Router
am 12.01.2008 18:23:21 von unknownAlthough I use only one computer. I would like to add a router for the
firewall protection.
Any specific suggestions?
Thanks for the help.
Although I use only one computer. I would like to add a router for the
firewall protection.
Any specific suggestions?
Thanks for the help.
Tom In Maine wrote:
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
Yes: reconsider this stupid idea
"Tom In Maine" wrote in message
news:sltho35gbdvfs3irt8n53hflf44ebhese9@4ax.com...
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
>
> Thanks for the help.
Linksys, Netgear, or D-link -- a FW-router, and whatever you get make sure
you get one that meets the specs in the link for *What does a FW do.
Netgear makes an ICSA FW router, that will meet the specs.
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
In article
>Although I use only one computer. I would like to add a router for the
>firewall protection.
>
>Any specific suggestions?
>
>Thanks for the help.
I agree.
Any home broadband gateway that you can get on ebay or in the
dumpster will work.
Tom In Maine wrote:
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
..
..
I'll try to be a little more helpful than Sebastian.
If you are just using this computer for normal home use (I.E, no Top
Secret nuclear weapons documents, etc...), most of the routers you'll
find at Best Buy will be fine. If you don't have a laptop (and don't
plan on getting one soon), don't get a wireless router.
This will HELP protect you from 95% of the random internet trash out
there, like port scanners.
If a LIVE person really decides they want to break into your network,
a router won't be too tough to get through. You will still need to
practice good security on your PC. For example, don't store sensitive
iformation like account numbers or social security numbers on your hard
drive. Archive them to a CD-ROM. Don't make a list of all your
passwords to all the websites you go to and save it on your computer...
print it out, or archive it to a CD-ROM.
Sebastian will probably tell you that all you need to do is turn on
Windows Firewall. You should do this, too, but adding a router between
you and the Wild adds another layer of protection.
Its like your car. If you lock the doors, most thieves will move on
to a car that ISN'T locked.
On Sat, 12 Jan 2008 18:54:18 +0100, "Sebastian G."
wrote:
>Tom In Maine wrote:
>
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>
>
>Yes: reconsider this stupid idea
Thanks for your help. You can now put your head up your arse again.
On Sat, 12 Jan 2008 13:33:08 -0500, "Mr. Arnold"
>
>"Tom In Maine" wrote in message
>news:sltho35gbdvfs3irt8n53hflf44ebhese9@4ax.com...
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>>
>> Thanks for the help.
>
>Linksys, Netgear, or D-link -- a FW-router, and whatever you get make sure
>you get one that meets the specs in the link for *What does a FW do.
>
>Netgear makes an ICSA FW router, that will meet the specs.
>
>http://www.vicomsoft.com/knowledge/reference/firewalls1.htm l
Thanks that was a very informative link.
On Sat, 12 Jan 2008 13:10:55 -0600, "Ryan P."
>Tom In Maine wrote:
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>.
>.
> I'll try to be a little more helpful than Sebastian.
>
> If you are just using this computer for normal home use (I.E, no Top
>Secret nuclear weapons documents, etc...), most of the routers you'll
>find at Best Buy will be fine. If you don't have a laptop (and don't
>plan on getting one soon), don't get a wireless router.
It will definitely be NOT wireless.
>
> This will HELP protect you from 95% of the random internet trash out
>there, like port scanners.
>
> If a LIVE person really decides they want to break into your network,
>a router won't be too tough to get through. You will still need to
>practice good security on your PC. For example, don't store sensitive
>iformation like account numbers or social security numbers on your hard
>drive. Archive them to a CD-ROM. Don't make a list of all your
>passwords to all the websites you go to and save it on your computer...
>print it out, or archive it to a CD-ROM.
All reasonable things that I do now. Thanks for enumerating them.
> Sebastian will probably tell you that all you need to do is turn on
>Windows Firewall. You should do this, too, but adding a router between
>you and the Wild adds another layer of protection.
I just ignored him.
> Its like your car. If you lock the doors, most thieves will move on
>to a car that ISN'T locked.
Excellent points.
Thank you very much.
In article
>On Sat, 12 Jan 2008 13:33:08 -0500, "Mr. Arnold"
>
>>
>>"Tom In Maine" wrote in message
>>news:sltho35gbdvfs3irt8n53hflf44ebhese9@4ax.com...
>>> Although I use only one computer. I would like to add a router for the
>>> firewall protection.
>>>
>>> Any specific suggestions?
>>>
>>> Thanks for the help.
>>
>>Linksys, Netgear, or D-link -- a FW-router, and whatever you get make sure
>>you get one that meets the specs in the link for *What does a FW do.
>>
>>Netgear makes an ICSA FW router, that will meet the specs.
>>
>>http://www.vicomsoft.com/knowledge/reference/firewalls1.ht ml
>
>Thanks that was a very informative link.
