Linksys WRT54GS - Netmeeting and port forwarding question

NH
06-25-2005, 10:34 PM
i have a Linksys WRT54GS. i'd like to set up port forwarding to be
able to use Netmeeting.

i went to the ms website and it lists a whole bunch of ports to be
opened when using a firewall and it is very confusing.
can somebody tell me if there is an easy way to accomplish this?

thank you very much,
NH
 
Duane Arnold
06-25-2005, 11:59 PM
NH wrote:

> i have a Linksys WRT54GS. i'd like to set up port forwarding to be
> able to use Netmeeting.
>
> i went to the ms website and it lists a whole bunch of ports to be
> opened when using a firewall and it is very confusing.
> can somebody tell me if there is an easy way to accomplish this?



http://homenethelp.com/help/netmeeting-router.asp

Netmeeting's Remote Desktop Sharing will work through a Linksys router using
port forwarding. If you are wanting to do all that video stuff with
Netmeeting, then the router has to be H.323 compliant. There are H.323
compliant routers.

Other than that, if the router is not H.323 compliant put the machine into
the DMZ of the router and have a personal firewall solution that can deal
with H.323 to protect it.

Duane
 
Jeff Liebermann
06-26-2005, 12:46 AM
On Sat, 25 Jun 2005 17:34:54 -0500, NH <(E-Mail Removed)> wrote:

>i have a Linksys WRT54GS. i'd like to set up port forwarding to be
>able to use Netmeeting.


There's a problem with Netmeeting. It's H.323 which uses random port
numbers and requires that the router sniff the packet contents for the
port numbers. The usual advice is to open a wide range of ports as
in:
| http://www.portforward.com/english/r...rough_3.01.htm
That's the ultimate security nightmare. Any security scanner will
complain that such a system with almost all the ports open is totally
insecure.

Be sure to setup your desktop with a static IP address.

Another recommendation is to use the DMZ feature, which redirects
literally everything to your computer. Also, a bad idea:
| http://home.sc.rr.com/schvarak/XP%20Static.html

>i went to the ms website and it lists a whole bunch of ports to be
>opened when using a firewall and it is very confusing.
>can somebody tell me if there is an easy way to accomplish this?
>
>thank you very much,
>NH


Frankly, I don't know of a secure way to do Netmeeting with the
WRT54G. There are routers that sniff the packets looking for specific
types and open ports on the fly as needed. However, the WRT54G
apparently doesn't do that.

This mess is one of the reasons MS is going to other conferencing
programs. The latest Windoze Messenger will do everything that
Netmeeting does.
http://messenger.msn.com/
There are other conferencing programs. I suggest you switch instead
of fight.



--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
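Jeff's point above (H.323 negotiates its media ports in-band, so a router either has to sniff the signalling and open ports on the fly, or the user has to forward a huge range or use the DMZ) can be seen in a toy model. This is an added example, my own code and not anything from the thread, from Linksys or from Microsoft. The `media_port=` token in the payload stands in for the real H.245 negotiation and is not the actual wire encoding; the LAN prefix, the inside host address, the remote peer address, the dynamic media port 49152 and the "wide range" of 1024-65535 are all assumptions for illustration. TCP 1720 for H.225 call signalling is the real H.323 port.

```python
"""Toy model of a home NAT router's inbound policy: plain NAT, static port
forwarding, an H.323-aware router (ALG), and a DMZ host. Constructed
example; 'media_port=' is a stand-in for H.245, not the real encoding."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")      # assumed LAN behind the router
INSIDE_HOST = "192.168.1.100"           # assumed static IP of the NetMeeting PC
H323_SIGNALLING_PORT = 1720             # H.225 call signalling, TCP 1720


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


@dataclass
class Router:
    mode: str                                   # "nat", "forward", "alg" or "dmz"
    static_forwards: frozenset = frozenset()    # ports a forwarding rule sends to INSIDE_HOST
    flows: set = field(default_factory=set)     # (remote_ip, remote_port, local_port) seen outbound
    pinholes: set = field(default_factory=set)  # ports the ALG opened after sniffing signalling

    def outbound(self, pkt: Packet) -> None:
        """Record a LAN->WAN flow so that its replies are let back in (stateful NAT)."""
        self.flows.add((pkt.dst, pkt.dport, pkt.sport))
        if self.mode == "alg" and pkt.dport == H323_SIGNALLING_PORT:
            # A protocol-aware router reads the negotiated media port out of the
            # signalling payload and opens only that port, only for this call.
            m = re.search(rb"media_port=(\d+)", pkt.payload)
            if m:
                self.pinholes.add(int(m.group(1)))

    def inbound(self, pkt: Packet) -> bool:
        """True if a WAN->LAN packet is delivered to INSIDE_HOST."""
        if ip_address(pkt.src) in LAN:
            return False        # ingress filter: WAN packet claiming an inside address
        if (pkt.src, pkt.sport, pkt.dport) in self.flows:
            return True         # reply to a connection the inside host started
        if self.mode == "dmz":
            return True         # DMZ: every unsolicited packet goes to the host
        if self.mode == "forward":
            return pkt.dport in self.static_forwards
        if self.mode == "alg":
            return pkt.dport in self.pinholes
        return False            # plain NAT: unsolicited traffic is dropped


def run_call(mode: str, static_forwards=()) -> dict:
    """Place one outbound H.323 call, then see which inbound packets get through."""
    r = Router(mode, frozenset(static_forwards))
    peer = "203.0.113.7"        # assumed remote NetMeeting user
    # Our side dials: signalling goes out on 1720 and (in this toy) announces the media port.
    r.outbound(Packet(INSIDE_HOST, peer, 40001, H323_SIGNALLING_PORT, b"SETUP media_port=49152"))
    return {
        "signalling_reply": r.inbound(Packet(peer, INSIDE_HOST, H323_SIGNALLING_PORT, 40001)),
        "incoming_media":   r.inbound(Packet(peer, INSIDE_HOST, 5004, 49152)),
        "unrelated_smb":    r.inbound(Packet("198.51.100.9", INSIDE_HOST, 3333, 445)),
        "spoofed_inside":   r.inbound(Packet("192.168.1.50", INSIDE_HOST, 3333, 445)),
    }


if __name__ == "__main__":
    scenarios = {
        "plain NAT":                 run_call("nat"),
        "forward 1720 only":         run_call("forward", {H323_SIGNALLING_PORT}),
        "forward 1024-65535 (wide)": run_call("forward", range(1024, 65536)),
        "H.323-aware (ALG)":         run_call("alg"),
        "DMZ host":                  run_call("dmz"),
    }
    for name, result in scenarios.items():
        print(f"{name:28} " + "  ".join(f"{k}={'yes' if v else 'no'}" for k, v in result.items()))
```

Running it shows the trade-off in one table: plain NAT passes only the signalling reply, so the call's media never arrives; forwarding 1720 alone does not help because the media port is chosen during the call; the wide static range lets the media in but also anything else aimed at those ports; the ALG opens exactly one port for one call; the DMZ delivers the unrelated SMB probe as well. The ingress filter is the one check that holds in every mode.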
 
Duane Arnold
06-26-2005, 02:37 AM
>
> Another recommendation is to use the DMZ feature, which redirects
> literally everything to your computer. Also, a bad idea:
> | http://home.sc.rr.com/schvarak/XP%20Static.html


It would be no worse than taking a machine and doing a direct connect to the
Internet with a personal FW solution providing the protection, while using
Netmeeting. If the machine had a PFW on it when it was put into the DMZ for
a short period of time and then taken out of the DMZ where is the harm?

Duane

 
Jeff Liebermann
06-26-2005, 04:53 AM
On Sun, 26 Jun 2005 02:37:01 GMT, Duane Arnold <(E-Mail Removed)>
wrote:

>> Another recommendation is to use the DMZ feature, which redirects
>> literally everything to your computer. Also, a bad idea:
>> | http://home.sc.rr.com/schvarak/XP%20Static.html


>It would be no worse than taking a machine and doing a direct connect to the
>Internet with a personal FW solution providing the protection, while using
>Netmeeting. If the machine had a PFW on it when it was put into the DMZ for
>a short period of time and then taken out of the DMZ where is the harm?
>Duane


You're correct that if you trust the personal firewall, such an
arrangement will work just fine. Perhaps I'm a bit paranoid about
doing this as I was finding far too many machines infested with
spyware, running trojans, lacking in Windoze updates, and
misconfigured or missing firewalls. I see huge numbers of shares open
to the internet. Perhaps it's because I only see broken machines.
I'm sure there are users with properly configured machines and
firewalls, but I just don't see those. If you're sure your computah
is safe and secure, then by all means, do the DMZ or massive port
redirection solution.

You might find the following 5 page article illuminating:
http://www.pcflank.com/art56_1.htm
or these admittedly theoretical problems:
http://www.tooleaky.zensoft.com
http://keir.net/firehole.html

I guess the easiest way to be sure is to run one of the online
security tests:
http://www.dslreports.com/scan
http://www.pcflank.com/about.htm (various tests)

Perhaps I'm overly paranoid but I would prefer not to almost totally
disable my router's firewall for the benefit of one program that is
easily replaced by something less demanding.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
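What the online security tests Jeff lists actually do from the outside is a TCP connect scan. Here is an added example of that check, my own code rather than anything from the thread or from the sites linked above, so you can verify what the router exposes after changing port forwarding or DMZ settings. It only tells you something when run from the WAN side (a shell account elsewhere, a friend's connection) against your public address; run from inside the LAN it just lists the PC's own services. The watchlist is my selection of ports a home router should never forward to a Windows desktop, using the standard port assignments; the default target address is a placeholder.

```python
"""TCP connect scan: the check an 'online security test' makes from outside.
Added example, not from the thread. Run against your public IP from a host
on the WAN side; scanning from inside the LAN does not show router exposure."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable

# Services a home router should not be forwarding to a Windows desktop.
# Port/service pairings are the standard assignments; the selection is mine.
EXPOSURE_WATCHLIST = {
    135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session (file and print sharing)",
    445: "SMB direct",
    1720: "H.323 call signalling (NetMeeting)",
    3389: "Remote Desktop",
}


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a full TCP handshake completes on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, ...
        return False


def scan(host: str, ports: Iterable[int], timeout: float = 0.5,
         workers: int = 64) -> list[int]:
    """Connect-scan the given ports concurrently; return the open ones, sorted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


def exposure_report(host: str, ports: Iterable[int]) -> dict[int, str]:
    """Map each open port to a label; 'unknown service' if not on the watchlist."""
    return {p: EXPOSURE_WATCHLIST.get(p, "unknown service") for p in scan(host, ports)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"   # placeholder public IP
    found = exposure_report(target, range(1, 1025))
    if not found:
        print(f"{target}: nothing accepted a connection on ports 1-1024")
    for port, label in found.items():
        print(f"{target}:{port} open  {label}")
```

A connect scan completes the handshake, so it shows up in the target's logs; that is fine when the target is your own router. A box in the DMZ with file and print sharing enabled will show 139 and 445 open in this report, which is exactly the "all ports open" complaint Jeff describes.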
 
Duane Arnold
06-26-2005, 09:45 AM
Jeff Liebermann <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Sun, 26 Jun 2005 02:37:01 GMT, Duane Arnold <(E-Mail Removed)>
> wrote:
>
>>> Another recommendation is to use the DMZ feature, which redirects
>>> literally everything to your computer. Also, a bad idea:
>>> | http://home.sc.rr.com/schvarak/XP%20Static.html

>
>>It would be no worse than taking a machine and doing a direct connect
>>to the Internet with a personal FW solution providing the protection,
>>while using Netmeeting. If the machine had a PFW on it when it was put
>>into the DMZ for a short period of time and then taken out of the DMZ
>>where is the harm? Duane

>
> You're correct that if you trust the personal firewall, such an
> arrangement will work just fine. Perhaps I'm a bit paranoid about
> doing this as I was finding far too many machines infested with
> spyware, running trojans, lacking in Windoze updates, and
> misconfigured or missing firewalls. I see huge numbers of shares open
> to the internet. Perhaps it's because I only see broken machines.
> I'm sure there are users with properly configured machines and
> firewalls, but I just don't see those. If you're sure your computah
> is safe and secure, then by all means, do the DMZ or massive port
> redirection solution.


Well, end-users need to learn how to secure the situation.

1) By knowing how to use the PFW solution properly as machine-level
protection (can't call it a FW as it's not). And not depending on things
such as App Control or the rest of the stuff within them that is snake
oil.

2) If one has a Windows O/S where it has security and it has been hardened
to attack or secured by disabling *shares*, securing user accounts, using
the proper file system such as NTFS and implementing security with the
file system, disabling vulnerable services like not using the F&P sharing
service if it's not needed. The key is to secure the O/S when
exposing a Windows-based O/S to the Internet or doing a machine direct
connect with a PFW solution or sticking one into the DMZ of a router.

http://labmice.techtarget.com/articl...ychecklist.htm

The buck stops with the O/S and it doesn't stop anywhere else, if you
have an O/S where security can be implemented.

There are other links besides the one above that will clue in the
clueless.


>
> You might find the following 5 page article illuminating:
> http://www.pcflank.com/art56_1.htm
> or these admittedly theoretical problems:
> http://www.tooleaky.zensoft.com
> http://keir.net/firehole.html
>


If the machine has been compromised and the malware executed, it has been
compromised and no snake oil solution that has been spawned by Gibson is
going to stop it. If the machine has been compromised, a PFW, host based
network FW, router or FW appliance solution is not going to stop malware
and its outbound traffic initially.

The key is to not allow the malware to reach the machine and practice
safe hex. The other key is to recognize dubious activities once the
machine has been compromised by using the proper tools and one looks
around for themselves from time to time and not depend solely on
solutions that can be circumvented and defeated.

I do use the tools in the link from time to time, like Active Ports and
Process Explorer, and look for myself at what is happening on the
machine.

http://tinyurl.com/klw1

> I guess the easiest way to be sure is to run one of the online
> security tests:
> http://www.dslreports.com/scan
> http://www.pcflank.com/about.htm (various tests)


Yeah, one can run the tests there is no harm in doing that.

>
> Perhaps I'm overly paranoid but I would prefer not to almost totally
> disable my routers firewall for the benifit of one program that is
> easily replaced by something less demanding.


No NAT router for home usage is running *true* FW software. It may be
using NAT and some other FW-like features like SPI but it's not running FW
software in the traditional sense.

Of course you have some high-end NAT routers that come close to being a
FW appliance but they are not running true FW software. And you can use a
NAT router as a border device considered to be a total FW solution
designed to protect a network.

A NAT router for home usage is good enough in the home protection by not
forwarding unsolicited requests to the network, until one starts doing
high risk things like *port forwarding*.

If the NAT router cannot meet the specs in the link for *What does a FW
do?*, then it's not an appliance that's running *true* FW software.
However, some high-end NAT routers come very close to being a FW
appliance.

http://www.vicomsoft.com/knowledge/r...irewalls1.html

Here is the NAT router for home usage with FW *like* features.

http://www.homenethelp.com/web/explain/about-NAT.asp

Here is some more good info about FW(s).

http://www.more.net/technical/netserv/tcpip/firewalls/

If I were going to do a machine direct connect to the Internet, the O/S
would be hardened to attack. You can even knock out the share exploit too
on a Win 9'x and ME O/S by disabling F&P service if it's not needed. The
same would apply for me if I were to put a machine into the DMZ: I would
apply the security features that were on the O/S and implement a PFW
solution and know how to use it properly.

But for the most part, I just keep the machines behind the protection of
the FW appliance and have done a couple of things for the time being to
harden the NT based O/S to attack.

Duane



 
Duane Arnold
06-26-2005, 11:49 AM
> Of course you have some high-end NAT routers that come close to being a
> FW appliance but they are not running true FW software. And you can use a
> NAT router as a border device considered to be a total FW solution
> designed to protect a network.
>


I want to correct this.

And you can use a NAT router as a border device considered to be part of a
total FW solution designed to protect a network.

Duane

 
Jeff Liebermann
06-26-2005, 04:32 PM
On Sun, 26 Jun 2005 09:45:41 GMT, Duane Arnold <(E-Mail Removed)>
wrote:

>Well, end-users need to learn how to secure the situation.


I beg to differ somewhat. It is my contention that manufacturers of
wireless contraptions have done a positively dismal job of delivering
out of the box secure wireless. Demanding that the user compensate
for their laziness and ineptitude is not a suitable answer. Look at
the boxes made by 2wire.com for a clue. WEP enabled by default.
Cryptic WEP key pre-installed. Unique SSID. How hard is that?

I don't seriously expect the GUM (Great Unwashed Masses) to ever
understand even the basics of encryption and security. Even the ones
that do run into absurdities such as creative ASCII to Hex
conversions, cryptic settings, creative protocols, and stupid security
ideas such as broadcasting NULL's for the SSID.

The user should be presented with a selection template on
installation. There should be a choice of common applications with
presets for each such as Corporate Network, Hot Spot, Open Access, VPN
Gateway, and of course, custom settings. Expecting the user to know
about access point isolation, VPN passthrough, and ACL's, is a bit
like requiring the automobile buyer to learn auto mechanics before
being allowed to drive. Such templates are common in Cisco IOS based
routers, where the complexity of the initial setup is often well
beyond the abilities of even experienced users.

>1) By knowing how to use the PFW solution properly as machine level
>protection (can't call it a FW as it's not). And not depending on things
>such as App Control or the rest of the stuff within them that is snake
>oil.


I'm not a big fan of Steve Gibson and calling anyone that has never
attended a security conference or appears on a security mailing list,
as security expert is ludicrous. However, he does have a point with
his snake oil security tests. I read his stuff, extract what I can,
and ignore his alarmist conclusions and warnings. There's value in
there somewhere. The same applies to others that have found
individual flaws, potential security holes, and exploits. I once
found a real security hole in a commercial Unix OS, but was ignored by
the manufacturer. Only when someone else wrote an exploit tool was
the problem addressed and fixed. Careful what you call snake oil.

I have a problem with personal firewall software (Zone Alarm, Windoze
XP SP2 firewall, etc). They are "user decision based" firewalls. In
other words, they only work if the user makes the correct decision
when the popup appears demanding a decision. My experience with
inspecting ZoneAlarm, Norton, McAfee and WFW configurations is that
users constantly make the wrong decisions. I've found numerous
machines with active trojan horses running, where the user simply
clicked "accept" because he got tired of having the popup warning
appear. This is ludicrous, stupid, worthless, and dangerous. As I
previously ranted, a personal firewall is a great tool in the hands of
an experienced and conscientious user. However, with the commonly
inexperienced member of the GUM, it's of limited value.

>2) If one has a Windows O/S where it has security and it has been hardened
>to attack or secured by disabling *shares*,


Trick question: How does a member of the GUM disable shares or even
see them? Perhaps they are swift enough to know about the:
NET VIEW \\your_IP (or NETBIOS machine name)
trick that will show the visible shares. But what about the hidden C$
administrative share and XP's default shared folder? I have a hell of a
time just finding which directory is being shared. I constantly see
machines that use Briefcase to replicate files have the entire C:
drive shared just to get the stupid Briefcase to work. I also find XP
boxes with proper user login passwords assigned, but a blank password
for administrator. I would normally just disable all sharing, but
crippled XP Home doesn't allow disabling simple file sharing. I have
to kill the shares one by one. Of course every user login is an
administrator by default, which is convenient, but ensuring that a
mistake is universally destructive. I won't even go into what can be
done to XP with physical access.

This is hardened security?

>http://labmice.techtarget.com/articl...ychecklist.htm


This is an excellent list. I can tell whomever wrote it has had some
experience. Securing the backup tapes and cdroms is not often
included in such a list. Were I interested in attacking a specific
machine, it's much easier to steal the backups than to attack the
machine directly. Now, getting the backup vendors to use real
encryption is another story. I have friends in the business and they
claim it's not a useful requirement and will ruin their data integrity
checking.

>The buck stops with the O/S and it doesn't stop anywhere else, if you
>have an O/S where security can be implemented.


Does informing you of defects make an automobile safe? There's some
argumentation over the principle, but the consensus seems to be that
manufacturers are responsible for delivering safe products. Methinks
that extends to data security and safety, but your EULA may say
otherwise.

>There are other links besides the one above that will clue in the
>clueless.


The clueless don't read such links or they wouldn't be clueless. Even
if they do read the recommendations, many of the tweaks are undone
almost immediately after a hardware reset, operating system upgrade,
or manufacturers' "system restore" ceremony. Is eternal vigilance also
the cost of security?

>If the machine has been compromised and the malware executed, it has been
>compromised and no snake oil solution that has been spawned by Gibson is
>going to stop it. If the machine has been compromised, a PFW, host based
>network FW, router or FW appliance solution is not going to stop malware
>and its outbound traffic initially.


Make up your mind. Is the personal firewall like a lock and key
barrier to access, or is it a burglar alarm that informs the user that
they've been screwed? With user decision based PFW solutions,
methinks the burglar alarm is the proper analogy. It doesn't really
prevent access, but does inform the user that someone is trying to
drill through the door. I have yet to see a PFW that does both
adequately.

>The key is to not allow the malware to reach the machine and practice
>safe hex. The other key is to recognize dubious activities once the
>machine has been compromised by using the proper tools and one looks
>around for themselves from time to time and not depend solely on
>solutions that can be circumvented and defeated.


I get far too few calls from customers asking for clarification of
some of the pop-up messages delivered by ZoneAlarm, MS Anti-Spyware
beta 1, and other impediments to computing. Even I have to decode the
cryptic mumbo-jumbo that some of these deliver in my face.
Self-respawning spyware will create the same warning over and over
until the user selects "accept" just to make the messages go away.
Recovering from the wrong decision is also a common exercise on behalf
of my customers.

>I do use the tools in the link form time to time like Active Ports and
>Process Explorer and look for myself and what is happening on the
>machine.
>http://tinyurl.com/klw1


Nice article. One problem. The user would be expected to know and
recognize the difference between normal and bogus processes and
drivers. I can barely keep up on the myriad of driver names and would
never expect a member of the GUM to be able to do the same.

>No NAT router for home usage is running *true* FW software. It may be
>using NAT and some other FW like features like SPI but its not running FW
>software in the traditional sense.


All stateful packet inspection does is offer the router a way to
determine which side of the firewall a packet is coming from in order
to prevent a WAN side attacker from spoofing an inside IP address.
This is an important feature and very useful, but does not mean that
firewalls that lack SPI are garbage. The same thing can be done with
packet filters.

The endless discussions on what features constitute a "true" firewall
has wasted considerable time in the various networking newsgroups and
mailing lists. There are some that suggest that anything that does
not pass the ICSA Labs certification tests are worthless. I don't
know (or care). I have very few problems dealing with attacks
originating from the internet with common cheap NAT routers. Well, I
do have some problems from the internet with users that do
considerable port forwarding that point to flawed or insecure inside
services. I just had the web server on my weather station
successfully compromised by an attack from the internet because I was
one version behind on updates and fixes. Anyway, I consider the
typical NAT firewall to be good enough, even without SPI, ACL's, and
certification. However, setting up a DMZ defeats all the protection
and relies totally on the user decision based personal firewall, which
I have almost no confidence in staying alive or secure.

>Of course you have some high-end NAT routers that come close to being a
>FW appliance but they are not running true FW software. And you can use a
>NAT router as a border device considered to be a total FW solution
>designed to protect a network.


I'll resist the temptation to ask what features are missing in a cheap
NAT router that are required for a "true" firewall. I can list a
considerable number of protocols and features that a typical Cisco
router supports, but how many of those features are useful for the
average home user, and how many of them are comprehensible by the user
or even the installer? Adding features do not necessarily equate to
better security.

I guess I cheat. Our neighborhood LAN uses a Cisco 2514 router (with
the fan ripped out so I don't have to listen to the noise). My local
ISP's free wireless setup uses a Cisco 2611 router. It turns out that
the most useful features of these "true" routers are SNMP management
for traffic monitoring, bandwidth management, and ACL's for security.

>A NAT router for home usage is good enough in the home protection by not
>forwarding unsolicited requests to the network, until one starts doing
>high risk things like *port forwarding*.


Well, isn't that what you suggested is acceptable for dealing with
brain dead protocols like H.323 and Netmeeting? In my never humble
opinion, the problem is not the inability of the router to deal with
badly written protocols, but the protocol itself. Dump the
application and get something that works (i.e. SIP based messaging).

>If the NAT router cannot meet the specs in the link for *What does a FW
>do?*, then it's not an appliance that's running *true* FW software.
>However, some high-end NAT routers come very close to being a FW
>appliance.


I haven't seen too many that will do ACL's or accept X.509
certificates for authentication. Few will terminate an IPSec or PPTP
VPN. Monitoring is at best a limited joke. Per-user keys,
authorization, and authentication are rarely found in these low end
boxes. I don't think they come close to what's needed for my vision
of proper security.

>http://www.vicomsoft.com/knowledge/r...irewalls1.html


Nice article on firewall technology. I don't know any cheapo NAT
routers that also have an applications level gateway or per-session
authorization. In most cases, a SOCKS5 proxy server configure
individually for each allowed service type would be more secure than
any attempt to turn a cheap NAT router into a "real" firewall.

>Here is the NAT router for home usage with FW *like* features.
>http://www.homenethelp.com/web/explain/about-NAT.asp


Wrong link. It's an explanation of NAT.

>Here is some more good info about FW(s).
>http://www.more.net/technical/netserv/tcpip/firewalls/


Nice article. Doesn't really cover VPN issues but that's in another
article. Doesn't mention authorization or authentication, end to end
encryption, and wireless but those are possibly separate topics.

>If I were going to do a machine direct connect to the Internet, the O/S
>would be harden to attack. You can even knock out the share exploit too
>on an Win 9'x and ME O/S by disabling F&P service if it's not needed. The
>same would apply for me if I were to put a machine into the DMZ that I
>apply the security features that were on the O/S and implement a PFW
>solution and know how to user it properly.


I can debate the point but I think I covered my main points previously
in this rant. The basic criteria for me is:
1. Can the manufacturer deliver a secure out of the box system?
2. Can the manufacturer deliver a means of ensuring that it stays
secure? Is the security level verifiable?
3. Can the manufacturer minimize the number and level of user
decisions necessary to maintain the system?
4. Can intrusions be effectively detected and blocked both in real
time and after the fact?

By the above criteria, most cheap routers are "good enough" but not
far from what I consider acceptable. I can find solutions that meet
all the above, but my customers frequently cannot bear the cost or
inconvenience. Perhaps instead of a "true" firewall, the correct term
would be a "useful" firewall.

>But for the most part, I just keep the machines behind the protection of
>the FW appliance and have done a couple of things for the time being to
>harden the NT based O/S to attack.


Summary: Agreed. It's better than nothing. However, it's like my
previous rant on multiple layers of encryption technology being used
to fix the defects of the underlying encryption layers. Adding
multiple firewalls in series to form an obstacle course will do wonders
for attacks originating from the internet, but won't do anything for
an attack from the LAN or downloaded via a rogue web pile or email.
Therefore, the value of a fancy firewall solution is limited by how
well the operating system and personal firewall can defend the system
against local LAN based attack. My contention is that due to the
inadequacies and limitations of user decision based firewall
solutions, the usefulness of a personal firewall is rather limited.

Bottom line: Dump Netmeeting and get something that doesn't demand
that the NAT firewall be essentially disabled.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
 
NH
06-26-2005, 07:37 PM
Thanks guys for all the responses. i think i'm going to ditch
Netmeeting and use a different conferencing program.

NH
 
Duane Arnold
06-26-2005, 08:02 PM
Jeff Liebermann <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Sun, 26 Jun 2005 09:45:41 GMT, Duane Arnold <(E-Mail Removed)>
> wrote:
>
>>Well, end-users need to learn how to secure the situation.

>
> I beg to differ somewhat. It is my contention that manufacturers of
> wireless contraptions have done a positively dismal job of delivering
> out of the box secure wireless. Demanding that the user compensate
> for their laziness and ineptitude is not a suitable answer. Look at
> the boxes made by 2wire.com for a clue. WEP enabled by default.
> Cryptic WEP key pre-installed. Unique SSID. How hard is that?


Although this is a wireless NG, my statements are not concerning wireless
security features.

>
> I don't seriously expect the GUM (Great Unwashed Masses) to ever
> understand even the basics of encryption and security. Even the ones
> that do run into absurdities such as creative ASCII to Hex
> conversions, cryptic settings, creative protocols, and stupid security
> ideas such as broadcasting NULL's for the SSID.


I cannot disagree but again I thought we were talking about FW(s).

>
> The user should be presented with a selection template on
> installation. There should be a choice of common applications with
> presets for each such as Corporate Network, Hot Spot, Open Access, VPN
> Gateway, and of course, custom settings. Expecting the user to know
> about access point isolation, VPN passthrough, and ACL's, is a bit
> like requiring the automobile buyer to learn auto mechanics before
> being allowed to drive. Such templates are common in Cisco IOS based
> routers, where the complexity of the initial setup is often well
> beyond the abilities of even experienced users.


I cannot disagree but .........

>
>>1) By knowing how to use the PFW solution properly as machine level
>>protection (can't call it a FW as it's not). And not depending on
>>things such as App Control or the rest of the stuff within them that
>>is snake oil.

>
> I'm not a big fan of Steve Gibson and calling anyone that has never
> attended a security conference or appears on a security mailing list,
> as security expert is ludicrous. However, he does have a point with
> his snake oil security tests. I read his stuff, extract what I can,
> and ignore his alarmist conclusions and warnings. There's value in
> there somewhere. The same applies to others that have found
> individual flaws, potential security holes, and exploits. I once
> found a real security hole in a commercial Unix OS, but was ignored by
> the manufacturer. Only when someone else wrote an exploit tool was
> the problem addressed and fixed. Careful what you call snake oil.


I would agree that such person(s) that do security checking of O/S(s) are
needed. However, other than AV solutions, most things like software to
remove *cookies* off of the machine, standalone App Control applications,
built-in App Control in PFW(s), third-party software tools to protect a
machine running Web services and things of that nature, I consider snake
oil.


> I have a problem with personal firewall software (Zone Alarm, Windoze
> XP SP2 firewall, etc). They are "user decision based" firewalls. In
> other words, they only work if the user makes the correct decision
> when the popup appears demanding a decision. My experience with
> inspecting ZoneAlarm, Norton, McAfee and WFW configurations is that
> users constantly make the wrong decisions. I've found numerous
> machines with active trojan horses running, where the user simply
> clicked "accept" because he got tired of having the popup warning
> appear. This is ludicrous, stupid, worthless, and dangerous. As I
> previously ranted, a personal firewall is a great tool in the hands of
> an experienced and conscientious user. However, with the commonly
> inexperienced member of the GUM, it's of limited value.


Then it's snake-oil to those users and why have the solution ask the
questions. They should be able to disable that and many other features in
PFW(s) or manufactures shouldn't incorporate such features in the
solutions. And these solutions are not in the hands of experienced and
aware users. They are in the hands of the (GUM). And all the snake-oil
crap in these PFW(s) are there to protect the (GUM) from himself or
herself.

Obviously, it's not working and some sit there behind a NAT router with
the solutions running on a machine and make the same mistakes.

>
>>2) If one has a Windows O/S where it has security and it has been
>>hardened to attack or secured by disabling *shares*,

>
> Trick question: How does a member of the GUM disable shares or even
> see them? Perhaps they are swift enough to know about the:
> NET VIEW \\your_IP (or NETBIOS machine name)


> trick that will show the visible shares. But what about the hidden C$
> administrative share and XP's default shared folder? I have a hell of a
> time just finding which directory is being shared. I constantly see
> machines that use Briefcase to replicate files have the entire C:
> drive shared just to get the stupid Briefcase to work. I also find XP
> boxes with proper user login passwords assigned, but a blank password
> for administrator. I would normally just disable all sharing, but
> crippled XP Home doesn't allow disabling simple file sharing. I have
> to kill the shares one by one. Of course every user login is an
> administrator by default, which is convenient, but ensuring that a
> mistake is universally destructive. I won't even go into what can be
> done to XP with physical access.
>
> This is hardened security?


One puts the machine behind the protection of a $20 NAT router to protect
the services, shares and whatnot, with a border device sitting in front of
the machine.

>
>>http://labmice.techtarget.com/articl...ychecklist.htm

>
> This is an excellent list. I can tell whomever wrote it has had some
> experience. Securing the backup tapes and cdroms is not often
> included in such a list. Were I interested in attacking a specific
> machine, it's much easier to steal the backups than to attack the
> machine directly. Now, getting the backup vendors to use real
> encryption is another story. I have friends in the business and they
> claim it's not a useful requirement and will ruin their data integrity
> checking.
>
>>The buck stops with the O/S and it doesn't stop anywhere else, if you
>>have an O/S where security can be implemented.

>
> Does informing you of defects make an automobile safe? There's some
> argumentation over the principle, but the consensus seems to be that
> manufacturers are responsible for delivering safe products. Methinks
> that extends to data security and safety, but your EULA may say
> otherwise.


The same holds true for wireless as the manufacturers pop out these
devices a dime a dozen but many don't provide any documentation on
wireless security that the home user should implement out of the box.

>
>>There are other links besides the one above that will clue in the
>>clueless.

>
> The clueless don't read such links or they wouldn't be clueless. Even
> if they do read the recommendations, many of the tweaks are undone
> almost immediately after a hardware reset, operating system upgrade,
> or manufacturers' "system restore" ceremony. Is eternal vigilance also
> the cost of security?


What are you going to do? If you push that reset button, then you have to
put everything back. And if one is doing an O/S upgrade or restore, then
one had better know the consequences of such actions. But many users
don't know.

>
>>If the machine has been compromised and the malware executed, it has
>>been compromised and no snake oil solution that has been spawned by
>>Gibson is going to stop it. If the machine has been compromised, a
>>PFW, host based network FW, router or FW appliance solution is not
>>going to stop malware and its outbound traffic initially.

>
> Make up your mind. Is the personal firewall like a lock and key
> barrier to access, or is it a burglar alarm that informs the user that
> they've been screwed? With user decision based PFW solutions,
> methinks the burglar alarm is the proper analogy. It doesn't really
> prevent access, but does inform the user that someone is trying to
> drill through the door. I have yet to see a PFW that does both
> adequately.


What does a FW, personal or otherwise, have to do with a user with the happy
fingers that clicks on unknown links or emails with attachments that lead
to the compromise of the machine? When the machine has been compromised,
the end-user had some involvement in it 99% of the time. If the machine
has been compromised, it's compromised. One can have all the locks and
burglar alarms he or she wants. But if he or she opens the door and lets
it in, hey, what can be said about it?


>
>>The key is to not allow the malware to reach the machine and practice
>>safe hex. The other key is to recognize dubious activities once the
>>machine has been compromised by using the proper tools and one looks
>>around for themselves from time to time and not depend solely on
>>solutions that can be circumvented and defeated.

>
> I get far too few calls from customers asking for clarification of
> some of the pop-up messages delivered by ZoneAlarm, MS Anti-Spyware
> beta 1, and other impediments to computing. Even I have to decode the
> cryptic mumbo-jumbo that some of these deliver in my face.
> Self-respawning spyware will create the same warning over and over
> until the user selects "accept" just to make the messages go away.
> Recovering from the wrong decision is also a common exercise on behalf
> of my customers.


It's snake-oil in the solution.


>
>>I do use the tools in the link from time to time like Active Ports and
>>Process Explorer and look for myself and what is happening on the
>>machine.
>>http://tinyurl.com/klw1

>
> Nice article. One problem. The user would be expected to know and
> recognize the difference between normal and bogus processes and
> drivers. I can barely keep up on the myriad of driver names and would
> never expect a member of the GUM to be able to do the same.


Some users do have that savvy and that's why I post it hoping it will
help some.

>
>>No NAT router for home usage is running *true* FW software. It may be
>>using NAT and some other FW-like features like SPI but it's not running
>>FW software in the traditional sense.

>
> All stateful packet inspection does is offer the router a way to
> determine which side of the firewall a packet is coming from in order
> to prevent a WAN side attacker from spoofing an inside IP address.
> This is an important feature and very useful, but does not mean that
> firewalls that lack SPI are garbage. The same thing can be done with
> packet filters.
>
> The endless discussions on what features constitute a "true" firewall
> has wasted considerable time in the various networking newsgroups and
> mailing lists. There are some that suggest that anything that does
> not pass the ICSA Labs certification tests are worthless. I don't
> know (or care). I have very few problems dealing with attacks
> originating from the internet with common cheap NAT routers. Well, I
> do have some problems from the internet with users that do
> considerable port forwarding that point to flawed or insecure inside
> services. I just had the web server on my weather station
> successfully compromised by an attack from the internet because I was
> one version behind on updates and fixes. Anyway, I consider the
> typical NAT firewall to be good enough, even without SPI, ACL's, and
> certification. However, setting up a DMZ defeats all the protection
> and relies totally on the user decision based personal firewall, which
> I have almost no confidence in staying alive or secure.
>


Whether a NAT router is good enough all depends on what the needs are for
a given situation.


>>Of course you have some high-end NAT routers that come close to being
>>a FW appliance but they are not running true FW software. And you can
>>use a NAT router as a border device considered to be a total FW
>>solution designed to protect a network.

>
> I'll resist the temptation to ask what features are missing in a cheap
> NAT router that are required for a "true" firewall. I can list a
> considerable number of protocols and features that a typical Cisco
> router supports, but how many of those features are useful for the
> average home user, and how many of them are comprehensible by the user
> or even the installer? Adding features does not necessarily equate to
> better security.


Well I won't resist.

I'll get around again to opening Web services on one of my machines to
the public Internet. I want the insurance that if I port forward port 80
to an ip/machine that only HTTP traffic is going to come down that port
or FTP only down the FTP ports.

If I need to block a particular IP from accessing my site that I can set
a rule that blocks that IP at the border.

If it so happens that one of my machines is compromised by malware, that
I can set rules to stop outbound to the remote IP until such time that I
can find the compromise.

Nor do I want that machine to be able to access other machines on the
network so I set rules to block outbound from that machine, if need be.

I want the client/server model broken by the FW that allows a direct
connection to be made between the two endpoints.

I don't want probes that came through the NAT router at SQL Server
running on the machines to reach them with all ports on the NAT router
closed by default, like a hot knife through butter.

But those are just my needs, and other users don't have my needs.


>
> I guess I cheat. Our neighborhood LAN uses a Cisco 2514 router (with
> the fan ripped out so I don't have to listen to the noise). My local
> ISP's free wireless setup uses a Cisco 2611 router. It turns out that
> the most useful features of these "true" routers are SNMP management
> for traffic monitoring, bandwidth management, and ACL's for security.
>
>>A NAT router for home usage is good enough in the home protection by
>>not forwarding unsolicited requests to the network, until one starts
>>doing high risk things like *port forwarding*.

>
> Well, isn't that what you suggested is acceptable for dealing with
> brain dead protocols like H.323 and Netmeeting? In my never humble
> opinion, the problem is not the inability of the router to deal with
> badly written protocols, but the protocol itself. Dump the
> application and get something that works (i.e. SIP based messaging).


Well the OP has the following resolutions:

1) The OP can open all the ports that are needed for Netmeeting
2) The OP can get an H.323 compliant router.
3) The OP can put the machine into the DMZ protected properly and use
Netmeeting.
4) The OP can use something else other than Netmeeting.

Either way, it makes no difference to me as it's not my problem and
anything else is moot. ;-)

>
>>If the NAT router cannot meet the specs in the link for *What does a
>>FW do?*, then it's not an appliance that's running *true* FW software.
>>However, some high-end NAT routers come very close to being a FW
>>appliance.

>
> I haven't seen too many that will do ACL's or accept X.509
> certificates for authentication. Few will terminate an IPSec or PPTP
> VPN. Monitoring is at best a limited joke. Per-user keys,
> authorization, and authentication are rarely found in these low end
> boxes. I don't think they come close to what's needed for my vision
> of proper security.
>
>>http://www.vicomsoft.com/knowledge/r...irewalls1.html

>
> Nice article on firewall technology. I don't know any cheapo NAT
> routers that also have an applications level gateway or per-session
> authorization. In most cases, a SOCKS5 proxy server configured
> individually for each allowed service type would be more secure than
> any attempt to turn a cheap NAT router into a "real" firewall.


It's only a link to FW technology for those who are reading the posts
between you and me, in the hope that someone may need to know the
difference between a NAT router for home usage and FW appliances, and may
have other needs or other plans for their home networking situation like
(throwing up a Web server) -- a whole different topic. ;-)

There are affordable low-end FW appliances that are being made for the
SOHO consumer.

>
>>Here is the NAT router for home usage with FW *like* features.
>>http://www.homenethelp.com/web/explain/about-NAT.asp

>
> Wrong link. It's an explanation of NAT.


And some people assume that because they have NAT on a router that it's
FW software, and it's not. "NAT is a *natural* FW" is one of the statements
I have gotten back. My low-end FW appliance has NAT too. ;-)

>
>>Here is some more good info about FW(s).
>>http://www.more.net/technical/netserv/tcpip/firewalls/

>
> Nice article. Doesn't really cover VPN issues but that's in another
> article. Doesn't mention authorization or authentication, end to end
> encryption, and wireless but those are possibly separate topics.
>
>>If I were going to do a machine direct connect to the Internet, the
>>O/S would be harden to attack. You can even knock out the share
>>exploit too on an Win 9'x and ME O/S by disabling F&P service if it's
>>not needed. The same would apply for me if I were to put a machine
>>into the DMZ that I apply the security features that were on the O/S
>>and implement a PFW solution and know how to use it properly.

>
> I can debate the point but I think I covered my main points previously
> in this rant. The basic criteria for me is:
> 1. Can the manufacturer deliver a secure out of the box system?


It will never happen.

> 2. Can the manufacturer deliver a means of ensuring that it stays
> secure? Is the security level verifiable?


It will never happen.

> 3. Can the manufacturer minimize the number and level of user
> decisions necessary to maintain the system?


It will never happen.

> 4. Can intrusions be effectively detected and blocked both in real
> time and after the fact?


Not with most NAT routers.

>
> By the above criteria, most cheap routers are "good enough" but not
> far from what I consider acceptable. I can find solutions that meet
> all the above, but my customers frequently cannot bear the cost or
> inconvenience. Perhaps instead of a "true" firewall, the correct term
> would be a "useful" firewall.


Well, it all depends on the needs of the user. Some users, even in a home
situation, need more than what a NAT router can provide, but some don't
know that and settle on the NAT router thinking it's a FW, based on the
hype that manufacturers call these appliances FW solutions, and they are
not that.

>
>>But for the most part, I just keep the machines behind the protection
>>of the FW appliance and have done a couple of things for the time
>>being to harden the NT based O/S to attack.

>
> Summary: Agreed. It's better than nothing. However, it's like my
> previous rant on multiple layers of encryption technology being used
> to fix the defects of the underlying encryption layers. Adding
> multiple firewalls in series to form an obstacle course will do wonders
> for attacks originating from the internet, but won't do anything for
> an attack from the LAN or downloaded via a rogue web pile or email.
> Therefore, the value of a fancy firewall solution is limited by how
> well the operating system and personal firewall can defend the system
> against local LAN based attack.


The reality is nothing can be done behind the wall, and one can run all
the little bells and whistles on them. Most people, home users or
otherwise, don't do what it takes to secure the LAN O/S or otherwise.

> My contention is that due to the
> inadequacies and limitations of user decision based firewall
> solutions, the usefulness of a personal firewall is rather limited.
>
> Bottom line: Dump Netmeeting and get something that doesn't demand
> that the NAT firewall be essentially disabled.


NAT is not FW software.

<snip>

Impostors

When discussing firewalls, packet screening methods, and how firewalls
function, there are a few misconceptions that need to be addressed.

Network Address Translation (NAT)

One technology that is commonly thought to act as a firewall solution is
Network Address Translation (NAT). NAT translates "internal" IP addresses
on one network to "external" IP addresses on another network. There are
three methods NAT uses to accomplish address translation.

* Static NAT - maps a specific single address to another specific
  single address.
  Example:
  10.0.0.1 -mapped to- 168.13.1.1

* Pooled NAT - dynamically maps all specific single addresses to a
  pool or range of external addresses.
  Example:
  10.0.0.1-10.0.0.254 -mapped to- 168.13.1.1-168.13.1.254

* Port Level NAT - dynamically maps all specific single internal
  addresses to a specific single external address. The internal address is
  mapped or identified by the specific external address in combination with
  a unique port number.
  Example:
  10.0.0.1 -mapped to- 168.13.1.1:1084
  10.0.0.2 -mapped to- 168.13.1.1:1085
  10.0.0.3 -mapped to- 168.13.1.1:1086

By comparing the way NAT functions between two networks, and the way
packet screening methods function between two networks, you can see that
NAT does not adhere to the firewall definition. NAT does not control
access between the networks. Some may argue that NAT does control access
because you cannot "see" the internal network. NAT does this not by using
rules or filters, however, but through concealment. It hides the network
from outside users.

<snip>

However, a NAT router is good for some but not good enough for others and
it all depends on the needs of the user.

The discussion about a NAT router has been held more than a few times in
the Firewall and Security NG(s).

You should drop a line in one of them about it.

Duane

 
Reply With Quote
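The quoted "Impostors" excerpt above describes port-level NAT with a three-host mapping table, and earlier in the post Duane points out that forwarding port 80 gives no guarantee that only HTTP comes down that port. The following is an added example (not code from the thread, from Linksys firmware, or from the quoted article) that models both points in a few dozen lines of Python: inside hosts get the 1084/1085/1086 mappings from the article, a reply to an existing session is translated back, an unsolicited probe and a same-port packet from the wrong source are dropped because nothing maps them, and a static port-forward rule hands an arbitrary non-HTTP payload straight to the inside host. The address-restricted reply check (inbound source must match the remote the inside host talked to) is an assumption about how a typical stateful home router behaves, not something the article states; the outside addresses are constructed from documentation ranges.

```python
"""Toy port-level NAT (NAPT) table: concealment plus optional port forwards.

Added illustration, not router code. Public IP and the first mapped port
are taken from the quoted article's example; remote addresses are
constructed from documentation ranges (RFC 5737).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "168.13.1.1"      # external address used in the article's example
FIRST_MAPPED_PORT = 1084      # first public port in the port-level example

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class PortLevelNat:
    """Port-level NAT with an address-restricted reply check (assumption)
    and static port-forward rules that carry no state and no protocol check."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = FIRST_MAPPED_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}                  # inside endpoint -> public port
        self.sessions: Dict[int, Tuple[Endpoint, Endpoint]] = {}  # public port -> (inside, remote)
        self.forwards: Dict[int, Endpoint] = {}                   # public port -> inside endpoint
        self.dropped: List[Packet] = []

    def forward_port(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static rule: anything arriving on public_port goes to the inside host."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def send_out(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, allocating a public port on first use."""
        inside = (pkt.src_ip, pkt.src_port)
        remote = (pkt.dst_ip, pkt.dst_port)
        if inside not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[inside] = port
            self.sessions[port] = (inside, remote)
        return Packet(self.public_ip, self.outbound[inside], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; drop it when nothing maps it."""
        if pkt.dst_port in self.forwards:          # forward rule wins, payload unchecked
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)
        session = self.sessions.get(pkt.dst_port)
        if session is not None:
            inside, remote = session
            if (pkt.src_ip, pkt.src_port) == remote:  # only the peer we talked to may reply
                return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)
        self.dropped.append(pkt)
        return None


REMOTE_WEB = ("203.0.113.10", 80)    # constructed outside web server
SCANNER = ("198.51.100.7", 44444)    # constructed unsolicited outside host


def demo() -> dict:
    """Walk through the article's mapping table plus the port-forward caveat."""
    nat = PortLevelNat()
    mapped = {}
    for i, ip in enumerate(("10.0.0.1", "10.0.0.2", "10.0.0.3")):
        out = nat.send_out(Packet(ip, 40000 + i, *REMOTE_WEB, b"GET / HTTP/1.0\r\n"))
        mapped[ip] = f"{out.src_ip}:{out.src_port}"
    reply = nat.receive_in(Packet(*REMOTE_WEB, PUBLIC_IP, 1085, b"HTTP/1.0 200 OK\r\n"))
    probe = nat.receive_in(Packet(*SCANNER, PUBLIC_IP, 1433))   # no mapping: dropped
    spoof = nat.receive_in(Packet(*SCANNER, PUBLIC_IP, 1085))   # wrong source: dropped
    nat.forward_port(80, "10.0.0.1", 80)
    fwd = nat.receive_in(Packet(*SCANNER, PUBLIC_IP, 80, b"\x00\x01junk"))
    return {
        "mapped": mapped,
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_dropped": probe is None,
        "spoof_dropped": spoof is None,
        "forwarded_to": (fwd.dst_ip, fwd.dst_port) if fwd else None,
        "forwarded_payload": fwd.payload if fwd else None,
        "dropped_count": len(nat.dropped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway matches the article's wording: the three inside hosts are hidden behind one public address and unsolicited traffic has nowhere to go, but that is concealment, not a rule. The moment a port is forwarded the router passes whatever bytes arrive on it, so the service behind the forward has to defend itself.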