Hardening Win 2K Pro

  • Thread starter Thread starter null
  • Start date Start date
Unless you explicitly forward the ports, though, any incoming setup
packets will just be dropped and are therefore not the risk you
suggested.
Click to expand...

So you're saying my hardened machines don't need the firewall?
The same reason it is more secure to work behind the router than to
connect your 'hardened' machine directly to the Internet.
Click to expand...

I fail to see why. Incoming packets to closed ports are dropped aren't
they? It's always best to disable all unnecessary/unwanted services.

There is the issue of stack overrun vulnerabilites that unpatched Win
98 has. But even that is unlikely to cause problems in the short time
it takes to download and install critical patches. I ran the PCFlank
Exploits test on patched '98 and 'ME machines, as well as Win 2K Pro,
and they come through fine.

Art



http://home.epix.net/~artnpeg
 
So you're saying my hardened machines don't need the firewall?
Click to expand...

Yes.

It could be useful if you do some port forwarding and then want to
restrict access to (say) a range of external ip's but in your current
situation the router's not dropping anything which wouldn't be dropped
anyway if the firewall was disabled.
I fail to see why. Incoming packets to closed ports are dropped aren't
they? It's always best to disable all unnecessary/unwanted services.
Click to expand...

I'm not saying your machine isn't secure. Only that it's better not to
receive any unwanted packets at the business end than to filter them
out. I would still use the router even with a single pc.


Jim.
 
I'm not saying your machine isn't secure. Only that it's better not to
receive any unwanted packets at the business end than to filter them
out. I would still use the router even with a single pc.
Click to expand...

There is no way a packet initiated on the gateway can get to your
machine if you employ NAT because your machine's IP address is
unroutable over the Internet. A packet addressed to your machine never
gets out of its gateway onto the Internet to begin with. Of course
that assumes you use one of the several unroutable addresses for your
machine, but that goes without saying.

The only way a packet can reach your machine is if it is a reply to a
packet sent by your machine. That's where Kerio Personal Firewall
comes in. It monitors every application that attempts to set up a
network connection in your machine and if it is not approved by you,
the application can't send the request packet to begin with, and
therefore there is no response possible from the gateway.

If you have set up your NAT router and your personal firewall
properly, it is bulletproof in terms of alien packets getting in or
out of your machine. That leave things like attachments which are
otherwise legitimate packets - and that's where your AV comes in, and
hopefully your ISP too, both of which are supposed to filter viruses.

There is a nifty logging utility for the Linksys BEFSR41 called Wall
Watcher. If you turn it on you can see all the crap trying to get into
your machine. It's incredible the number of attacks that are out
there.

I fully agree with you - it is much better to have a NAT router stop
that crap before it gets anywhere near your machine.


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
Bob said:
There is no way a packet initiated on the gateway can get to your
machine if you employ NAT because your machine's IP address is
unroutable over the Internet. A packet addressed to your machine never
gets out of its gateway onto the Internet to begin with. Of course
that assumes you use one of the several unroutable addresses for your
machine, but that goes without saying.

The only way a packet can reach your machine is if it is a reply to a
packet sent by your machine. That's where Kerio Personal Firewall
comes in. It monitors every application that attempts to set up a
network connection in your machine and if it is not approved by you,
the application can't send the request packet to begin with, and
therefore there is no response possible from the gateway.
Click to expand...

That's if you have not open ports on the router using port forwarding. If
port forwarding or triggering is being used, then unsolicited inbound
packets can reach a machine. And since it's a NAT router, then most likely
it will not ensure that only the File Transfer Protocol comes down the FTP
ports rejecting all other protocols.
If you have set up your NAT router and your personal firewall
properly, it is bulletproof in terms of alien packets getting in or
out of your machine. That leave things like attachments which are
otherwise legitimate packets - and that's where your AV comes in, and
hopefully your ISP too, both of which are supposed to filter viruses.
Click to expand...

Malware can circumvent and defeat all of it particularly at system boot,
since Kerio is not an intergrated O/S component that can get to the TCP/IP
first at boot or its App Control can start to stop a program.
There is a nifty logging utility for the Linksys BEFSR41 called Wall
Watcher. If you turn it on you can see all the crap trying to get into
your machine. It's incredible the number of attacks that are out
there.
Click to expand...

It's just everyday life on the Internet. It's good that you at least watch
the in/out traffic on your LAN. Wallwatcher could miss malware connections
too while the computer is booting before WW can start reporting router
traffic. I like WW and I use it too.
I fully agree with you - it is much better to have a NAT router stop
that crap before it gets anywhere near your machine.
Click to expand...

Attacks can be run against a NAT router. I have seen a couple of probes come
through at SQL Server like a hot knife through butter.

However, the NAT router is good for a home LAN by not forwading unsolicsted
inbound traffic and one is not doing high risk things like port triggering.

Duane :)
 
Bob wrote:
[snip]
The number one defense is NAT. There is no reason to turn it off.
Click to expand...

apparently someone doesn't understand the words coming out of my mouth
(errr keyboard, whatever)...

when you're debugging a connectivity problem there *IS* a reason to turn
it off - it might be the cause of the connectivity problem...
 