>
Unless you run servers or do something else that is beyond the average
user's activity, you don't need any more of a firewall than NAT
translation gives you and every home router with more than one local
LAN jack gives you that.
Find someone that's gotten a WiFi router and has a wire-only router on
the shelf, somewhere.
Ryan P. wrote:
> If you are just using this computer for normal home use (I.E, no Top
> Secret nuclear weapons documents, etc...), most of the routers you'll
> find at Best Buy will be fine.
What about no router and no firewalling at all? Such things are utterly
pointless for normal home use, hence he should save his money and optionally
invest it in something he really needs or wants.
> This will HELP protect you from 95% of the random internet trash out
> there, like port scanners.
Who cares, as long as the rest 5% get through and will cause trouble?
> Sebastian will probably tell you that all you need to do is turn on
> Windows Firewall. You should do this, too, but adding a router between
> you and the Wild adds another layer of protection.
The router adds exactly zero protection.
> Its like your car. If you lock the doors, most thieves will move on
> to a car that ISN'T locked.
Except that a router doesn't add any security.
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
>
> Thanks for the help.
I'm using a Netgear WGR 614. Along with NAT it offers SPI (stateful packet
inspection), and the option turn off response to ping and UPnP. It does
support wireless, however the radio can be turned off if you don't need it.
If/when you do you can enable WPA2 encryption. This router only costs $39.
This is so affordable that I don't see the point of using a previous
generation router without the more advanced firewall options. JMHO of
course.
Am Sat, 12 Jan 2008 21:34:29 +0100 schrieb Sebastian G.:
> The router adds exactly zero protection.
>
>> Its like your car. If you lock the doors, most thieves will move on
>> to a car that ISN'T locked.
>
>
> Except that a router doesn't add any security.
I totally aggree with you Sebastian, the companies try to suggest security
is a drag and drop thing. As you can see these tactics helps to sell the
most crap.
cheers
In article
Burkhard Ott
>Am Sat, 12 Jan 2008 21:34:29 +0100 schrieb Sebastian G.:
>
>
>> The router adds exactly zero protection.
>>
>>> Its like your car. If you lock the doors, most thieves will move on
>>> to a car that ISN'T locked.
>>
>>
>> Except that a router doesn't add any security.
>
>I totally aggree with you Sebastian, the companies try to suggest security
>is a drag and drop thing. As you can see these tactics helps to sell the
>most crap.
>
>cheers
A router doesn't, but any home broadband gateway with more than one
RJ45 jack on the inside ever made is going to run NAT and NAT is a
drop-dead firewall for incoming connections.
That's exactly what the vast majority of retail computer users need as
a big part of a safe computing regime.
Al Dykes wrote:
> A router doesn't, but any home broadband gateway with more than one
> RJ45 jack on the inside ever made is going to run NAT and NAT is a
> drop-dead firewall for incoming connections.
Apparently you don't understand how NAT works. Dropping an incoming packet
is only done if others means of routing the packet fail:
- existing NAT states (denote that this can be triggered at the client)
- Layer 7 protocol helpers
- a DHCP's server knowledge about connected clients
- UPnP and network topology discovery
- guessing the most likely target (!)
> That's exactly what the vast majority of retail computer users need as
> a big part of a safe computing regime.
Nonsense. The vast majority abuses MSIE as a webbrowser, MSOE as a
newsreader, Windows Messenger as IM and Windows Media Player as media
player, and a router doesn't change anything about this trivial exploitability.
Tom In Maine writes:
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
Hi Tom,
Don't let Sebastian's cheery demeanor and pedantry over terminology
dissuade you from a good idea of some hardware based protection
between you and the internet. Right after he tells you that what you
propose is a bad idea, he'll be sure to tell you that the "firewall"
software that is currently the only thing keeping your computer from
unsolicited internet traffic is completely inadequate.
what's your budget? If "under $100" is the target, a lot of folks
have used the Linksys BEFSR41 (wired) or WRT54GL (includes wireless
functionality) to good success. Both include a stateful packet
inspection hardware based firewall. It's not a "real" firewall in the
way boxes costing several times this would be, but it's also largely a
plug and play effort versus spending a signficant portion of your week
learning to configure it.
Wired only:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124 001&Tpk=befsr41
Wireless as well, and the version that lets you grow into 3rd party
firmware if you ever decide to play with it:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124 190
Best Regards,
--
Todd H.
http://www.toddh.net/
Todd H. wrote:
> Tom In Maine writes:
>
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>
> Hi Tom,
>
> Don't let Sebastian's cheery demeanor and pedantry over terminology
> dissuade you from a good idea of some hardware based protection
> between you and the internet.
It's not pedantry that makes a router not a protection...
> Right after he tells you that what you
> propose is a bad idea, he'll be sure to tell you that the "firewall"
> software that is currently the only thing keeping your computer from
> unsolicited internet traffic is completely inadequate.
