firewall test and NAT

[ToddAndMargo]

Hi All,

I would like to test my firewall, but have a NAT box
between me and the various firewall tests I know
of. Anyone know of a firewall test that shoots
through NAT?

Many thanks,
-T

 

[John John - MVP]

Hi All,

I would like to test my firewall, but have a NAT box
between me and the various firewall tests I know
of. Anyone know of a firewall test that shoots
through NAT?

NAT would be pretty useless if anything could just "shoot" through it.
Open (forward) a port in the box or temporarily disable/bypass the NAT
box for your tests.

John

 

[ToddAndMargo]

NAT would be pretty useless if anything could just "shoot" through it.
Open (forward) a port in the box or temporarily disable/bypass the NAT
box for your tests.

John

Hi John,

The bad guys know all about NAT. And it is indeed useless
as a firewall.

The bad guys start with 192.168.0.0/24 and work their way
up. Check your firewall logs, you will see SYN packet probes
on it all the time: about 1/100 if you did not use NAT, but
still enough to do damage. NAT is *not* a firewall -- it is
a common misconception.

I was hoping to way to test it without redoing anything
on my network.

-T

 

[John John - MVP]

Hi John,

The bad guys know all about NAT. And it is indeed useless
as a firewall.

The bad guys start with 192.168.0.0/24 and work their way
up. Check your firewall logs, you will see SYN packet probes
on it all the time: about 1/100 if you did not use NAT, but
still enough to do damage. NAT is *not* a firewall -- it is
a common misconception.

I was hoping to way to test it without redoing anything
on my network.

I'm by no means any kind of expert on this but my understanding about
NAT is that it will only allow traffic in if the request for the packets
originated from within. You say that you have a "NAT box" I assume that
to be a router of sorts, check the documentation for your router.

John

 

[ToddAndMargo]

I'm by no means any kind of expert on this but my understanding about
NAT is that it will only allow traffic in if the request for the packets
originated from within. You say that you have a "NAT box" I assume that
to be a router of sorts, check the documentation for your router.

John

Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

NAT is *NOT* a firewall. You take you rear end in your hands
if you rely on NAT to protect you from port probes.

-T

 

[John John - MVP]

Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

I don't think that is how it works. My router stops SYN floods and
operates in stealth mode, you could be "knocking" all you want but you
ain't gonna come in!

John

 

[ToddAndMargo]

I don't think that is how it works. My router stops SYN floods and
operates in stealth mode, you could be "knocking" all you want but you
ain't gonna come in!

John

Hi John,

The is a good feature to have. But, is not NAT. It is an
additional feature. I was specifically referring only to NAT.

What scares me is people with $15.00 routers with NAT thinking
it is a real firewall.

-T

 

[John John - MVP]

Hi John,

The is a good feature to have. But, is not NAT. It is an
additional feature. I was specifically referring only to NAT.

What scares me is people with $15.00 routers with NAT thinking
it is a real firewall.

I think that your assessment of how easily NAT can be broken is
overblown, consider this, if your firewall tests can't make it through
your NAT box it isn't as flimsy as you make it out to be! If anyone is
that worried they can put their private IP address in the Class A range
and give the hackers a "few" more doors to knock on. But I do have to
agree with you that you get what you pay for and that a $15 router may
not be the best thing to have between your network and the internet!

John

 

[ToddAndMargo]

I think that your assessment of how easily NAT can be broken is
overblown, consider this, if your firewall tests can't make it through
your NAT box it isn't as flimsy as you make it out to be!

You are missing the point. The firewall test sites that don't shoot
through NAT do not tag the secondary off internet address on to
their attack packets. In those tests, everything comes back perfect
because they are being rejected by the router.

Now if the test site took your secondary off Internet address from
your initial SYN packet to log into their site and probed you, the
router would pass their probes right through.

If anyone is
that worried they can put their private IP address in the Class A range
and give the hackers a "few" more doors to knock on. But I do have to
agree with you that you get what you pay for and that a $15 router may
not be the best thing to have between your network and the internet!

John

Best Buy is ready and waiting for the $15.00 crowd: their Geek Squid
will happily wipe your hard drive clean and reinstall windows for you!

 

[ToddAndMargo]

You are missing the point. The firewall test sites that don't shoot
through NAT do not tag the secondary off internet address on to
their attack packets. In those tests, everything comes back perfect
because they are being rejected by the router.

Now if the test site took your secondary off Internet address from
your initial SYN packet to log into their site and probed you, the
router would pass their probes right through.



Best Buy is ready and waiting for the $15.00 crowd: their Geek Squid
will happily wipe your hard drive clean and reinstall windows for you!

Squid was a typo.

He who pays the least, pays the most

 

[Leythos]

Hi All,

I would like to test my firewall, but have a NAT box
between me and the various firewall tests I know
of. Anyone know of a firewall test that shoots
through NAT?

LOL, NAT doesn't have things "Shoot Through" it, that would break NAT.

