Diff b/w cheap and expensive firewalls

Advanced Search

There are 367 identified and unidentified users. To see the list of identified users, Click here



Word :   Username :  
 
Bottom
Author
 Thread : Diff b/w cheap and expensive firewalls
 
More Information

Archived from groups: comp.security.firewalls (More info?)

 

I was wondering if somebody could clarify the difference between a cheap
retail firewall, like a D-Link you might get at Staples, and professional-grade
firewalls from Symantec or Watchguard. If there is no serving going
on behind the firewall (i.e., no virtual server passthrough), is there
really a difference in security? Doesn't this eliminate the need for
SPI? Are $600 firewalls harder to defeat than $40 firewalls? Is it just
the bells and whistles of logging and alerts?

Thanks,
tslugmo

--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/


In article <opsb6dyxrnk1tkce@tslugmo.belkin>, anon@yeahright.com says...
> I was wondering if somebody could clarify the difference between a cheap
> retail firewall, like a D-Link you might get at Staples, with professional
> grade firewalls from Symantec or Watchguard.

You need to separate the idea that a router with NAT is a firewall from
what a real firewall is/does. Routers with NAT provide a blocking
service based on the NAT function, nothing else.

Firewalls may or may not use NAT and provide filtering of traffic based
on traffic type (not always a port number) and do it in both directions.

There is a huge difference between a router with NAT and a firewall of
any type.

> If there is no serving going
> on behind the firewall, (ie, no virtual server passthrough), is there
> really a difference in security? Doesn't this eliminate the need for
> SPI? Are $600 firewalls harder to defeat than $40 firewalls? Is it just
> the bells and whistles of logging and alerts?

Yes, in one case, there was a sorority that had a NAT system installed,
there were 6 machines that were infected with a virus that had its own
SMTP server. The infected machines were sending out infected emails
directly from their systems, bypassing the internal SMTP server. Had a
real firewall been installed (or a properly configured high-end router)
SMTP would not have been permitted from the local devices (except the
SMTP server) to the internet, or it would have only been permitted from
the workstations to the ISP's SMTP server for outbound messages. A
generic router would not have prevented this problem from reaching the
world.

$600 firewalls, or any firewall that is a real firewall, are harder to
defeat when properly configured than ANY router with NAT and SPI or any
router with just NAT.

If you've been reading these groups for a couple weeks you would already
know this :-)

--
spamfree999@rrohio.com
(Remove 999 to reply to me)


If I don't want anything to initiate access to my network from outside,
besides normal responses to HTTP and SMTP requests, do I need to go beyond
NAT? If there's no server or remote access going on?

Thanks,
tslug

On Tue, 03 Aug 2004 21:59:36 GMT, Leythos <void@nowhere.com> wrote:

> In article <opsb6dyxrnk1tkce@tslugmo.belkin>, anon@yeahright.com says...
>> I was wondering if somebody could clarify the difference between a cheap
>> retail firewall, like a D-Link you might get at Staples, with
>> professional
>> grade firewalls from Symantec or Watchguard.
>
> You need to separate the idea that a router with NAT is a firewall from
> what a real firewall is/does. Routers with NAT provide a blocking
> service based on the NAT function, nothing else.
>
> Firewalls may or may not use NAT and provide filtering of traffic based
> on traffic type (not always a port number) and do it in both directions.
>
> There is a huge difference between a router with NAT and a firewall of
> any type.
>
>> If there is no serving going
>> on behind the firewall, (ie, no virtual server passthrough), is there
>> really a difference in security? Doesn't this eliminate the need for
>> SPI? Are $600 firewalls harder to defeat than $40 firewalls? Is it
>> just
>> the bells and whistles of logging and alerts?
>
> Yes, in one case, there was a sorority that had a NAT system installed,
> there were 6 machines that were infected with a virus that had its own
> SMTP server. The infected machines were sending out infected emails
> directly from their systems, bypassing the internal SMTP server. Had a
> real firewall been installed (or a properly configured high-end router)
> SMTP would not have been permitted from the local devices (except the
> SMTP server) to the internet, or it would have only been permitted from
> the workstations to the ISP's SMTP server for outbound messages. A
> generic router would not have prevented this problem from reaching the
> world.
>
> $600 firewalls, or any firewall that is a real firewall, are harder to
> defeat when properly configured than ANY router with NAT and SPI or any
> router with just NAT.
>
> If you've been reading these groups for a couple weeks you would already
> know this :-)
>



--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/


In article <opsb7we9qck1tkce@tslugmo.belkin>, anon@yeahright.com says...
> If I don't want anything to initiate access to my network from outside,
> besides normal responses to HTTP and SMTP requests, do I need to go beyond
> NAT? If there's no server or remote access going on?

In "general" if you have a NAT device that also supports SPI, and you
have no ports forwarded inbound, and the device is not a wireless
device, then you are about as safe from unsolicited inbound as you can
get without buying a real firewall.

This method does nothing to control rogue web sites, infected email, or
already compromised machines in your network.

The NAT with SPI will ensure that only things your computer contacts
will be able to communicate with it.


--
spamfree999@rrohio.com
(Remove 999 to reply to me)
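The distinctions Leythos draws in this reply and in his earlier one (a NAT-only box forwards whatever reaches a mapped port and controls nothing outbound; NAT with SPI lets back in only the reply leg of a flow a LAN host opened; a real firewall also applies a policy outbound, which is what would have stopped the infected workstations' own SMTP engines) can be modelled in a few lines. The following is an added illustration and not code from the thread: the three device classes, the addresses and the sample packets are all constructed, address rewriting is left out, and the NAT-only device is given the lenient "full cone" inbound behaviour, which not every NAT product shares.

```python
"""Toy model of three edge devices applied to the same sample traffic.

Constructed example for illustration; the device classes, hosts and
addresses are hypothetical (RFC 1918 and RFC 5737 ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    sport: int      # source port
    dst: str        # destination address
    dport: int      # destination port
    outbound: bool  # True for LAN -> Internet, False for Internet -> LAN


MAIL_SERVER = "192.168.1.10"  # the internal SMTP relay (constructed)


class NatOnly:
    """Plain NAT with no filtering policy: every outbound packet is forwarded
    and records a port mapping; an inbound packet is forwarded whenever it
    arrives on a mapped port, whoever sent it (the lenient "full cone" case).
    Address rewriting is omitted: the LAN address stands in for the public one.
    """

    def __init__(self):
        self.mapped_ports = set()

    def outbound_allowed(self, p):
        return True  # nothing is ever filtered on the way out

    def inbound_allowed(self, p):
        return p.dport in self.mapped_ports  # any source may use a mapped port

    def note_flow(self, p):
        pass  # plain NAT keeps no per-flow state

    def handle(self, p):
        if p.outbound:
            ok = self.outbound_allowed(p)
            if ok:
                self.mapped_ports.add(p.sport)
                self.note_flow(p)
            return ok
        return self.inbound_allowed(p)


class NatSpi(NatOnly):
    """NAT plus stateful packet inspection: an inbound packet is forwarded only
    if it is the reply leg of a flow a LAN host opened (full 4-tuple match)."""

    def __init__(self):
        super().__init__()
        self.flows = set()

    def note_flow(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound_allowed(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.flows


class EgressFirewall(NatSpi):
    """Stateful filter with a policy in both directions. Outbound is
    default-deny: web from any LAN host, SMTP only from the mail server."""

    OUTBOUND_RULES = [
        (None, 80), (None, 443),  # any LAN host -> web
        (MAIL_SERVER, 25),        # only the mail server -> SMTP
    ]

    def outbound_allowed(self, p):
        return any((src is None or src == p.src) and port == p.dport
                   for src, port in self.OUTBOUND_RULES)


def run(device, packets):
    """Feed the packets through one device in order; True means forwarded."""
    return [device.handle(p) for p in packets]


# Constructed traffic sample
SAMPLE = [
    Packet("192.168.1.20", 40000, "198.51.100.5", 80, True),    # workstation opens a web session
    Packet("198.51.100.5", 80, "192.168.1.20", 40000, False),   # the web server's reply
    Packet("198.51.100.9", 443, "192.168.1.20", 40000, False),  # unsolicited packet aimed at the same port
    Packet("192.168.1.21", 40001, "198.51.100.7", 25, True),    # infected workstation's own SMTP engine
    Packet(MAIL_SERVER, 40002, "198.51.100.7", 25, True),       # the real mail server relaying outbound
]

if __name__ == "__main__":
    for cls in (NatOnly, NatSpi, EgressFirewall):
        print(f"{cls.__name__:15} {run(cls(), SAMPLE)}")
```

Running it shows the NAT-only box forwarding all five packets, NAT with SPI dropping only the unsolicited third packet, and the egress firewall dropping the third and the fourth: the workstation's direct SMTP connection is the one case the thread says only a real firewall (or a router configured with an outbound policy) would have caught.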


What about NAT w/o SPI? If that's not safe, can you explain why not?

Thanks for your patience,
tslug

On Wed, 04 Aug 2004 17:42:58 GMT, Leythos <void@nowhere.com> wrote:

> In article <opsb7we9qck1tkce@tslugmo.belkin>, anon@yeahright.com says...
>> If I don't want anything to initiate access to my network from outside,
>> besides normal responses to HTTP and SMTP requests, do I need to go
>> beyond
>> NAT? If there's no server or remote access going on?
>
> In "general" if you have a NAT device that also supports SPI, and you
> have no ports forwarded inbound, and the device is not a wireless
> device, then you are about as safe from unsolicited inbound as you can
> get without buying a real firewall.
>
> This method does nothing to control rogue web sites, infected email, or
> already compromised machines in your network.
>
> The NAT with SPI will ensure that only things your computer contacts
> will be able to communicate with it.
>
>



--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/


In article <opsb8g27pwk1tkce@tslugmo.belkin>, anon@yeahright.com says...
> What about NAT w/o SPI? If that's not safe, can you explain why not?

From what I understand, there are issues without SPI that allow an
attacker to ride the inbound port that is being used by the local and
remote client to communicate - this means that an anonymous system, if
it could determine what ports your computer was using to talk with
another computer, could ride in on that same port.

I could be wrong, it's not an area that I have studied. I have also never
seen a NAT system compromised by not having NAT w/SPI.


--
spamfree999@rrohio.com
(Remove 999 to reply to me)


Leythos wrote:

> In article <opsb8g27pwk1tkce@tslugmo.belkin>, anon@yeahright.com says...
>> What about NAT w/o SPI? If that's not safe, can you explain why not?
>
> From what I understand, there are issues without SPI that allow an
> attacker to ride the inbound port that is being used by the local and
> remote client to communicate - this means that an anonymous system, if
> it could determine what ports your computer was using to talk with
> another computer, could ride in on that same port.
>
> I could be wrong, it's not an area that I have studied. I have also never
> seen a NAT system compromised by not having NAT w/SPI.

You confuse SPI with TCP sequence numbers. No half-decent implementation is
vulnerable to that.
--
Mailman



In article <41118ee0_5@corp.newsgroups.com>, mailman@anonymous.org
says...
> Leythos wrote:
>
> > In article <opsb8g27pwk1tkce@tslugmo.belkin>, anon@yeahright.com says...
> >> What about NAT w/o SPI? If that's not safe, can you explain why not?
> >
> > From what I understand, there are issues without SPI that allow an
> > attacker to ride the inbound port that is being used by the local and
> > remote client to communicate - this means that an anonymous system, if
> > it could determine what ports your computer was using to talk with
> > another computer, could ride in on that same port.
> >
> > I could be wrong, it's not an area that I have studied. I have also never
> > seen a NAT system compromised by not having NAT w/SPI.
>
> You confuse SPI with TCP sequence numbers. No half-decent implementation is
> vulnerable to that.

Thanks for the correction, I knew there was something out there like
that, but I didn't remember what it was.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)