Nonsense. After all, unsolicited traffic should not be a problem at all -
conversely, if it is, then a firewall can't help either.
In article <5v0rhoF1jv7mcU1@mid.dfncis.de>, seppi@seppig.de says...
> Nonsense. After all, unsolicited traffic should not be a problem at all -
> conversely, if it is, then a firewall can't help either.
Except that most Windows users have computers that don't properly block
unsolicited traffic, and most are subject to very weak security
implementations.
A simple NAT router is protection against being reached by unsolicited
traffic and does a great job at it.
At the very least, a simple NAT router is the first line of defense for
home users.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Am Mon, 14 Jan 2008 06:32:50 -0500 schrieb Leythos:
> At the very least, a simple NAT router is the first line of defense for
> home users.
no, thats not true, with the router the net behind that device is not more
or less secure, think about the zombies in bot nets.
does all those user don't have nat router's? ;)
cheers
In article
Burkhard Ott
>Am Mon, 14 Jan 2008 06:32:50 -0500 schrieb Leythos:
>
>
>> At the very least, a simple NAT router is the first line of defense for
>> home users.
>
>no, thats not true, with the router the net behind that device is not more
>or less secure, think about the zombies in bot nets.
>does all those user don't have nat router's? ;)
>
>
Good point. A NAT router is just part of the safe computing toolbox.
If you don't keep your software patched and then you click on an evil
email or website, poof, you're a zombie.
You need ant-virus software. I also use and recommend the etc/hosts
file distributed by these good folks. It blocks mor ethan 7,000 sites
that are known to be evil in some way.
http://www.mvps.org/winhelp2002/hosts.htm
Anti-spyware gets run once in a while, too.
In article
postmaster@derith.de says...
> Am Mon, 14 Jan 2008 06:32:50 -0500 schrieb Leythos:
>
>
> > At the very least, a simple NAT router is the first line of defense for
> > home users.
>
> no, thats not true, with the router the net behind that device is not more
> or less secure, think about the zombies in bot nets.
> does all those user don't have nat router's? ;)
Think about how the NAT means that the bots out on the net can't reach
the machine behind the NAT.
Once a machine is compromised all bets are off, but we're not talking
about compromised machines, we're talking about how to best keep from
being compromised.
A NAT router will allow you to be unreachable while you install your OS,
while you do many things, from behind it, so that you can configure your
machine to be more secure.
The inbound barrier is a MUST HAVE solution.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Am Mon, 14 Jan 2008 10:39:55 -0500 schrieb Leythos:
> A NAT router will allow you to be unreachable while you install your OS,
depends on the router configuration, sometimes a firmware bug helps to
make your network reachable
> while you do many things, from behind it, so that you can configure your
> machine to be more secure.
it is the same security, if you download update files and your DNS is
poisened you think you installation is save...
> The inbound barrier is a MUST HAVE solution.
not really
cheers
In article
Burkhard Ott
>Am Mon, 14 Jan 2008 10:39:55 -0500 schrieb Leythos:
>
>> A NAT router will allow you to be unreachable while you install your OS,
>
>depends on the router configuration, sometimes a firmware bug helps to
>make your network reachable
>
>> while you do many things, from behind it, so that you can configure your
>> machine to be more secure.
>
>it is the same security, if you download update files and your DNS is
>poisened you think you installation is save...
>
>> The inbound barrier is a MUST HAVE solution.
>
>not really
When doing a fresh install, I have to be behind a firewall. I've seen
a new W2K machine infected via a viral probe minutes after it first
connected to the net, before the patches could be applied.
I've hooked up IP logging for attempts for incoming connections and
they pop up on a regular basis.
In my laptop, I have a PFW, A/V software, the hosts file from mvps.org
and I install patches as soon as they come out. And I pray.
Al Dykes
> When doing a fresh install, I have to be behind a firewall.
You do? I simply need to pull the network plug. Before getting updates
it's sufficient to not provide any services on the external interface.
You can do that either by yourself if you're knowledgable enough, or you
can use the script from [1] or the program from [2].
I agree that it's probably more convenient to use a packet filtering
router instead, though.
> I've seen a new W2K machine infected via a viral probe minutes after
> it first connected to the net, before the patches could be applied.
That won't happen if the box doesn't have exploitable services available
on the external interface.
[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
[2] http://www.dingens.org/index.html.en
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
In article
Ansgar -59cobalt- Wiechers
>Al Dykes
>> When doing a fresh install, I have to be behind a firewall.
>
>You do? I simply need to pull the network plug. Before getting updates
>it's sufficient to not provide any services on the external interface.
>You can do that either by yourself if you're knowledgable enough, or you
>can use the script from [1] or the program from [2].
>
>I agree that it's probably more convenient to use a packet filtering
>router instead, though.
>
>> I've seen a new W2K machine infected via a viral probe minutes after
>> it first connected to the net, before the patches could be applied.
