Hardening Win 2K Pro

null

Unless you explicitly forward the ports, though, any incoming setup
packets will just be dropped and are therefore not the risk you
suggested.

So you're saying my hardened machines don't need the firewall?
The same reason it is more secure to work behind the router than to
connect your 'hardened' machine directly to the Internet.

I fail to see why. Incoming packets to closed ports are dropped, aren't
they? It's always best to disable all unnecessary/unwanted services.

There is the issue of stack overrun vulnerabilities that unpatched Win
98 has. But even that is unlikely to cause problems in the short time
it takes to download and install critical patches. I ran the PCFlank
Exploits test on patched '98 and 'ME machines, as well as Win 2K Pro,
and they come through fine.

Art



http://home.epix.net/~artnpeg
 
James Egan

So you're saying my hardened machines don't need the firewall?

Yes.

It could be useful if you do some port forwarding and then want to
restrict access to (say) a range of external ip's but in your current
situation the router's not dropping anything which wouldn't be dropped
anyway if the firewall was disabled.

I fail to see why. Incoming packets to closed ports are dropped, aren't
they? It's always best to disable all unnecessary/unwanted services.

I'm not saying your machine isn't secure. Only that it's better not to
receive any unwanted packets at the business end than to filter them
out. I would still use the router even with a single pc.


Jim.
 
Bob

I'm not saying your machine isn't secure. Only that it's better not to
receive any unwanted packets at the business end than to filter them
out. I would still use the router even with a single pc.

There is no way a packet initiated on the gateway can get to your
machine if you employ NAT because your machine's IP address is
unroutable over the Internet. A packet addressed to your machine never
gets out of its gateway onto the Internet to begin with. Of course
that assumes you use one of the several unroutable addresses for your
machine, but that goes without saying.

The only way a packet can reach your machine is if it is a reply to a
packet sent by your machine. That's where Kerio Personal Firewall
comes in. It monitors every application that attempts to set up a
network connection in your machine and if it is not approved by you,
the application can't send the request packet to begin with, and
therefore there is no response possible from the gateway.

If you have set up your NAT router and your personal firewall
properly, it is bulletproof in terms of alien packets getting in or
out of your machine. That leave things like attachments which are
otherwise legitimate packets - and that's where your AV comes in, and
hopefully your ISP too, both of which are supposed to filter viruses.

There is a nifty logging utility for the Linksys BEFSR41 called Wall
Watcher. If you turn it on you can see all the crap trying to get into
your machine. It's incredible the number of attacks that are out
there.

I fully agree with you - it is much better to have a NAT router stop
that crap before it gets anywhere near your machine.


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverance. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
Duane Arnold

Bob said:
There is no way a packet initiated on the gateway can get to your
machine if you employ NAT because your machine's IP address is
unroutable over the Internet. A packet addressed to your machine never
gets out of its gateway onto the Internet to begin with. Of course
that assumes you use one of the several unroutable addresses for your
machine, but that goes without saying.

The only way a packet can reach your machine is if it is a reply to a
packet sent by your machine. That's where Kerio Personal Firewall
comes in. It monitors every application that attempts to set up a
network connection in your machine and if it is not approved by you,
the application can't send the request packet to begin with, and
therefore there is no response possible from the gateway.

That's if you have no open ports on the router using port forwarding. If
port forwarding or triggering is being used, then unsolicited inbound
packets can reach a machine. And since it's a NAT router, then most likely
it will not ensure that only the File Transfer Protocol comes down the FTP
ports rejecting all other protocols.

If you have set up your NAT router and your personal firewall
properly, it is bulletproof in terms of alien packets getting in or
out of your machine. That leave things like attachments which are
otherwise legitimate packets - and that's where your AV comes in, and
hopefully your ISP too, both of which are supposed to filter viruses.

Malware can circumvent and defeat all of it particularly at system boot,
since Kerio is not an integrated O/S component that can get to the TCP/IP
first at boot or its App Control can start to stop a program.

There is a nifty logging utility for the Linksys BEFSR41 called Wall
Watcher. If you turn it on you can see all the crap trying to get into
your machine. It's incredible the number of attacks that are out
there.

It's just everyday life on the Internet. It's good that you at least watch
the in/out traffic on your LAN. Wallwatcher could miss malware connections
too while the computer is booting before WW can start reporting router
traffic. I like WW and I use it too.

I fully agree with you - it is much better to have a NAT router stop
that crap before it gets anywhere near your machine.

Attacks can be run against a NAT router. I have seen a couple of probes come
through at SQL Server like a hot knife through butter.

However, the NAT router is good for a home LAN by not forwarding unsolicited
inbound traffic and one is not doing high risk things like port triggering.

Duane :)
 
kurt wismer

Bob wrote:
[snip]
The number one defense is NAT. There is no reason to turn it off.

apparently someone doesn't understand the words coming out of my mouth
(errr keyboard, whatever)...

when you're debugging a connectivity problem there *IS* a reason to turn
it off - it might be the cause of the connectivity problem...
 
Bob

That's if you have not open ports on the router using port forwarding.

I have no ports forwarded. Road Runner blocks many ports so I can't
put a server on my machine anyway.

If port forwarding or triggering is being used, then unsolicited inbound
packets can reach a machine. And since it's a NAT router, then most likely
it will not ensure that only the File Transfer Protocol comes down the FTP
ports rejecting all other protocols.

It is my understanding that Linksys uses passive FTP.

Malware can circumvent and defeat all of it particularly at system boot,
since Kerio is not an integrated O/S component that can get to the TCP/IP
first at boot or its App Control can start to stop a program.

Kerio does load well before anything else. I believe it gets around
the problem you described but I cannot offer any support for that
claim. This used to be a big issue with ZA until they fixed it, so
they claimed.

It's just everyday life on the Internet. It's good that you at least watch
the in/out traffic on your LAN. Wallwatcher could miss malware connections
too while the computer is booting before WW can start reporting router
traffic. I like WW and I use it too.

Can't the personal firewall check all connections periodically, even
after boot and thereby catch any malware agent?


 
Duane Arnold

Bob said:
I have no ports forwarded. Road Runner blocks many ports so I can't
put a server on my machine anyway,

That's not the point. The point is that packets can reach a machine if the
packets have not been solicited by a machine behind a router.

It is my understanding that Linksys uses passive FTP.

What's passive FTP have to do with a Linksys router or any NAT router
ensuring that the proper protocol comes down a port, like only the HTTP
protocol can come down port 80 rejecting any other protocol coming down the
port or only the FTP can come down ports 20 and 21 rejecting any other
protocol coming down the port? That would come into play in using port
forwarding of 80, 20 and 21 to an IP/machine behind the router running
those services. Most NAT routers for home usage cannot ensure it.

Kerio does load well before anything else. I believe it gets around
the problem you described but I cannot offer any support for that
claim. This used to be a big issue with ZA until they fixed it, so
they claimed.

I doubt that Kerio is getting to that TCP/IP connection at boot, unless you
somehow were able to hack the service Dependencies and somehow told TCP/IP
that it couldn't start without Kerio being started first. The only PFW
solution that can get there first and protect the TCP/IP at boot is XP's
FW, since it is an integrated O/S component.

Can't the personal firewall check all connections periodically, even
after boot and thereby catch any malware agent?

Before the boot, the damage may have been done as packets may have already
left the machine. Sometimes malware is looking for a host to run with like
svchost.exe and use it. So you stop svchost.exe from making a connection
only to turn around and allow svchost.exe to connect for another legit
reason. What happened to the reason it was being stopped as it didn't go
anywhere? It seems that App Control is somewhat effective as long as one
doesn't boot the machine.

Duane :)
 
James Egan

It is my understanding that Linksys uses passive FTP.

You probably mean you have to use passive FTP to traverse your own NAT
router. That is nothing to do with the router itself which isn't
concerned with such protocols.

What he means is IF you are forwarding (say) port 80, which you
aren't, then a stateful inspection of the packets is more secure than
just forwarding everything with destination port 80 in the header,
which it is.

It might be perfectly in order for his network to employ such a
capable device, but he keeps recommending it to home users running no
servers.


Jim.
 
null

Unless you explicitly forward the ports, though, any incoming setup
packets will just be dropped and are therefore not the risk you
suggested.

Here's a link to something on the alleged security issue:

http://itvibe.com/news/2592/

It's claimed that with the router firewall disabled, the router's
configuration is accessible. Now, this article is a bit old, and I
haven't found anything more recent. My firmware rev is at
2.07.1 and they are talking much earlier revs. I dunno if there's a
real issue here or not, but I certainly wouldn't use the damn thing
with the firewall disabled until I find out.

Art

http://home.epix.net/~artnpeg
 
Roger Wilco

Bob said:
There is no way a packet initiated on the gateway can get to your
machine if you employ NAT because your machine's IP address is
unroutable over the Internet. A packet addressed to your machine never
gets out of its gateway onto the Internet to begin with. Of course
that assumes you use one of the several unroutable addresses for your
machine, but that goes without saying.

The only way a packet can reach your machine is if it is a reply to a
packet sent by your machine. That's where Kerio Personal Firewall
comes in. It monitors every application that attempts to set up a
network connection in your machine and if it is not approved by you,
the application can't send the request packet to begin with, and
therefore there is no response possible from the gateway.

If you have set up your NAT router and your personal firewall
properly, it is bulletproof in terms of alien packets getting in or
out of your machine. That leave things like attachments which are
otherwise legitimate packets - and that's where your AV comes in, and
hopefully your ISP too, both of which are supposed to filter viruses.

There is a nifty logging utility for the Linksys BEFSR41 called Wall
Watcher. If you turn it on you can see all the crap trying to get into
your machine. It's incredible the number of attacks that are out
there.

I fully agree with you - it is much better to have a NAT router stop
that crap before it gets anywhere near your machine.

I agree too - but having these things should not be a substitute for
learning how to properly configure (harden) your machine.
 
Duane Arnold

James said:
You probably mean you have to use passive FTP to traverse your own nat
router. That is nothing to do with the router itself which isn't
concerned with such protocols.

What he means is IF you are forwarding (say) port 80, which you
aren't, then a stateful inspection of the packets is more secure than
just forwarding everything with destination port 80 in the header,
which it is.

It might be perfectly in order for his network to employ such a
capable device, but he keeps recommending it to home users running no
servers.

I am only explaining the shortcomings of a NAT (no FW) router. I don't
recall recommending anything to anyone. And I am God damn tired of you
interpreting what the HELL I am saying.

Duane
 
null

Here's a link to something on the alleged security issue:

http://itvibe.com/news/2592/

It's claimed that with the router firewall disabled, the router's
configuration is accessible. Now, this article is a bit old, and I
haven't found anything more recent. My firmware rev is at
2.07.1 and they are talking much earlier revs. I dunno if there's a
real issue here or not, but I certainly wouldn't use the damn thing
with the firewall disabled until I find out.

I just did some Googling on the name "Alan Rateliff II" and found a
wealth of stuff on this issue with the WRT54GS wireless router. Here's
just one of many URLs:

http://www.linksys.com/download/firmware.asp?fwid=201

which is a d/l for firmware version 3.03.6 which, according to
Rateliff, Cisco now (finally) claims fixes the problem.

Rateliff elsewhere points out a workaround. He says you can port
forward 80 and 443 to non-existent hosts in order to protect your
configuration from hackers.

Art

http://home.epix.net/~artnpeg
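The posts above argue over four behaviours of a home NAT box: Bob's point that only replies to connections a LAN host opened get back in, Duane's caveat that a port forward admits unsolicited traffic and that a plain NAT router does not check which protocol rides on the forwarded port, James's note that stateful/protocol inspection on a forwarded port is stricter than forwarding everything with that destination port, and Rateliff's workaround of forwarding 80 and 443 to non-existent hosts. The following is an added toy model written for this thread to make those cases concrete; it is not Linksys firmware, Kerio code, or anything from the posters. The `Packet` and `NatRouter` names, the `inspect` flag (standing in for a protocol-aware forward, which the posts say home routers lack), the `admin_on_wan` flag (standing in for the exposure the itvibe link describes), and all addresses are assumptions constructed for the example.

```python
"""Toy home-NAT model constructed for this thread; it is not any vendor's code.
Shows: unsolicited inbound packets with no table entry are dropped; replies to
LAN-initiated connections are translated back; a port forward admits unsolicited
traffic and plain NAT does not check the application protocol on it (the
`inspect` flag is hypothetical); forwarding the admin ports to a non-existent
host sinks the traffic. Addresses come from RFC 5737 / RFC 1918 ranges.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: str = ""  # application-protocol label of the payload, e.g. "http", "ftp"


class NatRouter:
    """Address-restricted source NAT with optional port forwards."""

    def __init__(self, wan_ip: str, lan_hosts: List[str],
                 forwards: Optional[Dict[int, Tuple[str, int, str]]] = None,
                 inspect: bool = False, admin_on_wan: bool = False):
        self.wan_ip = wan_ip
        self.lan_hosts = set(lan_hosts)    # LAN hosts that actually exist
        self.forwards = forwards or {}     # wan_port -> (lan_ip, lan_port, expected_app)
        self.inspect = inspect             # hypothetical protocol check on forwarded ports
        self.admin_on_wan = admin_on_wan   # models the exposure described in Art's link
        # connection table: wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self._next_port = 40000
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host opens a connection: record the mapping, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = next((p for p, e in self.table.items() if e == key), None)
        if wan_port is None:
            wan_port, self._next_port = self._next_port, self._next_port + 1
            self.table[wan_port] = key
        self.log.append(f"OUT {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} as {self.wan_ip}:{wan_port}")
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives on the WAN side; returns it as delivered (to a LAN
        host or to the router's own admin interface) or None if dropped."""
        entry = self.table.get(pkt.dst_port)
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            # 1. Reply to a connection a LAN host opened: translate it back.
            self.log.append(f"IN  reply -> {entry[0]}:{entry[1]}")
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        if pkt.dst_port in self.forwards:
            # 2. Forwarded port: unsolicited traffic is admitted...
            lan_ip, lan_port, expected_app = self.forwards[pkt.dst_port]
            if self.inspect and pkt.app != expected_app:
                self.log.append(f"IN  drop port {pkt.dst_port}: {pkt.app!r} is not {expected_app!r}")
                return None
            if lan_ip not in self.lan_hosts:
                # ...unless the forward points at a host that does not exist (the sinkhole).
                self.log.append(f"IN  drop port {pkt.dst_port}: no such host {lan_ip}")
                return None
            self.log.append(f"IN  forward -> {lan_ip}:{lan_port} ({pkt.app})")
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        if self.admin_on_wan and pkt.dst_port in (80, 443):
            # 3. The router's own web configuration answering on the WAN side.
            self.log.append(f"IN  router admin interface reached on port {pkt.dst_port}")
            return replace(pkt, dst_ip="router-admin")
        # 4. No mapping and no forward: dropped.
        self.log.append(f"IN  drop unsolicited {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
        return None


def scenarios() -> Dict[str, Optional[str]]:
    """Run the thread's cases; each value is where the inbound packet ended up
    (a LAN IP, 'router-admin', or None when the router dropped it)."""
    lan, wan, web, probe = "192.168.1.100", "203.0.113.10", "198.51.100.5", "198.51.100.99"
    dest = lambda p: p.dst_ip if p else None
    out: Dict[str, Optional[str]] = {}

    # Nothing forwarded (Bob's setup): only replies get in.
    r = NatRouter(wan, [lan])
    req = r.outbound(Packet(lan, 51000, web, 80, "http"))
    out["reply_to_own_request"] = dest(r.inbound(Packet(web, 80, wan, req.src_port, "http")))
    out["other_source_on_mapped_port"] = dest(r.inbound(Packet(probe, 4444, wan, req.src_port, "http")))
    out["unsolicited_to_closed_port"] = dest(r.inbound(Packet(probe, 4444, wan, 21, "ftp")))

    # Port 21 forwarded (Duane's caveat): plain NAT passes any protocol on that port.
    fwd = {21: (lan, 21, "ftp")}
    out["forwarded_ftp"] = dest(NatRouter(wan, [lan], fwd).inbound(Packet(probe, 4444, wan, 21, "ftp")))
    out["forwarded_other_app_no_inspection"] = dest(
        NatRouter(wan, [lan], fwd).inbound(Packet(probe, 4444, wan, 21, "irc")))
    out["forwarded_other_app_with_inspection"] = dest(
        NatRouter(wan, [lan], fwd, inspect=True).inbound(Packet(probe, 4444, wan, 21, "irc")))

    # Admin interface reachable from the WAN, and the forward-to-nowhere workaround.
    out["admin_exposed"] = dest(
        NatRouter(wan, [lan], admin_on_wan=True).inbound(Packet(probe, 4444, wan, 80, "http")))
    sink = {80: ("192.168.1.254", 80, "http"), 443: ("192.168.1.254", 443, "https")}
    out["admin_sinkholed"] = dest(
        NatRouter(wan, [lan], sink, admin_on_wan=True).inbound(Packet(probe, 4444, wan, 80, "http")))
    return out
```

Calling `scenarios()` returns the landing point of each inbound packet, and each router's `log` list reads like the Wall Watcher output the posts mention. The model is address-restricted on purpose: a packet to a mapped WAN port from a different source than the one the LAN host contacted is dropped, which is the case Bob has in mind when he says only replies get through. Note that the sinkhole forward only helps because the target host does not exist; the same forward pointed at a live host would expose that host instead.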
 
Bob

Bob wrote:
[snip]
The number one defense is NAT. There is no reason to turn it off.

apparently someone doesn't understand the words coming out of my mouth
(errr keyboard, whatever)...

when you're debugging a connectivity problem there *IS* a reason to turn
it off - it might be the cause of the connectivity problem...

Oh, cut it out. I obviously meant there is no reason to turn it off
under normal operating conditions. Most people do not know how to
"debug a connectivity problem".


 
Bob

That's not the point. The point is that packets can reach a machine if the
packets have not been solicited by a machine behind a router.

Not unless you poke a hole. I have no holes.

What's passive FTP have to do with a Linksys router or any NAT router
ensuing that the proper protocol comes down a port,

You will have to look that up for yourself because you will not accept
anything I tell you. Check out the router forums.

like only the HTTP

I doubt that Kerio is getting to that TCP/IP connection at boot, unless you
somehow were able to hack the service Dependencies and somehow told TCP/IP
that it couldn't start without Kerio being started first.

How do you know that Kerio has not done that? When Windows comes up it
is the first item before any of the installed services. If the tray
networking icon is any indication of when TCP/IP is started, it is a
while *after* Kerio has been started.

The only PFW
solution that can get there first and protect the TCP/IP at boot is XP's
FW, since it is an integrated O/S component.

Then why does the Kerio splash screen show up well before the
networking tray icon?


 
Bob

I am only explaining the shortcomings of a NAT (no FW) router. I don't
recall recommending anything to anyone. And I am God damn tired of you
interpreting what the HELL I am saying.

That's the only way anyone can figure out what you are trying to say.


 
Bob

Egan you are an absolute ****ing ass-wipe.

You have just made yourself irrelevant with that violent attack.

You need to learn some mature mechanisms to cope with your
uncontrolled aggression.

From this time on, no reasonable person is going to pay any attention
to you.


 
Bob

It's claimed that with the router firewall disabled, the router's
configuration is accessible. Now, this article is a bit old, and I
haven't found anything more recent. My firmware rev is at
2.07.1 and they are talking much earlier revs. I dunno if there's a
real issue here or not, but I certainly wouldn't use the damn thing
with the firewall disabled until I find out.

There was a period back several years ago when the Linksys BEFSR41 was
trying to get SPI working that they introduced some vulnerabilities
into the firmware. It took a long while to get it all sorted out. I
know because I was an official Linksys beta tester and I corresponded
with the development engineers at the time.

The last firmware revision I installed is an old one that we were told
was stable. It is 1.42.6. I have had no reason to change. I believe
you still have to disable SPI if you want to forward any ports.


 
Bob

I agree too - but having these things should not be a substitute for
learning how to properly configure (harden) your machine.

I have a problem with tinkering with Windows - there are apps which
use certain ports and if you block them the apps won't work. I prefer
to create an alert in Kerio and discover first hand who's using what
port.

 
Duane Arnold

Bob said:
You have just made yourself irrelevant with that violent attack.

You need to learn some mature mechanisms to cope with your
uncontrolled aggression.

From this time on, no reasonable person is going to pay any attention
to you.

Look, Egan and I have been at it for quite a while and I really don't care what
you think about it.

And let me be blunt about it, take the router and stick up ass. ;-)

Duane :)
 
