, but I'll put up with it). This way I'll be
able to see how the session gets set up, if I ever become aware of
another similar situation. I will upgrade my VNC server of course, so
the attack would need to use another vector. My concern of course is
that I may NOT be aware of it next time. My desktop is not hardened as
a public server with all ports exposed - I'm very much counting on the
fact that only specific selected ports should be accessible from
outside. In theory, if any port on the desktop can be exposed, then my
windows filesharing setup is just one of the things that would be
vulnerable to brute-force attack. Is there anything else I can do to
investigate this or help prevent future issues? Does anyone have any
experience with the Xavi router or GlobespanVirata chipset that could
help me get it set up to prevent this from happening again? For now I
will probably install a local firewall on the desktop allowing only
the servers I need to work, but that of course makes all sorts of
things more complicated - file and printer sharing, VPN client
software setup, HTTP proxy setup, etc etc. I just wish I could feel
safe in my own network again!

Sorry about the monster first post, I would appreciate any and all
feedback.

Thanks,
Tao

Sebastian G.

Oct 10, 2007, 12:35:26 PM

Maniaque wrote:


> - I do not have the firewall enabled on the router, because I assumed
> the NAT basically made it safe.


NAT doesn't make it safe.

> If it was routed through my router, how could the attacker have
> convinced the router to initiate the communication to my internal port
> 5900 on that particular machine???


Simply ask for it? Wait until it comes up?

> The safety of a NAT, as I
> understand it, is that remote hosts cannot access an internal address
> unless there is explicit port forwarding enabled, or the session is
> initiated by a host behind the NAT, is that not correct?


What about implicit forwarding, for example by protocol helper implementations?

> It is possible that the uTorrent client made a
> client connection using local port number 5900 (which was also being
> used by the VNC server), and the computer/remote host that the
> uTorrent client was connecting to took advantage of this situation to
> test / probe / attack the VNC server on that port?


No.

> I guess the questions are:
> - is it possible for a client TCP connection to be initiated by a
> local "client" program from a port that is already being used by a
> "server" program, like VNC server?


No, but using a protocol helper you can do this for a different port.

> - what are the chances, statistically speaking, that this would
> happen? Would it be worth a hacker's time to set up servers as
> bittorrent participants / seeds in the hopes that some client computer
> makes a connection using a special port (eg VNC), which could then
> allow the computer's VNC server to be probed / tested for the known
> VNC vulnerability? It's the only explanation that I can think of, but
> I just can't see how it would be worth a hacker's time!


Assuming that the timeout for the NAT table entries is five minutes, it
could be a completely different source.

> I'm very much counting on the
> fact that only specific selected ports should be accessible from
> outside.


Then implement this concept.

> In theory, if any port on the desktop can be exposed, then my
> windows filesharing setup is just one of the things that would be
> vulnerable to brute-force attack.


Or DoS attacks.

> Is there anything else I can do to
> investigate this or help prevent future issues? Does anyone have any
> experience with the Xavi router or GlobespanVirata chipset that could
> help me get it set up to prevent this from happening again?


Maybe, but unless you know the implementation....

Maniaque

Oct 11, 2007, 3:47:32 AM

OK, thanks very much for the reply, although now I feel like I've been
made to wear the donkey hat and stand in the corner of the
classroom... :)


On Oct 10, 12:35 pm, "Sebastian G." <se...@seppig.de> wrote:


> Simply ask for it?

What do you mean by "Ask for it"? If I do that (from outside the
network), I get no response, because there is no "Default host" set up
behind my NAT, and no port forwarding for that port - if an explicit
port forwarding has not been set up, how can a remote host "Ask for"
that server? Is this something that is allowed by the average NAT but
requires extra network programming skills?


> Wait until it comes up?

But why would it ever come up? Why would that port ever be opened to
the outside from that machine? The port is bound to the VNC server (so
no other program on the desktop should be able to do anything with it,
as I understand?), and not forwarded on the router, so there should be
no reason for a NAT session entry pointing that port to the outside
ever to be opened, right? (I certainly don't open VNC connections to
the internet, despite my limited knowledge I am very aware that basic
VNC communication is totally unprotected, both authentication and
data)

>
> > The safety of a NAT, as I
> > understand it, is that remote hosts cannot access an internal address
> > unless there is explicit port forwarding enabled, or the session is
> > initiated by a host behind the NAT, is that not correct?
>
> What about implicit forwarding, for example by protocol helper implementations?
>

Sounds interesting, what is this? Is this the sort of thing that can
sometimes make regular "Active" FTP work from behind a NAT, where the
firewall automatically sees the FTP control port communication and
opens up/forwards the data port as required? If so, how could the
router be convinced to do this for an arbitrary port? Is there some
sort of standard for triggering this behaviour?

I have just tested Active FTP from behind my NAT and it did not work
(to an FTP server where passive FTP is working without issues) - does
that say anything about this possibility?

>
> > I guess the questions are:
> > - it it possible for a client TCP connection to be initiated by a
> > local "client" program from a port that is already being used by a
> > "server" program, like VNC server?
>
> No, but using a protocol helper you can do this for a different port.

I've searched online for any information about "protocol helper", it
seems to be synonymous with "IP helper" - I see a windows API, but
that looks like it would require the attacker to be running arbitrary C/
C++ code on the desktop (or other device on the network?). Do you know
where I could find any information about what this is, how it works
etc?

>
> Assuming that the timeout for the NAT table entries is five minutes, it
> could be a completely different source.
>

OK, I'm going to show my complete lack of understanding about how NAT
works here (if I haven't already :)), but it's the NAT device keeping
track of the ip addresses (and some additional "magic" session
information?) at both ends of the communication? What happens if two
client machines try to open a connection from the same client-side
port at the same time, does the NAT simply refuse one of them? I was
under the impression that there could be multiple machines
communicating to/from the same port from behind a NAT without
problems. For that to be true, the NAT device would need to be looking
at each incoming packet and sending it to the correct internal host
based on some filtering logic, right (rather than a simple temporary
port-to-host mapping table)? Are you saying that some arbitrary third-
party IP address can send in a packet and have it be routed to a
specific host behind the NAT, as long as the attacker has seen one of
the packets of the communication between the legitimate remote host
and the local host behind the NAT?

If I understand what you are saying correctly, and a remote attacker
can actually direct arbitrary packets into any Existing NAT session by
spying on a legitimate packet destined to/from the NAT-ed host, that
still doesn't explain how the port session could be opened on the NAT
device in the first place - is this where you are saying that the
"Protocol Helper" comes in?


> > I'm very much counting on the
> > fact that only specific selected ports should be accessible from
> > outside.
>
> Then implement this concept.
>

So... given that my ADSL connection uses PPPoA (which is non-
bridgeable I believe, as opposed to PPPoE), I would need to set up a
second router/firewall/NAT device like a linksys wrt54G to sit behind
the telecoms-operator-provided Xavi router, forward the appropriate
ports through both devices, and make sure that the firewall is turned
on on the wrt54g? I can only assume that what was "missing" in my
original setup was a firewall (which my adsl router claims to have,
but when I turn it on all the port forwarding stops working, which
sort of defeats the purpose). Or do you have any other suggestions on
how this can be done using home equipment?


> > In theory, if any port on the desktop can be exposed, then my
> > windows filesharing setup is just one of the things that would be
> > vulnerable to brute-force attack.
>
> Or DoS attacks.

Meh, I'm not so concerned. Why would anyone bother? I'm a home user,
I'm running a silly little website with 10 pageviews/month, my only
concern is that someone gets into my machine / network and installs
malicious code, spies on me, enlists my computer into a botnet of some
sort, turns me into an infection vector for some or other virus /
worm / trojan, etc. That would suck. It is incredibly unpleasant to
have your desktop suddenly taken over via VNC, too, although I don't
think that can happen again in quite the same way, I did upgrade away
from the defective RealVNC version.

>
> > Is there anything else I can do to
> > investigate this or help prevent future issues? Does anyone have any
> > experience with the Xavi router or GlobespanVirata chipset that could
> > help me get it set up to prevent this from happening again?
>
> Maybe, but unless you know the implementation....

Not sure what you meant here - I know exactly how I have everything
set up, but I don't know much about the workings / functionality of
the router itself. There are no configuration manuals online or
anything. In fact, I was able to get it to forward logging info to a
syslog server on my desktop by browsing through and editing the
"configuration backup" file, but afterwards remembered what I'd read a
few months ago on some forum - you have to turn logging off on this
router, because otherwise it hangs when it runs out of log space. No
cycling, no "forward to syslog server but do not store locally", it
simply hangs.

So it looks like at an absolute minimum I'm going to need to set up
the second-level linksys wrt54g firewall/router, but I guess I'd like
your criticism if you have any thoughts on the sensibleness of this
idea, and whether it helps to "implement this concept" as you
suggested above :)

Thanks so much for the feedback!
Tao
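The "protocol helper" question above (and the FTP NAT helper that the last post in this thread identifies as the actual cause) comes down to how an FTP application-level gateway reads a PORT command and decides to open an inbound hole. The following is an added example written for this thread, not code from the Xavi firmware or from any poster; the addresses are constructed, and the policy rules in `decide_pinhole` are assumptions describing what a conservative helper checks (command seen on a control connection to port 21, PORT address equal to the connection's own source, no privileged ports, plus an operator-maintained list of ports that must never be opened). The `vnc_lax` case shows the practical problem: the first three checks pass for any program on the LAN host that names its own machine's port 5900, which is why a protected-port list, disabling the helper, or a host firewall is needed.

```python
"""Model of an FTP 'NAT helper' (application-level gateway) deciding whether to
open an inbound pinhole for an active-mode PORT command.  Constructed example
for this thread, not the router's code; the policy rules are assumptions
describing what a conservative helper checks."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" -> address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


@dataclass(frozen=True)
class Pinhole:
    """Temporary inbound allowance: only from_addr may connect to to_addr:to_port."""
    from_addr: str
    to_addr: str
    to_port: int


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Parse a PORT command; return (address, port) or None if malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def decide_pinhole(client_addr: str, server_addr: str, server_port: int, line: str,
                   protected_ports: FrozenSet[int] = frozenset()
                   ) -> Tuple[Optional[Pinhole], str]:
    """Return (pinhole or None, reason).  client_addr/server_addr are the LAN and
    remote ends of the control connection on which the helper saw the command."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None, "not a PORT command"
    addr, port = parsed
    if server_port != 21:
        return None, "control connection is not to port 21; helper not engaged"
    if addr != client_addr:
        return None, "PORT address differs from the connection's own source"
    if port < 1024:
        return None, "privileged port"
    if port in protected_ports:
        return None, "port is on the operator's protected list"
    return Pinhole(server_addr, addr, port), "pinhole opened"


def demo() -> dict:
    """Run the checks over constructed PORT commands (assumed addresses)."""
    client, server = "192.168.1.10", "198.51.100.20"
    protected = frozenset({139, 445, 5800, 5900})   # local services never to expose
    cases = {
        "normal":     ("PORT 192,168,1,10,4,20", 21, frozenset()),   # port 1044
        "vnc_lax":    ("PORT 192,168,1,10,23,12", 21, frozenset()),  # port 5900, no list
        "vnc_strict": ("PORT 192,168,1,10,23,12", 21, protected),
        "bounce":     ("PORT 10,0,0,5,4,20", 21, frozenset()),       # third-party address
        "low_port":   ("PORT 192,168,1,10,0,80", 21, frozenset()),   # port 80
        "not_ftp":    ("PORT 192,168,1,10,4,20", 8021, frozenset()),
        "garbage":    ("PORT 999,1,1,1,4,20", 21, frozenset()),
    }
    return {name: decide_pinhole(client, server, sport, line, prot)
            for name, (line, sport, prot) in cases.items()}


if __name__ == "__main__":
    for name, (hole, reason) in demo().items():
        print(f"{name:11} -> {reason}" + (f" {hole}" if hole else ""))
```

The pinhole the helper creates is narrow (only the FTP server's address may use it), which matches the observation later in the thread that the port was opened "from a target site on the internet" rather than to the world; the hole is still a hole, and nothing in the FTP protocol lets the router tell a real FTP client from any other program that speaks a few lines of it.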


Leythos

Oct 11, 2007, 6:31:23 AM

In article <1192088852....@r29g2000hsg.googlegroups.com>,
mania...@gmail.com says...

> I would need to set up a
> second router/firewall/NAT device like a linksys wrt54G to sit behind
> the telecoms-operator-provided Xavi router, forward the appropriate
> ports through both devices, and make sure that the firewall is turned
> on on the wrt54g? I can only assume that what was "missing" in my
> original setup was a firewall (which my adsl router claims to have,
> but when I turn it on all the port forwarding stops working, which
> sort of defeats the purpose). Or do you have any other suggestions on
> how this can be done using home equipment?

A NAT is not a firewall at all, it's basic routing - Most non-technical
types call NAT Routers firewalls, they are not.

a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
inbound traffic, that's all.

No, port forwarding is what your problem is - if you forward ports then
you expose your computer/network and that's how people reach your
computer to do things you don't want.

You should learn to post in one group or to cross post so that your
thread is easy to work with for multiple groups that you've done this
in.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)

Chris Davies

Oct 11, 2007, 8:48:02 AM

Maniaque <mania...@gmail.com> wrote:
> - I am running an ADSL router, "Xavi" brand, "7028r" model, and it
> seems to run a "GlobespanVirata" chipset. This was provided to me by
> my previous ADSL provider, Telefonica Spain.

I have also used a badged GlobespanVirata running in NAT with no firewall
but with selected port forwarding. (Behind that runs a linux box that
does have a firewall, but that's moot just now.)


> - I have certain very specific ports forwarded to my desktop for
> remote access, peer-to-peer connectivity, etc. \
> - I am NOT forwarding either of the VNC ports (standard ports 5900
> and 5800), so to my limited knowledge the VNC service should not be
> accessible from the internet.

Based on what you're saying, I'd concur with you.


> - I do not have the firewall enabled on the router, because I assumed
> the NAT basically made it safe.

NAT will inherently block all externally originated inbound traffic with
the exception of those ports that you have selected for port forwarding.
On that understanding it makes for an adequate external facing firewall.
It is not a good substitute for a proper thought-out policy and
implementation, though.


> I tried enabling the router firewall
> today but it also seems to block the services that I need to be able
> to access from the internet (eg HTTP, I run a small webserver), so
> that does not work for me.

Again, based on my experience with the GV chipset and firmware I'd agree
with you there, too.


> - I WAS running uTorrent at the time of the attack (and had been for
> a few hours)

> Now my understanding is that "85.239.126.86" being an internet
> address, for the VNC session to work that address would need to be
> routable - the only way that that address could be routed on my
> network is through the ADSL router / gateway (I think).

Or through some other port-forwarded service. (Instant messenger flaw,
SOCKS, internal web proxy,...)


> In theory I
> guess there could have been some sort of local tunnel set up, but I
> assume that would have required a virtual network adapter to have been
> set up on my computer? (I saw nothing like that, and virus and spyware
> scans have come up clean).

Your virus/spyware scans obviously didn't pick up that you were running
the flawed VNC service (I wouldn't expect them to do so), so they won't
pick up any other software you run that has similar security flaws. I'd
check them all out if I were you.

I'd also be inclined to boot cold (if you can) and run a virus checker
from outside your installed OS. If you're up to it, then either pop
your disk drive into a different Windows box and scan from that known
safe system, or else get a Linux-based "live CD" distribution and run
something like clam AV (with all its updates, please!) against your
installed OS. Otherwise there's no guarantee that your AV software hasn't
been modified by some virus/trojan you've accidentally installed.


> If it was routed through my router, how could the attacker have
> convinced the router to initiate the communication to my internal port
> 5900 on that particular machine??? The safety of a NAT, as I
> understand it, is that remote hosts cannot access an internal address
> unless there is explicit port forwarding enabled, or the session is
> initiated by a host behind the NAT, is that not correct?

That's correct. Further, the GV chipset that I have - which /may/ or may
not be the same as yours - does NAT such that a rule only allows traffic
on the 5-tuple (proto, sport, saddr, dport, daddr) to pass. (Some NAT
devices are more liberal than that. I say they're broken. STUN users
say they're great.)

> I guess I'm only coming to the real point of my post now - assuming
> that I'm on the right track, and that this communication on port 5900
> was happily handled by my router, could it have been initiated by
> another program on my desktop, specifically the uTorrent client?

I thought that Bit Torrent was essentially built around a UDP based
protocol. VNC on the other hand is TCP. So, no, I don't see how one
could influence the other. Trojans and flawed software notwithstanding.

> I've
> been logging sessions on my router since this morning, and I see that
> client connections are opened by the uTorrent client (very frequently,
> thousands per hour) with random local port numbers, that slowly seem
> to increase / cycle.

That's typical behaviour, yes.


> It is possible that the uTorrent client made a
> client connection using local port number 5900 (which was also being
> used by the VNC server), and the computer/remote host that the
> uTorrent client was connecting to took advantage of this situation to
> test / probe / attack the VNC server on that port?

This should not be possible.


> - is it possible for a client TCP connection to be initiated by a
> local "client" program from a port that is already being used by a
> "server" program, like VNC server?

It is possible for a service to bind to a port using INADDR_ANY ("listen
for connections to this port on all local interfaces"), and for another
process to bind more tightly to that port ("listen for connections to
this port from this specific local interface"), but then that second
process would receive the connection request rather than the original.

However, also bear in mind that VNC can be used to initiate a
server session (i.e. it pushes your screen out to a remote viewing
client). Perhaps you - or some trojan - accidentally triggered this?

Chris
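To make the 5-tuple remark above concrete, here is a toy model of a NAT translation table, added as an example for this thread and not code from the router or from any poster. It models the table only (no real packets); the addresses, ports and the 300-second idle timeout are assumptions (the timeout being the figure Sebastian G. mentioned). It contrasts a strict NAT, which only admits an inbound packet whose source matches the peer the LAN host actually sent to, with a full-cone NAT, which admits anyone who hits a mapped port, and it also shows that a port with neither a mapping nor an explicit forward (5900 here) is unreachable under both, while an idle entry eventually expires.

```python
"""Toy model of a NAT translation table, contrasting a strict 5-tuple
(port-restricted) NAT with a liberal "full-cone" NAT.  Constructed example
written for this thread, not code from any router vendor; addresses, ports
and the 300-second idle timeout are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int


@dataclass
class Mapping:
    int_addr: str
    int_port: int
    peer_addr: str    # remote host the LAN host sent to
    peer_port: int
    last_seen: float


class NAT:
    """strict=True admits inbound only when (proto, ext_port, saddr, sport) match a
    prior outbound flow; strict=False (full cone) admits any source to a mapped port."""

    def __init__(self, public_ip: str, strict: bool = True, timeout: float = 300.0):
        self.public_ip = public_ip
        self.strict = strict
        self.timeout = timeout
        self.table: Dict[Tuple[str, int], Mapping] = {}      # (proto, ext_port) -> Mapping
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}  # explicit port forwards
        self._next_port = 40000

    def forward_port(self, proto: str, ext_port: int, int_addr: str, int_port: int) -> None:
        self.forwards[(proto, ext_port)] = (int_addr, int_port)

    def _expire(self, now: float) -> None:
        for key, m in list(self.table.items()):
            if now - m.last_seen > self.timeout:
                del self.table[key]

    def outbound(self, pkt: Packet, now: float) -> int:
        """LAN host -> internet: create or refresh a mapping; return the external port."""
        self._expire(now)
        for (proto, ext_port), m in self.table.items():
            if proto == pkt.proto and (m.int_addr, m.int_port, m.peer_addr, m.peer_port) == (
                    pkt.saddr, pkt.sport, pkt.daddr, pkt.dport):
                m.last_seen = now
                return ext_port
        ext_port = self._next_port
        self._next_port += 1
        self.table[(pkt.proto, ext_port)] = Mapping(pkt.saddr, pkt.sport, pkt.daddr, pkt.dport, now)
        return ext_port

    def inbound(self, pkt: Packet, now: float) -> Optional[Endpoint]:
        """Internet -> router public address: return the LAN endpoint the packet is
        delivered to, or None if the router drops it."""
        self._expire(now)
        if (pkt.proto, pkt.dport) in self.forwards:
            return self.forwards[(pkt.proto, pkt.dport)]
        m = self.table.get((pkt.proto, pkt.dport))
        if m is None:
            return None                                   # no state: unsolicited, dropped
        if self.strict and (m.peer_addr, m.peer_port) != (pkt.saddr, pkt.sport):
            return None                                   # 5-tuple mismatch: dropped
        m.last_seen = now
        return (m.int_addr, m.int_port)


def demo() -> Dict[str, Optional[Endpoint]]:
    """Replay the thread's scenario against both NAT flavours (assumed addresses)."""
    lan, public, peer, stranger = "192.168.1.10", "203.0.113.7", "198.51.100.20", "198.51.100.99"
    results: Dict[str, Optional[Endpoint]] = {}
    for name, strict in (("strict", True), ("cone", False)):
        nat = NAT(public, strict=strict)
        nat.forward_port("tcp", 80, lan, 80)                                 # the small web server
        ext = nat.outbound(Packet("tcp", lan, 51234, peer, 6881), now=0.0)   # torrent peer
        results[f"reply_{name}"] = nat.inbound(Packet("tcp", peer, 6881, public, ext), 1.0)
        results[f"stranger_{name}"] = nat.inbound(Packet("tcp", stranger, 4623, public, ext), 2.0)
        results[f"vnc_{name}"] = nat.inbound(Packet("tcp", stranger, 4623, public, 5900), 3.0)
        results[f"http_{name}"] = nat.inbound(Packet("tcp", stranger, 4623, public, 80), 4.0)
        results[f"expired_{name}"] = nat.inbound(Packet("tcp", peer, 6881, public, ext), 400.0)
    return results


if __name__ == "__main__":
    for key, dest in demo().items():
        print(f"{key:16} -> {'forwarded to ' + str(dest) if dest else 'dropped'}")
```

Neither flavour delivers anything to port 5900 on its own: as the replies in this thread say, something else has to create state for that port (a forward, a helper, or a connection from inside) before the outside can reach it.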

Maniaque

Oct 11, 2007, 12:20:16 PM

On Oct 11, 8:48 am, Chris Davies <chris-use...@roaima.co.uk> wrote:


>
> > - I do not have the firewall enabled on the router, because I assumed
> > the NAT basically made it safe.
>
> NAT will inherently block all externally originated inbound traffic with
> the exception of those ports that you have selected for port forwarding.
> On that understanding it makes for an adequate external facing firewall.
> It is not a good substitute for a proper thought-out policy and
> implementation, though.
>

hmm, subtle dig? :)

> > - I WAS running uTorrent at the time of the attack (and had been for
> > a few hours)
> > Now my understanding is that "85.239.126.86" being an internet
> > address, for the VNC session to work that address would need to be
> > routable - the only way that that address could be routed on my
> > network is through the ADSL router / gateway (I think).
>
> Or through some other port-forwarded service. (Instant messenger flaw,
> SOCKS, internal web proxy,...)
>

right, but would it show up logged with the public IP address in my
event log? That's what I'm surprised by - the VNC client / attacker
did not look like it was coming from some local address that was being
tunneled by some local proxy or malware - it was logged as a public
internet address - does that not mean that it had to go through my
regular NIC? Or are you saying that the malware would have set up its
own routing rules in windows to forward traffic for that specific IP
to itself instead of my regular NIC - to do that, would it not need to
show up in some device list in windows? Sorry, my lack of knowledge
about OS-level networking in windows is clear here.

> > In theory I
> > guess there could have been some sort of local tunnel set up, but I
> > assume that would have required a virtual network adapter to have been
> > set up on my computer? (I saw nothing like that, and virus and spyware
> > scans have come up clean).
>
> Your virus/spyware scans obviously didn't pick up that you were running
> the flawed VNC service (I wouldn't expect them to do so), so they won't
> pick up any other software you run that has similar security flaws. I'd
> check them all out if I were you.

Yep, still doing. Next check is Apache, it's been a little while since
I upgraded.

In another thread that I inelegantly cross-posted, Leythos (other post
above) provided lots of helpful advice on better scanning for malware,
I'll have a go at that too:

http://groups.google.com/group/alt.computer.security/browse_thread/thread/9e3101dbc319cc28/#

>
> I'd also be inclined to boot cold (if you can) and run a virus checker
> from outside your installed OS. If you're up to it, then either pop
> your disk drive into a different Windows box and scan from that known
> safe system, or else get a Linux-based "live CD" distribution and run
> something like clam AV (with all its updates, please!) against your
> installed OS. Otherwise there's no guarantee that your AV software hasn't
> been modified by some virus/trojan you've accidentally installed.
>

Yep, will do, thanks!

> > If it was routed through my router, how could the attacker have
> > convinced the router to initiate the communication to my internal port
> > 5900 on that particular machine??? The safety of a NAT, as I
> > understand it, is that remote hosts cannot access an internal address
> > unless there is explicit port forwarding enabled, or the session is
> > initiated by a host behind the NAT, is that not correct?
>
> That's correct. Further, the GV chipset that I have - which /may/ or may
> not be the same as yours - does NAT such that a rule only allows traffic
> on the 5-tuple (proto, sport, saddr, dport, daddr) to pass. (Some NAT
> devices are more liberal than that. I say they're broken. STUN users
> say they're great.)

Woah, now there's an interesting bit of news! Based on the diagram at
this wikipedia article, it looks like the only types of NAT that would
fit my assumptions, and consequently be "as safe as I expected", would
be a "Symmetric" NAT and a "Restricted Port" NAT?

http://en.wikipedia.org/wiki/STUN

I'll have to get my hands on a STUN client (and access to a server) to
see if I can test this out - if I understand correctly anything other
than Symmetric and Restricted Port is "Bad", in that it could allow
open windows for remote hosts to contact me on ports that I do not
want, or for hosts that I have not reached out to to reach out to me -
both of these were things I did not think were allowed by a normal
NAT, outside of special "Per-Protocol" exceptions like Active FTP.

>
> > I guess I'm only coming to the real point of my post now - assuming
> > that I'm on the right track, and that this communication on port 5900
> > was happily handled by my router, could it have been initiated by
> > another program on my desktop, specifically the uTorrent client?
>
> I thought that Bit Torrent was essentially built around a UDP based
> protocol. VNC on the other hand is TCP. So, no, I don't see how one
> > could influence the other. Trojans and flawed software notwithstanding.

OK, thanks for confirming. I guess I'll wait to see if Sebastian G gets
back to me with any refutations of this "NAT-shielding-against-public-
access-of-services" theory.

>
> > - is it possible for a client TCP connection to be initiated by a
> > local "client" program from a port that is already being used by a
> > "server" program, like VNC server?
>
> It is possible for a service to bind to a port using INADDR_ANY ("listen
> for connections to this port on all local interfaces"), and for another
> process to bind more tightly to that port ("listen for connections to
> this port from this specific local interface"), but then that second
> process would receive the connection request rather than the original.
>

Right, exactly what IIS does. I did not know that this was inherent to
the O/S, thanks for confirming.

> However, also bear in mind that VNC can be used to initiate a
> server session (i.e. it pushes your screen out to a remote viewing
> client). Perhaps you - or some trojan - accidentally triggered this?
>

Hmm, thanks for that, but no - my VNC server event log entries clearly
show the connection coming in from outside, without any authentication
step between the connection being accepted and my killing the server
after they had successfully reached my desktop session (which is the
signature of the VNC vulnerability, I checked it and tried it myself
before upgrading to the patched/newer VNC version):

Connections: accepted: 85.239.126.86::4623
Connections: closed: 85.239.126.86::4623 (Server shutdown)

Thanks very much for the help!
Tao

Maniaque

Oct 11, 2007, 12:31:43 PM

On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
> In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> maniaqu...@gmail.com says...

>
>
> A NAT is not a firewall at all, it's basic routing - Most non-technical
> types call NAT Routers firewalls, they are not.

That I understand, but I'm always a little confused about what the
difference Exactly is... a firewall is a device that only allows
connections that you want to allow - a NAT is a device that allows
outgoing connections arbitrarily, but normally (or only sometimes? see
the STUN information Chris mentioned) prevents arbitrary incoming
connections. Most home routers additionally claim to have a "firewall"
function that you can turn on / off (including the WRT54G) - when do
you decide what is and what is not a firewall? I really would like to
know, it's something that's puzzled me for years. Some things are
clearly not a firewall at all, like a "Full-cone" NAT router. Some
things are clearly a firewall first, and anything else after, like one
of those Cisco devices. But aren't most home routers somewhere in-
between?

>
> a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> inbound traffic, that's all.

not true. the WRT54G can block outgoing connections based on any
number of specified parameters, and then it has all those extra fancy
features that I don't understand ;)

- Firewall Protection: Enable / Disable
- Additional Filters: Filter Proxy, Filter Cookies, Filter Java Applets,
Filter ActiveX
- Block Portscans
- Filter P2P Applications
- Block WAN Requests
- Block Anonymous Internet Requests
- Filter Multicast
- Filter Internet NAT Redirection
- Filter IDENT (Port 113)

>
> No, port forwarding is what your problem is - if you forward ports then
> you expose your computer/network and that's how people reach your
> computer to do things you don't want.
>

Only if they get past the intended security of the service in
question, right?

> You should learn to post in one group or to cross post so that your
> thread is easy to work with for multiple groups that you've done this
> in.
>

Yep, thanks.

Tao


Leythos

Oct 11, 2007, 2:39:41 PM

In article <1192120303.4...@g4g2000hsf.googlegroups.com>,
mania...@gmail.com says...

> not true. the WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)

it's a NAT device that can block outbound ports - it has no clue what
those ports are and doesn't know the difference between HTTP and SMTP
except that they use different ports.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

Maniaque

Oct 11, 2007, 2:43:32 PM
Really quick update - Michael Ziegler helped me find the issue on a
thread I badly cross-posted on alt.comp.networking.connectivity:
http://groups.google.com/group/alt.comp.networking.connectivity/browse_thread/thread/8c6a972156a51e0d/#

My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
wrong above) has an Active FTP "NAT Helper" which allows any program
with TCP-connection-creation privileges on any of my computers to
open an incoming port to this machine from a target site on the
internet. Java Applets, by default, have this functionality enabled.
You can test for this "feature" or "flaw" at the following site:
http://bedatec.dyndns.org/ftpnat/dotest_en.html

On the day this happened, I was browsing on at least a couple of sites
that could well have had "harmful content", probably including a java
applet that opened up my port to the attacking site by using the FTP
NAT helper trick. My VNC server was a flawed version which (I tested
that) allowed certain well-crafted incoming connections to bypass
authentication.

Now - at this point I have no proof that that was the course of
events, but "Occam's razor" and all that, it is definitely the
simplest explanation that fits all the facts. I will definitely do a
more thorough malware check on my machine and I will implement a
solution that allows me to forward the ports I want without the NAT
Helper flaw, but in the meantime I will sleep much better knowing that
chances are 95% that I at least know exactly what the problem was.

Thanks for all your help!
Tao

Leythos

Oct 11, 2007, 2:51:43 PM
In article <1192128212....@22g2000hsm.googlegroups.com>,
mania...@gmail.com says...

> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
> wrong above) has an Active FTP "NAT Helper" which allows any program
> with TCP-connection-creation priviledges on any of my computers to
> open an incoming port to this machine from a target site on the
> internet.

Another reason to never trust the ISP/Vendor supplied hardware.

Always get your own NAT/Firewall appliance and then you control
everything and manage it.

goarilla

Oct 11, 2007, 4:39:52 PM
Sebastian G. wrote:
> Maniaque wrote:
>
>
>> - I do not have the firewall enabled on the router, because I assumed
>> the NAT basically made it safe.
>
>
> NAT doesn't make it safe.
>
>> If it was routed through my router, how could the attacker have
>> convinced the router to initiate the communication to my internal port
>> 5900 on that particular machine???
>
>
> Simply ask for it? Wait until it comes up?

huh ? what do you mean keep sending SYN packets to a certain port and
wait until the connection is established ?


>
>> The safety of a NAT, as I
>> understand it, is that remote hosts cannot access an internal address
>> unless there is explicit port forwarding enabled, or the session is
>> initiated by a host behind the NAT, is that not correct?
>
>
> What about implicit forwarding, for example by protocol helper
> implementations?


are you talking about uPNP ?

Sebastian G.

Oct 11, 2007, 5:02:26 PM
goarilla wrote:


>> Simply ask for it? Wait until it comes up?
>
> huh ? what do you mean keep sending SYN packets to a certain port and

> wait until the connection is established ?


Exactly. Of course, the cause of such a forwarding rule appearing in the NAT
state table might be highly unrelated.

>> What about implicit forwarding, for example by protocol helper
>> implementations?
>
> are you talking about uPNP ?


No, this would be rather straight-forward. I'm talking about application
layer protocol engines that inspect the traffic and setup proper rules. For
example, if the implementation sees traffic like "PORT 192,168,0,1,47,11",
it might believe that it's part of an Active FTP session setup and might add
an appropriate rule for the reply.
Or if it sees a TCP connection to some server on port 4661 (eDonkey P2P
protocol), it might decide to permanently forward 4662/TCP and 4665/UDP to
that client, without even checking for the actual protocol.
Even worse, what about connections to 1119/TCP? Very likely that it's a
computer game using Battle.net Online service, so better forward
5000-10000/TCP to that client... oh, and there the VNC server goes.
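The Active FTP helper behaviour described in this post (and the later point that an applet speaking genuine FTP can still issue a correct PORT command), as an added Python model written for this thread; it is not code from any router vendor or from the original posts, and the Conn and Pinhole names, the addresses and the scenarios are constructed.

```python
"""Toy model of an Active-FTP NAT helper (application layer gateway)."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)
FTP_CONTROL_PORT = 21


@dataclass(frozen=True)
class Conn:
    """An outbound TCP connection already tracked by the NAT (hypothetical name)."""
    client_ip: str    # internal host that opened the connection
    server_ip: str    # remote peer it connected to
    server_port: int  # remote port it connected to


@dataclass(frozen=True)
class Pinhole:
    """Inbound rule a helper adds: who may reach which internal address/port."""
    to_ip: str
    to_port: int
    from_ip: Optional[str]  # None means any host on the internet


def parse_port_command(line: str) -> Optional[tuple]:
    """Decode a PORT command into (ip, port); None if the line is not a valid PORT."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def permissive_helper(conn: Conn, line: str) -> Optional[Pinhole]:
    """The behaviour the thread describes: any PORT-looking text on any
    connection opens the named port to the whole internet."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    return Pinhole(to_ip=ip, to_port=port, from_ip=None)


def strict_helper(conn: Conn, line: str) -> Optional[Pinhole]:
    """A tighter helper: only acts on FTP control connections, only lets a
    client expose itself, never a privileged port, and limits the pinhole to
    the FTP server the client is talking to."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if conn.server_port != FTP_CONTROL_PORT:
        return None
    if ip != conn.client_ip:
        return None
    if port < 1024:
        return None
    return Pinhole(to_ip=ip, to_port=port, from_ip=conn.server_ip)


def demo() -> dict:
    """Constructed scenarios: a browser session on port 80 versus a real FTP
    control session, both carrying a PORT command that names the VNC port."""
    client, server = "192.168.0.1", "203.0.113.5"  # constructed addresses
    vnc_port_cmd = "PORT 192,168,0,1,23,12\r\n"      # 23*256 + 12 = 5900
    web = Conn(client, server, 80)
    ftp = Conn(client, server, FTP_CONTROL_PORT)
    return {
        "thread_example": parse_port_command("PORT 192,168,0,1,47,11"),
        "permissive_on_web": permissive_helper(web, vnc_port_cmd),
        "strict_on_web": strict_helper(web, vnc_port_cmd),
        # An applet speaking real FTP still gets a pinhole; the strict
        # helper only narrows it to the server the client is talking to.
        "strict_on_ftp": strict_helper(ftp, vnc_port_cmd),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last scenario is why the helper cannot be made safe by checks alone: a host firewall on the machine behind the NAT is what keeps 5900 closed.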

Sebastian G.

Oct 11, 2007, 5:05:37 PM
Maniaque wrote:


>> A NAT is not a firewall at all, it's basic routing - Most non-technical
>> types call NAT Routers firewalls, they are not.
>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections.


NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
connections might be a particularly useless side effect, depending on the
implementation. It has nothing to do with security.

> Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G)


Yes, but this is not related to NAT.

goarilla

Oct 11, 2007, 5:14:01 PM
Leythos wrote:
> In article <1192120303.4...@g4g2000hsf.googlegroups.com>,
> mania...@gmail.com says...
>> not true. the WRT54G can block outgoing connections based on any
>> number of specified parameters, and then it has all those extra fancy
>> features that I don't understand ;)
>
> it's a NAT device that can block outbound ports - it has no clue what
> those ports are and doesn't know the difference between HTTP and SMTP
> except that they use different ports.
>

just some questions with as goal to learn more

so you call a firewall something with complex heuristics ?
really does iptables provide more than filtering between protocol, port
and state information, and do people actually use it. Because in essence
iirc
a nat router does the same it opens up a connection if somebody on the
inside requests it
and after that allows the connection until it's broken down (FIN or RST)
do i have a point here or not ?

goarilla

Oct 11, 2007, 5:17:52 PM
Leythos wrote:
> In article <1192128212....@22g2000hsm.googlegroups.com>,
> mania...@gmail.com says...
>> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
>> wrong above) has an Active FTP "NAT Helper" which allows any program
>> with TCP-connection-creation priviledges on any of my computers to
>> open an incoming port to this machine from a target site on the
>> internet.
>
> Another reason to never trust the ISP/Vendor supplied hardware.
>
> Always get your own NAT/Firewall appliance and then you control
> everything and manage it.
>
i wholeheartedly agree with you on this one

the problem is ... some ISP's filter on specific device (MAC), some
ISP's lend you the router for
personal usage and some ISP's disallow other so called 'not supported'
router and put a
clause in little letters on your contract.

here in Belgium it's actually pretty bad in this field. even worse the
biggest ISP here Belgacom
disallows secured pop (ssl/tls) or imap to non business users, which
still costs +40 EURO/month.

goarilla

Oct 11, 2007, 5:23:32 PM

there is your problem you haven't upgraded in a while and you let people
into your website ? (port 80 is forwarded at your NAT to your WAMP box )

do you mean i haven't upgraded windows in a while or apache
or both ?

Leythos

Oct 11, 2007, 5:25:31 PM
In article <470e921a$0$29265$ba62...@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...

Does the device, in the standard/default mode, block traffic in both
directions?

Does the device know the difference between HTTP and SMTP or only TCP 80
and TCP 25?

Does the device understand being attacked and auto-block sources of
attacks or unauthorized traffic?

Does the device use NAT or can it be setup with rules without using NAT?
If it forces NAT then I don't consider it a firewall unless it can do
all the others - since MOST of the devices that force NAT are
residential device (yea, not all inclusive, but you should get the idea
without us going off the deep end).

goarilla

Oct 11, 2007, 6:03:35 PM
Leythos wrote:
> In article <470e921a$0$29265$ba62...@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> Leythos wrote:
>>> In article <1192120303.4...@g4g2000hsf.googlegroups.com>,
>>> mania...@gmail.com says...
>>>> not true. the WRT54G can block outgoing connections based on any
>>>> number of specified parameters, and then it has all those extra fancy
>>>> features that I don't understand ;)
>>> it's a NAT device that can block outbound ports - it has no clue what
>>> those ports are and doesn't know the difference between HTTP and SMTP
>>> except that they use different ports.
>>>
>> just some questions with as goal to learn more
>>
>> so you call a firewall something with complex heuristics ?
>> really does iptables provide more than filtering between protocol, port
>> and state information, and do people actually use it. Because in essence
>> iirc
>> a nat router does the same it opens up a connection if somebody on the
>> inside requests it
>> and after that allows the connection until it's broken down (FIN or RST)
>> do i have a point here or not ?
>
> Does the device, in the standard/default mode, block traffic in both
> directions?

no ok you got me here, it only does this for INBOUND traffic but i myself
don't block outbound traffic on my box (slackware) as well
because i consider myself knowledgeable enough to be trusted :D

> Does the device know the difference between HTTP and SMTP or only TCP 80
> and TCP 25?
>
> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?
>
> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).
>
>
>

do you consider netfilter to be a firewall (well in essence it's a
stateful packet filter)
because iirc there is no smtp or http netfilter module
and it does its filtering mostly on the data link and transport
protocol's headers
like most firewalls do. it would be very costly performance wise to
implement
application protocol filters into firewalls and i've yet to see one that
does
also implementing complex heuristics because let's face it the higher
you go up in
the tcp/ip stack the more complex the headers and payload become, the
more bugs you'll get
in the code that does the heuristics --> the more flaws there are to be
exploited!

goarilla

Oct 11, 2007, 6:06:26 PM
that would be a shitty NAT router/gateway !

Maniaque

Oct 11, 2007, 6:52:27 PM
On Oct 11, 5:02 pm, "Sebastian G." <se...@seppig.de> wrote:
>
> No, this would be rather straight-forward. I'm talking about application
> layer protocol engines that inspect the traffic and setup proper rules. For
> example, if the implementation sees traffic like "PORT 192,168,0,1,47,11",
> it might believe that it's part of an Active FTP session setup and might add
> an appropriate rule for the reply.
> Or if it sees an TCP connection to some server on port 4661 (eDonkey P2P
> protocol), it might decide to permanently forward 4662/TCP and 4665/UDP to
> that client, without even checking for the actual protocol.
> Even worse, what about connections to 1119/TCP? Very likely that it's a
> computer game using Battle.net Online service, so better forward
> 5000-10000/TCP to that client... oh, and there the VNC server goes.

> NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
> connections might be a particularly useless side effect, depending on the
> implementation. It has nothing to do with security.


OK, so I guess my source of confusion is with regards to "Intended
Purpose" vs "Effect". A completely basic Symmetrical NAT effectively
does the same basic thing a basic firewall will often be used to do -
prevent unintended inbound traffic, allow outbound traffic, optionally
allow inbound traffic on specified ports to a specified server.
However, the "Intended Purpose" of a NAT is actually to allow multiple
machines behind a network to coexist using one public IP address,
besides the most basic symmetric NAT features, any additional features
(heuristic detection of traffic intention, protocol helpers, "full-
cone" or "restricted cone" functionality, etc) will take you further
and further from the "safety" I assumed. By contrast, while the most
basic firewall in the most common configuration may basically be doing
the same thing as the most basic NAT I described, the more
sophisticated the firewall gets, the better it gets at enhancing said
"safety", eg allowing the Active FTP Data connection only on the
condition that the traffic from the remote server is made up of valid
FTP data... does this sound like a reasonable summary of the
distinction? This basically means that ANY home router that implements
anything other than the most basic symmetric NAT with no extra
features, should also contain a firewall, turned on by default, to
limit the exposure to the internet, because every additional "helper"
feature in the NAT makes the network behind it a little more public /
exposed.

Thanks for the clarification - I'm still ridiculously happy to have
found the actual (or significantly most likely) cause of the other
day's debacle and be able to address it easily :)

Thanks,
Tao


Leythos

Oct 11, 2007, 9:24:51 PM
In article <470e9db8$0$22311$ba62...@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> >
> do you consider netfilter to be a firewall (well in essence it's a
> stateful packet filter)
> because iirc there is no smtp or http netfilter module
> and it does its filtering mostly on the data link and transport
> protocol's headers
> like most firewalls do. it would be very costly performance wise to
> implement
> application protocol filters into firewalls and i've yet to see one that
> does
> also implementing complex heuristics because let's face it the higher
> you go up in
> the tcp/ip stack the more complex the headers and payload become, the
> more bugs you'll get
> in the code that does the heuristics --> the more flaws there are to be
> exploited!

Sorry, but I don't consider NAT Routers to be firewalls, they are
routers with some fancy features, not firewalls.

Many "Firewalls" do know the difference between SMTP and traffic over
TCP 25 - so, while you've yet to see one, you just are not working with
the better hardware out there.

As for Bugs, yes, but I only purchase certified appliances, ones from
vendors that have a proven record of staying secure and clean, so I
trust that a LOT more than what most people use in their homes.

Todd H.

Oct 12, 2007, 12:15:10 AM
Leythos <vo...@nowhere.lan> writes:

> In article <470e921a$0$29265$ba62...@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
> > Leythos wrote:
> > > In article <1192120303.4...@g4g2000hsf.googlegroups.com>,
> > > mania...@gmail.com says...
> > >> not true. the WRT54G can block outgoing connections based on any
> > >> number of specified parameters, and then it has all those extra fancy
> > >> features that I don't understand ;)
> > >
> > > it's a NAT device that can block outbound ports - it has no clue what
> > > those ports are and doesn't know the difference between HTTP and SMTP
> > > except that they use different ports.
> > >
> >
> > just some questions with as goal to learn more
> >
> > so you call a firewall something with complex heuristics ?
> > really does iptables provide more than filtering between protocol, port
> > and state information, and do people actually use it. Because in essence
> > iirc
> > a nat router does the same it opens up a connection if somebody on the
> > inside requests it
> > and after that allows the connection untill it's broken down (FIN or RST)
> > do i have a point here or not ?
>
> Does the device, in the standard/default mode, block traffic in both
> directions?

A cat5 cable cut in half does. Is it a firewall?

> Does the device know the difference between HTTP and SMTP or only
> TCP 80 and TCP 25?

Firewalls in the traditional definition never did, were they not
firewalls? Application-level protocol recognition is only recently on
the scene, yet we've had things people called "firewalls" existing for
quite a while before that. I'd hate to think I didn't get the memo
about someone changing the definition of "firewall" with the
International Standards Organization.

> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?

So when did the definition of "firewall" start requiring it to also
fit the definition of "network intrusion prevention device" or
"network intrusion detection device?"

Just curious.

> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).

Ah, okay here's where we come down to brass tacks--with the use of the
word "I."

Some folks seem to have their own definition of a firewall that
doesn't match that accepted over the course of a lot of networking
history including the present. This view categorically rejects those
devices which don't fit a personally crafted unique definition of
"firewalls."

Unfortunately, it's pedantic and pointless. But then again, so is
much of the banter by the more abusive posters here. To protect their
identity, we won't mention Leythos and Sebastian by name.

Now, that's not to say there isn't something to learn about the range
of functionality one might want to consider in their border protection
in the narrow definition such folks try to paint, but being so prickly
about what to call a "firewall" and what to call a "NAT router" is
just a freakin waste of time. Better to say "corporate grade border
security appliance" which has built into the obvious fact that
functionality and features of corporate grade hardware exceed that of
$70 Linksys gear popular among home and small office users.

And let's not forget that there was a time not very long ago where the
functionality packed into your garden variety wrt54g (particularly one
packing the functionality of third party firmware) took a HELL of a lot
of much more expensive hardware and was certainly considered a
"firewall." And still is for that matter.

Those with what I'll call this "modern purist" view may be shocked to
see the breadth of definitions for our friend the firewall that are in
existence that cast a much bigger net than his own:
http://www.google.com/search?q=define%3Afirewall

We now return you to your regularly scheduled semantic argument.

Best Regards,
--
Todd H.
http://www.toddh.net/

Chris Davies

Oct 12, 2007, 5:12:51 AM
Maniaque <mania...@gmail.com> wrote:
>> > - I do not have the firewall enabled on the router, because I assumed
>> > the NAT basically made it safe.

> On Oct 11, 8:48 am, Chris Davies <chris-use...@roaima.co.uk> wrote:
>> NAT will inherently block all externally originated inbound traffic with
>> the exception of those ports that you have selected for port forwarding.
>> On that understanding it makes for an adequate external facing firewall.
>> It is not a good substitute for a proper thought-out policy and
>> implementation, though.
>>

> hmm, subtle dig? :)

Not at you.


> right, but would it show up logged with the public IP address in my
> event log? That's what I'm surprised by - the VNC client / attacker
> did not look like it was coming from some local address that was being
> tunneled by some local proxy or malware - it was logged as a public
> internet address - does that not mean that it had to go through my
> regular NIC? Or are you saying that the malware would have set up its
> own routing rules in windows to forward traffic for that specific IP
> to itself instead of my regular NIC - to do that, would it not need to
> show up in some device list in windows? Sorry, my lack of knowledge
> about OS-level networking in windows is clear here.

Don't know.


> Woah, now there's an interesting bit of news! Based on the diagram at
> this wikipedia article, it looks like the only types of NAT that would
> fit my assumptions, and consequently be "as safe as I expected", would
> be a "Symmetric" NAT and a "Restricted Port" NAT?

> http://en.wikipedia.org/wiki/STUN

My GV-based box does Symmetric NAT, with port preservation whenever
possible.

Chris

Leythos

Oct 12, 2007, 7:52:25 AM
In article <848x69v...@ripco.com>, comp...@toddh.net says...

> Unfortunately, it's pedantic and pointless. But then again, so it
> much of the banter by the more abusive posters here. To protect their
> identity, we won't mention Leythos and Sebastian by name.

I've not been Abusive to any person here. While I certainly know that
NAT appliances are not firewalls (but firewalls can do NAT), there is a
misconception as to what the public is being told a firewall is.

Yea, you don't like it, you must be one that purchased one of those
BEFSR41 units and fell for the "it's a firewall" crap - did you know
that when the BEFSR41 was introduced it was called a ROUTER with no
mention of firewall - a year later, with no changes, it was being
marketed as a "Firewall" - same box, same firmware.....

So, like it or not Todd H, most residential users are not using
firewalls, they are using ROUTERS.

God Rudy

Oct 12, 2007, 10:39:09 AM
On Wed, 10 Oct 2007 10:41:21 +0000, Maniaque wrote:

> [this is a repost, I also sent to alt.computer.security]

> ------>SNIP<----------------------


>
> My question is how the attacker got to my VNC port!
>
> Here's all the background I can muster:

> ------------>SNIP<-------------


> - I have certain very specific ports forwarded to my desktop for
> remote access, peer-to-peer connectivity, etc. \
>

>------------->SNIP<-----------------
> Thanks,
> Tao

My personal guess:
The "visitor" came over one of the open ports.
Especially "remote access" sounds "inviting"!
Peer-to-peer is another possibility.

I would open those ports only when needed.
(And only for that time)
(And only for one IP-Address)

Just my 2 cents

Rudy

Sebastian G.

Oct 12, 2007, 12:22:53 PM
goarilla wrote:


>> No, this would be rather straight-forward. I'm talking about application
>> layer protocol engines that inspect the traffic and setup proper rules.
>> For example, if the implementation sees traffic like "PORT
>> 192,168,0,1,47,11", it might believe that it's part of an Active FTP
>> session setup and might add an appropriate rule for the reply.
>> Or if it sees an TCP connection to some server on port 4661 (eDonkey P2P
>> protocol), it might decide to permanently forward 4662/TCP and 4665/UDP
>> to that client, without even checking for the actual protocol.
>> Even worse, what about connections to 1119/TCP? Very likely that it's a
>> computer game using Battle.net Online service, so better forward
>> 5000-10000/TCP to that client... oh, and there the VNC server goes.
> that would be a shitty NAT router/gateway !


I'd say this would be an excellent gateway for the low-cost consumer market.
Since it tries to avoid hassles with the NAT, the user is happy and, due to
lower support costs, the vendor is happy. That's exactly why they implement
it that way.

goarilla

Oct 12, 2007, 12:31:01 PM

true but then again people who use things like that shouldn't be allowed
to have
a router/network in my humble opinion. these are prob the same folks
that go on fastrack
or edonkey and share their c:\ drive. but if my router did that (5000-10000)
i would throw it out of the window in an instant.

Sebastian G.

Oct 12, 2007, 12:34:30 PM
Maniaque wrote:


> OK, so I guess my source of confusion is with regards to "Intended
> Purpose" vs "Effect". A completely basic Symmetrical NAT effectively
> does the same basic thing a basic firewall will often be used to do -
> prevent unintended inbound traffic, allow outbound traffic, optionally
> allow inbound traffic on specified ports to a specified server.


For 1:1 NAT aka IP masquerading you got it quite wrong: Such an
implementation could and even should forward every incoming connection,
because the target is always exactly known. For 1:many, dropping the
incoming connections would be the only correct, but not surely the most
reasonable implementation.

> eg allowing the Active FTP Data connection only on the

> condition that the traffic from the remote server is made up of valid
> FTP data...


FTP data traffic is not directly defined to be related to the control data.
Let's say the client surfs to a website containing a Java or Flash applet
that implements the FTP protocol, it might still issue correct commands to
open associated ports.

Rick Merrill

Oct 12, 2007, 3:42:33 PM
Leythos wrote:
> In article <470e9db8$0$22311$ba62...@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> do you consider netfilter to be a firewall (well in essence it's a
>> stateful packet filter)
>> because iirc there is no smtp or http netfilter module
>> and it does its filtering mostly on the data link and transport
>> protocol's headers
>> like most firewalls do. it would be very costly performance wise to
>> implement
>> application protocol filters into firewalls and i've yet to see one that
>> does
>> also implementing complex heuristics because let's face it the higher
>> you go up in
>> the tcp/ip stack the more complex the headers and payload become, the
>> more bugs you'll get
>> in the code that does the heuristics --> the more flaws there are to be
>> exploited!
>
> Sorry, but I don't consider NAT Routers to be firewalls, they are
> routers with some fancy features, not firewalls.

If the router closes all ports and conceals LAN IP addresses
then it's just as good, and in one respect better than, any
software firewall.

Todd H.

Oct 12, 2007, 3:51:34 PM
Rick Merrill <rick0....@NOSPAM.gmail.com> writes:

Uh oh. Someone said "software firewall."

Brace for the impending ranting about how they aren't firewalls
either.

Rick Merrill

Oct 12, 2007, 8:39:08 PM

oops, I didn't expect to get off scot-free.

Unruh

Oct 12, 2007, 8:41:12 PM
Rick Merrill <rick0....@NOSPAM.gmail.com> writes:


IF it closes all ports (nat is irrelevant). But the hypothesis of the
thread was that ports were being punched through the router. Note that a
router which refuses to pass on ports IS a firewall. And since it operates
on software loaded on the router, it is a software firewall.

Leythos

Oct 12, 2007, 9:27:33 PM
In article <ia2dneKJc_O3U5La...@comcast.com>,
rick0....@NOSPAM.gmail.com says...

Actually, a NAT Router is better than any PERSONAL firewall solution
installed on a non-dedicated computer.

goarilla

Oct 13, 2007, 7:45:52 AM
what if your Personal Computer runs a BSD (ipfw,pf) or GNU/Linux
distribution (iptables)
and is there such a big difference between a firewall that has its code
burned in flash (firmware)
and a firewall that hooks into the tcp/ip stack of a general purpose OS

Leythos

Oct 13, 2007, 8:21:18 AM
In article <4710aff1$0$22302$ba62...@news.skynet.be>, goarilla <"kevin

As long as it is a dedicated computer and not one that users are
playing/working on, then it can easily be a firewall. Checkpoint running
on a Nix OS is a great example of a dedicated server class firewall -
notice the dedicated.

With all that is available at a reasonable cost today, a firewall that
is just a router is not really a firewall. The appliances I install can
tell the difference between SMTP and HTTP or FTP and do a lot more,
that's the least I would install.

This still goes back to these cheap residential units called firewalls
by the marketing department - if you look up NAT, it's routing, simple
and plain, not Firewalling.

Todd H.

Oct 13, 2007, 10:55:30 AM
Leythos <vo...@nowhere.lan> writes:

> This still goes back to these cheap residential units called firewalls
> by the marketing department - if you look up NAT, it's routing, simple
> and plain, not Firewalling.

And if you look up firewalling um... it can be implemented by.... wait
for it.....


ROUTERS!


I don't dispute marketing departments being very prone to overblowing
capabilities of many devices, but show me a good citation from a
widely known source for "firewall" implying or requiring all the
things you include in your definition.

Point is, it's not nearly as narrowly defined as you seem to require.

No doubt a "firewall" appliance that implements IPS, IDS, allows
no traffic by default, has the ability to provide a higher level of
security than your garden variety broadband router for the home office
market, but... that does not mean the latter class of devices don't
also fit the definition of firewall. They're just lesser firewall
appliances.

Leythos

Oct 13, 2007, 12:37:25 PM
In article <84odf38...@ripco.com>, comp...@toddh.net says...

> Leythos <vo...@nowhere.lan> writes:
>
> > This still goes back to these cheap residential units called firewalls
> > by the marketing department - if you look up NAT, it's routing, simple
> > and plain, not Firewalling.
>
> And if you look up firewalling um... it can be implemented by.... wait
> for it.....
>
> ROUTERS!

Firewalls can route, routers are not firewalls.

> I don't dispute marketing departments being very prone to overblowing
> capabilities of many devices, but show me a good citation from a
> widely known source for "firewall" implying or requiring all the
> things you include in your definition.
>
> Point is, it's not nearly as narrowly defined as you seem to require.
>
> No doubt a "firewall" appliance that implements IPS, IDS, allows
> no traffic by default, has the ability to provide a higher level of
> security than your garden variety broadband router for the home office
> market, but... that does not mean the latter class of devices don't
> also fit the definition of firewall. They're just lesser firewall
> appliances.

I'll give you that, but people seem to think a firewall will protect
them from many things that these NAT Routers don't protect them from,
and a firewall appliance can and does protect them from.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that

Unruh

Oct 14, 2007, 1:16:35 AM
Leythos <vo...@nowhere.lan> writes:

And now you are going to tell us what the difference is between a NAT
router that rejects all incoming unsolicited connections, and a firewall
that rejects all unsolicited incoming connections.
It is certainly true that a firewall can be a slightly less blunt
instrument, and can reject or accept more subtly than a NAT router can, but
IF that router is set up not to do any port forwarding, then it is also a
firewall set up to reject all incoming connections.


Sebastian G.

Oct 14, 2007, 8:00:30 AM
> It is certainly true that a firewall can be a slightly less blunt
> instrument, and can reject or accept more subtly than a NAT router can, but
> IF that router is set up not to do any port forwarding, then it is also a
> firewall set up to reject all incoming connections.

There are two major differences:

1. NAT is not designed to work as a security solution.
2. Depending on the implementation, it might forward the connection anyway
without any explicit rule.

Leythos

Oct 15, 2007, 7:02:51 AM
In article <TChQi.10182$GO5.9633@edtnps90>, unruh...@physics.ubc.ca
says...

> And now you are going to tell us what the difference is between a NAT
> router that rejects all incoming unsolicited connections, and a firewall
> that rejects all unsolicited incoming connections.
> It is certainly true that a firewall can be a slightly less blunt
> instrument, and can reject or accept more subtly than a NAT router can, but
> IF that router is set up not to do any port forwarding, then it is also a
> firewall set up to reject all incoming connections.

No, I'm not going to go around in circles for you - you've already shown
that you can't comprehend what is written vs what you think was written.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that

nemo_outis

Oct 15, 2007, 11:13:08 AM
Leythos <vo...@nowhere.lan> wrote in
news:MPG.217d12e55...@adfree.Usenet.com:
...snip more of Leythos' whinging...

Still hard at the weaselling, eh Leythos? Your stupidity is exceeded only
by your tenacity.

Regards,

Leythos

Oct 15, 2007, 11:14:46 AM
In article <Xns99CA5DC79...@204.153.245.131>, a...@xyz.com
says...

I see you're still trolling - since you can't be smart enough to
understand that my view/opinion/experiences were not claimed to be world
encompassing, even though you took them that way....

nemo_outis

Oct 15, 2007, 11:28:24 AM
Leythos <vo...@nowhere.lan> wrote in
news:MPG.217d4df26...@adfree.Usenet.com:
...snip yet more of Leythos' whining...

Still hard at the weaselling, eh Leythos?

C'mon, don't stop now, just when you're on a roll, Leythos.

C'mon, say something else really stupid, Leythos, and then defend it to the
death with your pathetic weaselling. C'mon, Leythos!

Regards,


Unruh

Oct 15, 2007, 2:53:00 PM
"Sebastian G." <se...@seppig.de> writes:

So might an incompetent firewall. A competently implemented NAT does work
as a firewall IF set to not forward any unsolicited packets.
Of course you have to decide if your particular NAT is a competent
implementation. However, if you punch holes (have it forward ports) all
bets are off.

Leythos

Oct 15, 2007, 4:09:21 PM
In article <gGOQi.14414$G25.13546@edtnps89>, unruh...@physics.ubc.ca
says...

No, you don't have to decide, there are quality groups, CERT for one,
that can test and tell us if they pass the proper test to be qualified
as a firewall. NAT is not a firewall function, it is often included in
firewalls, but it is not a firewall function.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that

Sebastian G.

Oct 15, 2007, 9:02:32 PM
Unruh wrote:


>> 1. NAT is not designed to work as a security solution.
>> 2. Depending on the implementation, it might forward the connection anyway
>> without any explicit rule.
>
> So might an incompetent firewall. A competently implemented NAT does work
> as a firewall IF set to not forward any unsolicited packets.


Wrong.
- A completely correct NAT implementation might also do a full forwarding in
a 1:1 setup.
- As well as it might forward every unsolicited packet to a specified host
on a 1:many setup (the DMZ host)...
- Reading layer 7 protocols and associate states isn't wrong either.


> Of course you have to decide if your particular NAT is a competent
> implementation. However, if you punch holes (have it forward ports) all
> bets are off.


What about punching holes from the inside? With a Java applet, you can
create a connection back to a server with a freely chosen port > 1023. With
Flash applets, you can even get < 1024 with some nifty (documented) tricks.
Now just create a connection from $local_ip:53 to $your_server:12345, drop
the connection from the client side, and if the victim fires up his local
DNS server within the timeout period... without a real firewall explicitly
denying any outside access to port 53, even for session-related packets, you
won't get any further. And with NAT alone, you can't solve this dilemma at all.

Unruh

Oct 16, 2007, 7:54:18 PM
Leythos <vo...@nowhere.lan> writes:

>In article <gGOQi.14414$G25.13546@edtnps89>, unruh...@physics.ubc.ca
>says...
>> "Sebastian G." <se...@seppig.de> writes:
>>
>> > > It is certainly true that a firewall can be a slightly less blunt
>>
>> >> instrument, and can reject or accept more subtly than a NAT router can, but
>> >> IF that router is set up not to do any port forwarding, then it is also a
>> >> firewall set up to reject all incoming connections.
>>
>> >There are two major differences:
>>
>> >1. NAT is not designed to work as a security solution.
>> >2. Depending on the implementation, it might forward the connection anyway
>> >without any explicit rule.
>>
>> So might an incompetent firewall. A competently implemented NAT does work
>> as a firewall IF set to not forward any unsolicited packets.
>> Of course you have to decide if your particular NAT is a competent
>> implementation. However, if you punch holes (have it forward ports) all
>> bets are off.

>No, you don't have to decide, there are quality groups, CERT for one,
>that can test and tell us if they pass the proper test to be qualified
>as a firewall. NAT is not a firewall function, it is often included in
>firewalls, but it is not a firewall function.


The question was not whether NAT was a firewall function but whether NAT
with no port holes punched through was effectively a firewall allowing no
unsolicited incoming traffic.

Is there a way in which a NAT router, with no holes punched through, is
more insecure than a firewall which rejects all unsolicited incoming
traffic? If you claim it is more insecure, please tell us why.

Sebastian G.

Oct 16, 2007, 7:59:59 PM
Unruh wrote:


> The question was not whether NAT was a firewall function but whether NAT
> with no port holes punched through was effectively a firewall allowing no
> unsolicited incoming traffic.
>
> Is there a way in which a NAT router, with no holes punched through, is
> more insecure than a firewall which rejects all unsolicited incoming
> traffic? If you claim it is more insecure, please tell us why.

It is, for three reasons:

1. If a connection is initiated from the inside, all related traffic from
the outside is forwarded. For a firewall you'd need to add such a rule
explicitly, and you could still overwrite it (e.g. generally denying access
to a certain port range for every incoming connection from the WAN).

2. Depending on the implementation, a NAT router itself might decide to
forward a connection based on assumptions about various Layer 7 protocols.

3. NAT was never designed to be a security solution, but rather to provide
connectivity (even the RFC about NAT explicitly states that!). So you should
never assume that a NAT implementation simply drops a connection for which
it doesn't know any state.

Leythos

Oct 16, 2007, 11:18:28 PM
In article <KacRi.33135$%B2.844@edtnps82>, unruh...@physics.ubc.ca
says...

> The question was not whether NAT was a firewall function but whether NAT
> with no port holes punched through was effectively a firewall allowing no
> unsolicited incoming traffic.
>
> Is there a way in which a NAT router, with no holes punched through, is
> more insecure than a firewall which rejects all unsolicited incoming
> traffic? If you claim it is more insecure, please tell us why.

And you're all wet because a firewall protects in both directions.

Unruh

Oct 17, 2007, 1:36:54 AM
"Sebastian G." <se...@seppig.de> writes:

>Unruh wrote:


>> The question was not whether NAT was a firewall function but whether NAT
>> with no port holes punched through was effectively a firewall allowing no
>> unsolicited incoming traffic.
>>
>> Is there a way in which a NAT router, with no holes punched through, is
>> more insecure than a firewall which rejects all unsolicited incoming
>> traffic? If you claim it is more insecure, please tell us why.

>It is, for three reasons:

>1. If a connection is initiated from the inside, all related traffic from
>the outside is forwarded. For a firewall you'd need to add such a rule
>explicitly, and you could still overwrite it (e.g. generally denying access
>to a certain port range for every incoming connection from the WAN).

Not at all sure what you mean. I initiate a http connection. The response
better get through both on a firewall and on a NAT.


>2. Depending on the implementation, a NAT router itself might decide to
>forward a connection based on assumptions about various Layer 7 protocols.

?? Not clear what you mean. This sounds like a bad implementation.

Unruh

Oct 17, 2007, 1:38:24 AM
Leythos <vo...@nowhere.lan> writes:

>In article <KacRi.33135$%B2.844@edtnps82>, unruh...@physics.ubc.ca
>says...
>> The question was not whether NAT was a firewall function but whether NAT
>> with no port holes punched through was effectively a firewall allowing no
>> unsolicited incoming traffic.
>>
>> Is there a way in which a NAT router, with no holes punched through, is
>> more insecure than a firewall which rejects all unsolicited incoming
>> traffic? If you claim it is more insecure, please tell us why.

>And you're all wet because a firewall protects in both directions.

Protects what in both directions? We are talking about an outsider
attacking a machine behind the NAT/firewall. What is the relevance of "both
directions" to the issue at hand?

Leythos

Oct 17, 2007, 6:37:43 AM
In article <WbhRi.33208$%B2.23616@edtnps82>, unruh...@physics.ubc.ca
says...

> "Sebastian G." <se...@seppig.de> writes:
>
> >Unruh wrote:
>
>
> >> The question was not whether NAT was a firewall function but whether NAT
> >> with no port holes punched through was effectively a firewall allowing no
> >> unsolicited incoming traffic.
> >>
> >> Is there a way in which a NAT router, with no holes punched through, is
> >> more insecure than a firewall which rejects all unsolicited incoming
> >> traffic? If you claim it is more insecure, please tell us why.
>
> >It is, for three reasons:
>
> >1. If a connection is initiated from the inside, all related traffic from
> >the outside is forwarded. For a firewall you'd need to add such a rule
> >explicitly, and you could still overwrite it (e.g. generally denying access
> >to a certain port range for every incoming connection from the WAN).
>
> Not at all sure what you mean. I initiate a http connection. The response
> better get through both on a firewall and on a NAT.

Actually, it depends, when using a firewall, on the HTTP rule as to you
getting through or not.

In many cases you might allow HTTP from certain users or certain
internal IP or IP ranges and not allow HTTP from all other ranges - your
NAT Router can't do that, but a firewall can.

Leythos

Oct 17, 2007, 6:42:30 AM
In article <kdhRi.33209$%B2.7020@edtnps82>, unruh...@physics.ubc.ca
says...

You don't appear to know about "both directions" and in many cases you
don't allow ALL OUTBOUND, in fact, there is little reason to allow all
outbound and it's a bad rule to use ALLOW ANY > EXTERNAL.

I never allow TCP 1433 or TCP 1434 or TCP 135-139 or TCP 445 outbound on
networks. I might only allow SMTP outbound from 1 IP in the LAN and I
might want to block outbound connections except from a small range of IP
in the LAN but not in the DMZ - a firewall can do that, your home NAT
ROUTER can't.

What about the DMZ network? Most NAT Routers have the option - but most
of them don't actually setup/use a DMZ network, it's just an IP on the
LAN that gets ALL traffic not forwarded to some other area - which means
it's NOT a DMZ and it's not protected from/to the LAN - A firewall
doesn't make that mistake.

goarilla

Oct 17, 2007, 7:49:56 AM
Leythos wrote:
> In article <kdhRi.33209$%B2.7020@edtnps82>, unruh...@physics.ubc.ca
> says...
>> Leythos <vo...@nowhere.lan> writes:
>>
>>> In article <KacRi.33135$%B2.844@edtnps82>, unruh...@physics.ubc.ca
>>> says...
>>>> The question was not whether NAT was a firewall function but whether NAT
>>>> with no port holes punched through was effectively a firewall allowing no
>>>> unsolicited incoming traffic.
>>>>
>>>> Is there a way in which a NAT router, with no holes punched through, is
>>>> more insecure than a firewall which rejects all unsolicited incoming
>>>> traffic? If you claim it is more insecure, please tell us why.
>>> And you're all wet because a firewall protects in both directions.
>> Protects what in both directions? We are talking about an outsider
>> attacking a machine behind the NAT/firewall. What is the relevance of "both
>> directions" to the issue at hand?
>
> You don't appear to know about "both directions" and in many cases you
> don't allow ALL OUTBOUND, in fact, there is little reason to allow all
> outbound and it's a bad rule to use ALLOW ANY > EXTERNAL.
>
> I never allow TCP 1433 or TCP 1434 or TCP 135-139 or TCP 445 outbound on
> networks. I might only allow SMTP outbound from 1 IP in the LAN and I
> might want to block outbound connections except from a small range of IP
> in the LAN but not in the DMZ - a firewall can do that, your home NAT
> ROUTER can't.

Little question, just for the sake of education:
a router splits up broadcast domains iirc and doesn't forward broadcasts
unless specified,
so NetBIOS broadcasts (eg who is master browser ...) are NOT forwarded,
and well,
NetBIOS requests by default should never define a destination IP that
needs to be gatewayed,
eg if your LAN is 192.168.1.* then it should never send packets to
192.168.1.0.
Well, I think that's the way it works with Win XP SP2+ and Unix Samba,
because I have sniffed and sniffed
but never saw a NetBIOS packet with a destination that required the
router to forward it to the WAN side.

I do however outbound filter my SMB servers (2 x Slackware machines)
since I can't be certain 100%. The question is: is this somehow correct,
and/or if not please elaborate. I just want to learn and spread what I've
learned;
in no way do I mean to start flamewars or belittle people.

> What about the DMZ network? Most NAT Routers have the option - but most
> of them don't actually setup/use a DMZ network, it's just an IP on the
> LAN that gets ALL traffic not forwarded to some other area - which means
> it's NOT a DMZ and it's not protected from/to the LAN - A firewall
> doesn't make that mistake.
>

true most DMZ's on home routers are not real DMZ's

Leythos

Oct 17, 2007, 8:00:10 AM
In article <4715f6e4$0$29264$ba62...@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> I do however outbound filter my SMB servers (2 x Slackware machines)
> since I can't be certain 100%. The question is: is this somehow correct,
> and/or if not please elaborate. I just want to learn and spread what I've
> learned;
> in no way do I mean to start flamewars or belittle people.

Watch your logs, it will open your eyes as to what is leaving your
network.
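
The log review suggested here, as an added example that is not code from the thread or from any router firmware: it reads netfilter-style LOG lines (the sample lines below are constructed, and the WAN interface name `vlan1` is an assumption) and flags TCP connections leaving the LAN on the ports Leythos lists above (1433, 1434, 135-139, 445).

```python
"""Review firewall log lines for outbound TCP traffic on ports that should
never leave the LAN.  Constructed example: the log lines are made up and
follow the netfilter LOG target's KEY=VALUE layout; the WAN interface name
is an assumption.  The port list is the one given in the post above."""
import re
from collections import Counter

WAN_IF = "vlan1"  # assumption: the router's WAN-side interface name
# TCP 1433, 1434, 135-139 and 445, as listed above (TCP only, as stated).
BLOCKED_OUTBOUND_TCP = {1433, 1434, 135, 136, 137, 138, 139, 445}

_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict."""
    return dict(_KV.findall(line))


def is_leaking(fields):
    """True if the record is TCP leaving on the WAN interface towards a
    destination port in the blocked set.  LAN-to-LAN traffic (OUT is the
    bridge, not the WAN interface) and non-TCP records are ignored."""
    if fields.get("OUT") != WAN_IF or fields.get("PROTO") != "TCP":
        return False
    try:
        return int(fields.get("DPT", "")) in BLOCKED_OUTBOUND_TCP
    except ValueError:
        return False


def find_leaks(log_text):
    """Return (findings, per_source_count): each finding is
    (src, dst, dport), and the Counter says which LAN hosts are noisy."""
    findings = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if is_leaking(f):
            findings.append((f["SRC"], f["DST"], int(f["DPT"])))
    return findings, Counter(src for src, _, _ in findings)


# Constructed sample: two hosts, one WAN-bound SMB/NetBIOS and one MSSQL
# attempt, plus harmless HTTP, a LAN-internal SMB session and UDP name
# service that the TCP-only rule above does not flag.
SAMPLE_LOG = """\
Oct 17 08:00:01 gw kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=49152 DPT=445
Oct 17 08:00:02 gw kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=49153 DPT=80
Oct 17 08:00:03 gw kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.1.31 DST=198.51.100.4 PROTO=TCP SPT=51000 DPT=1433
Oct 17 08:00:04 gw kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.31 DST=192.168.1.5 PROTO=TCP SPT=51001 DPT=139
Oct 17 08:00:05 gw kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.7 PROTO=UDP SPT=137 DPT=137
Oct 17 08:00:06 gw kernel: FWD IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=49154 DPT=139
"""

if __name__ == "__main__":
    leaks, per_src = find_leaks(SAMPLE_LOG)
    for src, dst, dport in leaks:
        print(f"{src} -> {dst}:{dport}")
    print(dict(per_src))
```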

goarilla

Oct 17, 2007, 9:19:32 AM
Leythos wrote:
> In article <4715f6e4$0$29264$ba62...@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> I do however outbound filter my SMB servers (2 x Slackware machines)
>> since I can't be certain 100%. The question is: is this somehow correct,
>> and/or if not please elaborate. I just want to learn and spread what I've
>> learned;
>> in no way do I mean to start flamewars or belittle people.
>
> Watch your logs, it will open your eyes as to what is leaving your
> network.
>
What logs?
Everything syslog records?
I guess I'll probably have to increase Samba logging as well,
since atm smbd prints only the start time of the process.

Hexalon

Oct 18, 2007, 9:55:12 AM
On Oct 11, 11:31 am, Maniaque <maniaqu...@gmail.com> wrote:
> On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
>
> > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> > maniaqu...@gmail.com says...
>
> > A NAT is not a firewall at all, it's basic routing - Most non-technical
> > types call NAT Routers firewalls, they are not.
>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections. Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G) - when do
> you decide what is and what is not a firewall? I really would like to
> know, it's something that's puzzled me for years. Some things are
> clearly not a firewall at all, like a "Full-cone" NAT router. Some
> things are clearly a firewall first, and anything else after, like one
> of those Cisco devices. But aren't most home routers somewhere in-
> between?
>
>
>
> > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> > inbound traffic, that's all.
>
> not true. the WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)
>
> Firewall Protection: Enable / Disable
> Additional Filters:
> Filter Proxy
> Filter Cookies
> Filter Java Applets
> Filter ActiveX
> Block Portscans
> Filter P2P Applications
> Block WAN Requests
> Block Anonymous Internet Requests
> Filter Multicast
> Filter Internet NAT Redirection
> Filter IDENT (Port 113)
>
>
>
> > No, port forwarding is what your problem is - if you forward ports then
> > you expose your computer/network and that's how people reach your
> > computer to do things you don't want.
>
> Only if they get past the intended security of the service in
> question, right?
>
> > You should learn to post in one group or to cross post so that your
> > thread is easy to work with for multiple groups that you've done this
> > in.
>
> Yep, thanks.
>
> Tao

A firewall is a packet and port filter. That's all. NAT routers have a
similar effect to a firewall. It is possible you have something
lurking in your computer that is advertising your computer on the
internet, something like a botnet-type program.

Unruh

Oct 18, 2007, 2:51:23 PM
Leythos <vo...@nowhere.lan> writes:

>In article <WbhRi.33208$%B2.23616@edtnps82>, unruh...@physics.ubc.ca
>says...
>> "Sebastian G." <se...@seppig.de> writes:
>>
>> >Unruh wrote:
>>
>>
>> >> The question was not whether NAT was a firewall function but whether NAT
>> >> with no port holes punched through was effectively a firewall allowing no
>> >> unsolicited incoming traffic.
>> >>
>> >> Is there a way in which a NAT router, with no holes punched through, is
>> >> more insecure than a firewall which rejects all unsolicited incoming
>> >> traffic? If you claim it is more insecure, please tell us why.
>>
>> >It is, for three reasons:
>>
>> >1. If a connection is initiated from the inside, all related traffic from
>> >the outside is forwarded. For a firewall you'd need to add such a rule
>> >explicitly, and you could still overwrite it (e.g. generally denying access
>> >to a certain port range for every incoming connection from the WAN).
>>
>> Not at all sure what you mean. I initiate an HTTP connection. The response
>> better get through both on a firewall and on a NAT.

>Actually, it depends, when using a firewall, on the HTTP rule as to you
>getting through or not.

>In many cases you might allow HTTP from certain users or certain
>internal IP or IP ranges and not allow HTTP from all other ranges - your
>NAT Router can't do that, but a firewall can.

Yes, agreed. But that is irrelevant. The question is not whether or not a
firewall is more flexible than a NAT router; it is. The question is whether
there is a difference in security against unsolicited outside attacks
between a firewall which blocks all unsolicited outside connections, and a
NAT router with no port holes punched through (i.e. no ports forwarded).


Leythos

Oct 18, 2007, 3:14:33 PM
In article <LWNRi.11385$GO5.3118@edtnps90>, unruh...@physics.ubc.ca
says...

>
> Yes, agreed. But that is irrelevant. The question is not whether or not a
> firewall is more flexible than a NAT router; it is. The question is whether
> there is a difference in security against unsolicited outside attacks
> between a firewall which blocks all unsolicited outside connections, and a
> NAT router with no port holes punched through (i.e. no ports forwarded).

Yes, there is a difference.

All quality firewalls have certifications from independent authorities
that will state how they work and that they are actually providing xyz.

NAT Routers have no certification (at least in the class we're talking
about) and have been shown, many times, to have exploits that allow
Unsolicited inbound traffic to pass through - even with no rules set by
the owner.

--
Leythos - spam9...@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that

jamesh...@yahoo.co.uk

Oct 18, 2007, 3:19:30 PM
On Oct 11, 11:31 am, Leythos <v...@nowhere.lan> wrote:
> In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> maniaqu...@gmail.com says...
>
> > I would need to set up a
> > second router/firewall/NAT device like a linksys wrt54G to sit behind
> > the telecoms-operator-provided Xavi router, forward the appropriate
> > ports through both devices, and make sure that the firewall is turned
> > on on the wrt54g? I can only assume that what was "missing" in my
> > original setup was a firewall (which my adsl router claims to have,
> > but when I turn it on all the port forwarding stops working, which
> > sort of defeats the purpose). Or do you have any other suggestions on
> > how this can be done using home equipment?

>
> A NAT is not a firewall at all, it's basic routing

<snip>

No, it is not routing. Routing can be done with or without NAT.

A basic book like Computer Networking first step by Wendell Odom
published by Cisco Press would explain Routing.

Anyhow, saying that NAT is not a firewall does not explain how this
happened.

NAT blocks incoming, unless port forwarding. He says he didn't have
port forwarding set up to port 5900, where his VNC server got the
connection. Let's assume that he checked afterwards to make sure the
port was not forwarded.

So, how did it happen?

Aside from Sebastian G's cryptic explanation, I don't see you
offering an explanation.

jamesh...@yahoo.co.uk

Oct 18, 2007, 3:42:15 PM
jamesh...@yahoo.co.uk wrote:

You are actually one among many that suggest NAT for security,
perhaps rightly so, but this should then concern you.

I see Sebastian G has elaborated in further posts.

--

Leythos

Oct 18, 2007, 3:53:30 PM
In article <1192735170.7...@q5g2000prf.googlegroups.com>,
jamesh...@yahoo.co.uk says...

> NAT blocks incoming, unless port forwarding. He says he didn't have
> port forwarding set up to port 5900, where his VNC server got the
> connection. Let's assume that he checked afterwards to make sure the
> port was not forwarded.
>
> So, how did it happen?

He did have port forwarding enabled, not 5900, but he was hosting
services.

So, any number of things could have exposed his network and then the
hacker could use anything they wanted. Simple, really, exploit a hole in
service X, add your own app or use one installed, get access to other
things.

As for Routing, I don't need a lesson, I was talking about his device,
which is a ROUTER not a firewall.

I can place any of my firewalls in DROP-IN (non-routed) mode and have
the same IP's on all jacks - then the rules determine what passes
between jacks - he can't do that on his cheap NAT Router.

Leythos

Oct 18, 2007, 9:24:51 PM
In article <DwTRi.20480$G25.9521@edtnps89>, unruh...@physics.ubc.ca
says...

> Leythos <vo...@nowhere.lan> writes:
>
> >In article <LWNRi.11385$GO5.3118@edtnps90>, unruh...@physics.ubc.ca
> >says...
> >>
> >> Yes, agreed. But that is irrelevant. The question is not whether or not a
> >> firewall is more flexible than a NAT router; it is. The question is whether
> >> there is a difference in security against unsolicited outside attacks
> >> between a firewall which blocks all unsolicited outside connections, and a
> >> NAT router with no port holes punched through (i.e. no ports forwarded).
>
> >Yes, there is a difference.
>
> >All quality firewalls have certifications from independent authorities
> >that will state how they work and that they are actually providing xyz.
>
> >NAT Routers have no certification (at least in the class we're talking
> >about) and have been shown, many times, to have exploits that allow
> >Unsolicited inbound traffic to pass through - even with no rules set by
> >the owner.
>
> So, your argument is that nat routers are more often incompetent than
> firewalls are. If true, a reasonable argument. Actually you say, "have been
> shown"-- by whom?
>
> Mind you you stated at the top that you were only concerned with quality
> firewalls. Does that mean if I say "quality NAT routers" you would agree
> that the two are equivalent?

No, I would not. There is no governing body to determine what IS or IS
NOT quality. NAT does not make a firewall.

Show me a NAT Router that passes CERT testing as a firewall and I'll
change my opinion.

Volker Birk

Oct 19, 2007, 1:15:05 AM
jamesh...@yahoo.co.uk <jamesh...@yahoo.co.uk> wrote:
> NAT blocks incoming, unless port forwarding.

Usually, that's not true. You may want to think about what's called "NAT
helpers".

Usually, it's not a problem to get through a NAT implementation. Skype,
for example, does this as default.

Yours,
VB.
--
"The operating principles of the constitutional state are the opposite of
the operating principles of the preventive state."
Erhard Denninger
Professor of Public Law and Legal Philosophy, University of Frankfurt

Maniaque

Nov 7, 2007, 4:54:54 AM
On Oct 18, 2:53 pm, Leythos <v...@nowhere.lan> wrote:
> In article <1192735170.708582.241...@q5g2000prf.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...

>
> > NAT blocks incoming, unless port forwarding. He says he didn't have
> > port forwarding set up to port 5900, where his VNC server got the
> > connection. Let's assume that he checked afterwards to make sure the
> > port was not forwarded.
>
> > So, how did it happen?
>
> He did have port forwarding enabled, not 5900, but he was hosting
> services.
>
> So, any number of things could have exposed his network and then the
> hacker could use anything they wanted. Simple, really, exploit a hole in
> service X, add your own app or use one installed, get access to other
> things.
>

And just as this flamewar dies out, I'd like to pitch in again. I
cannot be absolutely certain what caused the issue as I had little
logging enabled, but as I have previously stated, I'm pretty confident
that this issue was due to an "Active FTP NAT Helper", as originally
suggested by Sebastian G and illustrated with Micheal Ziegler's help.
As a result of this issue I upgraded my home router to the latest
Tomato firmware (1.11), in which the author has kindly added an option
to disable the NAT helper.

The test page I linked somewhere above for the NAT Helper
"vulnerability" now happily shows that nothing gets through, with
status "500 Go away (PORT IP mismatch).".

Leythos, if exploiting a hole in any service X is as simple as you
seem to think (without you knowing anything about the services
involved), it's truly amazing to me that the internet still more or
less works :)

Thanks,
Tao
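
The check behind the "500 Go away (PORT IP mismatch)" reply quoted above, written out as an added example (not the router firmware's, the test page's or any FTP server's code): a PORT command is only honoured when the address it advertises is the address the control connection actually came from. The reply strings other than the mismatch one, and the refusal of privileged data ports, are constructed for this example.

```python
"""Validate an FTP PORT command against the control connection's peer.

Constructed example of the check an active-FTP NAT helper or FTP server
should make before opening a data path: the host named in PORT must be
the host that sent the command.  A forged PORT naming another address
(or another port on the sender) is exactly what the helper trick in this
thread relies on, so the mismatch is rejected outright."""
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as two bytes
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from a PORT line, or None if it is malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


def check_port_command(line, peer_ip):
    """Decide whether to honour a PORT command received from peer_ip.

    Returns an FTP-style reply string.  The mismatch reply mirrors the
    one quoted in the post above; the other replies are constructed."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "501 Syntax error in PORT command"
    ip, port = parsed
    # Never open a data path to a host other than the one that sent the
    # command; the advertised address must equal the observed peer.
    if ip != peer_ip:
        return "500 Go away (PORT IP mismatch)"
    # Constructed policy: do not let a data connection target a
    # well-known service port on the client either.
    if port < 1024:
        return "500 Go away (privileged data port)"
    return "200 PORT command successful"


if __name__ == "__main__":
    # Constructed control-connection peer and commands.
    for cmd in ("PORT 192,168,1,10,4,1", "PORT 10,0,0,7,4,1", "PORT junk"):
        print(cmd, "->", check_port_command(cmd, "192.168.1.10"))
```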

jamesh...@yahoo.co.uk

Nov 8, 2007, 2:26:09 PM
On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca

> says...
>
>
>
> > Yes, agreed. But that is irrelevant. The question is not whether or not a
> > firewall is more flexible than a NAT router; it is. The question is whether
> > there is a difference in security against unsolicited outside attacks
> > between a firewall which blocks all unsolicited outside connections, and a
> > NAT router with no port holes punched through (i.e. no ports forwarded).
>
> Yes, there is a difference.
>
> All quality firewalls have certifications from independent authorities
> that will state how they work and that they are actually providing xyz.
>
> NAT Routers have no certification (at least in the class we're talking
> about) and have been shown, many times, to have exploits that allow
> Unsolicited inbound traffic to pass through - even with no rules set by
> the owner.
>

Where has it been shown many times?

( Not shown [many times] in this newsgroup. I first heard of any such
issue from a few months ago perhaps, from Sebastian, on this
newsgroup, and since by Volker. In a thread where you were advocating
NAT for - I thought - blocking incoming )

Leythos

Nov 8, 2007, 2:48:59 PM
In article <1194544020.1...@v23g2000prn.googlegroups.com>,
jamesh...@yahoo.co.uk says...

Try google for reference materials.

--

Leythos
- Therefore, let him who desires peace prepare for war.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)

jamesh...@yahoo.co.uk

Nov 16, 2007, 4:11:43 AM
On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
> Leythos <v...@nowhere.lan> writes:
> > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla <"kevin

> > DOT paulus AT skynet DOT be"> says...
> > > Leythos wrote:
> > > > In article <1192120303.414117.236...@g4g2000hsf.googlegroups.com>,
> > > > maniaqu...@gmail.com says...

> > > >> not true. the WRT54G can block outgoing connections based on any
> > > >> number of specified parameters, and then it has all those extra fancy
> > > >> features that I don't understand ;)
>
> > > > it's a NAT device that can block outbound ports - it has no clue what
> > > > those ports are and doesn't know the difference between HTTP and SMTP
> > > > except that they use different ports.
>
> > > just some questions with as goal to learn more
>
> > > so you call a firewall something with complex heuristics ?
> > > really does iptables provide more than filtering between protocol, port
> > > and state information, and do people actually use it. Because in essence
> > > iirc
> > > a nat router does the same it opens up a connection if somebody on the
> > > inside requests it
> > > and after that allows the connection until it's broken down (FIN or RST)
> > > do i have a point here or not ?
>
> > Does the device, in the standard/default mode, block traffic in both
> > directions?
>
> A cat5 cable cut in half does. Is it a firewall?
>
> > Does the device know the difference between HTTP and SMTP or only
> > TCP 80 and TCP 25?
>
> Firewalls in the traditional definition never did, were they not
> firewalls? Application-level protocol recognition is only recently on
> the scene, yet we've had things people called "firewalls" existing for
> quite a while before that. I'd hate to think I didn't get the memo
> about someone changing the definition of "firewall" with the
> International Standards Organization.
>
> > Does the device understand being attacked and auto-block sources of
> > attacks or unauthorized traffic?
>
> So when did the definition of "firewall" start requiring it to also
> fit the definition of "network intrusion prevention device" or
> "network intrusion detection device?"
>
> Just curious.
>
> > Does the device use NAT or can it be setup with rules without using NAT?
> > If it forces NAT then I don't consider it a firewall unless it can do
> > all the others - since MOST of the devices that force NAT are
> > residential device (yea, not all inclusive, but you should get the idea
> > without us going off the deep end).
>
> Ah, okay here's where we come down to brass tacks--with the use of the
> word "I."
>
> Some folks seem to have their own definition of a firewall that
> doesn't match that accepted over the course of a lot of networking
> history including the present. This view categorically rejects those
> devices which don't fit a personally crafted unique definition of
> "firewalls."
>
> Unfortunately, it's pedantic and pointless. But then again, so is
> much of the banter by the more abusive posters here. To protect their
> identity, we won't mention Leythos and Sebastian by name.
>
> Now, that's not to say there isn't something to learn about the range
> of functionality one might want to consider in their border protection
> in the narrow definition such folks try to paint, but being so prickly
> about what to call a "firewall" and what to call a "NAT router" is
> just a freakin waste of time. Better to say "corporate grade border
> security appliance" which has built into the obvious fact that
> functionality and features of corporate grade hardware exceed that of
> $70 Linksys gear popular among home and small office users.
>
> And let's not forget that there was a time not very long ago where the
> functionality packed into your garden variety wrt54g (particularly one
> packing the functionality of third party firmware) took a HELL of a lot
> of much more expensive hardware and was certainly considered a
> "firewall." And still is for that matter.
>
> Those with what I'll call this "modern purist" view may be shocked to
> see the breadth of definitions for our friend the firewall that are in
> existence that cast a much bigger net than his own:
> http://www.google.com/search?q=define%3Afirewall
>
> We now return you to your regularly scheduled semantic argument.
>
> Best Regards,
> --
> Todd H. http://www.toddh.net/

unfortunately, those that make a point like the one you make , are
less vocal.


you mention
"
I'd hate to think I didn't get the memo about someone changing the
definition of "firewall" with the International Standards Organization
"

what is the ISO definition of firewall ? I couldn't find it

can you name some of the firewalls you used in the past, that didn't
do much more than the "traditional definition". And can you define the
traditional definition ?


What I would GUESS, is that a firewall is a packet filter and a packet
filter is a firewall. Same thing. Can be Device(network firewall) or
Software.

a packet filter controls a network by selectively allowing or blocking
packets.

packet filter is always Layer 3 (stateless/static packet filter)
and can be both Layers 3 and 4. (stateful / dynamic packet filter )

(definition based on webopedia and the one given in the docs for the
openbsd pf program)

It rules out the broken cable you mentioned ;-)


jamesh...@yahoo.co.uk
Nov 18, 2007, 12:16:50 PM

On Nov 16, 9:11 am, "jameshanle...@yahoo.co.uk"
> It rules out the broken cable you mentioned ;-)

rules out NAT Router too. which is probably good.

http://en.wikipedia.org/wiki/Firewall_(networking)
differs with webopedia, it calls "packet filter" only the first
generation of firewall. at the network layer of the OSI model. (though
if it accesses tcp port , that is something at Layer 4 too).
So, by that definition, SPI != packet filter.

That page does talk of a firewall as sitting between 2 networks,
perhaps as opposed to an individual computer from a network.

It does not mention whether a concept may be flawed, like running a
software firewall on a non dedicated machine.

Mr. Arnold
Nov 18, 2007, 2:17:13 PM

<jamesh...@yahoo.co.uk> wrote in message
news:d7665587-94fc-4017...@l22g2000hsc.googlegroups.com...

To keep it simplistic for you, the Internet is a massive/giant network, the
Wide Area Network, being protected from by the firewall. The network being
protected by the FW is the Local Area Network.

> It does not mention about if a concept may be flawed.. like running a
> software firewall on a non dedicated machine.


Your concept of a FW is flawed. A FW must separate two networks. The network
it is protecting from, and the network it is protecting. A FW must have at
least two network interfaces. One interface must face the WAN, and the other
interface must face the LAN. In the case of a software FW running on a
secured host computer, the computer must have two NIC(s) with one facing the
WAN and the other one facing the LAN.

If a software solution is not using two NIC(s), it's not a FW, but rather,
it's a machine level packet filter protecting at the machine level.

Unruh
Nov 18, 2007, 4:03:46 PM
Maniaque <mania...@gmail.com> writes:

If service X has a hole, then service X can be exploited. Clearly the
attacker knows which services to try since those are the ports you have
open. And exploiting service X means they have entry to your machine. And
if they have entry to your machine, then they can do what they want.
Why exactly do you say that the internet works? There are probably millions
of machines out there that are owned by outsiders- ie on which outsiders
can do what they want. They primarily use them for launching phishing and
spam attacks on the world. Your definition of "works" needs upgrading.


>Thanks,
>Tao

Unruh
Nov 18, 2007, 4:05:51 PM
"jamesh...@yahoo.co.uk" <jamesh...@yahoo.co.uk> writes:

>On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
>> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
>> says...
>>
>>
>>
>> > Yes, agreed. But that is irrelevant. The question is not whether or not a
>> > firewall is more flexible than a NAT router, it is. The question is whether
>> > there is a difference in security against unsolicited outside attacks
>> > between a firewall which blocks all unsolicited outside connections, and a
>> > NAT router with no port holes punched through (Ie no ports forwarded).
>>
>> Yes, there is a difference.
>>
>> All quality firewalls have certifications from independent authorities
>> that will state how they work and that they are actually providing xyz.

I am sorry, but you regard paper as a valid computer defense. Who cares if
they have a piece of paper attached? The question is not who has the paper
trail, but who has the security.

>>
>> NAT Routers have no certification (at least in the class we're talking
>> about) and have been shown, many times, to have exploits that allow
>> Unsolicited inbound traffic to pass through - even with no rules set by
>> the owner.

As have firewalls at times.
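
An added worked example (editor's code, not from any poster in this thread) of the point Unruh and Leythos are arguing over: what a NAT mapping table with no port forwards lets in depends on the router's NAT behaviour, the full-cone versus stricter kinds the thread mentions elsewhere. The toy model below keeps a mapping table for three behaviours and reports which inbound packets each one delivers to the inside host. The addresses, ports and hosts are constructed sample values, and the model describes the general behaviour of such routers, not the original poster's specific device.

```python
"""Toy model of a NAT mapping table and which unsolicited inbound packets it admits.

Added example, not code from the thread or from any router vendor. It models the
three classic NAT behaviours (full-cone, address-restricted, symmetric) to show
why "no port forwards" is not the same statement as "no unsolicited inbound".
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field

FULL_CONE = "full-cone"                  # any outside host may use a mapping once it exists
ADDR_RESTRICTED = "address-restricted"   # only the outside IP the inside host talked to
SYMMETRIC = "symmetric"                  # only the exact outside IP:port, which is what a
                                         # stateful "allow established, drop the rest" rule gives


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    behaviour: str
    public_ip: str = "203.0.113.10"               # constructed public address of the router
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    bindings: dict = field(default_factory=dict)  # public port -> (in_ip, in_port, out_ip, out_port)

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host sends a packet out: create or reuse a mapping and return the
        packet as seen on the internet (source rewritten to public_ip:public_port)."""
        if self.behaviour == SYMMETRIC:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)  # one mapping per destination
        else:
            key = (pkt.src_ip, pkt.src_port)                            # one mapping, any destination
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.bindings[self.next_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.next_port += 1
        return Packet(self.public_ip, self.mappings[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """A packet arrives from the internet at public_ip:dst_port. Return the inside
        (ip, port) it is delivered to, or None if the router drops it."""
        binding = self.bindings.get(pkt.dst_port)
        if binding is None:
            return None   # no mapping and no forward: dropped for every NAT type
        in_ip, in_port, out_ip, out_port = binding
        if self.behaviour == FULL_CONE:
            return (in_ip, in_port)
        if self.behaviour == ADDR_RESTRICTED:
            return (in_ip, in_port) if pkt.src_ip == out_ip else None
        return (in_ip, in_port) if (pkt.src_ip, pkt.src_port) == (out_ip, out_port) else None


def probe(behaviour: str):
    """Inside host 192.168.1.20 talks to one peer, then four inbound packets are tried:
    the peer replying, the peer from a different port, a stranger hitting the same
    public port, and a stranger hitting a port that was never mapped (a service that
    only listens and never sends). Returns the four delivery results in that order."""
    nat = Nat(behaviour)
    seen_outside = nat.outbound(Packet("192.168.1.20", 6881, "198.51.100.5", 6881))
    mapped = seen_outside.src_port
    return (
        nat.inbound(Packet("198.51.100.5", 6881, nat.public_ip, mapped)),   # peer replies
        nat.inbound(Packet("198.51.100.5", 9999, nat.public_ip, mapped)),   # peer, new source port
        nat.inbound(Packet("192.0.2.77", 31337, nat.public_ip, mapped)),    # unrelated host
        nat.inbound(Packet("192.0.2.77", 31337, nat.public_ip, 5900)),      # never mapped
    )


if __name__ == "__main__":
    for kind in (FULL_CONE, ADDR_RESTRICTED, SYMMETRIC):
        print(kind, probe(kind))
```

Running it shows the full-cone router handing the stranger's packet to the inside host (the reachability that STUN-based peer-to-peer software relies on), the address-restricted one admitting only the original peer, and the symmetric one admitting only the exact peer endpoint; the packet to the never-mapped port 5900 is dropped in every case. So a NAT with no forwards does stop a cold scan of a listen-only service, but what it admits on ports the inside host has been using depends on the cone type, and only the strictest behaviour matches a stateful firewall's drop-unsolicited rule.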

jamesh...@yahoo.co.uk
Nov 18, 2007, 6:06:34 PM
On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
> <jameshanle...@yahoo.co.uk> wrote in message
<snip>

>
> > That page does talk of a firewall as sitting between 2 networks.
> > perhaps, as oppose to an individual computer from a network.
>
> To keep it simplistic for you, the Internet is a massive/giant network the
> Wide Area Network being protected from by the firewall. The network being
> protected by the FW is the Local Area Network.
>

What is the complicated way then?

note- a firewall blocking certain outgoing can help protect other
people on the internet from a compromised machine. Leythos is keen on
blocking certain outgoing so he'd probably know of some examples.


> > It does not mention about if a concept may be flawed.. like running a
> > software firewall on a non dedicated machine.
>
> Your concept of a FW is flawed. A FW must separate two networks. The network
> it is protecting from, and the network it is protecting. A FW must have at
> least two network interfaces. One interface must face the WAN, and the other
> interface must face the LAN. In the case of a software FW running on a
> secured host computer, the computer must have two NIC(s) with one facing the
> WAN and the other one facing the LAN.
>
> If a software solution is not using two NIC(s), it's not a FW, but rather,

> it's a machine level packet filter protecting at the machine level.-

makes sense, thanks.


Leythos
Nov 18, 2007, 6:54:51 PM
In article <aaf5ac3a-9b60-451a-b03e-36c03533b841
@w73g2000hsf.googlegroups.com>, jamesh...@yahoo.co.uk says...

> Leythos is keen on
> blocking certain outgoing so he`d probably know of some examples.

SMTP, SQL Command, Windows File Sharing, IM......

I don't allow outbound SMTP from workstations ever.

I don't allow outbound SQL Command from anything, ever.

Windows File Sharing, DNS, etc... never from the local workstations..

IM - only from approved workstations....

While DNS is not an easy exploit the others permit LAN machines to spread
malware to people on the net with exposed machines.

Mr. Arnold
Nov 18, 2007, 9:42:06 PM

<jamesh...@yahoo.co.uk> wrote in message
news:aaf5ac3a-9b60-451a...@w73g2000hsf.googlegroups.com...

> On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
>> <jameshanle...@yahoo.co.uk> wrote in message
> <snip>
>>
>> > That page does talk of a firewall as sitting between 2 networks.
>> > perhaps, as oppose to an individual computer from a network.
>>
>> To keep it simplistic for you, the Internet is a massive/giant network the
>> Wide Area Network being protected from by the firewall. The network being
>> protected by the FW is the Local Area Network.
>>
>
> What is the complicated way then?


>
> note- a firewall blocking certain outgoing can help protect other
> people on the internet from a compromised machine. Leythos is keen on
> blocking certain outgoing so he`d probably know of some examples.

The proper thing would be to block all outbound traffic, and only allow
outbound traffic for those applications or services that need outbound
traffic. That would mostly apply to a solution such as a FW appliance,
packet filtering FW router or a software FW running on a secured gateway
computer that could implement the solution properly by creating packet
filtering rules.


>
>
>> > It does not mention about if a concept may be flawed.. like running a
>> > software firewall on a non dedicated machine.
>>
>> Your concept of a FW is flawed. A FW must separate two networks. The network
>> it is protecting from, and the network it is protecting. A FW must have at
>> least two network interfaces. One interface must face the WAN, and the other
>> interface must face the LAN. In the case of a software FW running on a
>> secured host computer, the computer must have two NIC(s) with one facing the
>> WAN and the other one facing the LAN.
>>
>> If a software solution is not using two NIC(s), it's not a FW, but rather,
>> it's a machine level packet filter protecting at the machine level.
>
> makes sense, thanks.

When segmenting networks, a FW limits the damage that can be spread from one
network to another network, like a firedoor or firewall.

>
>

jamesh...@yahoo.co.uk
Nov 19, 2007, 1:32:56 AM
On Nov 18, 11:54 pm, Leythos <v...@nowhere.lan> wrote:
> In article <aaf5ac3a-9b60-451a-b03e-36c03533b841
> @w73g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...

>
> > Leythos is keen on
> > blocking certain outgoing so he`d probably know of some examples.
>
> SMTP, SQL Command, Windows File Sharing, IM......
>
> I don't allow outbound SMTP from workstations ever.
>
> I don't allow outbound SQL Command from anything, ever.
>
> Windows File Sharing, DNS, etc... never from the local workstations..
>
> IM - only from approved workstations....
>
> While DNS is not a easy exploit the others permit LAN machines to spread
> malware to people on the net with exposed machines.
>


if you block SMTP, can users only send email via Yahoo-like websites?
I guess you don't block some SMTP and not others, since how would you
distinguish between good and bad. They could (knowingly or not) be bad
and use your SMTP server. You'd have to block all. Do you have
no SMTP server ?

I know one company that has an SMTP server and does not allow Yahoo.
That way they can more easily see all the email that goes in and out.


jamesh...@yahoo.co.uk
Nov 19, 2007, 1:54:04 AM
On Nov 19, 2:42 am, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
> <jameshanle...@yahoo.co.uk> wrote in message
>
> news:aaf5ac3a-9b60-451a...@w73g2000hsf.googlegroups.com...
>
>
>
>
>
> > On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
> >> <jameshanle...@yahoo.co.uk> wrote in message
> > <snip>
>
> >> > That page does talk of a firewall as sitting between 2 networks.
> >> > perhaps, as oppose to an individual computer from a network.
>
> >> To keep it simplistic for you, the Internet is a massive/giant network
> >> the
> >> Wide Area Network being protected from by the firewall. The network being
> >> protected by the FW is the Local Area Network.
>
> > What is the complicated way then?
>
> > note- a firewall blocking certain outgoing can help protect other
> > people on the internet from a compromised machine. Leythos is keen on
> > blocking certain outgoing so he`d probably know of some examples.
>
> The proper thing would be to block all outbound traffic, and only allow
> outbound traffic for

well, if you are a techie user on the network of [mostly] idiot users,
then you may not appreciate that.


> those applications or services that need outbound
> traffic. That would mostly apply to a solution such as a FW appliance,
> packet filtering FW router or a software FW running on a secured gateway
> computer that could implement the solution poperly by creating packet
> filtering rules.
>

I wouldn't say "properly".

With a network firewall, you cannot see directly which application
sent the packet or established a connection. But you can block packets
based on criteria that that application may use, like tcp port and app
layer protocol. It is not literally blocking application blah
though. The techie world does [or has produced software or
techniques to] evade this sort of thing and get through the firewall.

With a software firewall on each machine - an example you did not
mention for obvious reasons - one app could pretend to be another.
That firewallleaktest site prob has examples. But at least with that
you can identify what application sent the packet, if it is not being
evasive or malicious.
And as far as I know, the regular techie world has not come up with a
way to evade that one! I see malware doing it all the time. But
techies are not running commands to let one application pretend to be
another. I guess it is because the need has not arisen. Companies do
not - and with good reason - run a PFW on each machine! I don't know
if a techie software firewall like perhaps winipfw, or, I don't know
if it is a software firewall, but this ipsec thing you mention
sometimes (is it a fw?), can see the application that sent the packet.

<snip>

Leythos
Nov 19, 2007, 5:23:13 AM
In article <533b5129-d008-4dd3-ac15-33ab1c6c5c11
@v4g2000hsf.googlegroups.com>, jamesh...@yahoo.co.uk says...

> On Nov 18, 11:54 pm, Leythos <v...@nowhere.lan> wrote:
> > In article <aaf5ac3a-9b60-451a-b03e-36c03533b841
> > @w73g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...
> >
> > > Leythos is keen on
> > > blocking certain outgoing so he`d probably know of some examples.
> >
> > SMTP, SQL Command, Windows File Sharing, IM......
> >
> > I don't allow outbound SMTP from workstations ever.
> >
> > I don't allow outbound SQL Command from anything, ever.
> >
> > Windows File Sharing, DNS, etc... never from the local workstations..
> >
> > IM - only from approved workstations....
> >
> > While DNS is not a easy exploit the others permit LAN machines to spread
> > malware to people on the net with exposed machines.
> >
>
>
> if you block SMTP, can users only send email via Yahoo-like websites?
> I guess you don't block some SMTP and not others, since how would you
> distinguish between good and bad. They could (knowingly or not) be bad
> and use your SMTP server. You'd have to block all. Do you have
> no SMTP server ?

Yahoo? Who uses Yahoo?

If you don't have your own email server in your network then you can
limit your SMTP outbound to just the IP of your ISP's SMTP server - this
will cause most SMTP bots to be limited to just the SMTP service of your
ISP and they will contact you shortly after you are compromised.

And yes, we block all SMTP Outbound from Workstations/Devices, Except
for our own SMTP server - if you're not using our SMTP server then
you're not using SMTP.

> I know one company that has an SMTP server and does not allow Yahoo.
> That way they can more easily see all the email that goes in and out.

None of the companies we setup allow IM, Yahoo, MSN, etc... The only
SMTP they allow is from their own email server, and there are a lot of
other things too.

The Pharmacies don't allow ANY outbound except to Business Partner sites
- so that means no HTTPS or HTTP except to approved sites.

jamesh...@yahoo.co.uk
Nov 19, 2007, 6:43:47 AM
On 19 Nov, 10:23, Leythos <v...@nowhere.lan> wrote:
> In article <533b5129-d008-4dd3-ac15-33ab1c6c5c11
> @v4g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...

the SMTP server that malicious programs are most likely to access
when on your network is your SMTP server, since most SMTP servers are
not "open relays".

<snip>

Mr. Arnold
Nov 19, 2007, 7:16:29 AM

<jamesh...@yahoo.co.uk> wrote in message
news:c74699fe-6733-4a46...@a28g2000hsc.googlegroups.com...

It's not the job of a FW to be blocking applications. A personal FW/packet
filter is not a FW. The job of a FW is to stop inbound packets
coming from the network it is protecting against, and also packets leaving the
network if rules have been set to stop outbound packets. A FW sits at the
junction point between two networks.

>
> With a software firewall on each machine - an example you did not
> mention for obvious reasons - one app could pretend to be another.
> That firewallleaktest site prob has examples. But at least with that
> you can identify what application sent the packet, if it is not being
> evasive or malicious.

If the machine has been compromised, then there is nothing running on the
machine that can stop it, other than the O/S if it has the means to do so.
So you stop something with a PFW. But what about the boot and login process,
where the malware can beat the PFW to the connection and get out, because the
PFW is not an integrated part of the O/S that the O/S is going to make other
services wait on until the FW is up and running. And besides that, malware can
fool the packet filter with app. control running with the O/S, like it can
fool the O/S with both of them running with the O/S.

And most users flat-out do not know what is legit or non-legit traffic in a
typical situation when they are being asked the questions.


> And as far as I know, the regular techie world has not come up with a
> way to evade that one! I see malware doing it all the time. But
> techies are not running commands to let one application pretend to be
> another.. I guess it is because the need has not arisen. Companies do
> not - and with good reason - run a PFW on each machine! I don`t know
> if a techie software firewall like perhaps winipfw, or, I don`t know
> if it is a software firewall, but this ipsec thing you mention
> sometimes (is it a fw?), can see the application that sent the packet.
>

Like I said, if the solution is not using two NIC(s), it's not a FW solution
and is just a packet filter.

Leythos
Nov 19, 2007, 7:20:48 AM
In article <9e2f2f06-9ae5-41fb-867b-fd30940fcbe6
@f13g2000hsa.googlegroups.com>, jamesh...@yahoo.co.uk says...

You seem to think that only an SMTP server uses SMTP - but the only
compromised SMTP servers I've seen in years were workstations/laptops
where the idiot had compromised their workstation with a malware that
installs its own SMTP engine - the laptop becomes a SMTP server sending
out hundreds of emails with the infection included per minute. The
malware, in every case, didn't attempt to use the internal SMTP server,
it had its own built into it.

There are many threats, I look for more than just the common ones.

jamesh...@yahoo.co.uk
Nov 19, 2007, 8:42:10 AM
Leythos wrote:

I too have seen what I think you describe. Users running as
administrator get compromised, their windows firewall is taken down and
they end up with an smtp server and others connecting (incoming) or
trying to connect. I think mostly they are saved by their NAT router.
That is a common one!!

They are screwed if they run a Bridge or half bridge thing, where
there is no NAT, like some USB dsl modems and perhaps PCI DSL modems.
Typically with those things the PPP is done by windows. ipconfig
displays their public ip. Malicious people connect successfully, spam
gets sent out from the user's computer and user gets a threatening
email from their ISP to get rid of it or else.

But, we were talking of blocking outgoing, and thus outgoing smtp.


Leythos
Nov 19, 2007, 9:16:13 AM
In article <474192b2$0$21100$da0f...@news.zen.co.uk>, jameshanley39
@yahoo.co.uk says...

That's NOT what I'm saying - I'm saying that users, on a LAN, behind a
NAT router with no forwarding enabled, loaded an application that
was malware and it contained a SMTP service that was sending hundreds of
emails per minute. It was not allowing external connections, it was not
being connected to from the net, it was its own SMTP service spewing
emails out to domains - the Windows firewall would not and could not stop
this.

> They are screwed if they run a Bridge or half bridge thing. Where
> there is no NAT. Like some USB dsl modems and perhaps PCI DSL modems.
> Typically with those things the PPP is done by windows. ipconfig
> displays their public ip. Malicious people connect successfully , spam
> gets sent out from the user`s computer and user gets a threatening
> email from their ISP to get rid of it or else.
>
> But, we were talking of blocking outgoing, and thus outgoing smtp.

Yes, we are, and in this case, you've mistaken what I've said/shown,
where a blocking of SMTP outbound from the LAN by the workstations, or
where SMTP would be limited to the ISP's SMTP server, would block the
spreading of the malware in question.
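
An added example (editor's code, not from any poster in the thread): the outbound policy Leythos and Mr. Arnold describe above, written as an ordered rule set and dry-run against constructed flow records, including the case just discussed of a workstation whose malware carries its own SMTP engine. The subnet, the host roles (mail server, resolver, approved IM host, ISP relay) and every address are assumptions made for the example.

```python
"""Egress policy dry-run: which LAN-to-internet flows a border filter would drop.

Added example, not code from the thread or from any firewall product. It encodes
the outbound policy described in the posts above (no SMTP from workstations, SMTP
only from the mail server or, as a weaker option, only to the ISP's relay, no
outbound SQL or Windows file sharing, DNS only from the internal resolver, IM only
from approved hosts) and evaluates it against constructed flow records. Subnets,
host roles and addresses are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal subnet
MAIL_SERVER = "192.168.1.10"                   # assumed internal SMTP server
RESOLVER = "192.168.1.2"                       # assumed internal DNS forwarder
IM_APPROVED = {"192.168.1.50"}                 # assumed hosts allowed to use IM
ISP_SMTP = "203.0.113.25"                      # assumed ISP mail relay

SQL_PORTS = {1433, 1434, 3306, 5432}           # MS SQL, MySQL, PostgreSQL
SMB_PORTS = {135, 137, 138, 139, 445}          # Windows file sharing / RPC
IM_PORTS = {1863, 5050, 5190, 5222}            # MSN, Yahoo, AIM, XMPP


def _in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


def decide(flow: Flow, allow_isp_smtp: bool = False):
    """Return (verdict, reason) for one flow. Rules are checked in order, first
    match wins; traffic no rule mentions falls through to the final default.
    allow_isp_smtp=True selects the weaker policy of letting workstations reach
    only the ISP's relay on TCP/25."""
    if not _in_lan(flow.src) or _in_lan(flow.dst):
        return ("skip", "not a LAN-to-internet flow")
    if flow.proto == "tcp" and flow.dport == 25:
        if flow.src == MAIL_SERVER:
            return ("allow", "smtp from mail server")
        if allow_isp_smtp and flow.dst == ISP_SMTP:
            return ("allow", "smtp to isp relay only")
        return ("drop", "smtp from workstation")
    if flow.proto == "tcp" and flow.dport in SQL_PORTS:
        return ("drop", "outbound sql")
    if flow.dport in SMB_PORTS:
        return ("drop", "windows file sharing")
    if flow.dport == 53 and flow.src != RESOLVER:
        return ("drop", "dns not from resolver")
    if flow.proto == "tcp" and flow.dport in IM_PORTS and flow.src not in IM_APPROVED:
        return ("drop", "im from unapproved host")
    return ("allow", "default")   # change to "drop" for a strict default-deny posture


# Constructed sample flows, including the malware case from the discussion:
# an infected workstation running its own SMTP engine straight to the internet.
SAMPLE_FLOWS = [
    Flow("192.168.1.23", "198.51.100.9", "tcp", 25),     # workstation's own SMTP engine
    Flow("192.168.1.10", "198.51.100.9", "tcp", 25),     # mail server delivering mail
    Flow("192.168.1.23", "203.0.113.25", "tcp", 25),     # workstation to ISP relay
    Flow("192.168.1.23", "198.51.100.40", "tcp", 1433),  # SQL probe
    Flow("192.168.1.23", "198.51.100.41", "tcp", 445),   # SMB worm traffic
    Flow("192.168.1.23", "198.51.100.53", "udp", 53),    # workstation bypassing the resolver
    Flow("192.168.1.2", "198.51.100.53", "udp", 53),     # resolver forwarding queries
    Flow("192.168.1.23", "198.51.100.80", "tcp", 443),   # ordinary HTTPS
    Flow("192.168.1.50", "198.51.100.60", "tcp", 5222),  # IM from an approved host
    Flow("192.168.1.23", "192.168.1.10", "tcp", 25),     # LAN-to-LAN, not judged here
]


def dropped(flows=SAMPLE_FLOWS, allow_isp_smtp: bool = False):
    """List (src, dport, reason) for every flow the policy drops."""
    out = []
    for f in flows:
        verdict, reason = decide(f, allow_isp_smtp)
        if verdict == "drop":
            out.append((f.src, f.dport, reason))
    return out


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(decide(f), f)
```

The point of the dry-run is the first three flows: the workstation's own SMTP engine is dropped under both variants, the mail server is always allowed, and the workstation reaching the ISP relay is allowed only under the weaker variant, where the ISP's abuse desk rather than your own log is what tells you a host is spewing. The rule order matters; the LAN-to-LAN check comes first so that internal mail submission is never judged by the egress rules at all.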

goarilla
Nov 20, 2007, 11:47:31 PM
Unruh wrote:
> "jamesh...@yahoo.co.uk" <jamesh...@yahoo.co.uk> writes:
>
>> On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
>>> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
>>> says...
>>>
>>>
>>>
>>>> Yes, agreed. But that is irrelevant. The question is not whether or not a
>>>> firewall is more flexible than a NAT router, it is. The question is whether
>>>> there is a difference in security against unsolicited outside attacks
>>>> between a firewall which blocks all unsolicited outside connections, and a
>>>> NAT router with no port holes punched through (Ie no ports forwarded).
>>> Yes, there is a difference.
>>>
>>> All quality firewalls have certifications from independent authorities
>>> that will state how they work and that they are actually providing xyz.
>
> I am sorry, but you regard paper as a valid computer defense. Who cares if
> they have a piece of paper attached? The question is not who has the paper
> trail, but who has the security.
>

True but one of the things this also shows is that it has been (thoroughly)
peer-reviewed by (experts). I have my doubts as well since there is a lot of
potential for fraud in this space.

I like to think of it as the commercial variant to opensource software.
eg with many eyes bugs are shallow.

Hexalon
Dec 3, 2007, 11:03:39 AM
On Oct 11, 10:31 am, Maniaque <maniaqu...@gmail.com> wrote:
> On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
>
> > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> > maniaqu...@gmail.com says...
>
> > A NAT is not a firewall at all, it's basic routing - Most non-technical
> > types call NAT Routers firewalls, they are not.
>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections. Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G) - when do
> you decide what is and what is not a firewall? I really would like to
> know, it's something that's puzzled me for years. Some things are
> clearly not a firewall at all, like a "Full-cone" NAT router. Some
> things are clearly a firewall first, and anything else after, like one
> of those Cisco devices. But aren't most home routers somewhere in-
> between?
>
A true Firewall is a packet and port filter and is able to filter in
both directions. Basically a firewall regulates the flow of traffic
between 2 or more computer networks.
>
> > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> > inbound traffic, that's all.

>
> not true. the WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)
>
> Firewall Protection: Enable Disable
> Additional Filters
> Filter Proxy Filter Cookies
> Filter Java Applets Filter ActiveX
> Block Portscans Filter P2P Applications
> Block WAN Requests
> Block Anonymous Internet Requests
> Filter Multicast
> Filter Internet NAT Redirection
> Filter IDENT(Port 113)
>
It is still not a TRUE firewall because it can't filter by port.
>
> > No, port forwarding is what your problem is - if you forward ports then
> > you expose your computer/network and that's how people reach your
> > computer to do things you don't want.
>
> Only if they get past the intended security of the service in
> question, right?
>
Port forwarding is used to allow unsolicited inbound traffic to pass
through to a server listening on a certain port. Port forwarding only
forwards traffic on the specified port. So if you are hosting email then
you would enable port forwarding on port 25.
>
> > You should learn to post in one group or to cross post so that your
> > thread is easy to work with for multiple groups that you've done this
> > in.
>
> Yep, thanks.
>
> Tao


Hope that is helpful,

Hex