>
>That won't happen if the box doesn't have exploitable services available
>on the external interface.
>
>[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
>[2] http://www.dingens.org/index.html.en
>
It's much easier and safer to be behind a NAT box.
On 13 Jan 2008 19:30:05 -0600, comphelp@toddh.net (Todd H.) wrote:
>Tom In Maine writes:
>
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>
>Hi Tom,
>
>Don't let Sebastian's cheery demeanor and pedantry over terminology
>dissuade you from a good idea of some hardware based protection
>between you and the internet. Right after he tells you that what you
>propose is a bad idea, he'll be sure to tell you that the "firewall"
>software that is currently the only thing keeping your computer from
>unsolicited internet traffic is completely inadequate.
>
>what's your budget? If "under $100" is the target, a lot of folks
>have used the Linksys BEFSR41 (wired) or WRT54GL (includes wireless
>functionality) to good success. Both include a stateful packet
>inspection hardware based firewall. It's not a "real" firewall in the
>way boxes costing several times this would be, but it's also largely a
>plug and play effort versus spending a signficant portion of your week
>learning to configure it.
Thanks Todd.
I decided to go with a Netgear RP614.
Thank you and everyone else who responded with help.
adykes@panix.com (Al Dykes) writes:
> In article
> Ansgar -59cobalt- Wiechers
> >Al Dykes
> >> When doing a fresh install, I have to be behind a firewall.
> >
> >You do? I simply need to pull the network plug. Before getting updates
> >it's sufficient to not provide any services on the external interface.
> >You can do that either by yourself if you're knowledgable enough, or you
> >can use the script from [1] or the program from [2].
> >
> >I agree that it's probably more convenient to use a packet filtering
> >router instead, though.
> >
> >> I've seen a new W2K machine infected via a viral probe minutes after
> >> it first connected to the net, before the patches could be applied.
> >
> >That won't happen if the box doesn't have exploitable services available
> >on the external interface.
> >
> >[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
> >[2] http://www.dingens.org/index.html.en
> >
>
>
> It's much easier and safer to be behind a NAT box.
Yup.
--
Todd H.
http://www.toddh.net/
Al Dykes
> Ansgar -59cobalt- Wiechers
>> Al Dykes
>>> When doing a fresh install, I have to be behind a firewall.
>>
>> You do? I simply need to pull the network plug. Before getting
>> updates it's sufficient to not provide any services on the external
>> interface. You can do that either by yourself if you're knowledgable
>> enough, or you can use the script from [1] or the program from [2].
>>
>> I agree that it's probably more convenient to use a packet filtering
>> router instead, though.
>>
>>> I've seen a new W2K machine infected via a viral probe minutes after
>>> it first connected to the net, before the patches could be applied.
>>
>> That won't happen if the box doesn't have exploitable services
>> available on the external interface.
>
> It's much easier and safer to be behind a NAT box.
Easier? Yes. And if you re-read my post you'll probably notice that I
already wrote that.
Safer? Not really. Depending on the implementation of the router's
firmware it may not even be equally safe.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Al Dykes wrote:
> Good point. A NAT router is just part of the safe computing toolbox.
Since a NAT router doesn't provide any security by itself, I fail to see how
it could be part of a security concept. After all, NAT is supposed to
provide, not to limit connectivity (and the RFC explicitly states so).
> You need ant-virus software.
Need?
> I also use and recommend the etc/hosts file distributed by these good folks.
Which is about the most stupid suggestion of the month.
> Anti-spyware gets run once in a while, too.
Well, yeah, to show how incompetent it is. But where's the relation to
security? It's not like the output of such software would have any relevance
whatsoever.
Al Dykes wrote:
> When doing a fresh install, I have to be behind a firewall.
Huh? Why?
> I've seen a new W2K machine infected via a viral probe minutes
> after it first connected to the net, before the patches could be applied.
So what? After less than a second of running a configuration script you have
exactly zero open ports.
Even further, what about the packet filter facilities in Win2k? You have
IPFilter, RRAS firewall and IPsec.
> I've hooked up IP logging for attempts for incoming connections and
> they pop up on a regular basis.
So you're spamming yourself with useless log data?
> In my laptop, I have a PFW, A/V software, the hosts file from mvps.org
> and I install patches as soon as they come out. And I pray.
Well, you should. Any of these are so well-suited to hose your system.
In article
says...
> Safer? Not really. Depending on the implementation of the router's
> firmware it may not even be equally safe.
And yet, every day, we see how the ignorant are protected from
themselves and their exploitable OS by just such simple devices as NAT
Routers.
Sure, the sun could explode on Wednesday, but, as long as they have a
NAT Router in front of their connection there is a very good chance that
their boxes won't be reached by unsolicited traffic.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Sebastian G. wrote:
>
> Even further, what about the packet filter facilities in Win2k? You have
> IPFilter, RRAS firewall and IPsec.