That's if you have not open ports on the router using port forwarding.
Click to expand...

I have no ports forwarded. Road Runner blocks many ports so I can't
put a server on my machine anyway,
If port forwarding or triggering is being used, then unsolicited inbound
packets can reach a machine. And since it's a NAT router, then most likely
it will not ensure that only the File Transfer Protocol comes down the FTP
ports rejecting all other protocols.
Click to expand...

It is my understanding that Linksys uses passive FTP.
Malware can circumvent and defeat all of it particularly at system boot,
since Kerio is not an intergrated O/S component that can get to the TCP/IP
first at boot or its App Control can start to stop a program.
Click to expand...

Kerio does load well before anything else. I believe it gets around
the problem you described but I cannot offer any support for that
claim. This used to be a big issue with ZA until they fixed it, so
they claimed.
It's just everyday life on the Internet. It's good that you at least watch
the in/out traffic on your LAN. Wallwatcher could miss malware connections
too while the computer is booting before WW can start reporting router
traffic. I like WW and I use it too.
Click to expand...

Can't the personal firewall check all connections periodically, even
after boot and thereby catch any malware agent?


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
Bob said:
I have no ports forwarded. Road Runner blocks many ports so I can't
put a server on my machine anyway,
Click to expand...

That's not the point. The point is that packest can reach a machine if the
packest have not been solicited by a machine behind a router.
It is my understanding that Linksys uses passive FTP.
Click to expand...

What's passive FTP have to do with a Linksys router or any NAT router
ensuing that the proper protocol comes down a port, like only the HTTP
protocol can come down port 80 rejecting any other protocol coming down the
port or only the FTP can come down ports 20 and 21 rejecting any other
protocol coming down the port? That would come into play in using port
forwarding of 80, 20 and 21 to an IP/machine behind the router running
those services. Most NAT routers for home useage cannot ensure it.
Kerio does load well before anything else. I believe it gets around
the problem you described but I cannot offer any support for that
claim. This used to be a big issue with ZA until they fixed it, so
they claimed.
Click to expand...

I doubt that Kerios is getting to that TCP/IP connection at boot, unless you
somehow were able to hack the service Dependencies and somehow told TCP/IP
that it couldn't start without Kerio being started first. The only PFW
solution that can get there first and protect the TCP/IP at boot is XP's
FW, since it is an intergrated O/S component.
Can't the personal firewall check all connections periodically, even
after boot and thereby catch any malware agent?
Click to expand...

Before the boot, the damage may have been done as packages may have already
left the machine. Sometimes malware is looking for a host to run with like
svchost.exe and use it. So you stop svchost.exe from making a connection
only to turn around and allow svchost.exe to connect for another legit
reason. What happened to the reason it was being stopped as it didn't go
anywhere? It's seems that App Control is somewhat affective as long as one
doesn't boot the machine.

Duane :)
 
It is my understanding that Linksys uses passive FTP.
Click to expand...

You probably mean you have to use passive FTP to traverse your own nat
router. That is nothing to do with the router itself which isn't
concerned with such protocols.

What he means is IF you are forwarding (say) port 80, which you
aren't, then a stateful inspection of the packets is more secure than
just forwarding everything with destination port 80 in the header,
which it is.

It might be perfectly in order for his network to employ such a
capable device, but he keeps recommending it to home users running no
servers.


Jim.
 
Unless you explicitly forward the ports, though, any incoming setup
packets will just be dropped and are therefore not the risk you
suggested.
Click to expand...

Here's link to something on the alleged security issue:

http://itvibe.com/news/2592/

It's claimed that with the router firewall disabled, the router's
configuration is accessable. Now, this article is a bit old, and I
haven't found anything more recent. My firmware rev is at
2.07.1 and they are talking much earlier revs. I dunno if there's a
real issue here or not, but I certainly wouldn't use the damn thing
with the firewall disabled until I find out.

Art

http://home.epix.net/~artnpeg
 
Bob said:
There is no way a packet initiated on the gateway can get to your
machine if you employ NAT because your machine's IP address is
unroutable over the Internet. A packet addressed to your machine never
gets out of its gateway onto the Internet to begin with. Of course
that assumes you use one of the several unroutable addresses for your
machine, but that goes without saying.

The only way a packet can reach your machine is if it is a reply to a
packet sent by your machine. That's where Kerio Personal Firewall
comes in. It monitors every application that attempts to set up a
network connection in your machine and if it is not approved by you,
the application can't send the request packet to begin with, and
therefore there is no response possible from the gateway.

If you have set up your NAT router and your personal firewall
properly, it is bulletproof in terms of alien packets getting in or
out of your machine. That leave things like attachments which are
otherwise legitimate packets - and that's where your AV comes in, and
hopefully your ISP too, both of which are supposed to filter viruses.

There is a nifty logging utility for the Linksys BEFSR41 called Wall
Watcher. If you turn it on you can see all the crap trying to get into
your machine. It's incredible the number of attacks that are out
there.

I fully agree with you - it is much better to have a NAT router stop
that crap before it gets anywhere near your machine.
Click to expand...

