NAT and firewall tests

ToddAndMargo

Hi All,

I would like to test my firewall, but have a NAT box
between me and the various firewall tests I know
of. Anyone know of a firewall test that shoots
through NAT?

Many thanks,
-T
 
Tom [Pepper] Willett

Hope not.

 
Leonard Grey

Just about any firewall test will 'shoot through NAT.'

Network Address Translation prevents an unsolicited attempt at
discovering your IP address. However, when you initiate contact with a
website--as in 'I want you to test my computer'--you're telling the
router to let the response into your network.

Firewall tests are directed at software firewalls.
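The behaviour Leonard describes (a NAT router lets back in only the replies to connections a LAN host started) can be shown with a small simulation. This is an added example, not code from the thread or from any router; the addresses, ports and the "tester" host are constructed sample values, and the router is modelled as a symmetric port-address translator, which is the most restrictive common home-router behaviour. The point it demonstrates from the defender's side: an outside host only ever sees the router's public IP and the port the router picked, so the LAN address range (192.168.0.0/24 or anything else) plays no part in whether an unsolicited packet is accepted; what decides that is whether a matching flow entry exists. The caveat remains that NAT is not a firewall: a port-forwarding rule, a UPnP-opened port or a full-cone NAT creates entries that any peer can use, which is why the thread's advice to run and test a software firewall behind the router still stands.

```python
"""Toy stateful NAT (port-address translation) simulator.

Added illustration of how a consumer NAT router tracks outbound flows
and admits only matching return traffic. Not code from the thread.
All IPs and ports below are constructed sample values.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # e.g. "SYN", "SYN-ACK"


# value: (lan ip, lan port, remote ip, remote port)
FlowKey = Tuple[str, int, str, int]


@dataclass
class NatRouter:
    public_ip: str
    _ports: "count" = field(default_factory=lambda: count(40000))
    table: Dict[int, FlowKey] = field(default_factory=dict)  # public port -> flow

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN->Internet packet, recording the flow on first sight."""
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, flow in self.table.items():
            if flow == key:  # reuse the mapping for an existing flow
                break
        else:
            pub_port = next(self._ports)
            self.table[pub_port] = key
        # Outside hosts see only the router's public IP and chosen port.
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.flags)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet->LAN packet, or return None (dropped)."""
        flow = self.table.get(pkt.dst_port)
        if flow is None:
            return None  # no LAN host asked for this: unsolicited, dropped
        lan_ip, lan_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # symmetric NAT: mapping exists but for a different peer
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.flags)


def demo() -> dict:
    """Run the scenario from the thread: LAN host asks a tester to probe it."""
    nat = NatRouter(public_ip="203.0.113.7")        # constructed public IP
    tester = ("198.51.100.5", 443)                   # constructed 'firewall test' site
    lan_host = ("192.168.0.10", 51234)               # the default-range LAN host

    # 1. The LAN host initiates contact ("I want you to test my computer").
    syn = Packet(*lan_host, *tester, "SYN")
    on_wire = nat.outbound(syn)

    # 2. The tester replies to what it saw: public IP and translated port.
    reply = Packet(*tester, on_wire.src_ip, on_wire.src_port, "SYN-ACK")
    delivered = nat.inbound(reply)

    # 3. Unsolicited probes from some other host: neither reaches the LAN,
    #    regardless of what internal address the sender might guess.
    stranger = ("198.51.100.99", 4444)
    probe_no_mapping = nat.inbound(Packet(*stranger, nat.public_ip, 445, "SYN"))
    probe_wrong_peer = nat.inbound(
        Packet(*stranger, nat.public_ip, on_wire.src_port, "SYN"))

    return {
        "seen_by_tester": (on_wire.src_ip, on_wire.src_port),
        "reply_delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "unsolicited_dropped": probe_no_mapping is None and probe_wrong_peer is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The test site's reply is delivered to the LAN host only because the router created the entry when the host sent its SYN; the two probes from the other host are dropped, one because no entry exists for port 445 and one because the entry on the translated port belongs to a different peer. A router configured with port forwarding, or one implementing full-cone NAT, would accept the second probe, which is the gap a host firewall is there to cover.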
 
ToddAndMargo

Tom said:
Hope not.

It is pretty easy. The bad guys just guess at
your internal off Internet address. They love
internal networks like 192.168.0.0/24. It
is the default on a lot of routers and they take
great advantage of it.

Recommendation: pick an internal address other
than 192.168.0.0/24 or 192.168.1.0/24. Makes
it much harder to find.

NAT is *NOT* a firewall.

-T
 
John John - MVP

ToddAndMargo said:
It is pretty easy. The bad guys just guess at
your internal off Internet address. They love
internal networks like 192.168.0.0/24. It
is the default on a lot of routers and they take
great advantage of it.

I don't think that is how NAT works. Furthermore, most but the cheapest
of routers can operate in stealth mode.

John
 
ToddAndMargo

John said:
I don't think that is how NAT works. Furthermore, most but the cheapest
of routers can operate in stealth mode.

Stealth mode is not NAT.
 
ToddAndMargo


Leonard said:
The address 192.168.0.1 is not routable.

Correct. It is slapped on your outgoing SYN packet
behind your public IP. This is how the NAT router
knows whom to route return responses to. The bad guys
just duplicate this (guess a lot).

-t
 
Leonard Grey

"...(guess a lot)."

Yes, you do.
---
Leonard Grey
Errare humanum est
 
rustyfender04

Pardon my hijack here, but doesn't your IP address change if you reboot your
computer, or disconnect from the web? I'm referring to a DSL connection.

If so, would that provide some kind of security in itself?
 
Shenan Stanley

rustyfender04 said:
Pardon my hijack here, but doesn't your IP address change if you reboot your
computer, or disconnect from the web? I'm referring to a DSL connection.

If so, would that provide some kind of security in itself?


Your IP is unlikely to change with such ISPs (DSL, cable modem, etc.) for
several hours (even turning off your machine, not just rebooting).

This is because the ISP likely uses a DHCP server to give out IP addresses -
and there is a 'lease time' of some length. So if their lease time is 24
hours and you grab that IP (or have just renewed that IP) and then turn off
the machine - you could turn your machine on anytime in the next 24 hours
and you would get the same IP - barring any incident on the ISP's side.

(24 hours is an example lease time - it could be anything.)

As far as a changing IP providing some sort of security - it depends on what you
are supposedly protecting yourself against. Random drive-by attacks (much
more common) won't care whether you changed your IP never or an hour ago.
Sure - it might help with a focused attack on you - but only for a very
short period of time if the attacker has any sort of useful skills
whatsoever.
 
Tom [Pepper] Willett

Shenan: Just FYI..home DHCP IP address has remained the same for 8 years
without changing under any circumstances.

Tom
 
Nate Grossman

rustyfender04 said:
Pardon my hijack here, but doesn't your IP address change if you reboot your
computer, or disconnect from the web? I'm referring to a DSL connection.

If so, would that provide some kind of security in itself?

Possibly... especially for those who don't have their systems up and
running 24x7.

What about those folks who never disconnect (broadband connections are
"always on" in most cases) and who only reboot when things get messed
up? My computer is on for days on end - sometimes weeks.
 
rustyfender04

Shenan Stanley said:
Your IP is unlikely to change with such ISPs (DSL, cable modem, etc.) for
several hours (even turning off your machine, not just rebooting).

This is because the ISP likely uses a DHCP server to give out IP
addresses - and there is a 'lease time' of some length. So if their lease
time is 24 hours and you grab that IP (or have just renewed that IP) and
then turn off the machine - you could turn your machine on anytime in the
next 24 hours and you would get the same IP - barring any incident on the
ISP's side.

(24 hours is an example lease time - it could be anything.)
Shenan Stanley
MS-MVP


Well, come to think of it, since I started my DSL service back in January of
this year, there were times that I was having to use XP's dial-up networking
to go online. That is, my modem's auto-connection was not working, and I
wasn't the wiser. This had happened two, maybe three, times. After much head
scratching, I decided to enter my DSL modem's address in my browser, and the
sign-in page popped up. After signing in, my DSL modem was able to
auto-connect to the web without having to use dial-up networking.

When I say dial-up networking, I am not referring to dial-up service. I am
referring to the shortcut that my ISP instructed me to make. I'm not really
sure what it's called, maybe it's XP's PPPoE client or something.

With that said, I presume my DSL modem is doing the PPPoE as long as it
connects automatically?

Sorry if I sound confusing at times, I am not new to computing, but I am new
to broadband.
 