If you want to test, most of those cheap, crappy, NAT routers have a
fake DMZ IP address, just map the DMZ to the same IP as your computer.
The DMZ IP gets all traffic that you have not created rules for, in most
NAT routers.

 

[Leythos]

Forget my last post I was wrong, you need to format your hd and reinstall
windows.

 

[Leythos]

Forget my last post I was wrong, you need to format your hd and reinstall
windows.

The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

 

[Leythos]

Forget my last post I was wrong, you need to format your hd and reinstall
windows.

The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)


"

 

[Leythos]

Forget my last post I was wrong, you need to format your hd and reinstall
windows.

The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

 

[Leythos]

Path: news.astraweb.com!border1.newsrouter.astraweb.com!npeer01.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!post02.iad.highwinds-media.com!newsfe21.iad.POSTED!4b08191c!not-for-mail
From: "Leythos" <[email protected]>
Newsgroups: microsoft.public.windowsxp.general
References: <#2gS5#[email protected]> <[email protected]> <[email protected]>
In-Reply-To: <[email protected]>
Subject: Re: firewall test and NAT- Another Impersonation by Butts
Lines: 20
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Antivirus: avast! (VPS 090507-0, 05/07/2009), Outbound message
X-Antivirus-Status: Clean
Message-ID: <[email protected]>
X-Complaints-To: (e-mail address removed)
NNTP-Posting-Date: Thu, 07 May 2009 23:24:47 UTC
Organization: TeraNews.com
Date: Thu, 7 May 2009 16:24:41 -0700




The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

And the headers prove another impersonation by the resident unethical
hack.

 

[Leythos]

Path: news.astraweb.com!border2.newsrouter.astraweb.com!indigo.octanews.net!news-out.octanews.net!teal.octanews.net!nx01.iad01.newshosting.com!newshosting.com!69.16.185.16.MISMATCH!npeer02.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!post02.iad.highwinds-media.com!newsfe21.iad.POSTED!4b08191c!not-for-mail
From: "Leythos" <[email protected]>
Newsgroups: microsoft.public.windowsxp.general
References: <#2gS5#[email protected]> <[email protected]> <[email protected]>
In-Reply-To: <[email protected]>
Subject: Re: firewall test and NAT- Another Impersonation by Butts
Lines: 17
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Antivirus: avast! (VPS 090507-0, 05/07/2009), Outbound message
X-Antivirus-Status: Clean
Message-ID: <[email protected]>
X-Complaints-To: (e-mail address removed)
NNTP-Posting-Date: Thu, 07 May 2009 23:26:11 UTC
Organization: TeraNews.com
Date: Thu, 7 May 2009 16:26:09 -0700



The above post was not by Leythos, it was a faked post and shows the
lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

And the headers prove another impersonation by the resident unethical
hack.

 

[Brian A.]

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

If that were to be true, every network in the universe would be no more,
Port probes are being performed 24/7 and have been for years.

The Client sends a SYN to the Server requesting a connection.
The Server sends back a SYN-ACK to the Client acknowledging the request.
The Client responds with an ACK and the connection is completed.

Port probes are looking for any open Port, and if they don't find one, they
move on to the next possible victim without ever responding with an ACK to
the Server. Without an ACK response from the Client, the Server will wait X
amount of time before sending another SYN-ACK, then again, and again, etc.
until it reaches it's max set of times to send. It's when a Sever is
overwhelmed with these Half-Open connections that it becomes a real issue.


--

Brian A. Sesko
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375

 

[Bruce Chambers]

Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

Assuming one is silly enough to leave that NAT router set to factory
defaults.....


--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot

 

[ToddAndMargo]

If that were to be true, every network in the universe would be no
more, Port probes are being performed 24/7 and have been for years.

The Client sends a SYN to the Server requesting a connection.
The Server sends back a SYN-ACK to the Client acknowledging the request.
The Client responds with an ACK and the connection is completed.

Port probes are looking for any open Port, and if they don't find one,
they move on to the next possible victim without ever responding with an
ACK to the Server. Without an ACK response from the Client, the Server
will wait X amount of time before sending another SYN-ACK, then again,
and again, etc. until it reaches it's max set of times to send. It's
when a Sever is overwhelmed with these Half-Open connections that it
becomes a real issue.

Hi Brian,

You are correct. You are missing that the probe can include an
internal address as well as the required external address.

An unsuccessful sample attack on my machine for you:

kernel: Incomming SYN IN=eth1 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.46
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=228 DF PROTO=TCP SPT=1030 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0

Translation:
SRC is my NAT router (192.168.1.1) on my 1st Ethernet port

RST is a virtual machine (192.168.1.46) on my second Ethernet
port that has not run for over three weeks (currently off)

SYN is a SYN packet

The probe got right through my NAT router (and got stopped by my
software firewall). NAT is a good idea in a lot of ways.
And it does stop tons of state=new packets. But, as I have
shown, you can poke through it. It takes a lot more skill,
so it does cut way down on the bad guys attempt to probe
you. But it does not stop all unsolicited state=new probes.
This is why I am tell everyone that doubts me that
*NAT is not a firewall*.

-T