Windows XP: Discuss the Microsoft Windows XP Operating System
Re: firewall test and NAT- Another Impersonation by Butts

In article <35KMl.23466$Rf7.17660@newsfe21.iad>, spam9999free@rrohio.com says...
> Path: news.astraweb.com!border1.newsrouter.astraweb.com! npeer01.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!post02.iad.highwinds-media.com!newsfe21.iad.POSTED!4b08191c!not-for-mail
> From: "Leythos" <spam9999free@rrohio.com>
> Newsgroups: microsoft.public.windowsxp.general
> References: <#2gS5#zzJHA.4116@TK2MSFTNGP04.phx.gbl> <004bdcc4$0$14705$c3e8da3@news.astraweb.com> <7gJMl.25461$BZ3.21524@newsfe12.iad>
> In-Reply-To: <7gJMl.25461$BZ3.21524@newsfe12.iad>
> Subject: Re: firewall test and NAT- Another Impersonation by Butts
> Lines: 20
> MIME-Version: 1.0
> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Windows Mail 6.0.6001.18000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
> X-Antivirus: avast! (VPS 090507-0, 05/07/2009), Outbound message
> X-Antivirus-Status: Clean
> Message-ID: <35KMl.23466$Rf7.17660@newsfe21.iad>
> X-Complaints-To: abuse@teranews.com
> NNTP-Posting-Date: Thu, 07 May 2009 23:24:47 UTC
> Organization: TeraNews.com
> Date: Thu, 7 May 2009 16:24:41 -0700
>
> In article <7gJMl.25461$BZ3.21524@newsfe12.iad>, spam9999free@rrohio.com
> says...
> >
> > Forget my last post I was wrong, you need to format your hd and reinstall
> > windows.
> >
> The above post was not by Leythos, it was a faked post and shows the
> lack of ethics and lack of Honesty of Butts and his sock TrollBuster.
> And the headers prove another impersonation by the resident unethical hack.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: firewall test and NAT- Another Impersonation by Butts

In article <n6KMl.23467$Rf7.13752@newsfe21.iad>, spam9999free@rrohio.com says...
> Path: news.astraweb.com!border2.newsrouter.astraweb.com! indigo.octanews.net!news-out.octanews.net!teal.octanews.net!nx01.iad01.news hosting.com!newshosting.com!69.16.185.16.MISMATCH! npeer02.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!post02.iad.highwinds-media.com!newsfe21.iad.POSTED!4b08191c!not-for-mail
> From: "Leythos" <spam9999free@rrohio.com>
> Newsgroups: microsoft.public.windowsxp.general
> References: <#2gS5#zzJHA.4116@TK2MSFTNGP04.phx.gbl> <004bdcc4$0$14705$c3e8da3@news.astraweb.com> <7gJMl.25461$BZ3.21524@newsfe12.iad>
> In-Reply-To: <7gJMl.25461$BZ3.21524@newsfe12.iad>
> Subject: Re: firewall test and NAT- Another Impersonation by Butts
> Lines: 17
> MIME-Version: 1.0
> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Windows Mail 6.0.6001.18000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
> X-Antivirus: avast! (VPS 090507-0, 05/07/2009), Outbound message
> X-Antivirus-Status: Clean
> Message-ID: <n6KMl.23467$Rf7.13752@newsfe21.iad>
> X-Complaints-To: abuse@teranews.com
> NNTP-Posting-Date: Thu, 07 May 2009 23:26:11 UTC
> Organization: TeraNews.com
> Date: Thu, 7 May 2009 16:26:09 -0700
>
> In article <7gJMl.25461$BZ3.21524@newsfe12.iad>, spam9999free@rrohio.com
> says...
> >
> > Forget my last post I was wrong, you need to format your hd and reinstall
> > windows.
>
> The above post was not by Leythos, it was a faked post and shows the
> lack of ethics and lack of Honesty of Butts and his sock TrollBuster.
> And the headers prove another impersonation by the resident unethical hack.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: firewall test and NAT

<snip>
> The trouble with NAT is that the bad guys just slap their
> guess as to what your internal off Internet address on
> to their probe. They find you very quickly if your internal
> off Internet address is 192.168.0.xxx. (Recommendation:
> pick an internal address other than 192.168.0.0/24 or
> 192.168.1.0/24.)
>
> NAT does not stop incoming requests called SYN (TCP) or
> state "New" (TCP or UDP). It only stops traffic not
> properly addressed to your internal network. Enough
> guessing and the bad guys will find you.

If that were to be true, every network in the universe would be no more. Port probes are being performed 24/7 and have been for years.

The Client sends a SYN to the Server requesting a connection.
The Server sends back a SYN-ACK to the Client acknowledging the request.
The Client responds with an ACK and the connection is completed.

Port probes are looking for any open Port, and if they don't find one, they move on to the next possible victim without ever responding with an ACK to the Server. Without an ACK response from the Client, the Server will wait X amount of time before sending another SYN-ACK, then again, and again, etc. until it reaches its max set of times to send. It's when a Server is overwhelmed with these Half-Open connections that it becomes a real issue.

--
Brian A. Sesko
Conflicts start where information lacks.
http://basconotw.mvps.org/
Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
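The handshake and half-open table Brian describes, as a small added simulation (this is an illustration, not code from the thread; the Listener class, the retransmit limit of 3 and the two peer addresses are constructed for it):

```python
"""Toy model of the TCP three-way handshake and a server's half-open table.

Added illustration, not code from the original thread. A SYN creates a
SYN_RECEIVED entry; the server re-sends SYN-ACK on each timer tick until
the client's ACK arrives (connection established) or the retransmit limit
is reached (entry dropped). The limit and timer are constructed, not the
values of any real TCP stack.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    """One SYN_RECEIVED entry: the peer and how many SYN-ACKs have been sent."""
    peer: tuple            # (ip, port) of the client
    syn_acks_sent: int = 1


@dataclass
class Listener:
    """A listening socket with its half-open and established tables."""
    max_syn_ack_retries: int = 5          # constructed limit (cf. tcp_synack_retries)
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)

    def on_syn(self, peer):
        """Step 1: client SYN -> server answers SYN-ACK and remembers the peer."""
        if peer in self.half_open or peer in self.established:
            return "ignored"
        self.half_open[peer] = HalfOpen(peer)
        return "SYN-ACK"

    def on_ack(self, peer):
        """Step 3: the client's ACK completes the handshake."""
        entry = self.half_open.pop(peer, None)
        if entry is None:
            return "RST"        # ACK for a connection we are not expecting
        self.established.add(peer)
        return "ESTABLISHED"

    def on_timer(self):
        """Retransmission timer: resend SYN-ACK, drop entries at the limit.
        Returns the peers dropped on this tick."""
        dropped = []
        for peer, entry in list(self.half_open.items()):
            if entry.syn_acks_sent >= self.max_syn_ack_retries:
                del self.half_open[peer]
                dropped.append(peer)
            else:
                entry.syn_acks_sent += 1
        return dropped


def simulate():
    """Constructed scenario: one real client and one scanner that never ACKs."""
    srv = Listener(max_syn_ack_retries=3)
    client = ("203.0.113.10", 40000)    # RFC 5737 documentation addresses
    scanner = ("198.51.100.7", 1030)
    srv.on_syn(client)
    srv.on_syn(scanner)
    srv.on_ack(client)                  # the legitimate client finishes the handshake
    timeline = [srv.on_timer() for _ in range(4)]
    return {
        "established": sorted(srv.established),
        "still_half_open": sorted(srv.half_open),
        "dropped_on_tick": timeline,
    }


if __name__ == "__main__":
    print(simulate())
```

The scanner's entry sits in the half-open table for the full retry budget while the real client's entry leaves it immediately on the ACK; that difference in dwell time is what a backlog limit or SYN cookies are defending.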
Re: firewall test and NAT

ToddAndMargo wrote:
> John John - MVP wrote:
>> ToddAndMargo wrote:
>>> John John - MVP wrote:
>>>> ToddAndMargo wrote:
>>>>> Hi All,
>>>>>
>>>>> I would like to test my firewall, but have a NAT box
>>>>> between me and the various firewall tests I know
>>>>> of. Anyone know of a firewall test that shoots
>>>>> through NAT?
>>>>
>>>> NAT would be pretty useless if anything could just "shoot" through
>>>> it. Open (forward) a port in the box or temporarily disable/bypass
>>>> the NAT box for your tests.
>>>>
>>>> John
>>>
>>> Hi John,
>>>
>>> The bad guys know all about NAT. And it is indeed useless
>>> as a firewall.
>>>
>>> The bad guys start with 192.168.0.0/24 and work their way
>>> up. Check your firewall logs, you will see SYN packet probes
>>> on it all the time: about 1/100 if you did not use NAT, but
>>> still enough to do damage. NAT is *not* a firewall -- it is
>>> a common misconception.
>>>
>>> I was hoping for a way to test it without redoing anything
>>> on my network.
>>
>> I'm by no means any kind of expert on this but my understanding about
>> NAT is that it will only allow traffic in if the request for the
>> packets originated from within. You say that you have a "NAT box" I
>> assume that to be a router of sorts, check the documentation for your
>> router.
>>
>> John
>
> Hi John,
>
> It is a router.
>
> The trouble with NAT is that the bad guys just slap their
> guess as to what your internal off Internet address on
> to their probe. They find you very quickly if your internal
> off Internet address is 192.168.0.xxx. (Recommendation:
> pick an internal address other than 192.168.0.0/24 or
> 192.168.1.0/24.)
>

Assuming one is silly enough to leave that NAT router set to factory defaults.....

--
Bruce Chambers

Help us help you: http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has killed a great many philosophers. ~ Denis Diderot
Re: firewall test and NAT

Brian A. wrote:
> <snip>
>> The trouble with NAT is that the bad guys just slap their
>> guess as to what your internal off Internet address on
>> to their probe. They find you very quickly if your internal
>> off Internet address is 192.168.0.xxx. (Recommendation:
>> pick an internal address other than 192.168.0.0/24 or
>> 192.168.1.0/24.)
>>
>> NAT does not stop incoming requests called SYN (TCP) or
>> state "New" (TCP or UDP). It only stops traffic not
>> properly addressed to your internal network. Enough
>> guessing and the bad guys will find you.
>
> If that were to be true, every network in the universe would be no
> more. Port probes are being performed 24/7 and have been for years.
>
> The Client sends a SYN to the Server requesting a connection.
> The Server sends back a SYN-ACK to the Client acknowledging the request.
> The Client responds with an ACK and the connection is completed.
>
> Port probes are looking for any open Port, and if they don't find one,
> they move on to the next possible victim without ever responding with an
> ACK to the Server. Without an ACK response from the Client, the Server
> will wait X amount of time before sending another SYN-ACK, then again,
> and again, etc. until it reaches its max set of times to send. It's
> when a Server is overwhelmed with these Half-Open connections that it
> becomes a real issue.
>

Hi Brian,

You are correct. You are missing that the probe can include an internal address as well as the required external address.

An unsuccessful sample attack on my machine for you:

kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Translation:
SRC is my NAT router (192.168.1.1) on my 1st Ethernet port

RST is a virtual machine (192.168.1.46) on my second Ethernet port that has not run for over three weeks (currently off)

SYN is a SYN packet

The probe got right through my NAT router (and got stopped by my software firewall). NAT is a good idea in a lot of ways. And it does stop tons of state=new packets. But, as I have shown, you can poke through it. It takes a lot more skill, so it does cut way down on the bad guys' attempts to probe you. But it does not stop all unsolicited state=new probes. This is why I am telling everyone that doubts me that *NAT is not a firewall*.

-T
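To read lines like the one Todd quotes, here is an added example that parses the netfilter LOG format and labels new-connection SYNs by source address range. It is our own illustration, not code from the post: the first log line is the one quoted above, the other two are constructed for contrast, the key=value fields and bare flag tokens are the real netfilter LOG format, and the labels returned by `classify()` are our own.

```python
"""Parse netfilter LOG lines (the format of the kernel line quoted above)
and label unsolicited SYNs by source address range.

Added illustration, not code from the original post. SAMPLE_LOG[0] is the
line quoted in the thread; the other two lines are constructed. The
key=value fields and bare flag tokens (SYN, ACK, DF ...) are the real
netfilter LOG target format; the labels returned by classify() are ours.
"""
import ipaddress
import re

SAMPLE_LOG = [
    # quoted from the thread
    "kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    # constructed: a reply packet (ACK set, no SYN) for an existing connection
    "kernel: Reply IN=eth0 OUT= MAC= SRC=203.0.113.5 DST=192.168.1.20 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO=TCP SPT=443 DPT=51234 "
    "WINDOW=250 RES=0x00 ACK URGP=0",
    # constructed: a new-connection SYN from a non-RFC1918 source
    "kernel: Incomming SYN IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=192.168.1.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9 DF PROTO=TCP SPT=1030 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
]

_KV = re.compile(r"(\w+)=(\S*)")
_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netfilter_line(line):
    """Return the key=value fields as a dict plus a 'flags' set of bare tokens."""
    fields = dict(_KV.findall(line))
    fields["flags"] = set(line.split()) & _FLAGS
    return fields


def is_rfc1918(addr):
    """True for the private ranges the thread is arguing about."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_new_syn(fields):
    """SYN set and ACK clear: a new-connection request (conntrack state NEW)."""
    return (fields.get("PROTO") == "TCP"
            and "SYN" in fields["flags"]
            and "ACK" not in fields["flags"])


def classify(fields):
    """Label a parsed line for a defender's review queue (labels are our own)."""
    if not is_new_syn(fields):
        return "not-a-new-syn"
    if is_rfc1918(fields["SRC"]):
        return "new-syn-from-private-source"
    return "new-syn-from-public-source"


def summarize(lines):
    """(interface, src, dst:dport, label) for each line, for a quick review."""
    rows = []
    for line in lines:
        f = parse_netfilter_line(line)
        rows.append((f["IN"], f["SRC"], f"{f['DST']}:{f['DPT']}", classify(f)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The first row comes out as a new SYN from a private source on eth1, which is exactly the combination worth reviewing: whether that is a genuine packet from the router or something relayed by it is a question the interface and the router's own logs answer, not the line alone.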
Re: firewall test and NAT

ToddAndMargo wrote:
> Brian A. wrote:
>> <snip>
>>> The trouble with NAT is that the bad guys just slap their
>>> guess as to what your internal off Internet address on
>>> to their probe. They find you very quickly if your internal
>>> off Internet address is 192.168.0.xxx. (Recommendation:
>>> pick an internal address other than 192.168.0.0/24 or
>>> 192.168.1.0/24.)
>>>
>>> NAT does not stop incoming requests called SYN (TCP) or
>>> state "New" (TCP or UDP). It only stops traffic not
>>> properly addressed to your internal network. Enough
>>> guessing and the bad guys will find you.
>>
>> If that were to be true, every network in the universe would be no
>> more. Port probes are being performed 24/7 and have been for years.
>>
>> The Client sends a SYN to the Server requesting a connection.
>> The Server sends back a SYN-ACK to the Client acknowledging the request.
>> The Client responds with an ACK and the connection is completed.
>>
>> Port probes are looking for any open Port, and if they don't find one,
>> they move on to the next possible victim without ever responding with
>> an ACK to the Server. Without an ACK response from the Client, the
>> Server will wait X amount of time before sending another SYN-ACK, then
>> again, and again, etc. until it reaches its max set of times to
>> send. It's when a Server is overwhelmed with these Half-Open
>> connections that it becomes a real issue.
>>
>
> Hi Brian,
>
> You are correct. You are missing that the probe can include an
> internal address as well as the required external address.
>
> An unsuccessful sample attack on my machine for you:
>
> kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80
> WINDOW=8192 RES=0x00 SYN URGP=0
>
> Translation:
> SRC is my NAT router (192.168.1.1) on my 1st Ethernet port
>
> RST is a virtual machine (192.168.1.46) on my second Ethernet
> port that has not run for over three weeks (currently off)
>
> SYN is a SYN packet
>
> The probe got right through my NAT router (and got stopped by my
> software firewall). NAT is a good idea in a lot of ways.
> And it does stop tons of state=new packets. But, as I have
> shown, you can poke through it. It takes a lot more skill,
> so it does cut way down on the bad guys' attempts to probe
> you. But it does not stop all unsolicited state=new probes.
> This is why I am telling everyone that doubts me that
> *NAT is not a firewall*.

From where was the probe launched?

John
Re: firewall test and NAT

ToddAndMargo wrote:
> Brian A. wrote:
>> <snip>
>>> The trouble with NAT is that the bad guys just slap their
>>> guess as to what your internal off Internet address on
>>> to their probe. They find you very quickly if your internal
>>> off Internet address is 192.168.0.xxx. (Recommendation:
>>> pick an internal address other than 192.168.0.0/24 or
>>> 192.168.1.0/24.)
>>>
>>> NAT does not stop incoming requests called SYN (TCP) or
>>> state "New" (TCP or UDP). It only stops traffic not
>>> properly addressed to your internal network. Enough
>>> guessing and the bad guys will find you.
>>
>> If that were to be true, every network in the universe would be no
>> more. Port probes are being performed 24/7 and have been for years.
>>
>> The Client sends a SYN to the Server requesting a connection.
>> The Server sends back a SYN-ACK to the Client acknowledging the request.
>> The Client responds with an ACK and the connection is completed.
>>
>> Port probes are looking for any open Port, and if they don't find one,
>> they move on to the next possible victim without ever responding with
>> an ACK to the Server. Without an ACK response from the Client, the
>> Server will wait X amount of time before sending another SYN-ACK, then
>> again, and again, etc. until it reaches its max set of times to
>> send. It's when a Server is overwhelmed with these Half-Open
>> connections that it becomes a real issue.
>>
>
> Hi Brian,
>
> You are correct. You are missing that the probe can include an
> internal address as well as the required external address.
>
> An unsuccessful sample attack on my machine for you:
>
> kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80
> WINDOW=8192 RES=0x00 SYN URGP=0
>
> Translation:
> SRC is my NAT router (192.168.1.1) on my 1st Ethernet port
>
> RST is a virtual machine (192.168.1.46) on my second Ethernet
> port that has not run for over three weeks (currently off)
>
> SYN is a SYN packet
>
> The probe got right through my NAT router (and got stopped by my
> software firewall). NAT is a good idea in a lot of ways.
> And it does stop tons of state=new packets. But, as I have
> shown, you can poke through it. It takes a lot more skill,
> so it does cut way down on the bad guys' attempts to probe
> you. But it does not stop all unsolicited state=new probes.
> This is why I am telling everyone that doubts me that
> *NAT is not a firewall*.

Let's forget the *NAT is not a firewall* business, this is not a disputed point, we know that NAT is not a firewall but by its nature it has firewall like qualities.

What we don't buy is your assertion that NAT is flimsy to the point where it can be broken by the most simple scanning techniques, that almost anything can just easily shoot through it. Many years ago when NAT was designed the network engineers who put it together would have had to have security in mind, they would have known about network intrusions. These engineers knew that their design had to be robust enough to keep the bad guys out, willingly or unwillingly it had to be part of the design. If what you say is true NAT would not have made it past the starting gate, the engineers would have presented their new "baby" to the world and in less than 24 hours it would have been completely hacked and the project would have fallen apart! There is *absolutely* no way that NAT would have become accepted if it could have been so easily broken, no one today would be using it, certainly Microsoft's Internet Connection Sharing (ICS) would have never seen daylight. Like Brian said, "probes are being performed 24/7 and have been for years". If you log intrusion attempts the router log will probably fill up rather quickly. Instead of logging at the router perhaps you should use a third party firewall or a tool like Wireshark and log on your computer on the inside of the NAT device and see what is actually making it past the router to your computer.

I think that the point that you are leaving out of the picture is that NAT only allows *solicited* traffic past the gate. It sort of works like this:

"John John" sends a message to "ToddAndMargo", NAT forwards the message and remembers this, it "waits" for a reply from ToddAndMargo and when the reply arrives from ToddAndMargo NAT sends it to John John. While NAT waits for solicited replies "TomDick&Harry" come by trying to send a message to John John and NAT says: "John John didn't ask for anything from "any Tom, Dick and Harry", NAT tells them to get lost and drops the message, the unsolicited packets never make it any further than this. Whether or not "any Tom, Dick and Harry" know that John John is home is almost completely irrelevant, what matters is whether or not John John invited them in, that invitation is next to impossible to fake!

NAT works like this:

*Outgoing Packet at the NAT*

The NAT will intercept this outgoing packet and create a port mapping using the destination IP address (server), destination port, external IP address of the NAT, external port, network protocol, and the internal IP address and port from the client.

The NAT will maintain a table of these mappings, storing this port mapping in the table. The external IP address and port are the public IP address and port to be used for this data traffic in place of the internal client's IP address and port.

The NAT then "translates" the packet by swapping the source fields of the packet from the private, internal IP address and port of the client to the public, external IP address and port of the NAT.

The packet is then sent on the external network (the Internet) to eventually reach the intended server.

*Incoming Packet at the NAT*

The NAT receives these packets from the server and compares them to its table of port mappings. If the NAT finds a port mapping where the source IP address, source port, destination port, and network protocol of the incoming packet match the remote host IP address, remote port, external port, and network protocol of the port mapping, the NAT will perform a reverse translation. The NAT replaces the external IP address and external port in the destination fields of the packet with the client's private IP address and internal port. This is an example of solicited incoming traffic. The NAT silently discards unsolicited incoming traffic that does not match a port mapping.

The NAT then sends the packet on the internal network to the client.

Overview of Network Address Translation (NAT) in Windows XP
http://technet.microsoft.com/en-us/l.../bb457077.aspx

You are leaving out the part about port mappings, router tables and *unsolicited* requests from your intrusion scenario. Of course without these NAT would be next to completely useless, such a flimsy and completely insecure setup could never be exposed to the internet, you would have to place a firewall between it and the internet. But NAT is not designed in such a flimsy manner.

Of course this brings a catch 22 or a chicken or the egg kind of dilemma. If NAT only allows solicited requests how can anything move about, somewhere along the line someone has to accept an unsolicited request. That is what your ISP does with its servers and expensive border routers, these systems are designed to accept unsolicited requests, they use different methods to keep the unwanted out, your ISP may require you to logon to a server or it may only accept unsolicited requests from known IP or MAC addresses. Without expensive border routers and elaborate security setups anyone else has to punch holes in NAT to allow it to pass unsolicited requests, you have to open ports in the router. If your router is properly secured outsiders cannot open ports or punch holes in it. And for your simple probes to make it through masqueraded as solicited traffic they would have to actually break in to the router and hack the mapping tables! The only other way that I can think that one may make it in under the guise of solicited traffic would be by way of a "Man in the middle" attack, not such an easy thing to do. Much easier to send in malware and have it open holes from the inside for you.

John
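The outgoing and incoming behaviour John quotes from the Windows XP NAT overview, as an added model of a port-mapping table. This is an illustration only, not the code of Windows ICS or any real NAT: the `Packet` type, the `NAT` class, the external port range and the addresses (RFC 5737 documentation ranges on the public side) are all constructed for the example.

```python
"""Model of the NAT port-mapping behaviour described in the post above:
an outgoing packet creates a mapping and has its source rewritten; an
incoming packet is translated back only if it matches a mapping and is
silently dropped otherwise.

Added illustration, not the code of Windows ICS or any real NAT. The
Packet type, the NAT class, the port range and the addresses (RFC 5737
documentation ranges for the public side) are constructed.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # "SYN", "SYN-ACK", "ACK" ... (descriptive only)


class NAT:
    """Port-mapping table keyed on (proto, remote ip, remote port, external port)."""

    def __init__(self, external_ip, first_external_port=40000):
        self.external_ip = external_ip
        self._ports = count(first_external_port)
        self.mappings = {}   # key -> (internal ip, internal port)
        self.dropped = []    # unsolicited packets, kept so the example can count them

    def outbound(self, pkt):
        """Client -> Internet: record (or reuse) a mapping, rewrite the source."""
        for key, inside in self.mappings.items():
            if key[:3] == (pkt.proto, pkt.dst, pkt.dport) and inside == (pkt.src, pkt.sport):
                ext_port = key[3]
                break
        else:
            ext_port = next(self._ports)
            self.mappings[(pkt.proto, pkt.dst, pkt.dport, ext_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.external_ip, ext_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt):
        """Internet -> client: reverse-translate on a match, else drop silently."""
        inside = self.mappings.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if inside is None or pkt.dst != self.external_ip:
            self.dropped.append(pkt)
            return None
        iip, iport = inside
        return Packet(pkt.proto, pkt.src, pkt.sport, iip, iport, pkt.flags)


def scenario():
    """Constructed exchange: one solicited reply and two unsolicited probes."""
    nat = NAT("198.51.100.1")          # the router's public address
    client, server = "192.168.1.20", "203.0.113.80"
    # 1. client opens a connection; the NAT creates a mapping and rewrites SRC
    out = nat.outbound(Packet("TCP", client, 51234, server, 80, "SYN"))
    # 2. the server's SYN-ACK matches the mapping and is translated back to the client
    reply = nat.inbound(Packet("TCP", server, 80, nat.external_ip, out.sport, "SYN-ACK"))
    # 3. an unsolicited SYN to the public address on a port with no mapping
    probe_ext = nat.inbound(Packet("TCP", "192.0.2.9", 1030, nat.external_ip, 80, "SYN"))
    # 4. an unsolicited SYN addressed straight to a guessed internal address
    probe_int = nat.inbound(Packet("TCP", "192.0.2.9", 1030, "192.168.1.46", 80, "SYN"))
    return {"out": out, "reply": reply, "probe_ext": probe_ext,
            "probe_int": probe_int, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

Case 4 is the "guessed internal address" probe from earlier in the thread: with no mapping and a destination that is not the NAT's own address, the model drops it like any other unsolicited packet. A port forward would be modelled as a pre-seeded entry in `mappings`, which is the "punching holes" John refers to.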
Re: firewall test and NAT

John John - MVP wrote:
> ToddAndMargo wrote:
>> Brian A. wrote:
>>> <snip>
>>>> The trouble with NAT is that the bad guys just slap their
>>>> guess as to what your internal off Internet address on
>>>> to their probe. They find you very quickly if your internal
>>>> off Internet address is 192.168.0.xxx. (Recommendation:
>>>> pick an internal address other than 192.168.0.0/24 or
>>>> 192.168.1.0/24.)
>>>>
>>>> NAT does not stop incoming requests called SYN (TCP) or
>>>> state "New" (TCP or UDP). It only stops traffic not
>>>> properly addressed to your internal network. Enough
>>>> guessing and the bad guys will find you.
>>>
>>> If that were to be true, every network in the universe would be no
>>> more. Port probes are being performed 24/7 and have been for years.
>>>
>>> The Client sends a SYN to the Server requesting a connection.
>>> The Server sends back a SYN-ACK to the Client acknowledging the request.
>>> The Client responds with an ACK and the connection is completed.
>>>
>>> Port probes are looking for any open Port, and if they don't find one, they move on to the next possible victim without ever responding with an ACK to the Server. Without an ACK response from the Client, the Server will wait X amount of time before sending another SYN-ACK, then again, and again, etc. until it reaches its max set of times to send. It's when a Server is overwhelmed with these Half-Open connections that it becomes a real issue.
>>>
>>
>> Hi Brian,
>>
>> You are correct. You are missing that the probe can include an
>> internal address as well as the required external address.
>>
>> An unsuccessful sample attack on my machine for you:
>>
>> kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1
>> DST=192.168.1.46 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP
>> SPT=1030 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>>
>> Translation:
>> SRC is my NAT router (192.168.1.1) on my 1st Ethernet port
>>
>> RST is a virtual machine (192.168.1.46) on my second Ethernet
>> port that has not run for over three weeks (currently off)
>>
>> SYN is a SYN packet
>>
>> The probe got right through my NAT router (and got stopped by my software firewall). NAT is a good idea in a lot of ways. And it does stop tons of state=new packets. But, as I have shown, you can poke through it. It takes a lot more skill, so it does cut way down on the bad guys' attempts to probe you. But it does not stop all unsolicited state=new probes. This is why I am telling everyone that doubts me that *NAT is not a firewall*.
>
> Let's forget the *NAT is not a firewall* business, this is not a disputed point, we know that NAT is not a firewall but by its nature it has firewall like qualities.
>
> What we don't buy is your assertion that NAT is flimsy to the point where it can be broken by the most simple scanning techniques, that almost anything can just easily shoot through it. Many years ago when NAT was designed the network engineers who put it together would have had to have security in mind, they would have known about network intrusions. These engineers knew that their design had to be robust enough to keep the bad guys out, willingly or unwillingly it had to be part of the design. If what you say is true NAT would not have made it past the starting gate, the engineers would have presented their new "baby" to the world and in less than 24 hours it would have been completely hacked and the project would have fallen apart! There is *absolutely* no way that NAT would have become accepted if it could have been so easily broken, no one today would be using it, certainly Microsoft's Internet Connection Sharing (ICS) would have never seen daylight. Like Brian said, "probes are being performed 24/7 and have been for years". If you log intrusion attempts the router log will probably fill up rather quickly. Instead of logging at the router perhaps you should use a third party firewall or a tool like Wireshark and log on your computer on the inside of the NAT device and see what is actually making it past the router to your computer.
>
> I think that the point that you are leaving out of the picture is that NAT only allows *solicited* traffic past the gate. It sort of works like this:
>
> "John John" sends a message to "ToddAndMargo", NAT forwards the message and remembers this, it "waits" for a reply from ToddAndMargo and when the reply arrives from ToddAndMargo NAT sends it to John John. While NAT waits for solicited replies "TomDick&Harry" come by trying to send a message to John John and NAT says: "John John didn't ask for anything from "any Tom, Dick and Harry", NAT tells them to get lost and drops the message, the unsolicited packets never make it any further than this. Whether or not "any Tom, Dick and Harry" know that John John is home is almost completely irrelevant, what matters is whether or not John John invited them in, that invitation is next to impossible to fake!
>
> NAT works like this:
>
> *Outgoing Packet at the NAT*
>
> The NAT will intercept this outgoing packet and create a port mapping using the destination IP address (server), destination port, external IP address of the NAT, external port, network protocol, and the internal IP address and port from the client.
>
> The NAT will maintain a table of these mappings, storing this port mapping in the table. The external IP address and port are the public IP address and port to be used for this data traffic in place of the internal client's IP address and port.
>
> The NAT then "translates" the packet by swapping the source fields of the packet from the private, internal IP address and port of the client to the public, external IP address and port of the NAT.
>
> The packet is then sent on the external network (the Internet) to eventually reach the intended server.
>
> *Incoming Packet at the NAT*
>
> The NAT receives these packets from the server and compares them to its table of port mappings. If the NAT finds a port mapping where the source IP address, source port, destination port, and network protocol of the incoming packet match the remote host IP address, remote port, external port, and network protocol of the port mapping, the NAT will perform a reverse translation. The NAT replaces the external IP address and external port in the destination fields of the packet with the client's private IP address and internal port. This is an example of solicited incoming traffic. The NAT silently discards unsolicited incoming traffic that does not match a port mapping.
>
> The NAT then sends the packet on the internal network to the client.
>
> Overview of Network Address Translation (NAT) in Windows XP
> http://technet.microsoft.com/en-us/l.../bb457077.aspx
>
> You are leaving out the part about port mappings, router tables and *unsolicited* requests from your intrusion scenario. Of course without these NAT would be next to completely useless, such a flimsy and completely insecure setup could never be exposed to the internet, you would have to place a firewall between it and the internet. But NAT is not designed in such a flimsy manner.
>
> Of course this brings a catch 22 or a chicken or the egg kind of dilemma. If NAT only allows solicited requests how can anything move about, somewhere along the line someone has to accept an unsolicited request. That is what your ISP does with its servers and expensive border routers, these systems are designed to accept unsolicited requests, they use different methods to keep the unwanted out, your ISP may require you to logon to a server or it may only accept unsolicited requests from known IP or MAC addresses. Without expensive border routers and elaborate security setups anyone else has to punch holes in NAT to allow it to pass unsolicited requests, you have to open ports in the router. If your router is properly secured outsiders cannot open ports or punch holes in it. And for your simple probes to make it through masqueraded as solicited traffic they would have to actually break in to the router and hack the mapping tables! The only other way that I can think that one may make it in under the guise of solicited traffic would be by way of a "Man in the middle" attack, not such an easy thing to do. Much easier to send in malware and have it open holes from the inside for you.
>
> John

Hi John,

You made me do a lot of research to double check myself. For an online firewall check to shoot through NAT would require a full out spoof attack. Not something a free firewall checking service would consider doing. NAT makes it very, very hard to break through, but not impossible.

Here are some good articles on NAT vulnerabilities:
http://www.velocityreviews.com/forum...g-hacked-.html
http://whirlpool.net.au/wiki/?tag=DSL_modemS02_04

I am also somewhat embarrassed as to not taking my own recommendations as to not using 192.168.0.0/24, which I will change shortly.

What triggered my question is a customer who relies on NAT (only, no firewall), and he is constantly getting tagged with one v1rus or another. I am trying to get him off IE, get a standardized decent antivirus, software firewall, and a *real* firewall.

The reason I am suspicious of the NAT only router is the machines that seem to get tagged are usually just sitting there not being used. Not being used, as the users are afraid to use them -- threats from the management and all. They are supposed to file a single report once a day on the Internet. Otherwise, they just sit there. (Sit there collecting v1ruses.)

I was looking for a way to show him he needed to upgrade to a real firewall. I have been told that the SonicWALL TZ180 is good. Any thoughts?

-T
| Re: firewall test and NAT In article <OaNoS8A0JHA.5764@TK2MSFTNGP04.phx.gbl>, ToddAndMargo@invalid.com says... > What triggered my question is a customer who relies on NAT (only, > no firewall), and he is constantly getting tagged with one > v1rus or another. I am trying to get him off IE, get a > standardized decient antivirus, software firewall, and a *real* > firewall. > NAT has nothing to do with him getting malware on his system. With all of the issues that have been in the media, anyone getting malware has just got to be stupid, at least for the most part. If you want to secure a business, since they will never do the right thing, at least with all my years of dealing with businesses.... Install a firewall that allows content filtering - block EXE, DLL, etc... from all connections except the Server or a IT Admin's workstation. You also AV/content filter SMTP, FTP, HTTP, HTTPS sessions and you block all IN/OUT connections that are not explicitly needed for business (which should be the standard for any firewall solution) Install a managed, corporate type AV solution - like Symantec End Point Protection - don't give users control of the settings or the ability to disable it on their workstations. Install IE settings via Group Policy that the users can't change... Make all computer users LOCAL USERS, NOT Local Admins.... IE works fine, just make all updates automatic install. With the above ideas and a little more, I've managed to secure networks all over the USA and not had a single managed network compromised in my entire history. -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address) |
Re: firewall test and NAT

ToddAndMargo wrote:
> John John - MVP wrote:
>> ToddAndMargo wrote:
>>> John John - MVP wrote:
>>>> ToddAndMargo wrote:
>>>>> Hi All,
>>>>>
>>>>> I would like to test my firewall, but have a NAT box
>>>>> between me and the various firewall tests I know
>>>>> of. Anyone know of a firewall test that shoots
>>>>> through NAT?
>>>>
>>>> NAT would be pretty useless if anything could just "shoot" through
>>>> it. Open (forward) a port in the box or temporarily disable/bypass
>>>> the NAT box for your tests.
>>>>
>>>> John
>>>
>>> Hi John,
>>>
>>> The bad guys know all about NAT. And it is indeed useless
>>> as a firewall.
>>>
>>> The bad guys start with 192.168.0.0/24 and work their way
>>> up. Check your firewall logs, you will see SYN packet probes
>>> on it all the time: about 1/100 if you did not use NAT, but
>>> still enough to do damage. NAT is *not* a firewall -- it is
>>> a common misconception.
>>>
>>> I was hoping for a way to test it without redoing anything
>>> on my network.
>>
>> I'm by no means any kind of expert on this but my understanding about
>> NAT is that it will only allow traffic in if the request for the
>> packets originated from within. You say that you have a "NAT box"; I
>> assume that to be a router of sorts. Check the documentation for
>> your router. John
>
> Hi John,
>
> It is a router.
>
> The trouble with NAT is that the bad guys just slap their
> guess as to what your internal off-Internet address is
> onto their probe. They find you very quickly if your internal
> off-Internet address is 192.168.0.xxx. (Recommendation:
> pick an internal address other than 192.168.0.0/24 or
> 192.168.1.0/24.)
>
> NAT does not stop incoming requests called SYN (TCP) or
> state "New" (TCP or UDP). It only stops traffic not
> properly addressed to your internal network. Enough
> guessing and the bad guys will find you.
>
> NAT is *NOT* a firewall. You take your rear end in your hands
> if you rely on NAT to protect you from port probes.
>
> -T

You appear to be looking for an argument here. First of all, if your router is half-fast working, they'll never get a connect to you to even see your internal IP. I believe it was you who intimated NAT was a firewall; so you reap what you posted when people try to help you with your own words and apparent understanding. There's a LOT more to it than NAT, and properly used, it does do a pretty decent job of keeping drive-bys from ever even realizing you're sitting there.

I think you need to do a little more research. Either that or you already know what you want to see as an answer and want to insist on it. Either way, you're wasting ether IMO.

Mental plonk imposed.
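A toy model of the mechanism the two sides above are arguing about, and of the "block all IN/OUT connections that are not explicitly needed" policy Leythos describes earlier in the thread. This is an added example, not code from any poster or from any router or firewall product: a NAT-only gateway delivers an inbound packet only when a translation entry or a static port-forward matches it, while a stateful firewall adds an explicit allow-list on top. All addresses, ports and the `walkthrough()` scenario are constructed (documentation address ranges).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = True  # True: unsolicited connection attempt; False: reply traffic

@dataclass
class NatGateway:
    """NAT-only box: no policy, just a translation table plus static port-forwards."""
    public_ip: str
    port_forwards: dict = field(default_factory=dict)  # public port -> (lan ip, lan port)
    table: dict = field(default_factory=dict)  # (ext ip, ext port, public port) -> (lan ip, lan port)
    next_port: int = 40000
    def outbound(self, lan_ip, lan_port, ext_ip, ext_port):
        """A LAN host opens a session: record the mapping and return the public port used."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(ext_ip, ext_port, pub_port)] = (lan_ip, lan_port)
        return pub_port
    def inbound(self, pkt):
        """Return the LAN (ip, port) the packet is delivered to, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:  # not addressed to the box (e.g. a guessed 192.168.x.x)
            return None
        hit = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))  # reply to a LAN session?
        return hit or self.port_forwards.get(pkt.dst_port)  # else static forward; else None (dropped)

@dataclass
class StatefulFirewall:
    """Explicit allow-list in front of the NAT box: the 'block everything not needed' policy."""
    gateway: NatGateway
    allowed: dict = field(default_factory=dict)  # public port -> set of source IPs that may open it
    def inbound(self, pkt):
        if pkt.syn and pkt.src_ip not in self.allowed.get(pkt.dst_port, set()):
            return None  # new session not explicitly permitted, even on a forwarded port
        return self.gateway.inbound(pkt)

def walkthrough():
    """Constructed scenario; returns (probe, reply, forwarded, firewalled) outcomes."""
    gw = NatGateway("203.0.113.5")
    probe = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 445))  # unsolicited SYN
    pub = gw.outbound("192.168.0.10", 51000, "192.0.2.80", 80)  # LAN host browses out
    reply = gw.inbound(Packet("192.0.2.80", 80, "203.0.113.5", pub, syn=False))
    gw.port_forwards[3389] = ("192.168.0.20", 3389)  # admin opens a port-forward
    forwarded = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 3389))
    fw = StatefulFirewall(gw, allowed={3389: {"203.0.113.77"}})  # only one source may use it
    firewalled = fw.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 3389))
    return probe, reply, forwarded, firewalled
```

The unsolicited probe and the firewalled SYN come back as None (dropped), the reply and the plain port-forward are delivered; the forwarded case is the one a NAT-only box lets through from any source.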
Re: firewall test and NAT

A well-written response, Leythos. Except I'd say "ignorant" instead of "stupid" in your second para, otherwise it's spot on IMO. The reason I say ignorant is the main targets of the spammer/scammer/social scoundrels often hook the newbie and inexperienced who haven't yet encountered the problems or had anyone to lead them to the right areas for Security. There are so many different things for them to learn, even as they start to pick up on security, they often go right on inviting the malware in. The anonymity of the 'net sucks.

Twayne

Leythos wrote:
> In article <OaNoS8A0JHA.5764@TK2MSFTNGP04.phx.gbl>,
> ToddAndMargo@invalid.com says...
>> What triggered my question is a customer who relies on NAT (only,
>> no firewall), and he is constantly getting tagged with one
>> v1rus or another. I am trying to get him off IE, get a
>> standardized decent antivirus, software firewall, and a *real*
>> firewall.
>>
>
> NAT has nothing to do with him getting malware on his system.
>
> With all of the issues that have been in the media, anyone getting
> malware has just got to be stupid, at least for the most part.
>
> If you want to secure a business, since they will never do the right
> thing, at least with all my years of dealing with businesses....
>
> Install a firewall that allows content filtering - block EXE, DLL,
> etc... from all connections except the Server or an IT Admin's
> workstation. You also AV/content filter SMTP, FTP, HTTP, HTTPS
> sessions and you block all IN/OUT connections that are not explicitly
> needed for business (which should be the standard for any firewall
> solution)
>
> Install a managed, corporate type AV solution - like Symantec End
> Point Protection - don't give users control of the settings or the
> ability to disable it on their workstations.
>
> Install IE settings via Group Policy that the users can't change...
>
> Make all computer users LOCAL USERS, NOT Local Admins....
>
> IE works fine, just make all updates automatic install.
>
> With the above ideas and a little more, I've managed to secure
> networks all over the USA and not had a single managed network
> compromised in my entire history.
Re: firewall test and NAT

In article <OjlIBgC0JHA.5288@TK2MSFTNGP03.phx.gbl>, nobody@devnull.spamcop.net says...
> The reason I say ignorant is the main targets of the
> spammer/scammer/social scoundrels often hook the newbie and
> inexperienced who haven't yet encountered the problems or had anyone to
> lead them to the right areas for Security.

I disagree. I had a client's wife get an email from her "Bank" talking about doing a security update and needing her to send them her user/password and SSN to verify it. This person had been warned many times, they had also been sent emails multiple times about these things, they had even seen them in the past and then commented on them (from other banks).... The news media even did an article on this same type of threat a month before, it was on several channels and even in the newspaper.

We all, and I mean everyone, know that this is a threat and common method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still falling for it.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: firewall test and NAT

Leythos wrote:
> In article <OjlIBgC0JHA.5288@TK2MSFTNGP03.phx.gbl>,
> nobody@devnull.spamcop.net says...
>> The reason I say ignorant is the main targets of the
>> spammer/scammer/social scoundrels often hook the newbie and
>> inexperienced who haven't yet encountered the problems or had anyone
>> to lead them to the right areas for Security.
>>
>
> I disagree. I had a client's wife get an email from her "Bank" talking
> about doing a security update and needing her to send them her
> user/password and SSN to verify it. This person had been warned many
> times, they had also been sent emails multiple times about these
> things, they had even seen them in the past and then commented on
> them (from other banks).... The news media even did an article on
> this same type of threat a month before, it was on several channels
> and even in the newspaper.
>
> We all, and I mean everyone, know that this is a threat and common
> method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still
> falling for it.

Hoo boy! Hard to argue with that, and in retrospect, I've come across it myself, just not to that extreme. That I know of anyway. Hope they didn't lose their asses over it.

I do think however that it still fits the mold of the inexperienced, although I can agree to disagree on that point. Hopefully she didn't lose too much but got enough of a scare to remember it for next time! But I certainly can't dispute the "stupid" part either.

Regards,

Twayne
Re: firewall test and NAT

In article <#ygddEE0JHA.4412@TK2MSFTNGP06.phx.gbl>, nobody@devnull.spamcop.net says...
>
> Leythos wrote:
> > In article <OjlIBgC0JHA.5288@TK2MSFTNGP03.phx.gbl>,
> > nobody@devnull.spamcop.net says...
> >> The reason I say ignorant is the main targets of the
> >> spammer/scammer/social scoundrels often hook the newbie and
> >> inexperienced who haven't yet encountered the problems or had anyone
> >> to lead them to the right areas for Security.
> >>
> >
> > I disagree. I had a client's wife get an email from her "Bank" talking
> > about doing a security update and needing her to send them her
> > user/password and SSN to verify it. This person had been warned many
> > times, they had also been sent emails multiple times about these
> > things, they had even seen them in the past and then commented on
> > them (from other banks).... The news media even did an article on
> > this same type of threat a month before, it was on several channels
> > and even in the newspaper.
> >
> > We all, and I mean everyone, know that this is a threat and common
> > method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still
> > falling for it.
>
> Hoo boy! Hard to argue with that, and in retrospect, I've come across
> it myself, just not to that extreme. That I know of anyway. Hope they
> didn't lose their asses over it.
> I do think however that it still fits the mold of the inexperienced,
> although I can agree to disagree on that point. Hopefully she didn't
> lose too much but got enough of a scare to remember it for next time!
> But I certainly can't dispute the "stupid" part either.

She was lucky; I had just sent an email to clients about the increase in FAKE BANK spam we were seeing and her husband sent it home to her. She called me and I had her call the Banks - they had already put a hold on all of her accounts because of "suspicious" activity - she actually provided them with her complete identity and account access. We sent the information (complaint and email + headers) to the state's ATTY General as well as the FBI. An interesting note: I traced the website and email to a hacked server in Italy that was still online at the time.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Re: firewall test and NAT

So tell me, why do you love pcbutts?

"Leythos" <spam999free@rrohio.com> wrote in message news:004a8755$0$24257$c3e8da3@news.astraweb.com...
> In article <#ygddEE0JHA.4412@TK2MSFTNGP06.phx.gbl>,
> nobody@devnull.spamcop.net says...
>>
>> Leythos wrote:
>> > In article <OjlIBgC0JHA.5288@TK2MSFTNGP03.phx.gbl>,
>> > nobody@devnull.spamcop.net says...
>> >> The reason I say ignorant is the main targets of the
>> >> spammer/scammer/social scoundrels often hook the newbie and
>> >> inexperienced who haven't yet encountered the problems or had anyone
>> >> to lead them to the right areas for Security.
>> >>
>> >
>> > I disagree. I had a client's wife get an email from her "Bank" talking
>> > about doing a security update and needing her to send them her
>> > user/password and SSN to verify it. This person had been warned many
>> > times, they had also been sent emails multiple times about these
>> > things, they had even seen them in the past and then commented on
>> > them (from other banks).... The news media even did an article on
>> > this same type of threat a month before, it was on several channels
>> > and even in the newspaper.
>> >
>> > We all, and I mean everyone, know that this is a threat and common
>> > method - Ignorance would be NOT KNOWING, "Stupid" is knowing and still
>> > falling for it.
>>
>> Hoo boy! Hard to argue with that, and in retrospect, I've come across
>> it myself, just not to that extreme. That I know of anyway. Hope they
>> didn't lose their asses over it.
>> I do think however that it still fits the mold of the inexperienced,
>> although I can agree to disagree on that point. Hopefully she didn't
>> lose too much but got enough of a scare to remember it for next time!
>> But I certainly can't dispute the "stupid" part either.
>
> She was lucky; I had just sent an email to clients about the increase in
> FAKE BANK spam we were seeing and her husband sent it home to her. She
> called me and I had her call the Banks - they had already put a hold on
> all of her accounts because of "suspicious" activity - she actually
> provided them with her complete identity and account access. We sent the
> information (complaint and email + headers) to the state's ATTY General
> as well as the FBI. An interesting note: I traced the website and email
> to a hacked server in Italy that was still online at the time.
>
>
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)