I agree too - but having these things should not be a substitute for
learning how to properly configure (harden) your machine.
 
James said:
You probably mean you have to use passive FTP to traverse your own nat
router. That is nothing to do with the router itself which isn't
concerned with such protocols.

What he means is IF you are forwarding (say) port 80, which you
aren't, then a stateful inspection of the packets is more secure than
just forwarding everything with destination port 80 in the header,
which it is.

It might be perfectly in order for his network to employ such a
capable device, but he keeps recommending it to home users running no
servers.
Click to expand...

I am only explaining the short comings of a NAT (no FW) router. I don't
recall recomending any anything to anyone. And I am God damn tired of you
interpresting what the HELL I am saying.

Duane
 
Here's link to something on the alleged security issue:

http://itvibe.com/news/2592/

It's claimed that with the router firewall disabled, the router's
configuration is accessable. Now, this article is a bit old, and I
haven't found anything more recent. My firmware rev is at
2.07.1 and they are talking much earlier revs. I dunno if there's a
real issue here or not, but I certainly wouldn't use the damn thing
with the firewall disabled until I find out.
Click to expand...

I just did some Googling on the name "Alan Rateliff II" and found a
wealth of stuff on this issue with the WRT54GS wireless router. Here's
just one of many urls:

http://www.linksys.com/download/firmware.asp?fwid=201

which is a d/l for firmware version 3.03.6 which, according to
Rateliff, Cisco now (finally) claims fixes the problem.

Rateliff elsewhere points out a workaround. He says you can port
forward 80 and 443 to non-existant hosts in order to protect your
configuration from hackers.

Art

http://home.epix.net/~artnpeg
 
Bob wrote:
[snip]
The number one defense is NAT. There is no reason to turn it off.
Click to expand...

apparently someone doesn't understand the words coming out of my mouth
(errr keyboard, whatever)...

when you're debugging a connectivity problem there *IS* a reason to turn
it off - it might be the cause of the connectivity problem...
Click to expand...

Oh, cut it out. I obviously meant there is no reason to turn it off
under normal operating conditions. Most people do not know how to
"debug a connectivity problem".


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
That's not the point. The point is that packest can reach a machine if the
packest have not been solicited by a machine behind a router.
Click to expand...

Not unless you poke a hole. I have no holes.
What's passive FTP have to do with a Linksys router or any NAT router
ensuing that the proper protocol comes down a port,
Click to expand...

You will have to look that up for yourself because you will not accept
anything I tell you. Check out the router forums.

like only the HTTP
I doubt that Kerios is getting to that TCP/IP connection at boot, unless you
somehow were able to hack the service Dependencies and somehow told TCP/IP
that it couldn't start without Kerio being started first.
Click to expand...

How do you know that Kerio has not done that? When Windows comes up it
is the first item before any of the installed services. If the tray
networking icon is any indication of when TCP/IP is started, it is a
while *after* Kerio has been started.
The only PFW
solution that can get there first and protect the TCP/IP at boot is XP's
FW, since it is an intergrated O/S component.
Click to expand...

Then why does the Kerio splash screen show up well before the
networking tray icon.


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
I am only explaining the short comings of a NAT (no FW) router. I don't
recall recomending any anything to anyone. And I am God damn tired of you
interpresting what the HELL I am saying.
Click to expand...

That's the only way anyone can figure out what you are trying to say.


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
Egan you are an absolute ****ing ass-wipe.
Click to expand...

You have just made yourself irrelevant with that violent attack.

You need to learn some mature mechanisms to cope with your
uncontrolled aggression.

From this time on, no reasonable person is going to pay any attention
to you.


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
It's claimed that with the router firewall disabled, the router's
configuration is accessable. Now, this article is a bit old, and I
haven't found anything more recent. My firmware rev is at
2.07.1 and they are talking much earlier revs. I dunno if there's a
real issue here or not, but I certainly wouldn't use the damn thing
with the firewall disabled until I find out.
Click to expand...

There was a period back several years ago when the Linksys BEFSR41was
trying to get SPI working that they introduced some vulnerabilities
into the firmware. It took a long while to get it all sorted out. I
know because I was an official Linksys beta tester and I corresponded
with the development engineers at the time.

The last firmware revision I installed is an old one that we were told
was stable. It is 1.42.6. I have had no reason to change. I believe
you still have to disable SPI if you want to forward any ports.


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
I agree too - but having these things should not be a substitute for
learning how to properly configure (harden) your machine.
Click to expand...

I have a problem with tinkering with Windows - there are apps which
use certain ports and if you block them the apps won't work. I prefer
to create an alert in Kerio and discover first hand who's using what
port.

--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverence. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
Bob said:
You have just made yourself irrelevant with that violent attack.

You need to learn some mature mechanisms to cope with your
uncontrolled aggression.

From this time on, no reasonable person is going to pay any attention
to you.
Click to expand...

Look, Egan and I have been at for quite awhile and I really don't care what
you think about it.

And let me be blunt about it, take the router and stick up ass. ;-)

Duane :)
 
Back
Top