..
..
Admittedly, I'm not an expert by any means, but you have a history of
saying that software packet filters are easily circumvented, and is the
reason that all the software firewalls are useless?
Ryan P. wrote:
>> Even further, what about the packet filter facilities in Win2k? You have
>> IPFilter, RRAS firewall and IPsec.
>
> Admittedly, I'm not an expert by any means, but you have a history of
> saying that software packet filters are easily circumvented, and is the
> reason that all the software firewalls are useless?
The above are all host-based packet filters implemented purely in software
without any hardware acceleration. They are placed within the NDIS stack, so
they apply before the packets gets addressed to the applications which
requested ports/sockets. The work absolutely well for the mentioned scenario.
What they can't address reliably, and therefore don't even try to, is
filtering outbound traffic, especially not by application.
Maybe you also twisted it a bit because many other packet filter
implementations from other vendros, commonly known as the "personal
firewall" crap, are horrible error-prone implementations that can be easily
circumvented, abused and exploited, both on the network and application level.
In article
Ansgar -59cobalt- Wiechers
>Al Dykes
>> Ansgar -59cobalt- Wiechers
>>> Al Dykes
>>>> When doing a fresh install, I have to be behind a firewall.
>>>
>>> You do? I simply need to pull the network plug. Before getting
>>> updates it's sufficient to not provide any services on the external
>>> interface. You can do that either by yourself if you're knowledgable
>>> enough, or you can use the script from [1] or the program from [2].
>>>
>>> I agree that it's probably more convenient to use a packet filtering
>>> router instead, though.
>>>
>>>> I've seen a new W2K machine infected via a viral probe minutes after
>>>> it first connected to the net, before the patches could be applied.
>>>
>>> That won't happen if the box doesn't have exploitable services
>>> available on the external interface.
>>
>> It's much easier and safer to be behind a NAT box.
>
>Easier? Yes. And if you re-read my post you'll probably notice that I
>already wrote that.
>
>Safer? Not really. Depending on the implementation of the router's
>firmware it may not even be equally safe.
A NAT box set to factory defaults is perfect block for attempted
incoming connections.
Al Dykes wrote:
> A NAT box set to factory defaults is perfect block for attempted
> incoming connections.
For arbitrary stupid definitions of "perfect".
In message
>no, thats not true, with the router the net behind that device is not more
>or less secure, think about the zombies in bot nets.
>does all those user don't have nat router's? ;)
Most of the zombies on the market today were installed by a user.
Classic Trojan horse, no OS on the market is more or less secure against
a user with administrator/root rights and the will to use 'em.
In message
wrote:
>When doing a fresh install, I have to be behind a firewall. I've seen
>a new W2K machine infected via a viral probe minutes after it first
>connected to the net, before the patches could be applied.
Windows 2000, sure. In practice, with WinXP SP2 (and newer) that simply
hasn't been the case.
>In my laptop, I have a PFW, A/V software, the hosts file from mvps.org
>and I install patches as soon as they come out. And I pray.
My condolences.
DevilsPGD wrote:
> Windows 2000, sure. In practice, with WinXP SP2 (and newer) that simply
> hasn't been the case.
Wrong. There's a patchable vulnerability in the TCP/IP stack, which,
depending on the router's implementation, might be exploitable from the
outside. However, the risk is very low, since it would require the attacker
to sit within your ISP's network infrastructure to bypass their ingress
filtering.
Al Dykes
> Ansgar -59cobalt- Wiechers
>> Al Dykes
>>> It's much easier and safer to be behind a NAT box.
>>
>> Easier? Yes. And if you re-read my post you'll probably notice that I
>> already wrote that.
>>
>> Safer? Not really. Depending on the implementation of the router's
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> firmware it may not even be equally safe.
>
> A NAT box set to factory defaults is perfect block for attempted
> incoming connections.
Either you didn't read, or you didn't understand what I wrote. Try
again.
You may also want to explain how that were safer than a box which simply
doesn't accept incoming connection attempts.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Am Tue, 15 Jan 2008 12:23:25 +0100 schrieb Sebastian G.:
> Wrong. There's a patchable vulnerability in the TCP/IP stack, which,
> depending on the router's implementation, might be exploitable from the
> outside. However, the risk is very low, since it would require the attacker
you probably mean that?
http://www.securityfocus.com/bid/27100
In article
says...
> You may also want to explain how that were safer than a box which simply
> doesn't accept incoming connection attempts.
You may want to explain how you get a box, used by the ignorant masses,
the uneducated idiots, the 90% of the people that use a Windows PC, to
not accept inbound connections.....
Face it, a NAT router is going to be a better security implementation
than what the masses have the ability to do on their own.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
"Sebastian G."
> Al Dykes wrote:
>
>
> > When doing a fresh install, I have to be behind a firewall.
