
firewall test and NAT


ToddAndMargo

May 7, 2009, 2:14:53 PM5/7/09
Hi All,

I would like to test my firewall, but have a NAT box
between me and the various firewall tests I know
of. Anyone know of a firewall test that shoots
through NAT?

Many thanks,
-T

John John - MVP

May 7, 2009, 2:35:22 PM5/7/09

NAT would be pretty useless if anything could just "shoot" through it.
Open (forward) a port in the box or temporarily disable/bypass the NAT
box for your tests.

John

ToddAndMargo

May 7, 2009, 2:45:01 PM5/7/09

Hi John,

The bad guys know all about NAT. And it is indeed useless
as a firewall.

The bad guys start with 192.168.0.0/24 and work their way
up. Check your firewall logs, you will see SYN packet probes
on it all the time: about 1/100 if you did not use NAT, but
still enough to do damage. NAT is *not* a firewall -- it is
a common misconception.

I was hoping for a way to test it without redoing anything
on my network.

-T

John John - MVP

May 7, 2009, 2:56:00 PM5/7/09

I'm by no means any kind of expert on this but my understanding about
NAT is that it will only allow traffic in if the request for the packets
originated from within. You say that you have a "NAT box" I assume that
to be a router of sorts, check the documentation for your router.

John

ToddAndMargo

May 7, 2009, 3:33:11 PM5/7/09

Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

NAT is *NOT* a firewall. You take your rear end in your hands
if you rely on NAT to protect you from port probes.

-T

John John - MVP

May 7, 2009, 3:57:37 PM5/7/09

I don't think that is how it works. My router stops SYN floods and
operates in stealth mode, you could be "knocking" all you want but you
ain't gonna come in!

John

ToddAndMargo

May 7, 2009, 4:06:54 PM5/7/09

Hi John,

That is a good feature to have. But it is not NAT. It is an
additional feature. I was specifically referring only to NAT.

What scares me is people with $15.00 routers with NAT thinking
it is a real firewall.

-T

John John - MVP

May 7, 2009, 5:01:10 PM5/7/09

I think that your assessment of how easily NAT can be broken is
overblown, consider this, if your firewall tests can't make it through
your NAT box it isn't as flimsy as you make it out to be! If anyone is
that worried they can put their private IP address in the Class A range
and give the hackers a "few" more doors to knock on. But I do have to
agree with you that you get what you pay for and that a $15 router may
not be the best thing to have between your network and the internet!

John

ToddAndMargo

May 7, 2009, 5:13:15 PM5/7/09
John John - MVP wrote:
> I think that your assessment of how easily NAT can be broken is
> overblown, consider this, if your firewall tests can't make it through
> your NAT box it isn't as flimsy as you make it out to be!

You are missing the point. The firewall test sites that don't shoot
through NAT do not tag the secondary off internet address on to
their attack packets. In those tests, everything comes back perfect
because they are being rejected by the router.

Now if the test site took your secondary off Internet address from
your initial SYN packet to log into their site and probed you, the
router would pass their probes right through.


> If anyone is
> that worried they can put their private IP address in the Class A range
> and give the hackers a "few" more doors to knock on. But I do have to
> agree with you that you get what you pay for and that a $15 router may
> not be the best thing to have between your network and the internet!
>
> John

Best Buy is ready and waiting for the $15.00 crowd: their Geek Squid
will happily wipe your hard drive clean and reinstall windows for you!

ToddAndMargo

May 7, 2009, 5:16:18 PM5/7/09

Squid was a typo. :-)

He who pays the least, pays the most

Leythos

May 7, 2009, 6:10:29 PM5/7/09
In article <#2gS5#zzJHA...@TK2MSFTNGP04.phx.gbl>,
ToddAn...@invalid.com says...

LOL, NAT doesn't have things "Shoot Through" it, that would break NAT.

If you want to test, most of those cheap, crappy, NAT routers have a
fake DMZ IP address, just map the DMZ to the same IP as your computer.
The DMZ IP gets all traffic that you have not created rules for, in most
NAT routers.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)

Leythos

May 7, 2009, 6:28:14 PM5/7/09
Forget my last post I was wrong, you need to format your hd and reinstall
windows.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"

spam9...@rohio.com (remove 999 for proper email address)


"Leythos" <spam9...@rrohio.com> wrote in message
news:004bdcc4$0$14705$c3e...@news.astraweb.com...

Leythos

May 7, 2009, 6:58:41 PM5/7/09
In article <7gJMl.25461$BZ3....@newsfe12.iad>, spam99...@rrohio.com
says...

>
> Forget my last post I was wrong, you need to format your hd and reinstall
> windows.

The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

Leythos

May 7, 2009, 7:24:41 PM5/7/09
In article <7gJMl.25461$BZ3....@newsfe12.iad>, spam99...@rrohio.com
says...
>
> Forget my last post I was wrong, you need to format your hd and reinstall
> windows.

The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

Leythos

May 7, 2009, 7:26:09 PM5/7/09
In article <7gJMl.25461$BZ3....@newsfe12.iad>, spam99...@rrohio.com
says...
>
> Forget my last post I was wrong, you need to format your hd and reinstall
> windows.

The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

Leythos

May 7, 2009, 8:05:44 PM5/7/09
In article <35KMl.23466$Rf7....@newsfe21.iad>, spam99...@rrohio.com
says...
> Path: news.astraweb.com!border1.newsrouter.astraweb.com!npeer01.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!post02.iad.highwinds-media.com!newsfe21.iad.POSTED!4b08191c!not-for-mail
> From: "Leythos" <spam99...@rrohio.com>
> Newsgroups: microsoft.public.windowsxp.general
> References: <#2gS5#zzJHA...@TK2MSFTNGP04.phx.gbl> <004bdcc4$0$14705$c3e...@news.astraweb.com> <7gJMl.25461$BZ3....@newsfe12.iad>
> In-Reply-To: <7gJMl.25461$BZ3....@newsfe12.iad>
> Subject: Re: firewall test and NAT- Another Impersonation by Butts
> Lines: 20
> MIME-Version: 1.0
> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Windows Mail 6.0.6001.18000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
> X-Antivirus: avast! (VPS 090507-0, 05/07/2009), Outbound message
> X-Antivirus-Status: Clean
> Message-ID: <35KMl.23466$Rf7....@newsfe21.iad>
> X-Complaints-To: ab...@teranews.com
> NNTP-Posting-Date: Thu, 07 May 2009 23:24:47 UTC
> Organization: TeraNews.com
> Date: Thu, 7 May 2009 16:24:41 -0700

>
> In article <7gJMl.25461$BZ3....@newsfe12.iad>, spam99...@rrohio.com
> says...
> >
> > Forget my last post I was wrong, you need to format your hd and reinstall
> > windows.
>
>
> The above post was not by Leythos, it was a faked post and shows the
> lack of ethics and lack of Honesty of Butts and his sock TrollBuster.
>

And the headers prove another impersonation by the resident unethical
hack.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"

spam9...@rrohio.com (remove 999 for proper email address)

Leythos

May 7, 2009, 8:06:24 PM5/7/09
In article <n6KMl.23467$Rf7....@newsfe21.iad>, spam99...@rrohio.com
says...
> Path: news.astraweb.com!border2.newsrouter.astraweb.com!indigo.octanews.net!news-out.octanews.net!teal.octanews.net!nx01.iad01.newshosting.com!newshosting.com!69.16.185.16.MISMATCH!npeer02.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!post02.iad.highwinds-media.com!newsfe21.iad.POSTED!4b08191c!not-for-mail

> From: "Leythos" <spam99...@rrohio.com>
> Newsgroups: microsoft.public.windowsxp.general
> References: <#2gS5#zzJHA...@TK2MSFTNGP04.phx.gbl> <004bdcc4$0$14705$c3e...@news.astraweb.com> <7gJMl.25461$BZ3....@newsfe12.iad>
> In-Reply-To: <7gJMl.25461$BZ3....@newsfe12.iad>
> Subject: Re: firewall test and NAT- Another Impersonation by Butts
> Lines: 17

> MIME-Version: 1.0
> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Windows Mail 6.0.6001.18000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
> X-Antivirus: avast! (VPS 090507-0, 05/07/2009), Outbound message
> X-Antivirus-Status: Clean
> Message-ID: <n6KMl.23467$Rf7....@newsfe21.iad>
> X-Complaints-To: ab...@teranews.com
> NNTP-Posting-Date: Thu, 07 May 2009 23:26:11 UTC
> Organization: TeraNews.com
> Date: Thu, 7 May 2009 16:26:09 -0700

>
> In article <7gJMl.25461$BZ3....@newsfe12.iad>, spam99...@rrohio.com
> says...
> >
> > Forget my last post I was wrong, you need to format your hd and reinstall
> > windows.
>
> The above post was not by Leythos, it was a faked post and shows the
> lack of ethics and lack of Honesty of Butts and his sock TrollBuster.
>

And the headers prove another impersonation by the resident unethical
hack.

--

- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"

spam9...@rrohio.com (remove 999 for proper email address)

Brian A.

May 7, 2009, 8:22:36 PM5/7/09
<snip>

> The trouble with NAT is that the bad guys just slap their
> guess as to what your internal off Internet address on
> to their probe. They find you very quickly if your internal
> off Internet address is 192.168.0.xxx. (Recommendation:
> pick an internal address other than 192.168.0.0/24 or
> 192.168.1.0/24.)
>
> NAT does not stop incoming requests called SYN (TCP) or
> state "New" (TCP or UDP). It only stops traffic not
> properly addressed to your internal network. Enough
> guessing and the bad guys will find you.

If that were to be true, every network in the universe would be no more,
Port probes are being performed 24/7 and have been for years.

The Client sends a SYN to the Server requesting a connection.
The Server sends back a SYN-ACK to the Client acknowledging the request.
The Client responds with an ACK and the connection is completed.

Port probes are looking for any open Port, and if they don't find one, they
move on to the next possible victim without ever responding with an ACK to
the Server. Without an ACK response from the Client, the Server will wait X
amount of time before sending another SYN-ACK, then again, and again, etc.
until it reaches its max set of times to send. It's when a Server is
overwhelmed with these Half-Open connections that it becomes a real issue.


--

Brian A. Sesko
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
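The handshake and retransmit behaviour Brian describes, modelled as code. This is an added example and not code from the thread: it keeps a listener's half-open table, answers each SYN with a SYN-ACK, retransmits a bounded number of times while waiting for the client's ACK, and gives up when the retry budget runs out. The backlog size, retry limit, timer values and client addresses in `run_scenario` are constructed for illustration; real TCP stacks use their own defaults and larger backlogs.

```python
"""Half-open (SYN_RECV) table of a TCP listener: SYN -> SYN-ACK, wait for ACK,
retransmit SYN-ACK with backoff, expire after the retry limit.
Added example; backlog, retry count, timings and addresses are constructed."""
from typing import Dict, List, Set, Tuple

Client = Tuple[str, int]  # (remote ip, remote source port)


class Listener:
    def __init__(self, backlog: int = 4, max_synack_retries: int = 3, rto: float = 1.0):
        self.backlog = backlog                 # max simultaneous half-open entries
        self.max_retries = max_synack_retries  # SYN-ACK retransmissions before giving up
        self.rto = rto                         # initial retransmission timeout (seconds)
        self.half_open: Dict[Client, Dict[str, float]] = {}
        self.established: Set[Client] = set()
        self.refused_syns = 0  # SYNs dropped because the table was full
        self.expired = 0       # entries that never completed the handshake

    def on_syn(self, client: Client, now: float) -> bool:
        """SYN received. Returns True if a SYN-ACK was (re)sent, False if refused."""
        if client in self.half_open:
            # duplicate SYN from a known client: answer again, no new slot used
            self.half_open[client]["next_send"] = now + self.rto
            return True
        if len(self.half_open) >= self.backlog:
            self.refused_syns += 1
            return False
        self.half_open[client] = {"retries": 0, "next_send": now + self.rto}
        return True

    def on_ack(self, client: Client, now: float) -> bool:
        """Final ACK received. Returns True if it completed a pending handshake."""
        if self.half_open.pop(client, None) is None:
            return False  # no matching half-open entry: stray ACK
        self.established.add(client)
        return True

    def tick(self, now: float) -> int:
        """Timer expiry: retransmit SYN-ACK for overdue entries with exponential
        backoff, drop entries that have used up their retries. Returns the
        number of SYN-ACKs retransmitted on this tick."""
        retransmitted = 0
        for client, entry in list(self.half_open.items()):
            if now < entry["next_send"]:
                continue
            if entry["retries"] >= self.max_retries:
                del self.half_open[client]
                self.expired += 1
            else:
                entry["retries"] += 1
                entry["next_send"] = now + self.rto * (2 ** entry["retries"])
                retransmitted += 1
        return retransmitted


def run_scenario() -> Dict[str, object]:
    """Two probing clients send SYNs and never answer; a legitimate client is
    refused while the (tiny) table is full and succeeds once the probes expire."""
    srv = Listener(backlog=2, max_synack_retries=2, rto=1.0)
    probe_a: Client = ("198.51.100.7", 40001)  # constructed addresses
    probe_b: Client = ("198.51.100.7", 40002)
    legit: Client = ("203.0.113.5", 51000)

    srv.on_syn(probe_a, 0.0)
    srv.on_syn(probe_b, 0.0)
    refused = not srv.on_syn(legit, 0.5)            # table full: refused
    retrans: List[int] = [srv.tick(t) for t in (1.0, 3.0, 7.0)]  # 2 retries, then expiry
    accepted_later = srv.on_syn(legit, 7.5)        # slots free again
    completed = srv.on_ack(legit, 7.6)
    return {
        "refused_while_full": refused,
        "retransmits_per_tick": retrans,
        "expired_probes": srv.expired,
        "accepted_later": accepted_later,
        "completed": completed,
        "half_open_now": len(srv.half_open),
        "established": sorted(srv.established),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes visible is that an unanswered SYN costs the server a table slot for the whole retransmit schedule (here 1 + 2 + 4 seconds), while a completed handshake frees its slot immediately; that asymmetry is why backlog size and SYN-ACK retry limits are tunable on real stacks.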


Bruce Chambers

May 7, 2009, 11:38:49 PM5/7/09


Assuming one is silly enough to leave that NAT router set to factory
defaults.....


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot

ToddAndMargo

May 8, 2009, 2:00:41 AM5/8/09
Brian A. wrote:
> <snip>
>> The trouble with NAT is that the bad guys just slap their
>> guess as to what your internal off Internet address on
>> to their probe. They find you very quickly if your internal
>> off Internet address is 192.168.0.xxx. (Recommendation:
>> pick an internal address other than 192.168.0.0/24 or
>> 192.168.1.0/24.)
>>
>> NAT does not stop incoming requests called SYN (TCP) or
>> state "New" (TCP or UDP). It only stops traffic not
>> properly addressed to your internal network. Enough
>> guessing and the bad guys will find you.
>
> If that were to be true, every network in the universe would be no
> more, Port probes are being performed 24/7 and have been for years.
>
> The Client sends a SYN to the Server requesting a connection.
> The Server sends back a SYN-ACK to the Client acknowledging the request.
> The Client responds with an ACK and the connection is completed.
>
> Port probes are looking for any open Port, and if they don't find one,
> they move on to the next possible victim without ever responding with an
> ACK to the Server. Without an ACK response from the Client, the Server
> will wait X amount of time before sending another SYN-ACK, then again,
> and again, etc. until it reaches its max set of times to send. It's
> when a Server is overwhelmed with these Half-Open connections that it
> becomes a real issue.
>

Hi Brian,

You are correct. You are missing that the probe can include an
internal address as well as the required external address.

An unsuccessful sample attack on my machine for you:

kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0

Translation:
SRC is my NAT router (192.168.1.1) on my 1st Ethernet port

DST is a virtual machine (192.168.1.46) on my second Ethernet
port that has not run for over three weeks (currently off)

SYN is a SYN packet

The probe got right through my NAT router (and got stopped by my
software firewall). NAT is a good idea in a lot of ways.
And it does stop tons of state=new packets. But, as I have
shown, you can poke through it. It takes a lot more skill,
so it does cut way down on the bad guys attempt to probe
you. But it does not stop all unsolicited state=new probes.
This is why I am telling everyone that doubts me that
*NAT is not a firewall*.

-T
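A parser for netfilter LOG lines of the kind quoted in the post, with a check that picks out bare SYNs (new-connection attempts, no ACK flag) aimed at a private address. Added example, not from the thread: the first sample line is the one posted above, the other two are constructed to show traffic that should not be flagged. Note the log prefix ("Incomming SYN") is free text before the first `IN=` field and is deliberately kept out of the flag set, otherwise the word SYN in the prefix would be mistaken for the TCP flag.

```python
"""Parse netfilter LOG lines and flag TCP new-connection attempts (SYN without
ACK) whose destination is an RFC 1918 private address.
Added example; sample lines 2 and 3 are constructed."""
import ipaddress
from typing import Dict, List, Set

SAMPLE_LOG: List[str] = [
    # the line posted in the thread
    'kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46 '
    'LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80 '
    'WINDOW=8192 RES=0x00 SYN URGP=0',
    # constructed: packet of an established connection (ACK set), not new
    'kernel: Incomming ACK IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46 '
    'LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=229 DF PROTO=TCP SPT=1030 DPT=80 '
    'WINDOW=8192 RES=0x00 ACK URGP=0',
    # constructed: UDP datagram, no TCP flags; note LEN= appears twice
    'kernel: Incomming UDP IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46 '
    'LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=230 DF PROTO=UDP SPT=53 DPT=40000 LEN=58',
]


def parse_netfilter_line(line: str) -> Dict[str, object]:
    """Split a LOG line into its free-text prefix, KEY=VALUE fields and bare
    tokens (DF, SYN, ACK, ...) which netfilter prints without a value."""
    tokens = line.split()
    start = next((i for i, tok in enumerate(tokens) if tok.startswith("IN=")), None)
    if start is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    # everything before IN= is the user-supplied --log-prefix (plus "kernel:")
    prefix = " ".join(tokens[:start]).replace("kernel:", "", 1).strip()
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in tokens[start:]:
        if "=" in tok:
            key, value = tok.split("=", 1)   # OUT= and MAC= may be empty
            fields.setdefault(key, value)    # keep the first LEN= (IP layer)
        else:
            flags.add(tok)
    return {"prefix": prefix, "fields": fields, "flags": flags}


def classify(line: str) -> Dict[str, object]:
    """Summarise one line: is it a TCP new-connection attempt, and is the
    destination a private address?"""
    rec = parse_netfilter_line(line)
    fields, flags = rec["fields"], rec["flags"]
    new_connection = (
        fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags
    )
    dst = fields.get("DST")
    dst_private = bool(dst) and ipaddress.ip_address(dst).is_private
    return {
        "src": fields.get("SRC"),
        "dst": dst,
        "dport": fields.get("DPT"),
        "new_connection": new_connection,
        "dst_private": dst_private,
    }


def unsolicited_new_connections(lines: List[str]) -> List[Dict[str, object]]:
    """Lines worth a second look: bare SYNs toward a private destination."""
    return [c for c in map(classify, lines) if c["new_connection"] and c["dst_private"]]


if __name__ == "__main__":
    for hit in unsolicited_new_connections(SAMPLE_LOG):
        print("new connection attempt: %(src)s -> %(dst)s:%(dport)s" % hit)
```

A flagged line only says that a SYN arrived on the inside interface with a private destination; it does not say where the packet was generated. Pairing the SRC address with the interface it arrived on (here `IN=eth1`) is what tells you whether the sender is the router itself, another LAN host, or something forwarded from outside.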

John John - MVP

May 8, 2009, 6:55:13 AM5/8/09

From where was the probe launched?

John

John John - MVP

May 8, 2009, 10:47:22 AM5/8/09

Let's forget the *NAT is not a firewall* business, this is not a
disputed point, we know that NAT is not a firewall but by its nature it
has firewall like qualities.

What we don't buy is your assertion that NAT is flimsy to the point
where it can be broken by the most simple scanning techniques, that
almost anything can just easily shoot through it. Many years ago when
NAT was designed the network engineers who put it together would have
had to have security in mind, they would have known about network
intrusions. These engineers knew that their design had to be robust
enough to keep the bad guys out, willingly or unwillingly it had to be
part of the design. If what you say is true NAT would not have made it
past the starting gate, the engineers would have presented their new
"baby" to the world and in less than 24 hours it would have been
completely hacked and the project would have fallen apart! There is
*absolutely* no way that NAT would have become accepted if it could have
been so easily broken, no one today would be using it, certainly
Microsoft's Internet Connection Sharing (ICS) would have never seen
daylight. Like Brian said, "probes are being performed 24/7 and have
been for years". If you log intrusion attempts the router log will
probably fill up rather quickly. Instead of logging at the router
perhaps you should use a third party firewall or a tool like Wireshark
and log on your computer on the inside of the NAT device and see what is
actually making it past the router to your computer.

I think that the point that you are leaving out of the picture is that
NAT only allows *solicited* traffic past the gate. It sort of works
like this:

"John John" sends a message to "ToddAndMargo", NAT forwards the message
and remembers this, it "waits" for a reply from ToddAndMargo and when
the reply arrives from ToddAndMargo NAT sends it to John John. While
NAT waits for solicited replies "TomDick&Harry" come by trying to send a
message to John John and NAT says: "John John didn't ask for anything
from "any Tom, Dick and Harry", NAT tells them to get lost and drops the
message, the unsolicited packets never make it any further than this.
Whether or not "any Tom, Dick and Harry" know that John John is home is
almost completely irrelevant, what matters is whether or not John John
invited them in, that invitation is next to impossible to fake!

NAT works like this:

*Outgoing Packet at the NAT*

The NAT will intercept this outgoing packet and create a port mapping
using the destination IP address (server), destination port, external IP
address of the NAT, external port, network protocol, and the internal IP
address and port from the client.

The NAT will maintain a table of these mappings, storing this port
mapping in the table. The external IP address and port are the public IP
address and port to be used by for this data traffic in place of the
internal client's IP address and port.

The NAT then "translates" the packet by swapping the source fields of
the packet from the private, internal IP address and port of the client
to the public, external IP address and port of the NAT.

The packet is then sent on the external network (the Internet) to
eventually reach the intended server.

*Incoming Packet at the NAT*

The NAT receives these packets from the server and compares them to its
table of port mappings. If the NAT finds a port mapping where the source
IP address, source port, destination port, and network protocol of the
incoming packet match the remote host IP address, remote port, external
port, and network protocol of the port mapping, the NAT will perform a
reverse translation. The NAT replaces the external IP address and
external port in the destination fields of the packet with the client's
private IP address and internal port. This is an example of solicited
incoming traffic. The NAT silently discards unsolicited incoming traffic
that does not match a port mapping.

The NAT then sends the packet on the internal network to the client.

Overview of Network Address Translation (NAT) in Windows XP
http://technet.microsoft.com/en-us/library/bb457077.aspx

You are leaving out the part about port mappings, router tables and
*unsolicited* requests from your intrusion scenario. Of course without
these NAT would be next to completely useless, such a flimsy and
completely insecure setup could never be exposed to the internet, you
would have to place a firewall between it and the internet. But NAT is
not designed in such a flimsy manner.

Of course this brings a catch 22 or a chicken or the egg kind of
dilemma. If NAT only allows solicited requests how can anything move
about, somewhere along the line someone has to accept an unsolicited
request. That is what your ISP does with its servers and expensive
border routers, these systems are designed to accept unsolicited
requests, they use different methods to keep the unwanted out, your ISP
may require you to logon to a server or it may only accept unsolicited
requests from known IP or MAC addresses. Without expensive border
routers and elaborate security setups anyone else has to punch holes in
NAT to allow it to pass unsolicited requests, you have to open ports in
the router. If your router is properly secured outsiders cannot open
ports or punch holes in it. And for your simple probes to make it
through masqueraded as solicited traffic they would have to actually
break in to the router and hack the mapping tables! The only other way
that I can think that one may make it in under the guise of solicited
traffic would be by way of a "Man in the middle" attack, not such an
easy thing to to. Much easier to send in malware and have it open holes
from the inside for you.

John
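The port-mapping table described in the post above, written out as a small simulator. This is an added example and not the thread's or Microsoft's code: an outbound packet creates a mapping keyed on protocol, remote address, remote port and the external port the NAT chose; an inbound packet is translated back only if it matches such a mapping and is addressed to the NAT's public address; everything else is silently discarded. The addresses 198.51.100.1 (public side of the NAT), 203.0.113.10 and 203.0.113.99 (remote hosts) are constructed documentation-range values, and the matching rule models the address-and-port restricted behaviour the post describes; real consumer routers vary in how strictly they match.

```python
"""Simulated NAT mapping table: outbound packets create mappings, inbound
packets are delivered only when they match one.
Added example; all addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""   # e.g. "SYN", "SYN-ACK"


# (proto, remote_ip, remote_port, external_port) -> (internal_ip, internal_port)
MappingKey = Tuple[str, str, int, int]
# (proto, internal_ip, internal_port, remote_ip, remote_port) -> external_port
InternalKey = Tuple[str, str, int, str, int]


class NatBox:
    def __init__(self, external_ip: str, first_external_port: int = 40000):
        self.external_ip = external_ip
        self._next_port = first_external_port
        self.mappings: Dict[MappingKey, Tuple[str, int]] = {}
        self._by_internal: Dict[InternalKey, int] = {}
        self.discarded = 0  # unsolicited inbound packets dropped

    def outbound(self, pkt: Packet) -> Packet:
        """Create (or reuse) a mapping and rewrite the source to the public side."""
        ikey: InternalKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._by_internal.get(ikey)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self._by_internal[ikey] = ext_port
            self.mappings[(pkt.proto, pkt.dst_ip, pkt.dst_port, ext_port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a packet from the outside, or drop it."""
        if pkt.dst_ip != self.external_ip:
            self.discarded += 1   # not addressed to the NAT's public address
            return None
        hit = self.mappings.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if hit is None:
            self.discarded += 1   # no mapping: unsolicited, silently dropped
            return None
        int_ip, int_port = hit
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo() -> Dict[str, object]:
    """Walk one solicited exchange and three kinds of unsolicited packet."""
    nat = NatBox("198.51.100.1")
    client_ip, client_port = "192.168.1.46", 1030
    # 1. the internal client opens a connection to a web server
    translated = nat.outbound(Packet("TCP", client_ip, client_port, "203.0.113.10", 80, "SYN"))
    # 2. the server's reply matches the mapping and reaches the client
    reply = nat.inbound(Packet("TCP", "203.0.113.10", 80, nat.external_ip,
                               translated.src_port, "SYN-ACK"))
    # 3. a SYN to the public address that nobody asked for: no mapping
    unsolicited = nat.inbound(Packet("TCP", "203.0.113.99", 5555, nat.external_ip, 80, "SYN"))
    # 4. the right external port but a different remote host: still no mapping
    wrong_peer = nat.inbound(Packet("TCP", "203.0.113.99", 80, nat.external_ip,
                                    translated.src_port, "SYN-ACK"))
    # 5. a packet arriving on the outside already carrying the private address
    private_dst = nat.inbound(Packet("TCP", "203.0.113.99", 5555, client_ip, 80, "SYN"))
    return {"translated": translated, "reply": reply, "unsolicited": unsolicited,
            "wrong_peer": wrong_peer, "private_dst": private_dst,
            "discarded": nat.discarded}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Case 5 is the scenario the thread argues about: a packet that reaches the NAT's outside interface with an internal address already in its destination field has nothing to match against and is dropped like any other unsolicited packet. What actually opens a path inward is an entry in the table, which only outbound traffic (or an explicit port forward / DMZ setting on the router) creates.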

ToddAndMargo

May 8, 2009, 2:59:07 PM5/8/09
John John - MVP wrote:

Hi John,

You made me do a lot of research to double check myself. For
an online firewall check to shoot through NAT would require
a full out spoof attack. Not something a free firewall checking
service would consider doing.

NAT makes it very, very hard to break through, but not impossible.

Here are good articles on NAT vulnerabilities:

http://www.velocityreviews.com/forums/t201835-nat-router-being-hacked-.html
http://whirlpool.net.au/wiki/?tag=DSL_modemS02_04

I am also somewhat embarrassed as to not taking my own recommendations
as to not using 192.168.0.0/24, which I will change shortly.

What triggered my question is a customer who relies on NAT (only,
no firewall), and he is constantly getting tagged with one
v1rus or another. I am trying to get him off IE, get a
standardized decent antivirus, software firewall, and a *real*
firewall.

The reason I am suspicious of the NAT only router is the machines
that seem to get tagged are usually just sitting there not being used.
Not being used, as the users are afraid to use them -- threats
from the management and all. They are supposed to file a single
report once a day on the Internet. Otherwise, they just sit there.
(Sit there collecting v1ruses.)

I was looking for a way to show him he needed to upgrade to
a real firewall. I have been told that the SonicWALL TZ180 is
good. Any thoughts?

-T

Leythos

May 8, 2009, 4:29:10 PM5/8/09
In article <OaNoS8A0...@TK2MSFTNGP04.phx.gbl>,
ToddAn...@invalid.com says...

> What triggered my question is a customer who relies on NAT (only,
> no firewall), and he is constantly getting tagged with one
> v1rus or another. I am trying to get him off IE, get a
> standardized decent antivirus, software firewall, and a *real*
> firewall.
>

NAT has nothing to do with him getting malware on his system.

With all of the issues that have been in the media, anyone getting
malware has just got to be stupid, at least for the most part.

If you want to secure a business, since they will never do the right
thing, at least with all my years of dealing with businesses....

Install a firewall that allows content filtering - block EXE, DLL,
etc... from all connections except the Server or a IT Admin's
workstation. You also AV/content filter SMTP, FTP, HTTP, HTTPS sessions
and you block all IN/OUT connections that are not explicitly needed for
business (which should be the standard for any firewall solution)

Install a managed, corporate type AV solution - like Symantec End Point
Protection - don't give users control of the settings or the ability to
disable it on their workstations.

Install IE settings via Group Policy that the users can't change...

Make all computer users LOCAL USERS, NOT Local Admins....

IE works fine, just make all updates automatic install.

With the above ideas and a little more, I've managed to secure networks
all over the USA and not had a single managed network compromised in my
entire history.

Twayne

May 8, 2009, 5:01:05 PM5/8/09

You appear to be looking for an argument here. First of all, if your
router is half-fast working, they'll never get a connect to you to even
see your internal IP.

I believe it was you intimated NAT was a firewall; so you reap what you
posted when people try to help you with your own words and apparent
understanding. There's a LOT more to it than NAT, and properly used, it
does do a pretty decent job of keeping drive-bys from ever even
realizing you're sitting there. I think you need to do a little more
research. Either that or you already know what you want to see as an
answer and want to insist on it.

Either way, you're wasting ether IMO. Mental plonk imposed.


Twayne

May 8, 2009, 5:10:32 PM5/8/09
A well written response, Leythos. Except I'd say "ignorant" instead of
"stupid" in your second para, otherwise it's spot on IMO.
The reason I say ignorant is the main targets of the
spammer/scammer/social scoundrels often hook the newbie and
inexperienced who haven't yet encountered the problems or had anyone to
lead them to the right areas for Security. There are so many different
things for them to learn, even as they start to pick up on security,
they often go right on inviting the malware in. The anonymity of the
'net sucks.
Twayne

Leythos

May 8, 2009, 8:34:18 PM5/8/09
In article <OjlIBgC0...@TK2MSFTNGP03.phx.gbl>,
nob...@devnull.spamcop.net says...

> The reason I say ignorant is the main targets of the
> spammer/scammer/social scoundrels often hook the newbie and
> inexperienced who haven't yet encountered the problems or had anyone to
> lead them to the right areas for Security.
>

I disagree. I had a client's wife get an email from her "Bank" talking
about doing a security update and needing her to send them her
user/password and SSN to verify it. This person had been warned many
times, they had also been sent emails multiple times about these things,
they had even seen them in the past and then commented on them (from
other banks).... The news media even did an article on this same type of
threat a month before, it was on several channels and even in the
newspaper.

We all, and I mean everyone, know that this is a threat and common
method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still
falling for it.

Twayne

May 8, 2009, 8:57:28 PM5/8/09
Leythos wrote:
> In article <OjlIBgC0...@TK2MSFTNGP03.phx.gbl>,
> nob...@devnull.spamcop.net says...
>> The reason I say ignorant is the main targets of the
>> spammer/scammer/social scoundrels often hook the newbie and
>> inexperienced who haven't yet encountered the problems or had anyone
>> to lead them to the right areas for Security.
>>
>
> I disagree. I had a client's wife get an email from her "Bank" talking
> about doing a security update and needing her to send them her
> user/password and SSN to verify it. This person had been warned many
> times, they had also been sent emails multiple times about these
> things, they had even seen them in the past and then commented on
> them (from other banks).... The news media even did an article on
> this same type of threat a month before, it was on several channels
> and even in the newspaper.
>
> We all, and I mean everyone, know that this is a threat and common
> method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still
> falling for it.

Hoo boy! Hard to argue with that, and in retrospect, I've come across
it myself just not to that extreme. That I know of anyway. Hope they
didn't lose their asses over it.
I do think however that it still fits the mold of the inexperienced,
although I can agree to disagree on that point. Hopefully she didn't
lose too much but got enough of a scare to remember it for next time!
But I certainly can't dispute the "stupid" part either.

Regards,

Twayne

Leythos

May 8, 2009, 9:59:18 PM5/8/09
In article <#ygddEE0...@TK2MSFTNGP06.phx.gbl>,
nob...@devnull.spamcop.net says...

She was lucky, I had just sent an email to clients about the increase in
FAKE BANK spam we were seeing and her Husband sent it home to her. She
called me and I had her call the Banks - they had already put a hold on
all of her accounts because of "suspicious" activity - she actually
provided them with her complete identity and account access. We sent the
information (complaint and email + headers) to the state's ATTY General
as well as the FBI. An interesting note: I traced the website and email
to a hacked server in Italy that was still online at the time.

Twayne

May 8, 2009, 10:51:18 PM5/8/09
So tell me, why do you love pcbutts


"Leythos" <spam9...@rrohio.com> wrote in message

news:004a8755$0$24257$c3e...@news.astraweb.com...

Leythos

May 8, 2009, 11:09:51 PM5/8/09
In article <Kc6Nl.22445$9J5....@newsfe13.iad>,
nob...@devnull.spamcop.net says...

> So tell me, why do you love pcbutts
>

Do you really think it's a place to discuss that? This is a XP group and
should be limited to discussions about XP and solutions presented for
problems related to XP.

Brian A.

May 8, 2009, 11:26:08 PM5/8/09

And what makes you think that's a probe instead of a real request? You
mention the DST is a VM, how is that connected to physical port on the
router? Being that it is a VM, what security measures are in place for it?
Being a VM does not make it secure. What is the VM used for, any type of
server or service?

John John - MVP

May 9, 2009, 8:55:38 AM5/9/09
ToddAndMargo wrote:

> What triggered my question is a customer who relies on NAT (only,
> no firewall), and he is constantly getting tagged with one
> v1rus or another. I am trying to get him off IE, get a
> standardized decent antivirus, software firewall, and a *real*
> firewall.
>
> The reason I am suspicious of the NAT only router is the machines
> that seem to get tagged are usually just sitting there not being used.
> Not being used, as the users are afraid to use them -- threats
> from the management and all. They are supposed to file a single
> report once a day on the Internet. Otherwise, they just sit there.
> (Sit there collecting v1ruses.)
>
> I was looking for a way to show him he needed to upgrade to
> a real firewall. I have been told that the SonicWALL TZ180 is
> good. Any thoughts?

SonicWALL has a very good reputation, they are amongst the few that
make reasonably affordable business class routers. But I can't give any
recommendations on any particular model because I don't have any
experience with their products and, more importantly, I don't know the
topology of the network where the product is meant to be installed.

Furthermore, you should listen to what Leythos told you, the virus
problems almost certainly have nothing to do with NAT or the router
being used! Installing a new router will not resolve any virus problems
that are going around on the internal LAN.

John

Twayne

May 9, 2009, 11:40:21 AM5/9/09
Leythos wrote:
> In article <Kc6Nl.22445$9J5....@newsfe13.iad>,
> nob...@devnull.spamcop.net says...
>> So tell me, why do you love pcbutts
>>
>
> Do you really think it's a place to discuss that? This is a XP group
> and should be limited to discussions about XP and solutions presented
> for problems related to XP.

No, I do not. That's the imposter at work; not me.

Twayne


Leythos

May 9, 2009, 12:33:24 PM5/9/09
In article <ugxMzxL0...@TK2MSFTNGP04.phx.gbl>,
nob...@devnull.spamcop.net says...

Sorry, you're right, I failed to check the headers to verify it was you
before I hit send in my reply.

ToddAndMargo

May 9, 2009, 3:47:46 PM5/9/09
John John - MVP wrote:

> Furthermore, you should listen to what Leythos told you, the virus
> problems almost certainly have nothing to do with NAT or the router
> being used! Installing a new router will not resolve any virus problems
> that are going around on the internal LAN.
>
> John

Oh I certainly am. A real firewall is only one of several parts I
want to implement. I think I said what they are in a previous post.

My only disagreement with Leythos was the stupid comment. All you
have to do is "visit" a compromised web site with Internet Explorer
and you are infected. The user has no control over it, except
stop using IE.

Thank you for the tip on Sonic Wall. I appreciate your input.

These guys with their 127.0.0.1 for compromised sites go
a long way to protecting you too:

http://www.mvps.org/winhelp2002/hosts.htm

-T
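The hosts-file approach Todd points to works by mapping a known-bad hostname to a sinkhole address so the browser's connection goes nowhere. The following is an added example, not from the thread or from the mvps.org list; it parses a constructed hosts file in that style and checks which URLs it would actually stop, including the two gaps a practitioner should know about: an entry blocks only the exact hostname (a subdomain slips through unless you also match parent domains, which the hosts file itself cannot do), and URLs that use an IP literal never consult the hosts file at all. The sample entries and the `.example` names are constructed for the demonstration.

```python
"""Hosts-file blocklist checker (added example; the sample entries are constructed)."""
import ipaddress
from typing import Set
from urllib.parse import urlsplit

# Addresses commonly used to sink a hostname: loopback (the 2009 mvps.org style) and 0.0.0.0.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the hosts-file style; these names are not from any real list.
SAMPLE_HOSTS = """\
# comments and blank lines are ignored
127.0.0.1 localhost
127.0.0.1 ad-server.example        # mapped to loopback: the connection goes nowhere
127.0.0.1 malware-dropper.example
0.0.0.0   tracker.example          # 0.0.0.0 is the other common sinkhole address
192.0.2.10 intranet.example        # a real mapping, not a block entry
"""


def parse_hosts(text: str) -> Set[str]:
    """Return the set of hostnames the file sinkholes (entries pointing at a sinkhole address)."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLES:
            continue                              # a genuine address mapping, not a block
        for name in names:
            name = name.lower().rstrip(".")
            if name not in ("localhost", "localhost.localdomain"):
                blocked.add(name)
    return blocked


def is_blocked(url: str, blocked: Set[str], match_parent_domains: bool = False) -> bool:
    """Would this URL's hostname be sinkholed?

    With match_parent_domains=False this mirrors what a hosts file really does:
    exact-hostname matching only.  Set it to True to see which URLs a proxy or
    DNS filter with wildcard matching would additionally catch.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                              # IP-literal URLs bypass the hosts file entirely
    except ValueError:
        pass
    if host in blocked:
        return True
    if match_parent_domains:
        labels = host.split(".")
        return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))
    return False


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for u in ("http://Ad-Server.example/banner.js",
              "http://cdn.tracker.example/pixel.gif",
              "http://192.0.2.55/payload.exe"):
        print(u, "exact:", is_blocked(u, blocked),
              "with parent match:", is_blocked(u, blocked, match_parent_domains=True))
```

The last two cases are the ones to remember when relying on a hosts file as a layer: the `cdn.tracker.example` URL is not stopped even though `tracker.example` is listed, and the IP-literal URL is never looked up at all.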

ToddAndMargo

May 9, 2009, 3:55:28 PM

Hi Brian,

Looking over that report, it is not a good example. It is my idiot
Verizon DSL modem probing my port 80 looking to see if I am running
a web page.

Searching through my logs, I have not found one this week. But
trust me, they are there. I have even heard Kim Komando say
she sees them occasionally on her firewall logs. I believe they
are spoofed packets.

Host: CentOS 5.3
Guests: XP-Pro-SP3, Vista, W7rc, Kubuntu, LiveCD/Bart test

I am a busy guy. Interesting when you see/use several
OS's how the religious extremism melts away. They all
have their strengths and weaknesses. The only one
I really don't like is Vista. But, the good news is that
w7 really, really cleaned Vista up (except for XP program
compatibility, but they are working on an "XP" box).

-T

Shenan Stanley

May 9, 2009, 7:01:44 PM
<snipped>
Read the entire conversation:
http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/3c579a58e5ce5a68/

Leythos wrote:
<snip>


> With all of the issues that have been in the media, anyone getting
> malware has just got to be stupid, at least for the most part.

<snip>

<snipped>

ToddAndMargo wrote:
<snip>


> My only disagreement with Leythos was the stupid comment. All you
> have to do is "visit" a compromised web site with Internet Explorer
> and you are infected. The user has no control over it, except
> stop using IE.

<snip>

Seriously?

I am surprised (given your other comments) you can say something like, "The
user has no control over it, except stop using IE." Not all problems
center around Microsoft created anything. You can (and people do) get
infested/infected using all sorts of different browsers. ;-)

I do disagree with the Leythos quote (above - although I haven't checked to
confirm it was actually Leythos who posted it) in that people can be
intelligent and even careful and still get infested/infected; but for you to
say that the users have no control over such things except to stop using
Internet Explorer - that does show some level of at least self-inflicted
blindness on your part.

I personally use Firefox and Internet Explorer just about evenly. I use IE7
for the most part but have 'upgraded' to IE8 on several machines. In many
ways - some of the features others may find useful, I find a bit annoying -
but I am sure I will get used to them and even probably miss them eventually
on non-'upgraded' machines.

For the most part - users of the machines I help manage utilize IE7. They
have the option (always have) of using Firefox - but some (could be because of
limitations of web pages and plugins they have to use) don't use it at all
and others only click on it infrequently (sometimes I think out of curiosity
or strange accident.) There are some that use it a lot, excluding when they
need to use the certain pages I alluded to.

*None* have become infected/infested. They've had scares (in both cases) -
but thanks to the setup (which consists mainly of them being 'user-level'
and protected by AV/AS with the built-in firewall enabled and most behind a
drawbridge firewall - the latter two of which have little effect in this
discussion of spyware/adware infection via web pages) they have not been
infested/infected in the years I have been around and helping to manage
them.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


ToddAndMargo

May 9, 2009, 10:30:07 PM
Shenan Stanley wrote:
>
> Leythos wrote:
> <snip>
>> With all of the issues that have been in the media, anyone getting
>> malware has just got to be stupid, at least for the most part.
> <snip>
>
> <snipped>
>
> ToddAndMargo wrote:
> <snip>
>> My only disagreement with Leythos was the stupid comment. All you
>> have to do is "visit" a compromised web site with Internet Explorer
>> and you are infected. The user has no control over it, except
>> stop using IE.
> <snip>

> Seriously?
>
> I am surprised (given your other comments) you can say something like, "The
> user has no control over it, except stop using IE." Not all problems
> center around Microsoft created anything. You can (and people do) get
> infested/infected using all sorts of different browsers. ;-)

I like to use several overlapping security features to protect
my users. One of them is to get off IE. IE has a L-O-N-G soiled
reputation for being security swiss cheese. And, yes, if a
user lands on a compromised site, he typically has no control
over it, depending on the virus.

By the way, Mozilla pays for security bugs last I heard. And,
they usually fix them in two days. Compare that with IE, which
is a week to never.

There is no religious extremism here. It is just the way it
is. IE is just bad (security) code. There are all sorts of
charts out on the Internet comparing security problems in
Firefox to IE. They will open your eyes. Microsoft makes
other good stuff -- don't get your knickers in a twist.

-T

Shenan Stanley

May 9, 2009, 11:43:41 PM

Leythos wrote:
<snip>
> With all of the issues that have been in the media, anyone getting
> malware has just got to be stupid, at least for the most part.
<snip>

<snipped>

ToddAndMargo wrote:
<snip>
> My only disagreement with Leythos was the stupid comment. All you
> have to do is "visit" a compromised web site with Internet
> Explorer and you are infected. The user has no control over it,
> except stop using IE.
<snip>

Shenan Stanley wrote:
> Seriously?
>
> I am surprised (given your other comments) you can say something
> like, "The user has no control over it, except stop using IE." Not all
> problems center around Microsoft created anything. You can
> (and people do) get infested/infected using all sorts of different
> browsers. ;-)

ToddAndMargo wrote:
> I like to use several overlapping security features to protect
> my users. One of them is to get off IE. IE has a L-O-N-G soiled
> reputation for being security swiss cheese. And, yes, if a
> user lands on a compromised site, he typically has no control
> over it, depending on the virus.
>
> By the way, Mozilla pays for security bugs last I heard. And,
> they usually fix them in two days. Compare that with IE, which
> is a week to never.
>
> There is no religious extremism here. It is just the way it
> is. IE is just bad (security) code. There are all sorts of
> charts out on the Internet comparing security problems in
> Firefox to IE. They will open your eyes. Microsoft makes
> other good stuff -- don't get your knickers in a twist.

Let's do clarify one thing - if Microsoft disappeared tomorrow completely -
I could care less. No celebration, no mourning - just a different day.

It was not that you were attacking Microsoft that prompted my response - it
was/is the inference of "you'll be safe if you don't use IE" in the
statement you made I was referring to. A little too specific to ring true.
If you had said the same thing about Opera or FireFox - the response would
have been no different.

Reputations (good and bad) are often exaggerated to ridiculous proportions
by such blanket statements such as the one you made. I just wanted to chime
in before someone read it and took it as gospel.

While I personally will (and have) recommend people use alternative browsers
(to Internet Explorer) for various reasons, including security - the
statement you made should have been broader, IMO.

'These days, all you have to do is "visit" a compromised web site and you
may get infected/infested.'

You may be using the latest Firefox, the latest Opera, the latest Internet
Explorer with the latest patches on each of them. You might even have other
protections in place beyond that afforded to you by the browsers themselves.
You can still be blind-sided and that changes every day.

Give and take.

ToddAndMargo

May 10, 2009, 12:40:30 AM

> It was not that you were attacking Microsoft that prompted my response - it
> was/is the inference of "you'll be safe if you don't use IE" in the
> statement you made I was referring to. A little too specific to ring true.
> If you had said the same thing about Opera or FireFox - the response would
> have been no different.

"Safer." Not completely safe. It is like you are about to
choose a plane to fly on. You could go with the one with
both wings about to fall off or the one with the bad seats.

"Safer". I never meant to imply complete safety. If I am
remembering the charts I have looked at, IE is about 4 times
more likely to have security holes than FF. FF also fixed
security holes much, much faster.

And FF is not the file system. IE and Windows Explorer (WE)
are the same thing. Compromise IE and you have compromised
your file system. Now that deserves the title of "stupid".
You can do a lot more damage with IE/WE than you can FF.

> You can still be blind-sided and that changes every day.

True. I think I will pick the plane with the bad seats.

-T

Shenan Stanley

May 10, 2009, 1:36:51 AM

<snipped>

Shenan Stanley wrote:
> Let's do clarify one thing - if Microsoft disappeared tomorrow
> completely - I could care less. No celebration, no mourning - just
> a different day.
>
> It was not that you were attacking Microsoft that prompted my
> response - it was/is the inference of "you'll be safe if you don't
> use IE" in the statement you made I was referring to. A little too
> specific to ring true. If you had said the same thing about Opera
> or FireFox - the response would have been no different.
>
> Reputations (good and bad) are often exaggerated to ridiculous
> proportions by such blanket statements such as the one you made. I
> just wanted to chime in before someone read it and took it as
> gospel.
>
> While I personally will (and have) recommend people use alternative
> browsers (to Internet Explorer) for various reasons, including
> security - the statement you made should have been broader, IMO.
>
> 'These days, all you have to do is "visit" a compromised web site
> and you may get infected/infested.'
>
> You may be using the latest Firefox, the latest Opera, the latest
> Internet Explorer with the latest patches on each of them. You
> might even have other protections in place beyond that afforded to
> you by the browsers themselves. You can still be blind-sided and
> that changes every day.
>
> Give and take.

ToddAndMargo wrote:
> "Safer." Not completely safe. It is like you are about to
> choose a plane to fly on. You could go with the one with
> both wings about to fall off or the one with the bad seats.
>
> "Safer". I never meant to imply complete safety. If I am
> remembering the charts I have looked at, IE is about 4 times
> more likely to have security holes than FF. FF also fixed
> security holes much, much faster.
>
> And FF is not the file system. IE and Windows Explorer (WE)
> are the same thing. Compromise IE and you have compromised
> your file system. Now that deserves the title of "stupid".
> You can do a lot more damage with IE/WE than you can FF.
>
> True. I think I will pick the plane with the bad seats.

The possibility of mis-interpretation of your original statement is lowered
greatly now. Thanks.

However - if you would like to provide web links to these charts you looked
at - that would be great.

ToddAndMargo

May 10, 2009, 2:01:18 AM
Shenan Stanley wrote:

> However - if you would like to provide web links to these charts you looked
> at - that would be great.

Just do a Google Search.

Here is one: http://news.cnet.com/8301-1009_3-10190206-83.html
Note the days it took IE to fix their bugs. The red ones were not
patched as of 12/31/08.

-T

Jim

May 10, 2009, 7:20:45 AM

To ToddandMargo - please realise there is a person that writes here
impersonating MVPs and gives bad advice.

Leythos

May 10, 2009, 7:27:46 AM
In article <ud3wIGS0...@TK2MSFTNGP03.phx.gbl>, newsh...@gmail.com
says...

> It was not that you were attacking Microsoft that prompted my response - it
> was/is the inference of "you'll be safe if you don't use IE" in the
> statement you made I was referring to. A little too specific to ring true.
> If you had said the same thing about Opera or FireFox - the response would
> have been no different.
>

I have thousands of customers that use IE and have never been
compromised. While IE is an exploit path, it's not bad enough in a
properly secured environment that you have to stop using it.

If you employ block-lists of most non-US countries, content filtering at
your firewall, basic Windows security measures, and you keep your
patches updated along with a quality AV solution, there is little real
chance that you will become compromised.

That being said, using IE or Firefox, if you ignore all of the warnings
from the last decade, you WILL be compromised.
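Two points in this thread can be turned into a concrete log check: Todd's review of his firewall logs for probes carrying private (RFC 1918) addresses, and Leythos's use of block-lists of address ranges as one layer. The following added example (not from the thread, and not a feature of any product named in it) parses constructed netfilter/iptables LOG-target lines and classifies each inbound packet: a private, loopback or link-local address as SRC or DST on the WAN interface is a bogon that should never be seen there, however it arrived; a source inside the operator's block-list is flagged; a TCP SYN without ACK is a new connection attempt; everything else is "other". The interface name `eth0`, the RFC 5737 documentation addresses and the single block-list range are assumptions for the demonstration; a real deployment would load published country or ASN ranges instead.

```python
"""Classify netfilter LOG lines: WAN-side bogons, block-listed sources, new TCP connections.

Added example; the log lines, interface name and block-list below are constructed.
"""
import ipaddress
from collections import Counter
from typing import Any, Dict

WAN_IFACE = "eth0"  # assumption: the interface facing the ISP

# Space that must never appear as SRC or DST of a packet arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
    "0.0.0.0/8",                                      # "this" network
)]

# Assumed operator block-list (one RFC 5737 documentation range stands in for real feeds).
BLOCKLIST_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample in iptables LOG format; 192.0.2.9 plays the gateway's WAN address.
SAMPLE_LOG = """\
May  9 14:02:11 gw kernel: FW-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.12 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41234 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May  9 14:02:13 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=50022 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May  9 14:02:15 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May  9 14:02:16 gw kernel: FW-IN: IN=eth1 OUT= SRC=192.168.77.10 DST=192.168.77.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
May  9 14:02:18 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.9 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=14600 RES=0x00 ACK URGP=0
"""


def parse_log_line(line: str) -> Dict[str, Any]:
    """Split KEY=VALUE tokens into a dict; bare upper-case tokens (SYN, ACK, DF) go into FLAGS."""
    fields: Dict[str, Any] = {"FLAGS": set()}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token.isalpha() and token.isupper():
            fields["FLAGS"].add(token)
    return fields


def in_any(addr: ipaddress._BaseAddress, nets) -> bool:
    return any(addr in net for net in nets)


def classify(fields: Dict[str, Any]) -> str:
    """Label one parsed packet. Order matters: bogons first, then block-list, then SYN."""
    if fields.get("IN") != WAN_IFACE:
        return "not-wan"                      # LAN-side traffic; a different policy applies
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if in_any(src, BOGON_NETS) or in_any(dst, BOGON_NETS):
        return "bogon"                        # private/loopback space on the Internet side
    if in_any(src, BLOCKLIST_NETS):
        return "blocklisted"
    flags = fields["FLAGS"]
    if fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
        return "new-tcp"                      # an inbound connection attempt
    return "other"


def summarize(log_text: str) -> Dict[str, int]:
    """Count classifications over every packet line in a log excerpt."""
    return dict(Counter(classify(parse_log_line(l)) for l in log_text.splitlines() if "SRC=" in l))


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_log_line(line)
        print(f"{classify(f):12} {f.get('SRC'):>16} -> {f.get('DST')}:{f.get('DPT')}")
    print(summarize(SAMPLE_LOG))
```

The bogon test is deliberately applied to both ends of the packet: a private source on the WAN side is spoofed or leaked, and a private destination there means a packet addressed to your inside network reached the outside interface, which is exactly the kind of entry worth pulling out of the logs before deciding whether the router in front of it is doing its job.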

Twayne

May 10, 2009, 4:38:13 PM
Leythos wrote:
> In article <ugxMzxL0...@TK2MSFTNGP04.phx.gbl>,
> nob...@devnull.spamcop.net says...
>>
>> Leythos wrote:
>>> In article <Kc6Nl.22445$9J5....@newsfe13.iad>,
>>> nob...@devnull.spamcop.net says...
>>>> So tell me, why do you love pcbutts
>>>>
>>>
>>> Do you really think it's a place to discuss that? This is a XP group
>>> and should be limited to discussions about XP and solutions
>>> presented for problems related to XP.
>>
>> No, I do not. That's the imposter at work; not me.
>>
>> Twayne`
>
> Sorry, you're right, I failed to check the headers to verify it was
> you before I hit send in my reply.

Not a problem; let it flail away. But thanks for the comeback; nice to
see manners in this group; they're getting scarce with "it" around.
Twayne


Twayne

May 10, 2009, 4:46:34 PM
ToddAndMargo wrote:
...

> w7 really, really cleaned Vista up (except for XP program
> compatibility, but they are working an an "XP" box).
>
> -T

What pray tell is "working on an "XP" box"? Completely news to me.

Citations, URL, any verifiable reference at all please?

Regards,

Twayne

ToddAndMargo

May 10, 2009, 9:58:03 PM

Since Twayne is rather well mannered, I presume this is the
impostor. But anyway, if anyone is interested, here is some
good reading material along those lines:

Windows 'XP mode': The new DOS box
http://ifwnewsletters.newsletters.infoworld.com/t/4959983/121124681/188332/0/

Windows 7's 'XP mode': Glitches and annoyances
http://ifwnewsletters.newsletters.infoworld.com/t/4959983/121124681/188333/0/

Microsoft's Windows 7 release candidate goes public
http://ifwnewsletters.newsletters.infoworld.com/t/4959983/121124681/188334/0/


-T

ToddAndMargo

May 10, 2009, 10:16:10 PM
Leythos wrote:

> I have thousands of customers that use IE and have never been
> compromised. While IE is an exploit path, it's not bad enough in a
> properly secured environment that you have to stop using it.

Hi Leythos,

I see computers compromised by IE *all-the-time*.
I recently dispatched Sinowal, which was a really fun one
(it's an MBR virus).

Your use of layered security is a really good
practice. Since IE is far more likely to be compromised
(just do a Google search on "security firefox Internet
explorer") than Firefox, Firefox would be another good layer
for you to add.

Firefox also has "Larry" the traffic cop, which keeps
you off of bad pages -- another good layer of security.
This, especially with AV products going down the dumpers!
(See: http://www.anti-malware-test.com/)

Not that I'd ever recommend this, but I had one
customer who had a three year expired Norton, who
used Firefox because I told her to, never caught a
virus in that three years. Last week I had another
user that I told to use Firefox go a year with
no antivirus at all and not catch anything. (To
come clean, both users were behind NAT.)

In the end, it is about what is the best for the
customer, not in defending one vendor or another's
pride. Except for the IE part, your layering is
a really good practice.

-T

ToddAndMargo

May 10, 2009, 10:27:06 PM
Hi All,

I posted a question about appliance firewall over on
comp.os.linux.networking. A fascinating dialog ensued.
On one of them, a responder gives an extremely scholarly
description on how to protect a Windows network.
Another poster actually excised one of those viruses
that infects web pages. And he gives code and lots of
details. (If you are an apologist for IE and/or Outlook,
I do not recommend you read this, as it will make your
blood boil.)

Start of the dialog:
http://groups.google.com/group/comp.os.linux.networking/browse_thread/thread/be9b419d71480668/ba0977806cda8265?q=toddandmargo#ba0977806cda8265

The firewall how to for Windows:
http://groups.google.com/group/comp.os.linux.networking/browse_thread/thread/be9b419d71480668/ba0977806cda8265?hide_quotes=no#msg_60d9b83112945772

The IFRAME exploit:
http://groups.google.com/group/comp.os.linux.networking/msg/d440ef7f9f620f78?dmode=source

-T

Twayne

May 11, 2009, 1:24:20 PM
ToddAndMargo wrote:
> Hi All,
>
> I posted a question about appliance firewall over on
> comp.os.linux.networking. A fascinating dialog ensued.
> On one of them, a responder gives an extremely scholarly
> description on how to protect a Windows network.
> Another poster actually excised one of those viruses
> that infects web pages. And he gives code and lots of
> details. (If you are an apologist for IE and/or Outlook,
> I do not recommend you read this, as it will make your
> blood boil.)

Not likely to boil my blood; anyone can post anything they want to, real
or imagined, factual or not. There is little supporting information of
any kind that can't be found on the 'net. It's not exactly new to
reference self-serving links, after all.

Barry Schwarz

May 28, 2009, 1:05:33 AM
On Thu, 7 May 2009 15:28:14 -0700, "Leythos" <spam99...@rrohio.com>
wrote:

>Forget my last post I was wrong, you need to format your hd and reinstall
>windows.

For the archives, this is a forged post and the advice is bogus.

--
Remove del for email
