Netgear portscanning me?
on 03.09.2007 18:43:24 by Tam
I have a Netgear DG834 v2 adsl modem/router.
It works well.
My question is why would my local Norton firewall report that the
router portscanned me? The report says that network traffic from the
netgear matches the signature of a known attack.
Attacking Computer : 192.168.0.1, 53
Action Taken : Block
Destination Address : 192.168.0.2, 55841
Traffic Description : UDP, 53
Am I right in guessing that the, e.g. 53, is a port? And isn't port 53
used for DNS? What is the netgear doing and should I be worried?
Thanks for any light shed on this.
Re: Netgear portscanning me?
on 03.09.2007 19:01:09 by unknown
Post removed (X-No-Archive: yes)
Re: Netgear portscanning me?
on 03.09.2007 19:42:12 by Tam
> Your PC sent a DNS request to the router. The router sent back a reply.
> It is normal.
>
> PS. Norton often - specifically, stuff designed for home users - often
> causes problems. For 99% of people who don't need/want to monitor or
> block outgoing data, the in-built Windows (XP SP2/Vista) firewall works
> fine. A firewall isn't usually necessary if you are behind a NAT router,
> as it likely has its own firewall.
From the little I know of firewalls... if my computer *had* sent a
request to the router then it would of course pass through the Norton
firewall. In that case the firewall should 'remember' that the request
was sent and handle the reply when it comes. It is stored in the state
table, huh?
Which would make the communication Norton reported totally
unsolicited? Am I off the mark here?
Also... I do like to run a local firewall in addition to the firewall
built into the router. It's handy for monitoring what is going out and
will alert me to programs x, y and z trying to access the net, which is
handy indeed for programs/spyware that are communicating with the
outside world (or attempting to... off with its head :))
Re: Netgear portscanning me?
on 04.09.2007 03:48:24 by ibuprofin
On Mon, 03 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1188841332.666788.76970@w3g2000hsg.googlegroups.com>, Tam wrote:
>> Your PC sent a DNS request to the router. The router sent back a reply.
>> It is normal.
Almost correct. The PC sent a DNS request. The router isn't a full
source of information about everything in the world, and has to pass
the request along to others. This takes time. Norton figured after a
second or two that it wasn't going to get an answer, and marked that
connection attempt as dead. When the router finally did get an answer
and responded, Norton had forgotten that it had asked, and wanting to
impress the O/P, announced that it has BLOCKED AN ATTACK!!!
>> PS. Norton often - specifically, stuff designed for home users - often
>> causes problems.
This is mainly because Norton was set in the most paranoid mode. The
world isn't as simple as the paranoid mode requires, and Norton winds
up looking like the "boy who cried wolf".
>> A firewall isn't usually necessary if you are behind a NAT router,
>> as it likely has its own firewall.
Agreed, but how is Norton supposed to sell crap if that were the case?
>From the little I know of firewalls... if my computer *had* sent a
>request to the router then it would of course pass through norton
>firewall. In that case the firewall should 'remember' that the request
>was sent and handle the reply when it comes. It is stored in the state
>table huh?
Yes, but only for a limited time. Whoever configured the firewall
set the time too short. You could file a bug report with Norton, and
maybe they'll look into correcting the problem. (I doubt it, as this
problem has been going on for years - you need only use the search
engine you are posting from as a search engine.)
Web Results 1 - 10 of about 226,000 for Norton blocked attack 53 UDP.
(0.12 seconds)
>Which would make the communication the Norton reported as totally
>unsolicited? Am I off the mark here?
No, it merely means that Norton has been configured to forget things
that don't happen right away. If you read the RFCs (for example, section
5.1 of RFC1034), you might find that a DNS response can literally take
several seconds. The industry standard nameserver (ISC BIND) is normally
set for a five second timeout. You must understand that every server
in the world isn't waiting patiently to serve only you. As of the
middle of last month, there are 82,000 networks in the world which
translates to about a quarter million name servers - do you know the
right one to ask your question? Oh, and there are about 2,533,552,588
IPv4 (the kind you are using) addresses to keep track of.
>Also... i do like to run a local firewall in addition to the firewall
>built into the router. Its handy for monitoring what is going out and
>will alert me to x y and z program trying to access the net which is
>handy indeed for programs/spyware that is communicating with the
>outside world (or, attempting to... off with its head :))
Why are you installing spyware, viruses, and other trojans? Or do you
think there is a "Malware Fairy" that flutters by, waves her magic
wand when you aren't looking, and Hey Presto, your computer is infected?
Old guy
Re: Netgear portscanning me?
on 04.09.2007 22:35:48 by Wolfgang Kueter
Moe Trin wrote:
> Tam wrote:
>>From the little I know of firewalls... if my computer *had* sent a
>>request to the router then it would of course pass through norton
>>firewall. In that case the firewall should 'remember' that the request
>>was sent and handle the reply when it comes. It is stored in the state
>>table huh?
>
> Yes, but only for a limited time. Who ever configured the firewall
> set the time to short.
Though I regard Norton as complete and useless crap I do admit that finding
acceptable timeout values for UDP answer packets is a bit of a problem
for any stateful packet filter implementation because UDP is a
stateless protocol. TCP connections are easier to handle for a filter
because of flags and sequence numbers.
Wolfgang
Re: Netgear portscanning me?
on 04.09.2007 23:22:34 by Chuck
Kris wrote:
> Tam writes:
>> My question is why would my local norton fireall report that the
>> router portscanned me? The report says that network traffic from the
>> netgear matches the signature of a known attack.
>>
>> Attacking Computer : 192.168.0.1, 53
>> Action Taken : Block
>> Destination Address : 192.168.0.2, 55841
>> Traffic Description : UDP, 53
>>
>> Am I right in guessing that the, e.g. 53, is a port? And isnt port 53
>> used for DNS? What is the netgear doing and should I be worried?
>>
>> Thanks for any light shed on this.
>
> Your PC sent a DNS request to the router. The router sent back a reply.
> It is normal.
>
> PS. Norton often - specifically, stuff designed for home users - often
> causes problems. For 99% of people who don't need/want to monitor or
> block outgoing data, the in-built Windows (XP SP2/Vista) firewall works
> fine. A firewall isn't usually necessary if you are behind a NAT router,
> as it likely has its own firewall.
Having a 2nd firewall secures your PC and limits the spread of any
malware should it ever get behind the NAT firewall. If you don't have
wireless and never allow a laptop on your network it's probably not an
issue. But imagine a laptop that gets infected while somewhere else,
then connects to your network. If you're relying solely on the NAT
firewall, your whole network just got compromised.
Or imagine all those poor saps who thought WEP would secure their
wireless LAN. Anyone driving by with the right software, could get
behind the NAT firewall in minutes.
IMO every computer on the network should have its own firewall in
addition to the NAT firewall.
Re: Netgear portscanning me?
on 05.09.2007 06:53:45 by Volker Birk
Chuck wrote:
> Having a 2nd firewall secures your PC and limits the spread of any
> malware should it ever get behind the NAT firewall.
Unfortunately no.
> IMO every computer on the network should have it's own firewall in
> addition to the NAT firewall.
Better configure your systems correctly.
Yours,
VB.
--
"Care must be taken that the Basic Law is not protected with methods
that run counter to its purpose and its spirit."
Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"
Re: Netgear portscanning me?
on 05.09.2007 16:02:11 by Chuck
Volker Birk wrote:
> Chuck wrote:
>> Having a 2nd firewall secures your PC and limits the spread of any
>> malware should it ever get behind the NAT firewall.
>
> Unfortunately no.
>
>> IMO every computer on the network should have it's own firewall in
>> addition to the NAT firewall.
>
> Better configure your systems correctly.
>
> Yours,
> VB.
Double firewalling is standard industry practice. Do you disagree? If so
I hope you are not working as a network administrator.
Re: Netgear portscanning me?
on 05.09.2007 16:51:35 by Volker Birk
Chuck wrote:
> Double firewalling is standard industry practice. Do you disagree?
Yes.
Especially the "Personal Firewall" nonsense is counter-productive. I
don't have any problems with the Windows Firewall, though, if it's
configured correctly.
> If so
> I hope you are not working as a network administrator.
I do not. I'm CTO ;-)
Yours,
VB.
Re: Netgear portscanning me?
on 05.09.2007 17:01:15 by Ansgar -59cobalt- Wiechers
Chuck wrote:
> Volker Birk wrote:
>> Chuck wrote:
>>> Having a 2nd firewall secures your PC and limits the spread of any
>>> malware should it ever get behind the NAT firewall.
>>
>> Unfortunately no.
>>
>>> IMO every computer on the network should have it's own firewall in
>>> addition to the NAT firewall.
>>
>> Better configure your systems correctly.
>
> Double firewalling is standard industry practice.
To achieve what? Aside from increased sales for personal firewall
vendors, that is.
> Do you disagree?
Well, I for one most certainly do.
> If so I hope you are not working as a network administrator.
M-hm. You have some arguments to go with that opinion of yours?
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Netgear portscanning me?
on 05.09.2007 17:38:06 by Chuck
Ansgar -59cobalt- Wiechers wrote:
> Chuck wrote:
>> Volker Birk wrote:
>>> Chuck wrote:
>>>> Having a 2nd firewall secures your PC and limits the spread of any
>>>> malware should it ever get behind the NAT firewall.
>>> Unfortunately no.
>>>
>>>> IMO every computer on the network should have it's own firewall in
>>>> addition to the NAT firewall.
>>> Better configure your systems correctly.
>> Double firewalling is standard industry practice.
>
> To achieve what? Aside from increased sales for personal firewall
> vendors, that is.
>
>> Do you disagree?
>
> Well, I for one most certainly do.
>
>> If so I hope you are not working as a network administrator.
>
> M-hm. You have some arguments to go with that opinion of yours?
Arguments? Sure. Any PC on your LAN that does not have a software
firewall is vulnerable if any other machine gets infected with a WORM
or gets hacked. It's that simple. Remember that DNS corrupting worm from
about 2 years ago? An awful lot of network admins learned the hard way
about double firewalling that day, didn't they?
You can choose to disagree that double firewalling is not standard
industry practice but that does not change the fact that it is. A simple
google of "is double firewalling a standard industry practice" returns
over a million hits.
Re: Netgear portscanning me?
on 05.09.2007 18:41:29 by Ansgar -59cobalt- Wiechers
Chuck wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Chuck wrote:
>>> Double firewalling is standard industry practice.
>>
>> To achieve what? Aside from increased sales for personal firewall
>> vendors, that is.
>>
>>> Do you disagree?
>>
>> Well, I for one most certainly do.
>>
>>> If so I hope you are not working as a network administrator.
>>
>> M-hm. You have some arguments to go with that opinion of yours?
>
> Arguments? Sure. Any PC on your LAN that does not have a software
> firewall is vulnerable if any other machine gets infected with a WORM
> or gets hacked.
So tell me: how did that other machine get hacked or infected with a
worm in the first place? And how does the software firewall protect the
ports you need to be open in your LAN? (because most certainly any other
port would be closed and thus not exploitable, wouldn't it?)
> It's that simple.
Frankly, no, it ain't.
> Remember that DNS corrupting worm from about 2 years ago?
No. What "DNS corrupting worm" are you talking about?
> An awful lot of network admins learned the hard way about double
> firewalling that day didn't they?
M-hm. In my network the systems are kept up to date, they don't have
services running they're not supposed to, and the network is properly
segmented with firewalls on the boundaries. So tell me again: what
exactly do I need double firewalling for? Other than increasing the
vendors' revenue, my network's complexity, and my own workload?
> You can chose to disagree that double firewalling is not standard
> industry practice but that does not change the fact that it is. A
> simple google of "is double firewalling a standard industry practice"
> returns over a million hits.
A million flies ...
cu
59cobalt
Re: Netgear portscanning me?
on 05.09.2007 20:37:38 by Volker Birk
Chuck wrote:
> Any PC on your LAN that does not have a software
> firewall is vulnerable if any other machine gets infected with a WORM
> or gets hacked. It's that simple.
It's just simply wrong.
Yours,
VB.
Re: Netgear portscanning me?
on 05.09.2007 20:41:35 by Chuck
Ansgar -59cobalt- Wiechers wrote:
> Chuck wrote:
>> Ansgar -59cobalt- Wiechers wrote:
>>> Chuck wrote:
>>>> Double firewalling is standard industry practice.
>>> To achieve what? Aside from increased sales for personal firewall
>>> vendors, that is.
>>>
>>>> Do you disagree?
>>> Well, I for one most certainly do.
>>>
>>>> If so I hope you are not working as a network administrator.
>>> M-hm. You have some arguments to go with that opinion of yours?
>> Arguments? Sure. Any PC on your LAN that does not have a software
>> firewall is vulnerable if any other machine gets infected with a WORM
>> or gets hacked.
>
> So tell me: how did that other machine get hacked or infected with a
> worm in the first place? And how does the software firewall protect the
> ports you need to be open in your LAN? (because most certainly any other
> port would be closed and thus not exploitable, wouldn't it?)
>
>> It's that simple.
>
> Frankly, no, it ain't.
>
>> Remember that DNS corrupting worm from about 2 years ago?
>
> No. What "DNS corrupting worm" are you talking about?
>
>> An awful lot of network admins learned the hard way about double
>> firewalling that day didn't they?
>
> M-hm. In my network the systems are kept up to date, they don't have
> services running they're not supposed to, and the network is properly
> segmented with firewalls on the boundaries. So tell me again: what
> exactly do I need double firewalling for? Other than increasing the
> vendors' revenue, my network's complexity, and my own workload?
>
>> You can chose to disagree that double firewalling is not standard
>> industry practice but that does not change the fact that it is. A
>> simple google of "is double firewalling a standard industry practice"
>> returns over a million hits.
>
> A million flies ...
>
> cu
> 59cobalt
You've obviously not been in IT very long.
Re: Netgear portscanning me?
on 05.09.2007 20:55:58 by Chuck
Ansgar -59cobalt- Wiechers wrote:
> Chuck wrote:
>> Ansgar -59cobalt- Wiechers wrote:
>>> Chuck wrote:
>>>> Double firewalling is standard industry practice.
>>> To achieve what? Aside from increased sales for personal firewall
>>> vendors, that is.
>>>
>>>> Do you disagree?
>>> Well, I for one most certainly do.
>>>
>>>> If so I hope you are not working as a network administrator.
>>> M-hm. You have some arguments to go with that opinion of yours?
>> Arguments? Sure. Any PC on your LAN that does not have a software
>> firewall is vulnerable if any other machine gets infected with a WORM
>> or gets hacked.
>
> So tell me: how did that other machine get hacked or infected with a
> worm in the first place? And how does the software firewall protect the
> ports you need to be open in your LAN? (because most certainly any other
> port would be closed and thus not exploitable, wouldn't it?)
>
>> It's that simple.
>
> Frankly, no, it ain't.
>
>> Remember that DNS corrupting worm from about 2 years ago?
>
> No. What "DNS corrupting worm" are you talking about?
>
>> An awful lot of network admins learned the hard way about double
>> firewalling that day didn't they?
>
> M-hm. In my network the systems are kept up to date, they don't have
> services running they're not supposed to, and the network is properly
> segmented with firewalls on the boundaries. So tell me again: what
> exactly do I need double firewalling for? Other than increasing the
> vendors' revenue, my network's complexity, and my own workload?
>
>> You can chose to disagree that double firewalling is not standard
>> industry practice but that does not change the fact that it is. A
>> simple google of "is double firewalling a standard industry practice"
>> returns over a million hits.
>
> A million flies ...
>
> cu
> 59cobalt
The OP was talking about a SOHO network with a single switch/router. One
segment only. In such an environment double firewalling is essential if
there is the possibility of an infected PC being added to the network.
The worm I was referring to is documented here:
http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html
I referred to it incorrectly as a DNS corrupting worm because in the
environment where I work it was windows 2000 based DNS servers that were
affected. The point however is still valid. If these servers had been
properly firewalled they would not have been affected.
Re: Netgear portscanning me?
on 05.09.2007 21:40:30 by Volker Birk
Chuck wrote:
> Ansgar -59cobalt- Wiechers wrote:
[...]
> You've obviously not been in IT very long.
Amusing. You're talking about a person who probably has more
experience and deeper insights than most of the people here in the group,
with small exceptions.
In German: "Jeder macht sich so lächerlich, wie er kann."
Trying to translate that for you: "You're making a fool out
of yourself as good as you can" ;-)
Chuck, perhaps you could work on your arguments a little bit. Maybe
they're not as close to perfect as they could be :-))
Yours,
VB.
Re: Netgear portscanning me?
on 05.09.2007 21:56:21 by Volker Birk
Chuck wrote:
> http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html
> I referred to it incorrectly as a DNS corrupting worm because in the
> environment where I work it was windows 2000 based DNS servers that were
> affected. The point however is still valid. If these servers had been
> properly firewalled they would not have been affected.
If these servers hadn't offered network services to the Internet that
they should not offer, no firewalls would have been needed.
These worms are why I hacked http://www.dingens.org at this time.
The problem is not that those servers needed firewalling. The problem
is that Microsoft failed and has to answer for all this damage,
because it's completely moronic to offer unneeded network services
which are potentially vulnerable, and to make this the default and even
make it complicated to stop that.
To be clear:
What we're talking about is worm-rbot.cbq.
| Name > W32/Rbot-CBQ
| Type * Worm
| How it spreads * Network shares
| Affected operating systems * Windows
BTW:
| What this worm has to do with DNS * completely nothin' ;-)
It's completely idiotic to enable network shares to the Internet. Just
disable them => no firewalling needed.
Yours,
VB.
Re: Netgear portscanning me?
on 05.09.2007 22:01:05 by ibuprofin
On Tue, 04 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Wolfgang Kueter wrote:
>Moe Trin wrote:
>> Tam wrote:
>>> In that case the firewall should 'remember' that the request was sent
>>> and handle the reply when it comes. It is stored in the state table
>>> huh?
>>
>> Yes, but only for a limited time. Who ever configured the firewall
>> set the time to short.
>
>Though I regard Norton as complete and useless crap I do admit that finding
>acceptable timeout values for UDP answer packets is a bit of a problem
>for any stateful packet filter implementation because UDP is a
>stateless protocol.
The timeout IF YOU FEEL THAT YOU NEED THIS should be based on the way
DNS works, not the way UDP works. A sane resolver setup will try to
query a name server and wait a few seconds for a reply of some kind. It
is possible, that the server queried MIGHT be down at the moment. In *nix,
this query is allowed to wait five seconds before the resolver tries a
second query to a different server. If the second (and possible third)
query fails, the resolver again tries the "first" name server, and
this time waits twice as long - ten seconds. Is that a realistic
timeout for a firewall? Probably not, but it's a hint from people who
know how the Domain Name Service works.
Except in special circumstances, ALL DNS traffic uses UDP, which is a
connectionless protocol. At the protocol level, there is no indication
that a remote system has replied to you, and no indication to the remote
system that you received OR DID NOT RECEIVE a packet it sent. Thus, all
timeouts are handled by the _application_ and not the UDP network.
The other problem users never think about is that no name server knows
about all hosts. When your resolver "asks a question", the name server
you ask will look to see if it knows the answer (is the data cached).
If not, it has to ask from the root domain on down in a multi-step
process. The question "what is the address of FOO.BAR.BAZ.QUX.COM"
starts by asking one of the root servers - the reply comes back
".COM - ask the .com nameservers at [3 to 12 possible IP addresses]".
Your name server asks one of those, and gets told ".QUX.COM - ask the
qux.com name servers at [2 or more addresses]". Your name server asks
one of them, and is told to ask the .baz.qux.com nameservers at another
set of addresses - and when you finally find the addresses of the
.bar.baz.qux.com nameservers, THEY will tell you the IP address you have
been searching for. In this case, that's five UDP packet exchanges
that have to work. (In fact, most name servers have cached at least
many of the addresses of the top level name servers, so you can probably
skip that first query.)
Those users who are in domains like demon.co.uk, t-ipnet.de, tiscali.fr
and similar may realize that not all of the world is a .com or .net or
similar. In fact, there are 8 top-level domains with four letters (such
as .info or .arpa), 12 top-level domains with three letters (such as
.com or .edu), and 253 top-level domains of two letters. There are also
two (rarely used) top-level domains of SIX letters (.museum and .travel)
for a total of 275 top level domains in official Internet namespace.
>TCP connections are easier to handle for a filter because of flags and
>sequence numbers.
See RFC1035 - the headers of a DNS query and response have a sequence
number in the first two octets of the query and response. These
so-called firewalls _could_ inspect those numbers if they wanted to,
but that's too much work. Likewise, this crap software screams about
attacks, and they _could_ do something to protect the user from
further attacks by simply blocking the "attacking" host for an hour or
two - wonder why the brane-ded a$$holes who create these programs didn't
implement that. Maybe they know they are lying when they report this
stuff as an attack. Too bad the users don't understand the joke.
Old guy
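The behaviour Moe Trin describes in his two posts (the first one: Norton forgot the pending query before the slow recursive answer came back and reported the reply as an attack; the second one: a filter could also check the DNS ID in the first two octets of the header per RFC1035), as an added example that is not part of the original thread. It is a small stateful UDP filter with a pending-query table and a configurable timeout, fed with DNS packets built here. The addresses and ports are the ones from the original report (192.168.0.2:55841 asking 192.168.0.1:53); the query name www.example.com, the transaction ID 0x1a2b, the 2.5 second reply delay and the two timeout values are constructed assumptions for the simulation, not values from the thread.

```python
"""Stateful UDP/DNS tracking with a configurable timeout (added example).

A filter remembers each outbound DNS query as (src, sport, dst, dport, ID)
with an expiry time.  A reply is allowed only if it matches a remembered
query that has not yet expired.  With a 1 s timeout a reply that takes
2.5 s (normal for a cold recursive lookup) is reported as "unsolicited",
which is the log line the original poster saw; with a BIND-style 5 s
timeout the same reply is allowed.  Matching on the transaction ID also
drops a reply whose ID does not match, even inside the window.
"""
import struct


def build_query(txid, name, qtype=1):
    """Minimal DNS query: 12-byte header (RFC 1035 s4.1.1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def build_response(query, addr):
    """Answer `query` with one A record; ID and question are copied from it."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; ANCOUNT=1
    question = query[12:]
    rr = (b"\xc0\x0c"                                   # pointer to the question name
          + struct.pack("!HHIH", 1, 1, 300, 4)          # TYPE A, CLASS IN, TTL 300, RDLENGTH 4
          + bytes(int(octet) for octet in addr.split(".")))
    return header + question + rr


def dns_id_and_qr(payload):
    """Return (transaction ID, is_response) from the first four header octets."""
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR is the top bit of the flags word


class UdpStateTable:
    """Pending DNS queries keyed by 5-tuple plus transaction ID, with expiry."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.pending = {}  # (src, sport, dst, dport, txid) -> expiry time

    def outbound(self, now, src, sport, dst, dport, payload):
        txid, is_response = dns_id_and_qr(payload)
        if dport == 53 and not is_response:
            self.pending[(src, sport, dst, dport, txid)] = now + self.timeout
        return ("ALLOW", "outbound")

    def inbound(self, now, src, sport, dst, dport, payload):
        txid, _ = dns_id_and_qr(payload)
        key = (dst, dport, src, sport, txid)  # the outbound tuple, reversed
        expiry = self.pending.pop(key, None)
        if expiry is None:
            return ("BLOCK", "no matching query (forged ID or never sent)")
        if now > expiry:
            return ("BLOCK", f"query forgotten after {self.timeout:g}s, reply came at {now:g}s")
        return ("ALLOW", "matches pending query")


def simulate(timeout, reply_delay, forged_id=None):
    """Run the original poster's exchange through a table with `timeout` seconds.

    Returns the (verdict, reason) the filter gives the router's reply.
    """
    fw = UdpStateTable(timeout)
    pc, router = "192.168.0.2", "192.168.0.1"          # addresses from the report
    query = build_query(0x1A2B, "www.example.com")      # constructed query
    fw.outbound(0.0, pc, 55841, router, 53, query)
    if forged_id is not None:                            # reply with a wrong ID
        query = struct.pack("!H", forged_id) + query[2:]
    reply = build_response(query, "192.0.2.10")          # constructed answer
    return fw.inbound(reply_delay, router, 53, pc, 55841, reply)


if __name__ == "__main__":
    print("1s timeout, 2.5s reply:", simulate(1.0, 2.5))
    print("5s timeout, 2.5s reply:", simulate(5.0, 2.5))
    print("5s timeout, forged ID :", simulate(5.0, 0.1, forged_id=0x9999))
```

The first line printed is the original poster's situation: nothing was attacking, the state entry just aged out before the recursive lookup finished. The third line is what a filter gains by also checking the ID, which is the point Moe Trin makes about RFC1035.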
Re: Netgear portscanning me?
on 05.09.2007 23:25:20 by Ansgar -59cobalt- Wiechers
Chuck wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Chuck wrote:
>>> Arguments? Sure. Any PC on your LAN that does not have a software
>>> firewall is vulnernable if any other machine gets infected with a
>>> WORM or gets hacked.
>>
>> So tell me: how did that other machine get hacked or infected with a
>> worm in the first place? And how does the software firewall protect
>> the ports you need to be open in your LAN? (because most certainly
>> any other port would be closed and thus not exploitable, wouldn't
>> it?)
These questions still stand.
[...]
>>> Remember that DNS corrupting worm from about 2 years ago?
>>
>> No. What "DNS corrupting worm" are you talking about?
[...]
> The OP was talking about a SOHO network with a single switch/router.
> One segment only. In such an environment double firewalling is
> essential if there is the possibility of an infected PC being added to
> the network.
I fail to see what kind of threat that "infected PC" would pose to
properly configured and patched systems on the same network segment.
Please elaborate.
> The worm I was referring to is documented here:
>
> http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html
>
> I referred to it incorrectly as a DNS corrupting worm because in the
> environment where I work it was windows 2000 based DNS servers that
> were affected. The point however is still valid. If these servers had
> been properly firewalled they would not have been affected.
That was a Zotob variant. Microsoft released a patch for the exploited
vulnerability a week earlier, and filtering that crap at the network
boundary would most certainly have prevented an infection (see MS
Security Bulletin MS05-039 [1], section "Vulnerability Details"). I fail
to see any need for personal firewalls on any computer in the LAN
because of this.
[1] http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
cu
59cobalt
Re: Netgear portscanning me?
on 06.09.2007 07:51:24 by Sebastian Gottschalk
Chuck wrote:
> Arguments? Sure. Any PC on your LAN that does not have a software
> firewall is vulnernable if any other machine gets infected with a WORM
> or gets hacked.
Not mine, neither any I have configured. Why should it?
> Remember that DNS corrupting worm from about 2 years ago?
I don't remember running an unpatched Microsoft DNS server. I can only
remember running an always patched and well-secured BIND, and that's just
because of my special needs.
> An awful lot of network admins learned the hard way
> about double firewalling that day didn't they?
No, they didn't.
> A simple google of "is double firewalling a standard industry practice" returns
> over a million hits.
A search for "kill all jews" also returns over a million hits. You command, Sir!
Re: Netgear portscanning me?
on 06.09.2007 07:52:36 by Sebastian Gottschalk
Chuck wrote:
> Ansgar -59cobalt- Wiechers wrote:
> You've obviously not been in IT very long.
At any rate, it seems that if you have been in IT very long, you had a long
time doing wrong/stupid things.
Re: Netgear portscanning me?
on 06.09.2007 07:54:53 by Sebastian Gottschalk
Chuck wrote:
> The OP was talking about a SOHO network with a single switch/router. One
> segment only. In such an environment double firewalling is essential if
> there is the possibility of an infected PC being added to the network.
Now speak after me: - D M Z
- host pro tec tion
> If these servers had been
> properly firewalled they would not have been affected.
If these servers had been properly patched they would not have been affected.
Anyway, we'll try it again: - D M Z
- host pro tec tion
- I P sec
Re: Netgear portscanning me?
on 06.09.2007 10:19:51 by unknown
Post removed (X-No-Archive: yes)
Re: Netgear portscanning me?
on 06.09.2007 12:21:25 by john toynbee
On Thu, 06 Sep 2007 08:19:51 +0000, Juergen Nieveler wrote:
> Chuck wrote:
>
>> Double firewalling is standard industry practice. Do you disagree? If
>> so I hope you are not working as a network administrator.
>
> Host-based packet filters are usually only used on machines that
> sometimes get connected directly to the Internet (Laptops, usually).
>
> The only other instance of "double-firewalling" I know off in the
> industry is a firewall with a DMZ between two packet filters - not to be
> confused with any "desktop firewall".
>
> "Desktop firewalls" usually are a support nightmare, as they prevent IT
> from doing maintenance on the machines quite often (especially if the
> user managed to screw around with the rules again), and offer no real
> benefit for normal workstations.
Double firewalling (hardware + software) is recommended by US-CERT:
http://www.us-cert.gov/reading_room/HomeComputerSecurity/
http://www.cert.org/homeusers/goalof_computersecurity.html
http://www.us-cert.gov/reading_room/before_you_plug_in.html
Re: Netgear portscanning me?
on 06.09.2007 14:56:56 by Wolfgang Kueter
john toynbee wrote:
> Double firewalling (hardware + software) is recommended by US-CERT:
The correct use of a proper hardware firewalling device like
http://www.knipex.de/index.php?id=783&L=0&grpID=24&ukat=kabel07
makes any software definitely unnecessary.
Wolfgang
Re: Netgear portscanning me?
on 06.09.2007 16:58:19 by john toynbee
On Thu, 06 Sep 2007 14:56:56 +0200, Wolfgang Kueter wrote:
> john toynbee wrote:
>
>
>> Double firewalling (hardware + software) is recommended by US-CERT:
>
> The correct use of a proper hardware firewalling device like
>
> http://www.knipex.de/index.php?id=783&L=0&grpID=24&ukat=kabel07
>
> makes any software definitely unnecessary.
>
> Wolfgang
nice joke, but, sorry, between your opinion and US-CERT opinion I prefer
the second.
John
Re: Netgear portscanning me?
on 06.09.2007 21:31:34 by unknown
Post removed (X-No-Archive: yes)
Re: Netgear portscanning me?
on 07.09.2007 03:06:27 by john toynbee
On Thu, 06 Sep 2007 19:31:34 +0000, Juergen Nieveler wrote:
> john toynbee wrote:
>
>> Double firewalling (hardware + software) is recommended by US-CERT:
>
> That links are for home users, though - not business users.
>
> Major difference.
>
> Juergen Nieveler
Yes, but is defense in depth less important for business users?
I think the contrary.
Moreover there are also the inside attacks.
At last: National Security Agency (NSA)
"The 60 Minute Network Security Guide"
2006
www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1
Page 12: "The following section addresses recommendations for securing
network perimeter routers and firewalls. These devices remain a first
line of defense that can serve to limit the access a potential adversary
has to an organization's network."
Page 30: "Included in Windows XP Service Pack 2 and Windows Server 2003 is
Windows Firewall, a host-based firewall used to restrict unsolicited in-
bound traffic to a computer. Windows Firewall settings can be configured
locally on a host, or, preferably via Group Policy. The following are
recommendations regarding the use of Windows Firewall:
• Enable Windows Firewall.
• Windows Firewall configurations should be pushed down via Group
Policy within a domain if possible. In general, do not allow local
administrators to disable/enable the firewall or make changes"
John
Re: Netgear portscanning me?
on 07.09.2007 14:08:46 by unknown
Post removed (X-No-Archive: yes)
Re: Netgear portscanning me?
on 08.09.2007 01:52:08 by john toynbee
On Fri, 07 Sep 2007 12:08:46 +0000, Juergen Nieveler wrote:
>
> Also, speaking as somebody who had to roll out a centrally managed
> McAfee- Firewall - it's a hell of a lot of work to make sure that a) the
> firewall works, b) the user cannot tamper with it, and c) everything
> else still works, too...
Aha, this is the real problem!
John
Re: Netgear portscanning me?
on 08.09.2007 11:18:23 by Volker Birk
john toynbee wrote:
> Yes, but is defense in depth less important for business users?
Defense in depth does not imply using "Personal Firewalls". It should
imply configuring machines so that firewalls are not necessary at all,
and then additionally filtering at the network boundary.
> Pag.30: "Included in Windows XP Service Pack 2 and Windows Server 2003 is
> Windows Firewall, a host-based firewall used to restrict unsolicited in-
> bound traffic to a computer. Windows Firewall settings can be configured
> locally on a host, or, preferably via Group Policy. The following are
> recommendations regarding the use of Windows Firewall:
> • Enable Windows Firewall.
> • Windows Firewall configurations should be pushed down via Group
> Policy within a domain if possible. In general, do not allow local
> administrators to disable/enable the firewall or make changes"
The Windows Firewall can be used for Windows, because Windows has the
design flaw of offering network services even if none are wanted to be
there.
It's the second best option compared with shutting down unwanted
services. Unfortunately it's second best because there are attacks
possible with a packet filter which are not possible if there is
no such service.
Yours,
VB.
Re: Netgear portscanning me?
on 08.09.2007 21:31:17 by unknown
Post removed (X-No-Archive: yes)
Re: Netgear portscanning me?
on 09.09.2007 18:33:06 by john toynbee
On Sat, 08 Sep 2007 19:31:17 +0000, Juergen Nieveler wrote:
> john toynbee wrote:
>
>>> Also, speaking as somebody who had to roll out a centrally managed
>>> McAfee- Firewall - it's a hell of a lot of work to make sure that a)
>>> the firewall works, b) the user cannot tamper with it, and c)
>>> everything else still works, too...
>>
>> Aha, this is the real problem!
>
> Yep. But I intend to solve this, as soon as I've finished calculating
> Pi, feed the whole world, stop global warming and stop all wars ;-)
Would it not be more simple to change the firewall brand? :-)
I advise you to read this:
"Firewalls can help or hurt, so plan carefully"
http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1121674,00.html
and
"Firewalls: Friend or Foe?"
http://staff.washington.edu/gray/papers/fff.html
John
Re: Netgear portscanning me?
on 09.09.2007 20:46:11 by unknown
Post removed (X-No-Archive: yes)