>
> Huh? Why?
http://isc.sans.org/survivaltime.html
If you'd rather rely on running a configuration script (it'd be
instructive to post one that you feel works for peer review) and hope
you have interactive control of the system in time while it boots in
order to turn off these services, and rely on the remaining OS's TCPIP
stack to be bulletproof, that's your choice.
Others (myself included) would be a lot more comfortable with the more
robust layered defense approach of filtering inbound network traffic
at the perimeter with a separate device.
Best Regards,
--
Todd H.
http://www.toddh.net/
"Sebastian G."
> Al Dykes wrote:
>
>
> > Good point. A NAT router is just part of the safe computing toolbox.
>
> Since a NAT router doesn't provide any security by itself, I fail to
> see how it could be part of a security concept. After all, NAT is
> supposed to provide, not to limit connectivity (and the RFC explicitly
> states so).
As you know, but conveniently omit from teh discussion, every home
gateway seems to implement NAT in addition to stateful packet
inspection ingress filtering.
No, they do not limit outbound access at all, so once an internal host
is compromised, they don't do anything for ya.
> > You need ant-virus software.
>
> Need?
Coal miners didn't "need" canaries in their mines, but they made the
work environment a bit easier to abandon and remediate when/if the
canaries keeled over.
> > I also use and recommend the etc/hosts file distributed by these
> > good folks.
>
> Which is about the most stupid suggestion of the month.
Please, regale us of your contrarian reasoning for this.
It's actually something I think is a decent approach, so long as one
reviews the list to make sure nothing untoward is going on.
> > Anti-spyware gets run once in a while, too.
>
> Well, yeah, to show how incompetent it is. But where's the relation to
> security? It's not like the output of such software would have any
> relevance whatsoever.
See canary analogy above.
Best Regards,
--
Todd H.
http://www.toddh.net/
Todd H. wrote:
> As you know, but conveniently omit from teh discussion, every home
> gateway seems to implement NAT in addition to stateful packet
> inspection ingress filtering.
And NAT by itself doesn't provide any security.
> No, they do not limit outbound access at all, so once an internal host
> is compromised, they don't do anything for ya.
The typical collusion that one can trigger NAT states from the client side
without compromising the host due to bad protocol parsers, header injection,
command injection,Java or Flash, it's once anything a clear statement
against NAT.
> Coal miners didn't "need" canaries in their mines, but they made the
> work environment a bit easier to abandon and remediate when/if the
> canaries keeled over.
Which is about the description of a host-based intrusion detection system.
Indeed, that's what virus scanners might be good for, but that's clearly
distinct from protection or necessity.
>>> I also use and recommend the etc/hosts file distributed by these
>>> good folks.
>> Which is about the most stupid suggestion of the month.
>
> Please, regale us of your contrarian reasoning for this.
Well, let's see... aside from breaking DNS, breaking DNS caching, slowing
down the system, and the trivial fact that the HOSTS file is not writable
for any user, it faces three big disadvantages:
1. quite some application use SOCKOPT_NO_HOSTS, which totally voids the effect
2. it interferes with all application for any user on the machine, not the
just the ones where it's needed
3. it's the most inefficient and furtile way to do filtering by hostname. It
doesn't provide any wildcards, RegExps or just hostname collation, and the
"bad guys" trivially circumvent it with wildcards in the own DNS servers,
allowing them to use randomly generated subdomains like
"dsjklasjkhdbasajkghdkgsajhdgjhsagdjhg.malware.org", which surely no sane
list of hostnames could ever address.
> It's actually something I think is a decent approach, so long as one
> reviews the list to make sure nothing untoward is going on.
Oh well, that's another big disadvantage...
>> Well, yeah, to show how incompetent it is. But where's the relation to
>> security? It's not like the output of such software would have any
>> relevance whatsoever.
>
> See canary analogy above.
Well, just that the analogy doesn't hold. The output of the typical
"anti-spyware" crap is absolutely useless, both in sense of false positives
and false negatives.
Sorry, but if it shows me 50+ string warnings on a perfectly clean system,
and some of these even turn out to be implemented security configurations,
it's obviously broken. If it tries to write 5000+ CLSID entries into HKLM,
fails due to missing permissions, and then suggests to try again over and
over, it's so obviously broken. If it shows an empty GUI due to expecting a
non-guaranteed DLL, it's horribly broken. And that's really just the tip of
the ice berg.
In article <5v4ggpF1kcd4kU1@mid.dfncis.de>,
Sebastian G.
>Todd H. wrote:
>
>> As you know, but conveniently omit from teh discussion, every home
>> gateway seems to implement NAT in addition to stateful packet
>> inspection ingress filtering.
>
>
>And NAT by itself doesn't provide any security.
>
That statement is wrong.
Todd H. wrote:
> "Sebastian G."
