[Help] Router and IP Address



Well said uni_fin, and I do agree with you on most of it. I just differ in advice I would give, I do not actively advise people to turn off their firewalls when they get a router, etc.. Unless there are issues with getting something to work on their local LAN - that is being blocked by their firewall, or other local network issues that the FW could be an issue with. And if asked - I give my honest opinion, and that is I do not see the point in running one. And until I see at least one possible exploit/hack that is not bug related to a specific device, etc.. then no I see no point in running it.

But I do actively suggest to people that they get behind a NAT router, I could really care less one brand over the other, etc.. But if you can afford high-speed access - you can afford a border device! Period end of story - and not doing so, is asking for trouble - even with a software firewall. I see software firewalls as 10 year old condoms (more likely get a hole than not, etc..). Better than not wearing anything - but is it even worth it?

And yes I will agree with you 110% - there is NO such thing as 100% security, once the box is connected to a network - more than likely there is some way into it, etc..

I see more issues from software firewalls, than any protection from them. Just look at this board - how many posts about this does not work, that does not work - I'm being hacked!!! (icmp packet, or plain old background traffic).

Yes I can understand to err on the side of caution - but there is a fine line between being secure, and wearing the tinfoil hat, and causing more harm than good.

Edited by BudMan

And yes I will agree with you 110% - there is NO such thing as 100% security, once the box is connected to a network - more than likely there is some way into it, etc..

If you know this, it makes good sense to run them in combination. However, should your network grow too large for administration of software firewalls on each machine it's time to reconsider your options. In such cases having multiple firewall appliances provides that extra level of security. You should also choose firewalls from at least 2 vendors. While learning 2 different interfaces can be annoying, if one is compromised the intruder must start all over again to get past the second.

I see more issues from software firewalls, than any protection from them. Just look at this board - how many posts about this does not work, that does not work - I'm being hacked!!! (icmp packet, or plain old background traffic).

Again you seem to believe that your situation is unique. While you may at no time put yourself in danger I'm sure those that you mentioned above most certainly do.

We have seen the enemy, and he is us

I see more issues from software firewalls, than any protection from them. Just look at this board - how many posts about this does not work, that does not work - I'm being hacked!!! (icmp packet, or plain old background traffic).

I'd like you to clarify what you mean by "plain old NAT router". It seems from earlier posts that you mean this router to have some sort of SPI. The point I was making is that NAT alone is NOT the end all form of protection.

As for the one exploit I'll try not to give away too many details so as to get this one edited by a mod. I'll also PM this to Budman just in case.

An example of NAT exploit

Spoof attacks. NAT devices are especially susceptible to spoofing. Anyone with sufficient technical knowledge, using hacking tools freely available on the Internet, can put another user's IP address in the "From" (source) field of packets. Since NAT relies on analyzing addresses, false addresses compromise NAT devices easily.

Edited by El_Cu_Guy

No in my opinion it does NOT make good sense to run them in combination - it is pointless, unless you have to treat your local network as hostile. It's like I said before, it's like wearing 2 freaking rubbers.

And I agree, there are quite a lot of people that do not practice safe computing - and as nice as it might be, there is NO software firewall product on the market that can protect them from themselves - this is not the point.

And I hear and read about NAT is easy to get around, oh take a couple of seconds to hack your NAT router, etc.. etc.. Dude - give me an example! Sure it is possible to spoof a packet, and have it look like it came from the internal network - do you know what the internal network is? Do you know that IP on the inside to target? What are you going to do with that packet, once you get it through the router? Give me an example of compromising my patched, virus scanning machine, not running any services - that does not take a dedicated attack by an experienced hacker, etc.. And dude these easy NAT exploits you mention, are on NAT routers gone by - any recent NAT router is more than likely not open to such easy attacks as spoofing the source address, etc..

There is a HUGE difference between a TARGETED attack against "YOU" that is done on purpose by an experienced hacker, and protection from the script kiddies, and JUNK floating around on the net, or other infected machines, etc.. Do you think your FREE copy of ZA is going to stop a dedicated attack against you?? Come on dude?

edit: To clarify something --> even if they do not specifically state they use SPI, they do have state tables, and if the inbound packet was not requested, it will not be forwarded, etc.. So saying you can just spoof the source IP and move your packet right through the Router, is highly unlikely - again, you would have to look at a specific router to know for sure, etc.. But highly unlikely on any recent hardware with up to date firmware, etc..

Edited by BudMan
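
The state-table behaviour described in the edit above, as an added sketch (not part of the original posts and not any vendor's firmware). `NatRouter`, the addresses and the ports are constructed for illustration, and the model assumes a router that matches inbound packets against both the mapped port and the remote endpoint; real devices differ by model and firmware.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges: never a valid source address on the WAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class NatRouter:
    """Toy NAT that forwards inbound packets only for flows a LAN host opened."""
    next_port: int = 40000
    # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a flow: record state, return the WAN port used."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Verdict for a packet arriving on the WAN interface."""
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in RFC1918):
            return "drop: private source on WAN"
        state = self.table.get((proto, dst_port))
        if state is None:
            return "drop: no state"
        lan_ip, lan_port, remote_ip, remote_port = state
        if (src_ip, src_port) != (remote_ip, remote_port):
            return "drop: source does not match flow"
        return f"forward to {lan_ip}:{lan_port}"

def demo():
    """Constructed traffic: one requested reply and three unsolicited packets."""
    r = NatRouter()
    port = r.outbound("tcp", "192.168.1.20", 51000, "198.51.100.7", 443)
    return [
        r.inbound("tcp", "198.51.100.7", 443, port),   # reply to the LAN host's request
        r.inbound("tcp", "192.0.2.99", 443, port),     # other host guessing the WAN port
        r.inbound("tcp", "192.0.2.99", 4444, 135),     # unsolicited probe, no mapping
        r.inbound("tcp", "192.168.1.50", 4444, port),  # spoofed "internal" source
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the first packet is forwarded; a software firewall on the LAN host would see none of the other three in this model.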

There is a HUGE difference between a TARGETED attack against "YOU" that is done on purpose by an experienced hacker, and protection from the script kiddies, and JUNK floating around on the net, or other infected machines, etc.. Do you think your FREE copy of ZA is going to stop a dedicated attack against you?? Come on dude?

You keep wanting to restrict the playing field. Now you add that seasoned crackers are out of the game as well. Most script kiddies aren't going to invest a lot of time in trying to bust NAT although there are a few tools available. There are quite a few HAIBs that provide such utils. You just have to find them.

While I could also go into abusing UDP NAT tables, I'm sure I'll get yet another response pointing to old NAT routers despite the fact that it's a very real scenario and still quite valid even with newer routers.

As I mentioned most script kiddies aren't going to bother. They'll just hard crash the sucker, which causes many SOHO routers to reset to factory defaults.


This makes me think that you are one of those people that still believes the AlphaShield to be unhackable.


100% UNHACKABLE MONEY BACK GUARANTEE. If the original purchaser can prove they were hacked while using a properly installed AlphaShield, while AlphaGAP Technology was enabled, we will accept the return of the product and provide a full refund (with proof of purchase) or replace the product at your option. (see "Customer Remedies" below)

Windows XP SP2 asks you if you want to block or unblock a program requesting outside info. This actually helps plenty: my machine got hit by Internet Optimizer and a popup asked me if I should allow it to contact the outside, so of course I said no and stopped it in its tracks.


You keep wanting to restrict the playing field.


Dude I am not restricting the playing field - I am just expanding on the details of the request. Which you have not provided.

I in NO way ever said that a NAT router (border device) is the end all of security devices. And I will be the first to agree that there is no such thing as 100% secure.

But in a realistic setup - say recent router (no older than 3 years - with latest firmware). How would that not be a realistic setup? Please give me one "REALISTIC" example of how a software firewall would provide me with any more protection than what is already provided by the border device.

I in no way expect it to protect me from a dedicated attack from an exp. hacker - and if you think your FREE ZA is going to protect you any more, you're crazy.

We are NOT talking about the theory of hacking a NAT device, or what could be done - or how, etc.. we are talking about the need to run a software firewall along with a NAT device. Which unless you can give me 1 "REALISTIC" example of some known exploit, or worm, something that will get past my border device, and not be noticed by my virus scanner - and is not yet patched against. That does not include the user actually running some piece of code, etc.. Or some hacker guru with a grudge against you, etc..

Unless you can show this - as I said before, what is the point of running the software firewall? What is it protecting you against?? If you can not give me even "1" example - why should you waste the resources/time/money on running such software?

Now I can point you to all kinds of things a border device can protect you against, every worm out there - they never get to your machine to do anything, etc.. It protects you while you bring a newly formatted unpatched machine online, etc.. etc..

But being behind a border device, and not being a complete IDIOT - I just do not see the point of running one.


How would that not be a realistic setup? Please give me one "REALISTIC" example of how a software firewall would provide me with any more protection than what is already provided by the border device.

If the border device is compromised the software firewall will provide another layer of protection. Having both in SOHO networks is just plain good practice. I never said that it was 100% necessary (circumstances warrant different means of protection).

I in no way expect it to protect me from a dedicated attack from an exp. hacker - and if you think your FREE ZA is going to protect you any more, you're crazy.

Definitely not. If I can take down or "own" your router I can most definitely compromise your LAN box. However, I will have a much more difficult time doing so and it will take me longer. This gives you plenty of time to track my movements and take action.

Which unless you can give me 1 "REALISTIC" example of some known exploit, or worm, something that will get past my border device, and not be noticed by my virus scanner - and is not yet patched against. That does not include the user actually running some piece of code, etc.. Or some hacker guru with a grudge against you, etc..

Hard crash your router. Not all routers are created equal. This is where manufacturers such as Linksys get a lot of acknowledgement. By default remote administration is disabled. If you flood the router with say a DoS attack there are a number of routers (especially those used in SOHO networks) which will hard crash and essentially default to factory settings. (admin >> blank password). As for getting to the LAN box there's a number of methods I could use. For example if you look at my sig. I might make a somewhat accurate assumption that your LAN PCs addresses are in the 192.168.1.x range.

You can likely assume what the user will do or not do once they realize their PC will no longer connect. (hint: ipconfig/release and renew).

Penetration testing your own NAT

Edited by El_Cu_Guy

Oh yeah almost forgot:

100% UNHACKABLE MONEY BACK GUARANTEE. If the original purchaser can prove they were hacked while using a properly installed AlphaShield, while AlphaGAP Technology was enabled, we will accept the return of the product and provide a full refund (with proof of purchase) or replace the product at your option. (see "Customer Remedies" below)

I want my $$$ in US dollars not Canadian!!!!


So you're saying for my software firewall to be worth anything, besides causing me issues on local LAN - slowing down my file xfers, causing config issues for communication between other trusted machines on my network, etc.. My border device has to fail! And a specific type of failure, where it still does NATing (cuz if it didn't - kind of hard to talk on the net with a private address) but forward all packets inbound to a specific box on my network. Yeah that is likely to happen ;)

How is an IPconfig /renew an assumable course of action? When my box behind my border device no longer connects to the net? Where does that make sense? Especially since I am static ;)

So you're saying that the reason I need to run a software firewall - is that something/someone has to DOS my router, so that it fails and resets to factory default settings (which would then what allow my machine device to be admin'd from the WAN side with the default username and password) Which would depend on the specific make and model of the device, etc..

BTW - good link, have seen it before. Did you read the whole thread? Where they debate back and forth the ability to route a spoofed packet that says its from private address across the public net, etc..

On the off chance that my device fails, and decides to forward packets, but still do NATing, etc... Or that it will be DOS'd and reset to default settings - that might allow for outside admin (pretty fancy worm there - to do all that)..

Sure seems like wearing a raincoat on a warm sunny day logic (cuz it might rain - they did give it a .02% chance you know), if you ask me.

