NAT is not a mechanism for securing a network.. but.. HELP! - Page 2
Archived from groups: comp.security.firewalls
In article <878xyrb7yp.fld@barrow.com>, floyd@apaflo.com says...
> Leythos <void@nowhere.lan> wrote:
> >Nope, I think you assumed that the internet, from work, should not be
> >restricted to anyone?
> >
> >In reality there are very few businesses that need to provide ANY
> >internet access to employees while at work. Even ones that need internet
> >access only need limited access in almost every case.
>
> You've stated that several times in various articles. It is a
> bogus claim which assumes that every business is the same as
> yours apparently is. But other businesses have honest,
> intelligent and diligent workers who need to get work done in
> the most efficient and effective way possible, which often means
> unrestricted access to the Internet.
I don't believe that for one instant - I've done support for more than a
hundred corporations in the last 5 years, many government groups, and
I've never seen one company (or learned about one) that required all of
its employees to have complete, open, unrestricted, internet access.
Sure, there are groups in companies that are given it, but the majority
of employees in most companies don't need it to do their jobs.
Prove me wrong, list 5 companies we can check to see that everyone in
them needs full, unrestricted, open, access to the Internet - 5
companies with more than 50 employees.
I await your list.
--
spam999free@rrohio.com
remove 999 in order to email me
In article <i0dpg195ctm1s35dgbd1uc8lls989ugqph@news.easynews.com>,
CyberDroog@ClockworkOrange.com says...
> >Leythos <void@nowhere.lan> wrote:
> >
> >> I can't find
> >> many business reason to allow much more than HTTP/HTTPS to approved
> >> sites
> >
> >Poor people, who only can use caponized network access. Poor businesses,
> >who soon will fall back behind the competition, because they have
> >no media literacy, and the stuff cannot see, what's going on in the
> >world.
>
> As opposed to all of those successful and productive businesses who allow
> all of their employees to sit around reading The New York Times online all
> day. Or keep tabs on their ebay bids or sales. Or do all of their
> Christmas shopping.
I fired a chap after we checked the firewall logs and found he was
keeping an open connection to his stock trading site (before we locked
down what people could access) - his excuse was that he needed to trade
in order to afford to pay his bills and that calling on his cell or the
cost too much, and that he didn't have a computer at home, so he had to
trade at work.
We documented more than 60 hours in one month where he was actively
trading and not doing work - after the initial warning (at 9 hours) we
fired him for continuing.
We also found workers viewing Porn sites before hours, during breaks,
and staying after hours - funny how you display a list of workstation
names and porn files in the http sessions, how that seems to put an end
to it, for a few months... Firing was next for many.
And the list goes on - every company has these issues.
How about the LARGE Government agency where the Cleaning crew was
connecting to peoples desktops that were left logged in over the
night/weekend and downloading MP3? Locked them down to comply with HS
rules and HIPAA....
--
spam999free@rrohio.com
remove 999 in order to email me
In article <11gpifl69u6r6b1@corp.supernews.com>,
smcg4191zz@friizz.RimoovAllZZs.com says...
> I am definitely not an expert -- I am just looking for some reliable
> info. For years I have heard people claim that NAT could be circumvented
> but I have yet to see any real proof of this (although I have not spent much
> time looking.)
There was an exploit on the web that targeted Linksys routers - when
people connected via IE, it would login to the default IP of the router
as the default account/password, then it would change the forwarding
settings to allow inbound. Search google for it.
--
spam999free@rrohio.com
remove 999 in order to email me
>
> Keep trying, you're still not showing any reason to allow full,
> unrestricted, open, access to everyone in a company.
>
And if you do have unrestricted Internet access and was using it a bit too
much in the management's eye, you will hear about it. One guy was rolled on
the carpet about that and another one was doing a little too much emailing
on company time. They do watch what's going on.
Duane
Leythos <void@nowhere.lan> wrote:
>In article <878xyrb7yp.fld@barrow.com>, floyd@apaflo.com says...
>> Leythos <void@nowhere.lan> wrote:
>> >In reality there are very few businesses that need to provide ANY
>> >internet access to employees while at work. Even ones that need internet
>> >access only need limited access in almost every case.
>>
>> You've stated that several times in various articles. It is a
>> bogus claim which assumes that every business is the same as
>> yours apparently is. But other businesses have honest,
>> intelligent and diligent workers who need to get work done in
>> the most efficient and effective way possible, which often means
>> unrestricted access to the Internet.
>
>I don't believe that for one instant - I've done support for more than a
>hundred corporations in the last 5 years, many government groups, and
>I've never seen one company (or learned about one) that required all of
>its employees to have complete, open, unrestricted, internet access.
Nobody said "required", though that is the practical effect. Regardless,
I just mentioned one such company. I'm not sure if *all* employees
need Internet access, but I certainly was not aware of any that didn't.
>Sure, there are groups in companies that are given it, but the majority
>of employees in most companies don't need it to do their jobs.
>
>Prove me wrong, list 5 companies we can check to see that everyone in
>them needs full, unrestricted, open, access to the Internet - 5
>companies with more than 50 employees.
>
>I await your list.
I don't need to list 5. Just one. And as I noted, that company
is large enough to have a senior management position for Network
Security, filled at the time by a person who literally wrote the
book.
Are you claiming that their head of Network Security was not as
competent as you? The idea is hilarious!
--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
Stuart McGraw <smcg4191zz@friizz.rimoovallzzs.com> wrote:
> Nope, I am definitely not an expert -- I am just looking for some reliable
> info. For years I have heard people claim that NAT could be circumvented
> but I have yet to see any real proof of this (although I have not spent much
> time looking.)
Just try it yourself. Take a simple masquerading device, send from outside
a spoofed packet, which seems to come from inside, and sniff inside, if the
packet is routed. There is enough spoofing software in the wild, so you
can hack this simple task with BSD sockets yourself, or you could use
ready-made software to generate the packets.
> They debunk the myth that a NAT router provides as strong security as a
> "real firewall". Maybe some people claim that. I wouldn't, and don't know anyone
> who would.
Together with clever filtering, a NAT router can provide good security
against such attacks.
> They mention pings and then say "NAT devices, however, respond, letting
> the hacker know he's found a live connection and an easy way in to the
> network." Exactly how does a ping response indicate an ***easy*** (my emphasis)
> way into the network?
It doesn't. This is only nonsense. People, who are blocking ICMP echo,
don't understand the TCP/IP network protocol family. That's all.
Those people usually think that you could "stealth" your computer by doing
this, making it "invisible" in the Internet.
This is monkey business. The reason is, that they did not understand TCP
nor IP or ICMP, because:
If there is really no computer at a specific IP address, you're getting
a packet back!
Why?
The router before the non-existing PC then is sending an ICMP packet,
either which means "no computer here", or which means "the complete
network is not here, so there cannot be a computer" (ICMP destination
unreachable message with code 0 or 1, see RFC 792, STD 0005).
So getting no information back is a sure sign, that there _is_ a computer
on the other side, and it's running braindead "security" software like
Zonealarm ;-)
> "Interestingly, hackers have developed attacks specifically for NAT devices,
> including:" and go on to say that one of these is trying the manufacturer's
> default password on a network accessible admin port. This is "NAT-specific"?
Of course not.
> Lest I be misunderstood, I am not saying that NAT is as secure as a good
> well configured firewall, that WG products are bad, that firewalls are useless,
> or even that particular white paper is exceptionally bad. All I am saying
> is that it is a typical marketing whitepaper, designed to sell the company's
> products and does not present a fair picture of the security differences
> between NAT routers and firewalls.
Firewall is a term, most people use other than it was intended.
"Personal Firewalls" like Zonelabs or Symantec are selling, are anything
else, but not Firewalls.
Usually, they're host based port filters, badly implemented compared to
i.e. the Windows-Firewall (which is also not a firewall, but a simple
host based packet filter, but which is OK in the way, that it works good),
combined with a lot of bells and whistles, to make users feel a false
sense of security. The rest of the features of the "Personal Firewalls"
have a placebo effect, one can say.
So it is with the "stealth" feature. And it's not the worst thing -
some features of the "Personal Firewalls" are even worse, they're making
the PC more insecure and not more secure, they should protect.
Those features are for example windows opened from system services or
even the possibility to filter out your secrets like a PIN for your
banking account from every network traffic.
The latter for example is so dangerous, that it is like publicizing your
PIN to everybody, who has a webserver you're looking at pages from.
Why?
Send inside HTML all numbers between 0000 and 9999 (hey, these are only
10.000 numbers, no problem) to the Browser of the user as content i.e.
inside invisible form fields. The one number, which is missing, when the
user sends back the form, is the PIN. ;-)
People, who are selling _this_ to you as a security feature (like
Symantec or Zonelabs and so on) have understood really _nothing_
about security.
They're just the same people, who're making your PC "invisible" in the
Internet, because they're filtering ICMP echo ;-)
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Leythos <void@nowhere.lan> wrote:
> But NAT routers don't block those OUTBOUND by default, sure they block
> it inbound, but they don't do anything about it outbound.
Yes, this is the tunneling topic ;-)
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Leythos <void@nowhere.lan> wrote:
> I fired a chap after we checked the firewall logs
Ah, you're *NOT* doing whitelist filtering.
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
CyberDroog <CyberDroog@clockworkorange.com> wrote:
> Your supposed experience is quite different from the norm according to
> studies. For instance, and keep in mind that this is on top of the time
> people normally waste chatting with co-workers:
> http://www.sfgate.com/cgi-bin/arti [...] ngtime.TMP
> They pegged the average of wasted time at 2.09 hours per day per employee,
> (not counting lunch) frittering away the time on the net.
> Or:
> http://www.cyberguard.com/products [...] lang=de_EN
Please, let us get back to security as the topic.
Secure network usage does not mean to cut the network cable with a knife,
because people are doing bad things with the network.
Secure network usage does mean, that network usage is there and cannot
or should not be cut for whatsoever, and people want to be secure against
different attacks in spite of this fact.
> 30 to 40% of Internet surfing during work hours is not business related.
Nice. But off-topic.
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Leythos <void@nowhere.lan> wrote:
> Email is from an internal server only - why would you want to allow
> employees to access any external email service? Since they have to send
> through the company server, since the company server is the only
> outbound SMTP, there isn't much they are going to do to tunnel.
You don't need to access outside Internet mail services. If the
internal mailing system is connected to the Internet, that's enough
to tunnel.
There are ready made protocols for this, BTW: some of them spell
like SOAP ;-)
Yours,
VB.
--
"It cannot be that the frustrated ones in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
In article <87vf1uahs5.fld@barrow.com>, floyd@apaflo.com says...
> Leythos <void@nowhere.lan> wrote:
> >In article <878xyrb7yp.fld@barrow.com>, floyd@apaflo.com says...
> >> Leythos <void@nowhere.lan> wrote:
> >> >In reality there are very few businesses that need to provide ANY
> >> >internet access to employees while at work. Even ones that need internet
> >> >access only need limited access in almost every case.
> >>
> >> You've stated that several times in various articles. It is a
> >> bogus claim which assumes that every business is the same as
> >> yours apparently is. But other businesses have honest,
> >> intelligent and diligent workers who need to get work done in
> >> the most efficient and effective way possible, which often means
> >> unrestricted access to the Internet.
> >
> >I don't believe that for one instant - I've done support for more than a
> >hundred corporations in the last 5 years, many government groups, and
> >I've never seen one company (or learned about one) that required all of
> >its employees to have complete, open, unrestricted, internet access.
>
> Nobody said "required", though that is the practical effect. Regardless,
> I just mentioned one such company. I'm not sure if *all* employees
> need Internet access, but I certainly was not aware of any that didn't.
So, since you've not really listed the company, only mentioned that you
know a company where everyone needs access, then you say that you are
not sure, but you're not aware.... So, it really sounds like you don't
have a clue about the business needs of all the employees concerning
Internet access.
> >Sure, there are groups in companies that are given it, but the majority
> >of employees in most companies don't need it to do their jobs.
> >
> >Prove me wrong, list 5 companies we can check to see that everyone in
> >them needs full, unrestricted, open, access to the Internet - 5
> >companies with more than 50 employees.
> >
> >I await your list.
>
> I don't need to list 5. Just one. And as I noted, that company
> is large enough to have a senior management position for Network
> Security, filled at the time by a person who literally wrote the
> book.
Yea, I've read that before, someone knows someone that wrote the book on
security and they know more than anyone else and no one else could
understand any other parts of security better than they do.....
If your guru is permitting full, unrestricted access to the net, without
any filtering, then they don't really understand security and they also
don't understand the business needs.
> Are you claiming that their head of Network Security was not as
> competent as you? The idea is hilarious!
How would you know - how do you have any idea that his methods work -
since you state that you are unaware of the business needs, then you
really don't know.
What's hilarious is that you think that all companies should provide
unrestricted internet access to all employees.
--
spam999free@rrohio.com
remove 999 in order to email me
In article <430d5ca6@news.uni-ulm.de>, bumens@dingens.org says...
> Leythos <void@nowhere.lan> wrote:
> > I fired a chap after we checked the firewall logs
>
> Ah, you're *NOT* doing whitelist filtering.
When I took over the department the first thing I did was start looking
at security - they had a no-policy policy in place before I joined. The
idea was that anyone could access anything on the Net at any time.
They had suspected they had productivity problems, had problems with
viruses and compromised machines, had issues with groups of people
emailing jokes and explicit pictures back and forth, etc... You know, a
generally uncontrolled environment with immature people.
When I got there I installed a new firewall in drop-in mode so that no
one was any wiser, monitoring all traffic and seeing exactly how bad the
issue was.
After 30 days we implemented a new security model and put an end to all
of the BS and playing. Funny thing was that the worst abusers were also
the least productive in all areas. Once we took away access to sites that
didn't meet our business needs, productivity increased almost 130% that
first month....
It's amazing what people will do when they think they are owed access
and when they think no-one is watching.
--
spam999free@rrohio.com
remove 999 in order to email me
In article <430d5e05@news.uni-ulm.de>, bumens@dingens.org says...
> CyberDroog <CyberDroog@clockworkorange.com> wrote:
> > Your supposed experience is quite different from the norm according to
> > studies. For instance, and keep in mind that this is on top of the time
> > people normally waste chatting with co-workers:
> > http://www.sfgate.com/cgi-bin/arti [...] ngtime.TMP
> > They pegged the average of wasted time at 2.09 hours per day per employee,
> > (not counting lunch) frittering away the time on the net.
> > Or:
> > http://www.cyberguard.com/products [...] lang=de_EN
>
> Please, let us get back to security as the topic.
>
> Secure network usage does not mean to cut the network cable with a knife,
> because people are doing bad things with the network.
>
> Secure network usage does mean, that network usage is there and cannot
> or should not be cut for whatsoever, and people want to be secure against
> different attacks in spite of this fact.
>
> > 30 to 40% of Internet surfing during work hours is not business related.
>
> Nice. But off-topic.
Actually, it's on-topic as NAT and what people do at work are often
related directly to security.
People implementing a NAT only solution, without a real firewall, are
not secure - as many people have pointed out tunneling and such.
A firewall using NAT does not necessarily permit tunneling once you
setup the firewall to protect properly.
--
spam999free@rrohio.com
remove 999 in order to email me
In article <430d5f09@news.uni-ulm.de>, bumens@dingens.org says...
> Leythos <void@nowhere.lan> wrote:
> > Email is from an internal server only - why would you want to allow
> > employees to access any external email service? Since they have to send
> > through the company server, since the company server is the only
> > outbound SMTP, there isn't much they are going to do to tunnel.
>
> You don't need to access outside Internet mail services. If the
> internal mailing system is connected to the Internet, that's enough
> to tunnel.
>
> There are ready made protocols for this, BTW: some of them spell
> like SOAP ;-)
Funny, using SOAP won't allow you to use your workstation to tunnel to
the SMTP server and then have the SMTP server tunnel outside for you,
and then bring the traffic back in to you. Since the IP of the specific
SMTP server is all that's permitted outbound and since the firewall
blocks anything that isn't a proper SMTP message type......
Please provide a link that shows how a generic user at a workstation in
the LAN will be able to tunnel through a SMTP server that they don't
have permission/access to configure where the outbound from that
specific IP of the server is the only outbound SMTP permitted in the
firewall.
--
spam999free@rrohio.com
remove 999 in order to email me
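Leythos's firewall model in the last few posts (only the mail server may speak SMTP outbound, workstations get HTTP/HTTPS to approved sites, everything else is dropped) is contrasted here with the plain NAT router that never filters outbound, as an added Python example that is not from the thread. The addresses, the approved-site list and the Flow type are constructed; nat_only models the NAT-only device, egress_policy models the whitelist, and gaps lists the flows one passes and the other blocks, which is the difference between "NAT router" and "firewall using NAT" that the thread is arguing about.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network: RFC 1918 LAN, one mail relay, two "approved" external sites.
LAN = ipaddress.ip_network("192.168.10.0/24")
MAIL_SERVER = "192.168.10.25"
APPROVED_WEB = {"203.0.113.10", "203.0.113.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _from_lan(flow: Flow) -> bool:
    return ipaddress.ip_address(flow.src) in LAN


def nat_only(flow: Flow) -> tuple[str, str]:
    """A plain NAT router: anything originating inside is translated and sent; nothing is inspected."""
    if _from_lan(flow):
        return "allow", "plain NAT: outbound is translated, never filtered"
    return "deny", "not from the LAN"


# Whitelist rules, evaluated first match wins; anything unmatched is denied and logged.
RULES = [
    ("mail server relays SMTP",
     lambda f: f.src == MAIL_SERVER and f.proto == "tcp" and f.dport == 25, "allow"),
    ("SMTP from anything but the mail server",
     lambda f: f.proto == "tcp" and f.dport == 25, "deny"),
    ("workstation web to approved site",
     lambda f: _from_lan(f) and f.proto == "tcp" and f.dport in (80, 443)
     and f.dst in APPROVED_WEB, "allow"),
]


def egress_policy(flow: Flow) -> tuple[str, str]:
    """Evaluate the whitelist; the default is deny, which is what makes it a whitelist."""
    for name, match, action in RULES:
        if match(flow):
            return action, name
    return "deny", "default deny (logged)"


def gaps(flows: list[Flow]) -> list[Flow]:
    """Flows a NAT-only box would pass that the whitelist firewall stops."""
    return [f for f in flows if nat_only(f)[0] == "allow" and egress_policy(f)[0] == "deny"]


# Constructed sample traffic from a workstation and from the mail server.
WORKSTATION = "192.168.10.50"
SAMPLE_FLOWS = [
    Flow(WORKSTATION, "203.0.113.10", "tcp", 443),   # approved site: allowed
    Flow(WORKSTATION, "198.51.100.7", "tcp", 443),   # unapproved site: denied
    Flow(WORKSTATION, "198.51.100.7", "tcp", 25),    # direct SMTP from a desktop: denied
    Flow(MAIL_SERVER, "198.51.100.7", "tcp", 25),    # the relay doing its job: allowed
    Flow(WORKSTATION, "198.51.100.9", "tcp", 6667),  # IRC or a tunnel: denied
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "nat-only:", nat_only(flow)[0], "whitelist:", egress_policy(flow))
    print("stopped only by the whitelist:", len(gaps(SAMPLE_FLOWS)))
```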
On Tue, 23 Aug 2005 18:36:51 GMT, Leythos wrote:
> NAT is only a simple means of blocking unsolicited inbound connections.
> That means that there is no outbound limitation.
>
> NAT is a good for protecting home users networks from uninvited inbound
> connections which is a reasonable thing for home users.
I have encountered a NAT device which does not block inbound packets. The
Siemens SpeedStream 4100 ADSL modem I just connected to my LAN.
--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.
In article <1l7q6fzori802.dlg@aol.prodigy.net>,
spammers.are@immoral.invalid says...
> On Tue, 23 Aug 2005 18:36:51 GMT, Leythos wrote:
>
> > NAT is only a simple means of blocking unsolicited inbound connections.
> > That means that there is no outbound limitation.
> >
> > NAT is a good for protecting home users networks from uninvited inbound
> > connections which is a reasonable thing for home users.
>
> I have encountered a NAT device which does not block inbound packets. The
> Siemens SpeedStream 4100 ADSL modem I just connected to my LAN.
Yea, DSL modems from ISP's are a mix of anything goes. I installed a SBC
DSL modem for a client that provided a single private IP via DHCP and
all public traffic was routed inbound to that IP.
NAT is still a good option, but not when everything is forwarded inbound
to the LAN side. DSL Modems are not what any of us talk about,
generally, when we talk about NAT and routers, we generally mean the D-
Link, Netgear, Linksys....
You've just documented the best reason why you should have your own
appliance after the ISP's hardware.
--
spam999free@rrohio.com
remove 999 in order to email me
"Leythos" <void@nowhere.lan> wrote in message news:MPG.1d76de05d0fb820d989cfe@news-server.columbus.rr.com...
> In article <11gpifl69u6r6b1@corp.supernews.com>,
> smcg4191zz@friizz.RimoovAllZZs.com says...
> > I am definitely not an expert -- I am just looking for some reliable
> > info. For years I have heard people claim that NAT could be circumvented
> > but I have yet to see any real proof of this (although I have not spent much
> > time looking.)
>
> There was an exploit on the web that targeted Linksys routers - when
> people connected via IE, it would login to the default IP of the router
> as the default account/password, then it would change the forwarding
> settings to allow inbound. Search google for it.
I googled a bit but couldn't seem to find this. But it sounds like it is
not really a NAT specific exploit -- unchanged default passwords are
not limited to NAT routers, yes?
Leythos <void@nowhere.lan> wrote:
>In article <87vf1uahs5.fld@barrow.com>, floyd@apaflo.com says...
>> Leythos <void@nowhere.lan> wrote:
>> >In article <878xyrb7yp.fld@barrow.com>, floyd@apaflo.com says...
>> >> Leythos <void@nowhere.lan> wrote:
>
>So, since you've not really listed the company, only mentioned that you
>know a company where everyone needs access, then you say that you are
>not sure, but you're not aware.... So, it really sounds like you don't
>have a clue about the business needs of all the employees concerning
>Internet access.
Just dangling a rope for you, that's all. You'd never have been
clear on what you thought of it if I'd mentioned that it is
AT&T's telecom network operations.
>> I don't need to list 5. Just one. And as I noted, that company
>> is large enough to have a senior management position for Network
>> Security, filled at the time by a person who literally wrote the
>> book.
>
>Yea, I've read that before, someone knows someone that wrote the book on
>security and they know more than anyone else and no one else could
>understand any other parts of security better than they do.....
>
>If your guru is permitting full, unrestricted access to the net, without
>any filtering, then they don't really understand security and they also
>don't understand the business needs.
The "guru" is Steve Bellovin. You've probably heard of him. He
was in charge of AT&T's network security for a few years, and
currently is teaching CS at Columbia University. It wasn't really
"the" book that he wrote, it was several of them...
>> Are you claiming that their head of Network Security was not as
>> competent as you? The idea is hilarious!
>
>How would you know - how do you have any idea that his methods work -
I don't think Bellovin has been certified by ICSA, but like a
lot of other equipment that hasn't been, his reputation is
widely known. ;-)
>since you state that you are unaware of the business needs, then you
>really don't know.
And just when did I say that I was "unaware of the business
needs"? Within the division of AT&T that I worked for (AT&T
Alascom, which AT&T acquired in 1995) it was simply impossible
to file a weekly time sheet without access to the Internet. Is
that "business need" enough for you? And that is merely the
starting point on a list of requirements that most employees
need Internet access for!
>What's hilarious is that you think that all companies should provide
>unrestricted internet access to all employees.
Unlike you, I have *not* made any such sweeping ridiculous claims.
My point was that when you say none do, you are blowing smoke.
--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
"Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote:
>"Leythos" <void@nowhere.lan> wrote in message news:MPG.1d76de05d0fb820d989cfe@news-server.columbus.rr.com...
>>
>> There was an exploit on the web that targeted Linksys routers - when
>> people connected via IE, it would login to the default IP of the router
>> as the default account/password, then it would change the forwarding
>> settings to allow inbound. Search google for it.
>
>I googled a bit but couldn't seem to find this. But it sounds like it is
>not really a NAT specific exploit -- unchanged default passwords are
>not limited to NAT routers, yes?
His scenario is almost certainly fabricated.
Linksys routers, by default, do not allow access via the WAN
(Internet) port to the web server. The only way his described
technique would work is if a user purposely reconfigured to
enable that access... *and* did not change the password.
However, the Linksys configuration will not make that change if
the default password is unchanged!
Basically, it sounds good but isn't true.
--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
>
> And just when did I say that I was "unaware of the business
> needs"? Within the division of AT&T that I worked for (AT&T
> Alascom, which AT&T acquired in 1995) it was simply impossible
> to file a weekly time sheet without access to the Internet. Is
> that "business need" enough for you? And that is merely the
> starting point on a list of requirements that most employees
> need Internet access for!
>
I never heard of any time accounting application that was WEB based that
was used over the Internet. Companies generally have such Web based
applications/solutions as a secured Intranet application NOT an Internet
application, which are behind the company's FW. So of course, company
employees are going to have access through a browser to such an application
as a company Intranet business solution. If the company had that setup any
other way, that was a very questionable setup to say the least about it.
And if some employee needed to access that Web based solution outside of
the company's Intranet domain over the Internet, they would need or be
given a VPN solution and allowed access to the WEB based company Intranet
business solution.
Duane
nice thread, worth a read.
Thank you everyone
--
dr.nil
On Thu, 25 Aug 2005 00:27:23 GMT, Leythos <void@nowhere.lan> wrote:
>In article <vurog1le0qdfaiadr3t5p3f46aroeraa2m@news.easynews.com>,
>CyberDroog@ClockworkOrange.com says...
>>
>> Any properly setup NAT router should be blocking those ports. Mine does,
>> and a lot of other unnecessary ports as well.
>
>But NAT routers don't block those OUTBOUND by default, sure they block
>it inbound, but they don't do anything about it outbound.
Weren't you talking about setting up simple NAT routers to block outbound
traffic (i.e. Filtered Private Port range on Linksys) as well?
--
The worst thing that can happen to a good cause is, not to be skillfully
attacked, but to be ineptly defended.
- Frédéric Bastiat
On Thu, 25 Aug 2005 00:30:13 GMT, Leythos <void@nowhere.lan> wrote:
>In article <p7sog1l3367jbsgaf78etrm0905jaji71i@news.easynews.com>,
>CyberDroog@ClockworkOrange.com says...
>> But a simple NAT router *is* such a firewall. It's
>> just of very low quality and the vendor leaves it to you to not hand
>> someone else the keys.
>
>Sorry, but NAT is not just a low quality firewall - you seem to think
>that devices can be sort-of, maybe, almost, firewalls - well, they
>can't, they are either a firewall or not. All the fancy features that
>firewalls use to differentiate them from each other don't mean anything
>if the device is not a firewall.
I disagree, but only because of semantics. Firewall or Firewalling is also
a concept and a process.
--
Aoccdrnig to a rscheearch at an Elingsh uinervtisy, it deosn't mttaer in
waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the
frist and lsat ltteer is at the rghit pclae. The rset can be a toatl mses
and you can sitll raed it wouthit porbelm. Tihs is bcuseae we do not raed
ervey lteter by it slef but the wrod as a wlohe. ceehiro.
"Volker Birk" <bumens@dingens.org> wrote in message news:430d5bf7@news.uni-ulm.de...
> Stuart McGraw <smcg4191zz@friizz.rimoovallzzs.com> wrote:
> > Nope, I am definitely not an expert -- I am just looking for some reliable
> > info. For years I have heard people claim that NAT could be circumvented
> > but I have yet to see any real proof of this (although I have not spent much
> > time looking.)
>
> Just try it yourself. Take a simple masquerading device, send from outside
> a spoofed packet, which seems to come from inside, and sniff inside, if the
> packet is routed. There is enough spoofing software in the wild, so you
> can hack this simple task with BSD sockets yourself, or you could use
> ready-made software to generate the packets.
I'll try if I can, but the only outside network I have access to right now
is my ISP's and I think they do ingress/egress filtering so I may not be able
to. However you and a couple other people have said this is true and
it sounds reasonable to me... I was not aware that this was the case.
> > They debunk the myth that a NAT router provides as strong security as a
> > "real firewall". Maybe some people claim that. I wouldn't, and don't know anyone
> > who would.
>
> Together with clever filtering, a NAT router can provide good security
> against such attacks.
>
> > They mention pings and then say "NAT devices, however, respond, letting
> > the hacker know he's found a live connection and an easy way in to the
> > network." Exactly how does a ping response indicate an ***easy*** (my emphasis)
> > way into the network?
>
> It doesn't. This is only nonsense. People, who are blocking ICMP echo,
> don't understand the TCP/IP network protocol family. That's all.
>
> Those people usually think that you could "stealth" your computer by doing
> this, making it "invisible" in the Internet.
>
> This is monkey business. The reason is, that they did not understand TCP
> nor IP or ICMP, because:
>
> If there is really no computer at a specific IP address, you're getting
> a packet back!
>
> Why?
>
> The router before the non-existing PC then is sending an ICMP packet,
> either which means "no computer here", or which means "the complete
> network is not here, so there cannot be a computer" (ICMP destination
> unreachable message with code 0 or 1, see RFC 792, STD 0005).
>
> So getting no information back is a sure sign, that there _is_ a computer
> on the other side, and it's running braindead "security" software like
> Zonealarm ;-)
>
> > "Interestingly, hackers have developed attacks specifically for NAT devices,
> > including:" and go on to say that one of these is trying the manufacturer's
> > default password on a network accessible admin port. This is "NAT-specific"?
> Of course not.
>
> > Lest I be misunderstood, I am not saying that NAT is as secure as a good
> > well configured firewall, that WG products are bad, that firewalls are useless,
> > or even that that particular white paper is exceptionally bad. All I am saying
> > is that it is a typical marketing whitepaper, designed to sell the company's
> > products and does not present a fair picture of the security differences
> > between NAT routers and firewalls.
>
> Firewall is a term, most people use other than it was intended.
I always thought a firewall was anything that enforced a security policy
between two networks. So the issue is what security policy is appropriate,
and what hardware/software most reliably and cost effectively implements
that policy, not the name a vendor decided to give a box. I have always
been a little annoyed by the term "real firewall" for that reason.
> "Personal Firewalls" like Zonelabs or Symantec are selling, are anything
> else, but not Firewalls.
>
> Usually, they're host based port filters, badly implemented compared to
> i.e. the Windows-Firewall (which is also not a firewall, but a simple
> host based packet filter, but which is OK in the way that it works well),
> combined with a lot of bells and whistles, to make users feel a false
> sense of security. The rest of the features of the "Personal Firewalls"
> have a placebo effect, one can say.
>
> So it is with the "stealth" feature. And it's not the worst thing -
> some features of the "Personal Firewalls" are even worse, they're making
> the PC more insecure and not more secure, they should protect.
>
> Those features are for example windows opened from system services or
> even the possibility to filter out your secrets like a PIN for your
> banking account from every network traffic.
>
> The latter for example is so dangerous, that it is like publicizing your
> PIN to everybody, who has a webserver you're looking at pages from.
>
> Why?
>
> Send inside HTML all numbers between 0000 and 9999 (hey, these are only
> 10.000 numbers, no problem) to the Browser of the user as content i.e.
> inside invisible form fields. The one number, which is missing, when the
> user sends back the form, is the PIN. ;-)
>
> People, who are selling _this_ to you as a security feature (like
> Symantec or Zonelabs and so on) have understood really _nothing_
> about security.
>
> They're just the same people, who're making your PC "invisible" in the
> Internet, because they're filtering ICMP echo ;-)
>
> Yours,
> VB.
> --
> "It cannot be that the frustrated people in Rome decide what happens in
> German bedrooms".
> Harald Schmidt on "World Youth Day"
Interesting, thanks!
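The ICMP behaviour Volker describes above (a router answering with Destination Unreachable code 0 or 1 when no host exists at an address, versus a live host that simply drops echo requests) can be checked against real bytes. The block below is an added example, not code from any poster in this thread: it decodes an RFC 792 ICMP header, verifies the one's-complement checksum, and classifies what a probe outcome means from a defender's reading of the same rules. The function and constant names are mine, and the sample messages are constructed inside the block rather than captured from a network.

```python
"""Decode ICMP messages and interpret what a reply (or silence) tells you.
Added example; names and sample messages are assumptions, not captured traffic."""
import struct
from typing import Optional

# ICMP type numbers from RFC 792
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8

# Destination Unreachable codes from RFC 792 (0 and 1 are the ones the post names)
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    Run over a message that already carries a correct checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (used only to construct samples)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def parse_icmp(data: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    if len(data) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(data) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", data[:2])
    msg = {"type": icmp_type, "code": code, "rest": data[4:8], "payload": data[8:]}
    if icmp_type == ICMP_DEST_UNREACH:
        # For type 3 the payload carries the IP header plus 8 bytes of the offending datagram
        msg["reason"] = UNREACH_CODES.get(code, "code %d" % code)
    return msg


def classify_probe_result(reply: Optional[bytes]) -> str:
    """Interpret one echo-request outcome following the post's reasoning: an ICMP
    unreachable is generated by a router and means no host is there; silence does not.
    Caveat added here: silence can also come from a filter upstream of the host."""
    if reply is None:
        return "silence: something at that address is dropping echo, or a filter upstream is"
    msg = parse_icmp(reply)
    if msg["type"] == ICMP_ECHO_REPLY:
        return "echo reply: host is up"
    if msg["type"] == ICMP_DEST_UNREACH and msg["code"] in (0, 1):
        return "router says %s: no host there" % msg["reason"]
    if msg["type"] == ICMP_DEST_UNREACH:
        return "unreachable (%s)" % msg["reason"]
    return "other ICMP type %d" % msg["type"]


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic
    echo = build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1), b"ping")
    unreach = build_icmp(ICMP_DEST_UNREACH, 1, payload=b"\x45\x00" + b"\x00" * 26)
    for sample in (echo, unreach, None):
        print(classify_probe_result(sample))
```

The point for a defender is that a "stealth" mode which drops echo requests does not make an address look empty: an empty address produces a router-generated type 3 message, and only a present host (or an intervening filter) produces silence, so dropping ICMP echo buys no invisibility and costs the diagnostics the post mentions.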
Archived from groups: comp.security.firewalls (More info?)
On Thu, 25 Aug 2005 00:40:47 GMT, Leythos <void@nowhere.lan> wrote:
>In article <i0dpg195ctm1s35dgbd1uc8lls989ugqph@news.easynews.com>,
>CyberDroog@ClockworkOrange.com says...
>>
>> As opposed to all of those successful and productive businesses who allow
>> all of their employees to sit around reading The New York Times online all
>> day. Or keep tabs on their ebay bids or sales. Or do all of their
>> Christmas shopping.
>
>I fired a chap after we checked the firewall logs and found he was
>keeping an open connection to his stock trading site (before we locked
>down what people could access) - his excuse was that he needed to trade
>in order to afford to pay his bills and that calling on his cell or the
>cost too much, and that he didn't have a computer at home, so he had to
>trade at work.
At my last full-time admin job, I used to keep QuoteTracker running all day
long. I was rarely actually trading though. Just keeping tabs on my
alerts.
But that's okay, because I was the network admin. It's good to be the
king.
>We also found workers viewing Porn sites before hours, during breaks,
>and staying after hours - funny how you display a list of workstation
>names and porn files in the http sessions, how that seems to put an end
>to it, for a few months... Firing was next for many.
I put an end to one guy doing that by stopping by his office unannounced
and asking him if Kathy responded yet and told him what "rimming" is.
I really hate the idea of getting people in trouble, unless I don't care
for them personally. A simple whispered heads-up can often do the trick.
--
Even very young children need to be informed about dying. Explain the
concept of death very carefully to your child. This will make threatening
him with it much more effective.
- P. J. O'Rourke
Archived from groups: comp.security.firewalls (More info?)
On Thu, 25 Aug 2005 00:42:37 GMT, Leythos <void@nowhere.lan> wrote:
>There was an exploit on the web that targeted Linksys routers - when
>people connected via IE, it would login to the default IP of the router
>as the default account/password, then it would change the forwarding
>settings to allow inbound. Search google for it.
Why people fail to change the admin password on their routers is beyond me.
--
CRITIC, n. A person who boasts himself hard to please because nobody
tries to please him.
- Ambrose Bierce
Archived from groups: comp.security.firewalls (More info?)
On 25 Aug 2005 07:58:29 +0200, Volker Birk <bumens@dingens.org> wrote:
>CyberDroog <CyberDroog@clockworkorange.com> wrote:
>
>> 30 to 40% of Internet surfing during work hours is not business related.
>
>Nice. But off-topic.
Threads drift... Besides, the necessity of prohibiting unrestricted access
to the net is a security issue.
--
EDUCATION, n. That which discloses to the wise and disguises from the
foolish their lack of understanding.
- Ambrose Bierce
Archived from groups: comp.security.firewalls (More info?)
CyberDroog <CyberDroog@ClockworkOrange.com> wrote in
news:ns2sg1ppioogit3be0fbshnatt3h8c1910@news.easynews.com:
> On Thu, 25 Aug 2005 00:42:37 GMT, Leythos <void@nowhere.lan> wrote:
>
>>There was an exploit on the web that targeted Linksys routers - when
>>people connected via IE, it would login to the default IP of the
>>router as the default account/password, then it would change the
>>forwarding settings to allow inbound. Search google for it.
>
> Why people fail to change the admin password on their routers is
> beyond me.
>
That's because it's not in the manual when they setup/configured the device
that it could be a possible exploit. That information has to be sought out
and implemented.
Duane
Archived from groups: comp.security.firewalls (More info?)
In article <87d5o29djw.fld@barrow.com>, floyd@apaflo.com says...
> "Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote:
> >"Leythos" <void@nowhere.lan> wrote in message news:MPG.1d76de05d0fb820d989cfe@news-server.columbus.rr.com...
> >>
> >> There was an exploit on the web that targeted Linksys routers - when
> >> people connected via IE, it would login to the default IP of the router
> >> as the default account/password, then it would change the forwarding
> >> settings to allow inbound. Search google for it.
> >
> >I googled a bit but couldn't seem to find this. But it sounds like it is
> >not really a NAT specific exploit -- unchanged default passwords are
> >not limited to NAT routers, yes?
>
> His scenario is almost certainly fabricated.
>
> Linksys routers, by default, do not allow access via the WAN
> (Internet) port to the web server. The only way his described
> technique would work is if a user purposely reconfigured to
> enable that access... *and* did not change the password.
> However, the Linksys configuration will not make that change if
> the default password is unchanged!
>
> Basically, it sounds good but isn't true.
Basically you don't have a clue - if you followed what I wrote, the
exploit doesn't come from OUTSIDE the router, it happens due to a user
INSIDE the firewall running script code on HIS computer INSIDE the
network (behind the router) that the User Chooses To Run, and then it
hacks the router from inside the network - So, just like anything you
download from the web, once you run it, it's local and has all your
permissions - even to access the router if you've not changed the
default password.
I can't believe you know so little about exploits Floyd, but I expect if
you get out of Mayberry you will learn a little.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
In article <87hdde9dy5.fld@barrow.com>, floyd@apaflo.com says...
>
> And just when did I say that I was "unaware of the business
> needs"? Within the division of AT&T that I worked for (AT&T
> Alascom, which AT&T acquired in 1995) it was simply impossible
> to file a weekly time sheet without access to the Internet. Is
> that "business need" enough for you? And that is merely the
> starting point on a list of requirements that most employees
> need Internet access for!
That's so much BS. Any company that requires local employees to access
the public internet to file a time-sheet is doing it completely wrong.
There is no reason that anyone in AT&T would have to leave the AT&T
network to access company resources.
Even if they hosted the time-sheet system at MCI, they could easily
set up a white-list for the server AT&T needs.
So, again, you've not shown any reason for it to be open.... Keep
trying.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
In article <rs1sg1hnu3qeg9rvv08v1ahmoj5j4b3rr3@news.easynews.com>,
CyberDroog@ClockworkOrange.com says...
> On Thu, 25 Aug 2005 00:27:23 GMT, Leythos <void@nowhere.lan> wrote:
>
> >In article <vurog1le0qdfaiadr3t5p3f46aroeraa2m@news.easynews.com>,
> >CyberDroog@ClockworkOrange.com says...
> >>
> >> Any properly setup NAT router should be blocking those ports. Mine does,
> >> and a lot of other unnecessary ports as well.
> >
> >But NAT routers don't block those OUTBOUND by default, sure they block
> >it inbound, but they don't do anything about it outbound.
>
> Weren't you talking about setting up simple NAT routers to block outbound
> traffic (i.e. Filtered Private Port range on Linksys) as well?
Sure did - but they don't do it by default. The default mode allows ALL
traffic outbound, so, that means that a compromised machine can phone
home on the normal file sharing ports and get anything it needs.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
In article <852sg19n451lhscftph6mpvm63ug3isdhj@news.easynews.com>,
CyberDroog@ClockworkOrange.com says...
> On Thu, 25 Aug 2005 00:30:13 GMT, Leythos <void@nowhere.lan> wrote:
>
> >In article <p7sog1l3367jbsgaf78etrm0905jaji71i@news.easynews.com>,
> >CyberDroog@ClockworkOrange.com says...
> >> But a simple NAT router *is* such a firewall. It's
> >> just of very low quality and the vendor leaves it to you to not hand
> >> someone else the keys.
> >
> >Sorry, but NAT is not just a low quality firewall - you seem to think
> >that devices can be sort-of, maybe, almost, firewalls - well, they
> >can't, they are either a firewall or not. All the fancy features that
> >firewalls use to differentiate them from each other don't mean anything
> >if the device is not a firewall.
>
> I disagree, but only because of semantics. Firewall or Firewalling is also
> a concept and a process.
And you can have a firewall without NAT, but having a NAT does not mean
you have a firewall.
I suppose you've never seen NAT setup as 1:1 mode? How about NAT that
defaults to 1:1 all ports passed inbound?
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
In article <na2sg1p22e3kju59dsoqsqcht4pn9a2m3e@news.easynews.com>,
CyberDroog@ClockworkOrange.com says...
> On Thu, 25 Aug 2005 00:40:47 GMT, Leythos <void@nowhere.lan> wrote:
>
> >In article <i0dpg195ctm1s35dgbd1uc8lls989ugqph@news.easynews.com>,
> >CyberDroog@ClockworkOrange.com says...
> >>
> >> As opposed to all of those successful and productive businesses who allow
> >> all of their employees to sit around reading The New York Times online all
> >> day. Or keep tabs on their ebay bids or sales. Or do all of their
> >> Christmas shopping.
> >
> >I fired a chap after we checked the firewall logs and found he was
> >keeping an open connection to his stock trading site (before we locked
> >down what people could access) - his excuse was that he needed to trade
> >in order to afford to pay his bills and that calling on his cell or the
> >cost too much, and that he didn't have a computer at home, so he had to
> >trade at work.
>
> At my last full-time admin job, I used to keep QuoteTracker running all day
> long. I was rarely actually trading though. Just keeping tabs on my
> alerts.
>
> But that's okay, because I was the network admin. It's good to be the
> king.
>
> >We also found workers viewing Porn sites before hours, during breaks,
> >and staying after hours - funny how you display a list of workstation
> >names and porn files in the http sessions, how that seems to put an end
> >to it, for a few months... Firing was next for many.
>
> I put an end to one guy doing that by stopping by his office unannounced
> and asking him if Kathy responded yet and told him what "rimming" is.
>
> I really hate the idea of getting people in trouble, unless I don't care
> for them personally. A simple whispered heads-up can often do the trick.
Yeah, after weeks of monitoring to see what was going on, we let
everyone know that we were now logging ALL traffic and could see
everything anyone was doing - the reasonably honest people stopped
abusing the company, the others waited until we hammered them, others
could not stop and were fired.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
On Thu, 25 Aug 2005 08:38:59 -0800, floyd@apaflo.com (Floyd L. Davidson)
wrote:
>"Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote:
>>"Leythos" <void@nowhere.lan> wrote in message news:MPG.1d76de05d0fb820d989cfe@news-server.columbus.rr.com...
>>>
>>> There was an exploit on the web that targeted Linksys routers - when
>>> people connected via IE, it would login to the default IP of the router
>>> as the default account/password, then it would change the forwarding
>>> settings to allow inbound. Search google for it.
>>
>>I googled a bit but couldn't seem to find this. But it sounds like it is
>>not really a NAT specific exploit -- unchanged default passwords are
>>not limited to NAT routers, yes?
>
>His scenario is almost certainly fabricated.
Type "linksys exploit" into Google. This is the first hit:
http://www.governmentsecurity.org/ [...] ection.php
>Linksys routers, by default, do not allow access via the WAN
>(Internet) port to the web server. The only way his described
>technique would work is if a user purposely reconfigured to
>enable that access... *and* did not change the password.
>However, the Linksys configuration will not make that change if
>the default password is unchanged!
Correct. By default they do not allow remote access. That is why the bug
was called an *exploit*... because even with remote access disabled, the
box was allowing remote access.
--
I love deadlines. I love the whooshing sound they make as they fly by.
- Douglas Adams
Archived from groups: comp.security.firewalls (More info?)
In article <mhcsg15iun8odlk2530dj7t93o104tll3t@news.easynews.com>,
CyberDroog@ClockworkOrange.com says...
> On Thu, 25 Aug 2005 08:38:59 -0800, floyd@apaflo.com (Floyd L. Davidson)
> wrote:
>
> >"Stuart McGraw" <smcg4191zz@friizz.RimoovAllZZs.com> wrote:
> >>"Leythos" <void@nowhere.lan> wrote in message news:MPG.1d76de05d0fb820d989cfe@news-server.columbus.rr.com...
> >>>
> >>> There was an exploit on the web that targeted Linksys routers - when
> >>> people connected via IE, it would login to the default IP of the router
> >>> as the default account/password, then it would change the forwarding
> >>> settings to allow inbound. Search google for it.
> >>
> >>I googled a bit but couldn't seem to find this. But it sounds like it is
> >>not really a NAT specific exploit -- unchanged default passwords are
> >>not limited to NAT routers, yes?
> >
> >His scenario is almost certainly fabricated.
>
> Type "linksys exploit" into Google. This is the first hit:
>
> http://www.governmentsecurity.org/ [...] ection.php
>
> >Linksys routers, by default, do not allow access via the WAN
> >(Internet) port to the web server. The only way his described
> >technique would work is if a user purposely reconfigured to
> >enable that access... *and* did not change the password.
> >However, the Linksys configuration will not make that change if
> >the default password is unchanged!
>
> Correct. By default they do not allow remote access. That is why the bug
> was called an *exploit*... because even with remote access disabled, the
> box was allowing remote access.
CD, Floyd is a lot like Floyd from the Andy Griffith show - claims to know a
lot because he's "educated", but has no experience in the real world.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
>
> But I think that we all know that in order for something to be secure,
> that it almost always has a password (or combination).... I know it's
> expecting a lot of people, but they should be at least trying to learn a
> little.
>
Hey, I was over in the wireless NG responding to a poster today who happened
to work for an ISP, asking how a router could be hacked and
reconfigured so that the DNS being used pointed to somewhere in China that
the customer was using. I replied about the router being left in the default
out-of-the-box state as a possibility.
If he had to ask how it could have been done, that doesn't leave too much
hope. ;-)
Duane
Archived from groups: comp.security.firewalls (More info?)
>
> Your system is absolutely insecure. I can break into your house and
> literally take your whole PC. Why don't you get a *real* firewall?
>
>
And one other thing, you already indicated that you lurk around your
apartment complex looking at wireless possibilities. So I wouldn't put
anything past you. Please, please, please and please some more don't mess
with my little setup as you're too *dangerous*. <g>
Duane
Archived from groups: comp.security.firewalls (More info?)
Stuart McGraw <smcg4191zz@friizz.rimoovallzzs.com> wrote:
[NAT attack]
> > Just try it yourself. Take a simple masquerading device, send from outside
> > a spoofed packet, which seems to come from inside, and sniff inside, if the
> > packet is routed. There is enough spoofing software in the wild, so you
> > can hack this simple task with BSD sockets yourself, or you could use
> > ready-made software to generate the packets.
> I'll try if I can, but the only outside network I have access to right now
> is my ISPs and I think they do ingress/egress filtering so I may not be able
> to.
Most ISPs don't.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Archived from groups: comp.security.firewalls (More info?)
Leythos <void@nowhere.lan> wrote:
> You know, a
> generally uncontrolled environment with immature people.
What did you do to educate them?
> Once we took away access to sites that
> didn't meet our business needs, productivity increase almost 130% that
> first month....
This is blacklisting, not whitelisting.
> It's amazing what people will do when they think they are owed access
> and when they think no-one is watching.
This depends on how the working atmosphere is in your company, I think.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Archived from groups: comp.security.firewalls (More info?)
Leythos <void@nowhere.lan> wrote:
> People implementing a NAT only solution, without a real firewall, are
> not secure - as many people have pointed out tunneling and such.
What is a "real firewall"?
> A firewall using NAT does not necessarily permit tunneling once you
> setup the firewall to protect properly.
Oh, yes, it does. It's impossible to deny tunneling without cutting
the cable, i.e. with whitelist filtering.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Archived from groups: comp.security.firewalls (More info?)
Leythos <void@nowhere.lan> wrote:
> Funny, using soap wont allow you to use your workstation to tunnel to
> the SMTP server and then have the SMTP server tunnel outside for you,
> and then bring the traffic back in to you.
Sorry, you're wrong. Of course that works.
> Since the IP of the specific
> SMTP server is all that's permitted outbound and since the firewall
> blocks anything that isn't a proper SMTP message type......
SOAP messages are all proper Internet mail messages. It's just sending
email for transporting RPC or messages, you know.
But SOAP only is an example. You don't need to use SOAP for that. You can
do your own protocol as well.
> Please provide a link that shows how a generic user at a workstation in
> the LAN will be able to tunnel through a SMTP server that they don't
> have permission/access to configure where the outbound from that
> specific IP of the server is the only outbound SMTP permitted in the
> firewall.
If you can send mail to and receive mail from other users in the Internet,
you can tunnel information as content of Internet mail, OK?
And of course, you can find an encoding/decoding to transport what you
want, clear?
So, for example, what Alex does here with his wwwsh: http://copton.net/vortraege/pfw/wwwsh.tar.bz2 can be done also with SMTP, not only with HTTP.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Archived from groups: comp.security.firewalls (More info?)
Leythos <void@nowhere.lan> wrote:
> And most firewalls allow you to block by "category" which means as long
> as the web site for the company is properly setup with its proper meta
> tags for content type, it would be approved, where other sites, without
> the meta tags could be rejected.
Oh, nice, then a free network is very easy to achieve for everyone. Just
use a proxy server outside, and have the right meta tags inserted into
every page which is proxied ;-)
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Archived from groups: comp.security.firewalls (More info?)
Leythos <void@nowhere.lan> wrote:
> I suppose you've never seen NAT setup as 1:1 mode? How about NAT that
> defaults to 1:1 all ports passed inbound?
NAT means "network address translation". Usually, it's a term used for
masquerading (changing insideIP/port to singleIP/otherport dynamically
for giving Internet access to many hosts with one single IP address in
the Internet, also called dynamic NAT) and what is called static NAT
(mapping IP/port to otherIP/otherPort).
What do you mean with "1:1" here?
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
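The distinction Volker draws here between masquerading (dynamic NAT) and static NAT, Leythos's earlier point that 1:1 NAT can pass every port inbound, his remark that a simple NAT router lets all traffic out by default, and the suggestion earlier in the thread of testing a masquerading box with a packet arriving from outside that claims an inside source, can all be shown in one small model. The block below is an added example, not code from any poster or vendor: a hypothetical `NatGateway` class (the class and method names, the addresses, which come from the RFC 5737 documentation ranges, and the port allocation scheme are all assumptions) that forwards constructed packets in either mode, applies an ingress anti-spoof check on the WAN side, and lets everything outbound unless an explicit egress rule is configured.

```python
"""Toy NAT gateway: masquerading versus static 1:1 NAT, plus ingress/egress checks.
Added example; class names, addresses (RFC 5737 ranges) and port choices are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatGateway:
    """mode="masquerade": many private hosts share one public address (dynamic NAT/PAT).
    mode="static": one public address mapped 1:1 to one private address, all ports."""

    def __init__(self, public_ip: str, lan: str, mode: str = "masquerade",
                 static_map: Optional[Dict[str, str]] = None,
                 antispoof: bool = True, egress_block: Optional[Set[int]] = None):
        self.public_ip = public_ip
        self.lan = ip_network(lan)
        self.mode = mode
        self.static_map = static_map or {}          # public ip -> private ip (1:1 mode)
        self.antispoof = antispoof                   # drop WAN packets that claim a LAN source
        self.egress_block = egress_block or set()    # empty = factory default: everything out
        # (public port, proto) -> (private ip, private port), built from outbound flows
        self.table: Dict[Tuple[int, str], Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[str, int, str], int] = {}
        self.next_port = 40000
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN. Only an explicit egress rule stops anything here; NAT itself never does."""
        if pkt.dport in self.egress_block:
            self.log.append("egress rule blocked %s:%d -> %s:%d"
                            % (pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return None
        if self.mode == "static":
            pub = next((p for p, priv in self.static_map.items() if priv == pkt.src), None)
            return None if pub is None else replace(pkt, src=pub)
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.reverse:                  # first packet of a flow: allocate a mapping
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(port, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.reverse[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN."""
        if self.antispoof and ip_address(pkt.src) in self.lan:
            self.log.append("ingress filter dropped WAN packet with LAN source %s" % pkt.src)
            return None
        if self.mode == "static":
            priv = self.static_map.get(pkt.dst)
            # Any port, solicited or not, is forwarded: nothing here is a policy decision
            return None if priv is None else replace(pkt, dst=priv)
        entry = self.table.get((pkt.dport, pkt.proto))
        if entry is None:                            # no mapping: nowhere to deliver it
            self.log.append("no mapping for %s:%d, dropped" % (pkt.dst, pkt.dport))
            return None
        # Full-cone behaviour: any outside host may use an existing mapping. Stricter
        # gateways also match the remote address/port; this toy does not.
        priv_ip, priv_port = entry
        return replace(pkt, dst=priv_ip, dport=priv_port)


if __name__ == "__main__":
    gw = NatGateway("198.51.100.1", "192.168.1.0/24")
    print("masquerade outbound:", gw.outbound(Packet("192.168.1.10", 5000, "203.0.113.5", 80)))
    print("reply delivered to :", gw.inbound(Packet("203.0.113.5", 80, "198.51.100.1", 40000)))
    print("unsolicited port 445:", gw.inbound(Packet("203.0.113.5", 1234, "198.51.100.1", 445)))
    print("spoofed LAN source :", gw.inbound(Packet("192.168.1.1", 1234, "198.51.100.1", 40000)))
    one = NatGateway("198.51.100.1", "192.168.1.0/24", mode="static",
                     static_map={"198.51.100.10": "192.168.1.10"})
    print("1:1 unsolicited 445 :", one.inbound(Packet("203.0.113.5", 1234, "198.51.100.10", 445)))
    print("\n".join(gw.log))
```

What the model makes visible: in masquerade mode an unsolicited inbound packet is dropped only because no table entry exists to deliver it to, which is a side effect of address sharing rather than a security policy; in 1:1 mode there is no such side effect and every port reaches the inside host; in both modes nothing stops a compromised inside host from connecting out on any port until an egress rule is added, and the WAN-side source check is the one place in the model where a packet is refused on purpose.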
Archived from groups: comp.security.firewalls (More info?)
In article <430edbf3@news.uni-ulm.de>, bumens@dingens.org says...
> Leythos <void@nowhere.lan> wrote:
> > You know, a
> > generally uncontrolled environment with immature people.
>
> What did you do to educate them?
All the normal things and then more - were you looking for something
specific?
>
> > Once we took away access to sites that
> > didn't meet our business needs, productivity increase almost 130% that
> > first month....
>
> This is blacklisting, not whitelisting.
We took away sites that were not needed, meaning ALL of them and then
white listed the ones we needed - so, maybe you should not be so petty
in your assumptions - we did both, deny all, white list many.
> > It's amazing what people will do when they think they are owed access
> > and when they think no-one is watching.
>
> This depends on how the working atmosphere is in your company, I think.
Statement means nothing, as it is prevalent in every company that
permits unrestricted and full open access to all of its employees -
human nature is the same everywhere.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
In article <430edc84@news.uni-ulm.de>, bumens@dingens.org says...
> Leythos <void@nowhere.lan> wrote:
> > People implementing a NAT only solution, without a real firewall, are
> > not secure - as many people have pointed out tunneling and such.
>
> What is a "real firewall"?
I'm growing very tired of your short one-liners without any benefit to
the discussion - this definition has been provided in many threads -
please search google for the answer.
>
> > A firewall using NAT does not necessarily permit tunneling once you
> > setup the firewall to protect properly.
>
> Oh, yes, it does. It's impossible to deny tunneling without cutting
> the cable, i.e. with whitelist filtering.
Come on, get off it, tunneling to a place that has no benefit to the
person tunneling isn't really doing anything. Heck, tell me how allowing
HTTP outbound to partnercompany.com is going to help you tunnel into
your home PC.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
In article <430ee183@news.uni-ulm.de>, bumens@dingens.org says...
> Leythos <void@nowhere.lan> wrote:
> > I suppose you've never seen NAT setup as 1:1 mode? How about NAT that
> > defaults to 1:1 all ports passed inbound?
>
> NAT means "network address translation". Usually, it's a term used for
> masquerading (changing insideIP/port to singleIP/otherport dynamically
> for giving Internet access to many hosts with one single IP address in
> the Internet, also called dynamic NAT) and what is called static NAT
> (mapping IP/port to otherIP/otherPort).
>
> What do you mean with "1:1" here?
You don't appear to understand NAT if you think it's just for 1:MANY.
There are many examples of 1:1 NAT, and most firewalls have that option.
What don't you understand about 1:1?
Take PUBLIC IP RANGE, map it 1:1 to another RANGE, that's 1:1.
Look it up.
--
spam999free@rrohio.com
remove 999 in order to email me
Archived from groups: comp.security.firewalls (More info?)
CyberDroog wrote:
> On 23 Aug 2005 16:01:15 -0700, "Nicky" <hackeras@gmail.com> wrote:
>
> >And how can a router be crashed? In what way?
> >Even if it gets amounts of packets trying to break in it would simply
> >reject them and only allow those setup in port redirection.
>
> There have been many well-publicized bugs in various vendors' NAT firmware
> that allowed the device to be crashed. Of course quite often that meant
> that there was no traffic at all, and therefore no risk of intrusion. It
> was just DOS.
Bugs you say, yes.
I am trying to understand what a form of a bug would look like....
A bug in a NAT router would mean some kind of special packets in tandem
that the router won't be able to handle, and then it will crash?!?
So it's a matter of sending those bytes to the router?
Archived from groups: comp.security.firewalls (More info?)
Leythos <void@nowhere.lan> wrote:
> In article <430edbf3@news.uni-ulm.de>, bumens@dingens.org says...
> > Leythos <void@nowhere.lan> wrote:
> > > You know, a
> > > generally uncontrolled environment with immature people.
> > What did you do to educate them?
> All the normal things and then more - were you looking for something
> specific?
Usually, security can be greatly improved by educating users. This is
why I'm asking.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Archived from groups: comp.security.firewalls (More info?)
Leythos <void@nowhere.lan> wrote:
> In article <430edc84@news.uni-ulm.de>, bumens@dingens.org says...
> > Leythos <void@nowhere.lan> wrote:
> > > People implementing a NAT only solution, without a real firewall, are
> > > not secure - as many people have pointed out tunneling and such.
> > What is a "real firewall"?
> I'm growing very tired of your short one-liners without any benefit to
> the discussion - this definition has been provided in many threads -
> please search google for the answer.
I think, to talk about "real firewalls" (and maybe "wrong" ones) only is
window-dressing, so I had the hope, that you mean something sensible with
it. But with that I stand corrected.
> > > A firewall using NAT does not necessarily permit tunneling once you
> > > setup the firewall to protect properly.
> > Oh, yes, it does. It's impossible to deny tunneling without cutting
> > the cable, i.e. with whitelist filtering.
> Come on, get off it, tunneling to a place that has no benefit to the
> person tunneling isn't really doing anything. Heck, tell me how allowing
> HTTP outbound to partnercompany.com is going to help you tunnel into
> your home PC.
If you have no access into the Internet, then tunneling through the
Internet is not possible, unless someone at partnercompany.com helps
you with a gateway.
But we're talking here about security if you do have network, I think.
Why are you insisting in scenarios, where no network communication to the
Internet exists?
Yours,
VB.
--
"It cannot be that the frustrated in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
Archived from groups: comp.security.firewalls
Leythos <void@nowhere.lan> wrote:
> > What do you mean with "1:1" here?
> You don't appear to understand NAT if you think it's just for 1:MANY.
I don't think so. And I think, that I have understood NAT, thank you.
I feel secure enough to implement my own NAT code.
> There are many examples of 1:1 NAT, and most firewalls have that option.
> What don't you understand about 1:1?
> tape PIBLIC IP RANGE, map it 1:1 to another RANGE, that's 1:1.
Ah, you mean static NAT with just translating one IP address into another.
Thank you for your explanation, what you mean.
Yours,
VB.
--
"It cannot be that the frustrated in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
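To make the distinction drawn in this exchange concrete, here is an added Python model (not code from either poster) of static 1:1 NAT beside masquerading (1:MANY). It shows why NAT by itself is not a filter: the static mapping forwards any unsolicited packet straight to the internal host, and the masquerading device drops unsolicited packets only because it has no translation state for them. All addresses, ports and the 4-tuple packet shape are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple standing in for an IP/TCP packet; all values are constructed."""
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """1:1 (static) NAT: one internal address is rewritten to one public address
    and back again. No connection state is involved, so an unsolicited packet
    arriving for a mapped public address is forwarded straight to the host."""

    def __init__(self, mapping):
        self.to_public = dict(mapping)                          # internal -> public
        self.to_internal = {v: k for k, v in mapping.items()}   # public -> internal

    def outbound(self, p):
        return Packet(self.to_public[p.src], p.sport, p.dst, p.dport)

    def inbound(self, p):
        internal = self.to_internal.get(p.dst)
        if internal is None:
            return None                  # no mapping for this public address
        return Packet(p.src, p.sport, internal, p.dport)


class Masquerade:
    """1:MANY NAT (masquerading / PAT): every internal host shares one public
    address; inbound packets are translated only if an outbound flow created
    state for them. Unsolicited inbound traffic is dropped for lack of a
    translation, which is a side effect rather than a filtering policy."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flow_to_port = {}   # (src, sport, dst, dport) -> public source port
        self.port_to_flow = {}   # public source port -> original flow

    def outbound(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        port = self.flow_to_port.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flow_to_port[flow] = port
            self.port_to_flow[port] = flow
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        if p.dst != self.public_ip:
            return None
        flow = self.port_to_flow.get(p.dport)
        if flow is None:
            return None                  # no state: nothing to translate
        src, sport, dst, dport = flow
        if (p.src, p.sport) != (dst, dport):
            return None                  # a reply must come from the flow's peer
        return Packet(p.src, p.sport, src, sport)


def demo():
    """Run both NAT styles over the same traffic; returns the inbound verdicts."""
    # Constructed addresses: one LAN host, a public range and an outside peer.
    static = StaticNat({"192.168.1.10": "203.0.113.10"})
    masq = Masquerade("203.0.113.1")

    unsolicited_static = Packet("198.51.100.7", 4444, "203.0.113.10", 22)
    unsolicited_masq = Packet("198.51.100.7", 4444, "203.0.113.1", 22)

    out = masq.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = Packet("198.51.100.7", 80, "203.0.113.1", out.sport)

    return {
        "static_unsolicited": static.inbound(unsolicited_static),  # forwarded
        "masq_unsolicited": masq.inbound(unsolicited_masq),        # None
        "masq_reply": masq.inbound(reply),                         # translated
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The masquerading table here keys only on the public port and the peer; a real device also expires entries and tracks protocol state, but the point stands either way: whether an inbound packet reaches a host is decided by the presence of a mapping, not by any rule about who is allowed in.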
Archived from groups: comp.security.firewalls
Volker Birk wrote:
> Just try it yourself. Take a simple masquerading device, send from outside
> a spoofed packet, which seems to come from inside,
Ummm, how can a packet sent directly from the Internet have as
source address an IP address of an internal LAN host?
I don't see how this is possible.
The source address of the packet would be the one that the sending
remote host would have!
Can you please explain?
> and sniff inside, if the
> packet is routed. There is enough spoofing software in the wild, so you
> can hack this simple task with BSD sockets yourself, or you could use
> ready-made software to generate the packets.
> This is monkey business. The reason is that they did not understand TCP,
> IP or ICMP, because:
>
> If there is really no computer at a specific IP address, you're getting
> a packet back!
>
> Why?
>
> The router before the non-existing PC then is sending an ICMP packet,
> either which means "no computer here", or which means "the complete
> network is not here, so there cannot be a computer" (ICMP destination
> unreachable message with code 0 or 1, see RFC 792, STD 0005).
>
> So getting no information back is a sure sign that there _is_ a computer
> on the other side, and it's running braindead "security" software like
> Zonealarm ;-)
Well yes, but what if a router also doesn't exist at the specific IP
address and in general there is no host at all?
Then we will have no reply back at all since there is no one to respond
as the RFC suggests.
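Taking up the spoofing question in this post and the ICMP discussion quoted above, the following added Python example (not code from any poster) shows the defender's side. The source address field of an IP datagram is simply written by whoever builds the packet, so a datagram arriving from the Internet can claim any source; what stops it is an ingress anti-spoofing check on the gateway's outside interface that refuses packets claiming an internal or otherwise unroutable source (the RFC 2827 approach). The block also decodes ICMP Destination Unreachable messages, including codes 0 and 1 from RFC 792 that the quoted text refers to. The LAN prefix, addresses and datagrams are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network, ip_address

# Hypothetical LAN behind the gateway: any packet claiming one of these sources
# on the WAN side is spoofed by definition.
INTERNAL_PREFIXES = [IPv4Network("192.168.1.0/24")]

# Sources that never legitimately arrive from the Internet (RFC 1918, loopback, "this" net).
BOGON_PREFIXES = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
    IPv4Network("127.0.0.0/8"),
    IPv4Network("0.0.0.0/8"),
]

# ICMP Destination Unreachable (type 3) codes as defined in RFC 792.
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
}

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 datagram (constructed test input; checksum left zero)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(data):
    """Parse the fixed IPv4 header and return the fields the checks below need."""
    ver_ihl, _tos, _total, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "payload": data[ihl:]}


def ingress_verdict(data, iface):
    """Anti-spoofing ingress check: on the WAN interface, drop packets whose
    source claims to be inside the LAN or is otherwise never routable."""
    src = ip_address(parse_ipv4(data)["src"])
    if iface == "wan":
        if any(src in net for net in INTERNAL_PREFIXES):
            return "drop: internal source address arriving on WAN"
        if any(src in net for net in BOGON_PREFIXES):
            return "drop: private/bogon source address on WAN"
    return "accept"


def classify_icmp_unreachable(data):
    """Return the RFC 792 meaning of an ICMP Destination Unreachable message,
    or None if the datagram is not one."""
    pkt = parse_ipv4(data)
    if pkt["proto"] != 1 or len(pkt["payload"]) < 2:
        return None
    icmp_type, code = pkt["payload"][0], pkt["payload"][1]
    if icmp_type != 3:
        return None
    return ICMP_UNREACHABLE_CODES.get(code, f"unreachable, code {code}")


if __name__ == "__main__":
    spoofed = build_ipv4("192.168.1.10", "192.168.1.20", 6)
    print("spoofed on wan:", ingress_verdict(spoofed, "wan"))
    print("same packet on lan:", ingress_verdict(spoofed, "lan"))
    unreach = build_ipv4("198.51.100.1", "203.0.113.5", 1, bytes([3, 1, 0, 0]))
    print("icmp:", classify_icmp_unreachable(unreach))
```

The same datagram is accepted on the LAN interface and dropped on the WAN interface, which is the whole point: the verdict depends on where the packet arrived, not on what its source field says. A masquerading device that applies no such check will happily look up the spoofed source in its translation table like any other packet.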