>
>> Al Dykes wrote:
>>
>>
>>> When doing a fresh install, I have to be behind a firewall.
>> Huh? Why?
>
> http://isc.sans.org/survivaltime.html
>
>
> If you'd rather rely on running a configuration script
That's exactly why the firewall isn't needed.
> (it'd be instructive to post one that you feel works for peer review)
http://ntsvcfg.de/ntsvcfg_eng.html
> and hope you have interactive control of the system in time while it boots
> in order to turn off these services,
Hm? First you turn of the services, then you plug in the jack and configure
the connection.
> Others (myself included) would be a lot more comfortable with the more
> robust layered defense approach of filtering inbound network traffic
> at the perimeter with a separate device.
Others, including myself, have downloaded the patches on another machine and
transferred them to the potentially vulnerable machine via LAN, removable
media, etc. to install them without having a connection to the internet.
Burkhard Ott wrote:
>> Wrong. There's a patchable vulnerability in the TCP/IP stack, which,
>> depending on the router's implementation, might be exploitable from the
>> outside. However, the risk is very low, since it would require the attacker
>
> you probably mean that?
> http://www.securityfocus.com/bid/27100
Na, rather
problem is not exploitable by default, and can be easily worked around.
Al Dykes wrote:
>> And NAT by itself doesn't provide any security.
>>
> That statement is wrong.
Yes, it's so wrong that it's even written in the RFC that defines NAT...
In article <5v4j5kF1ksjnuU1@mid.dfncis.de>, seppi@seppig.de says...
> Al Dykes wrote:
>
>
> >> And NAT by itself doesn't provide any security.
> >>
> > That statement is wrong.
>
> Yes, it's so wrong that it's even written in the RFC that defines NAT...
NAT in a 1:1 solution does not provide any security at all.
NAT in a 1:MANY provides great unsolicited inbound protection.
Almost every implementation of NAT in home/SOHO appliances is defaulted
to 1:MANY NAT - so it does provide a great level of inbound security.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
On 15 Jan 2008 09:42:06 -0600, comphelp@toddh.net (Todd H.) wrote:
>"Sebastian G."
>> Al Dykes wrote:
>>
>> > Good point. A NAT router is just part of the safe computing toolbox.
>>
>> Since a NAT router doesn't provide any security by itself, I fail to
>> see how it could be part of a security concept. After all, NAT is
>> supposed to provide, not to limit connectivity (and the RFC explicitly
>> states so).
>
>As you know, but conveniently omit from teh discussion, every home
>gateway seems to implement NAT in addition to stateful packet
>inspection ingress filtering.
>
>No, they do not limit outbound access at all, so once an internal host
>is compromised, they don't do anything for ya.
One wonders if there might be some underlying reason for Sebastian G.
(and others, most, surprisingly, with .de domains) to promote that
users leave their computers open to most access while on the net.
Perhaps it's that this would make their "job" much easier. But, that
is just speculation.
On the other hand, maybe they are just militant linux advocates and
have already taught their grandmothers the intricasies of Linux
security administration and just don't understand why your grandmother
can't learn too -- or just get off the net.
On Jan 16, 10:29 am, Jaap Hilversum
> One wonders if there might be some underlying reason for Sebastian G.
> (and others, most, surprisingly, with .de domains) to promote that
> users leave their computers open to most access while on the net.
He does not say so. He never said you should leave computers open to
access. But there is little benefit relying on additional hardware or
software to achieve something which you could achieve simply by
closing whatever would be open.
A software firewall adds a lot of complexity, code lines (containing
bugs), configuration issues (which user is really able to configure a
software firewall correctly) to a computer.
A NAT router adds additional in regard to complexity and does not add
reliable security due to various shortcomings in NAT which are
inevitable.
And all that to cover up some open ports which you could simply close
by turning off unnecessary services? Stopping unnecessary services
reduces complexity. The computer runs less code. Thus there are less
bugs. And without software firewall the computers runs definitively
much faster. And you can run the computer very well directly connected
to the internet. Without open ports there is nothing someone from the
internet could connect to. And you don't have to filter ICMP pings and
other messages to achieve 'pseudo stealth'.
But, well, most people seem to prefer to put fat stupid security
guards in front of their unlocked doors instead of simply locking the
door. It seems to be easier to buy a guard then to learn how to lock
the door which must be terribly complicated to learn and people don't
want to learn about security that's why they rely on the stupid guard
which is fooled so quickly.
Gerald
Leythos wrote:
> In article
> says...
>> You may also want to explain how that were safer than a box which simply
>> doesn't accept incoming connection attempts.
>
> You may want to explain how you get a box, used by the ignorant masses,
> the uneducated idiots, the 90% of the people that use a Windows PC, to
> not accept inbound connections.....
>
> Face it, a NAT router is going to be a better security implementation
> than what the masses have the ability to do on their own.
>
..
..
This is where Sebastian and the like-thinkers say that such people
should not be allowed access to the 'net.
On Jan 16, 12:14 pm, "Ryan P."
wrote:
> This is where Sebastian and the like-thinkers say that such people
> should not be allowed access to the 'net.
Well, wait until terrorists effectively use hacked computers of the
average ignorant computer user for communication and other purposes
and the U.S. will introduce mandatory computer user license tests
before you are allowed to use a PC or the internet and will force the
rest of the world to do the same. Have a computer hacked to spread
child porn is not so important. But the war on terror will justify
everything... ;-)
Gerald
Am Tue, 15 Jan 2008 17:29:51 -0800 schrieb Jaap Hilversum:
> One wonders if there might be some underlying reason for Sebastian G.
> (and others, most, surprisingly, with .de domains) to promote that
> users leave their computers open to most access while on the net.
>
> Perhaps it's that this would make their "job" much easier. But, that
> is just speculation.
No, the statement is: "You are not safer with a flashbox in your
background" or better with the words of Bruce Schneier "Security is a
process not a product".
It has nothing to do with linux, unix or windows is safer, even with a
self made solution you are not totally safe but there is nobody who tells
you that. Companies which sell the fancy flashboxes tell that crap and the
most peoples believe them by clicking the anti hacker option in his router
at the same time with this click the brain is out of order because the
already clicked in the anti hacker button.
I guess you know what I mean.
cheers
Am Tue, 15 Jan 2008 20:41:38 -0800 schrieb Gerald Vogt:
> Well, wait until terrorists effectively use hacked computers of the
> average ignorant computer user for communication and other purposes
> and the U.S. will introduce mandatory computer user license tests
> before you are allowed to use a PC or the internet and will force the
> rest of the world to do the same. Have a computer hacked to spread
> child porn is not so important. But the war on terror will justify
> everything... ;-)
>
> Gerald
But think about Germany, we do the same thing :(.
In article
> He never said you should leave computers open to
> access. But there is little benefit relying on additional hardware or
> software to achieve something which you could achieve simply by
> closing whatever would be open.
And yet we know, at least any of us that have been around for any real
length of time, that users are not going to close those ports, services,
secure their machines - they treat their computers like can-openers,
they just blindly use them as they shipped.
A NAT Router (1:MANY) provides a level of protection that all unsecured
machines can benefit from and requires no understanding or changing of
the OS - and it works with ALL OS platforms.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Jaap Hilversum wrote:
> One wonders if there might be some underlying reason for Sebastian G.
> (and others, most, surprisingly, with .de domains) to promote that
> users leave their computers open to most access while on the net.
Nonsense. I promote implementing actual security measures instead of
half-assly trying to threat symptomes.
> On the other hand, maybe they are just militant linux advocates and
> have already taught their grandmothers the intricasies of Linux
> security administration
Personally, I would never use Linux, except Linux-from-the-scratch on
embedded systems.
Burkhard Ott wrote:
> Am Tue, 15 Jan 2008 20:41:38 -0800 schrieb Gerald Vogt:
>
>> Well, wait until terrorists effectively use hacked computers of the
>> average ignorant computer user for communication and other purposes
>> and the U.S. will introduce mandatory computer user license tests
>> before you are allowed to use a PC or the internet and will force the
>> rest of the world to do the same. Have a computer hacked to spread
>> child porn is not so important. But the war on terror will justify
>> everything... ;-)
>>
>> Gerald
>
> But think about Germany, we do the same thing :(.
..
..
Everybody in power does the same thing. How many liberal politicians
endorse the banning of books from school libraries that don't match
their current world-view? (And I'm not talking about porn)
Am Wed, 16 Jan 2008 12:06:23 -0600 schrieb Ryan P.:
>> But think about Germany, we do the same thing :(.
> .
> .
> Everybody in power does the same thing. How many liberal politicians
> endorse the banning of books from school libraries that don't match
> their current world-view? (And I'm not talking about porn)
Unfortunately you're totally right, in the past the burned the books here.
Lets see what the future brings.
But I actually doesn't like the phrase like: 'in the evil US they do that
and these', it's the same thing around the world.
Like you say everybody in power...
(but is has nothing to do with flashboxes ;)
cheers
>
> Personally, I would never use Linux, except Linux-from-the-scratch on
> embedded systems.
So tell us... what great OS does the almighty know it all Sebastian G
use and how does he secure his home network?
slackerama wrote:
>> Personally, I would never use Linux, except Linux-from-the-scratch on
>> embedded systems.
>
> So tell us... what great OS does the almighty know it all Sebastian G
> use
On the home computer, I'm sadly urged to run Windows XP. On my own machine,
I run OpenBSD. On the machines I'm administrating, we have Windows 2000,
Windows XP, Debian Linux, FreeBSD, Solaris.
> and how does he secure his home network?
Hm... not at all? Since there's no necessity, the clients are all well secured.