NAT Security


I have a Win2K box used as a router / gateway to the internet which also hosts my Exchange server; this is enabled with RRAS with NAT. How secure is this? When I do a port scan it seems quite secure with only a few ports open, e.g. 25, 3387, 110 etc. and a few more. How can I block, say, the 139 NetBIOS port? Is NAT just dependent on the services running on that box? And how secure is this solution?
 
NAT, or basic firewall as it is also called in Windows 2003, provides about the same
level of security as the basic NAT routers you can purchase at Best Buy, etc. For
many or most users connected to the internet, NAT is adequate. It [W2K NAT] does have
some shortcomings in that it does not have the ability to control outbound traffic,
has very limited if any useful logging or intrusion detection, and does not have the
advanced stateful packet inspection (SPI) feature that many of even the low priced
firewalls, such as the Netgear ProSafe line, use. I think at today's prices it makes
sense to use a hardware firewall for the extra protection and features. You can buy
a Netgear ProSafe device for around $70 for a small office/home use. If you need more
throughput and more advanced features including the ability to create a large number
of rules then you may want to look at the lower priced devices from places like
SonicWall or Netscreen where you will probably need to spend $300 - $400.

Of course a firewall is only one part of protecting your network that also would
include virus protection, patch management, system hardening, auditing, and password
policy as other major issues to cover. You mention netbios port 139. I hope that was
not showing on your port scanning. An external firewall would protect access to those
ports. You should also make sure that file and print sharing is disabled on the
server if it is not needed and if it is, be sure to disable it on the nic that faces
the internet. You mention port 3387? If you meant port 3389, then you have Terminal
Services open to the internet. NAT will not allow you to restrict access from only
certain internet addresses to use Terminal Services, which would allow hacking
attempts from anyone who discovers your open port. A firewall should be able to
restrict inbound access to that port based on IP addresses you configure as being
allowed. -- Steve


Todd said:
I have a Win2K box used as a router / gateway to the internet which also hosts my
Exchange server; this is enabled with RRAS with NAT. How secure is this? When I do
a port scan it seems quite secure with only a few ports open, e.g. 25, 3387, 110 etc.
and a few more. How can I block, say, the 139 NetBIOS port? Is NAT just dependent on
the services running on that box? And how secure is this solution?
 
Thanks for that, I will be looking into firewalls, but it was just a question to see how secure it would be... Looking at the port scan again it looks to be very insecure. I also have ports 21, 389, 80, 110, 119, 135, 139, 143, 443, 548, 993, 995, 3389 open. I don't have anything enabled on the external card but do host a web site, DNS, POP, SMTP, and Terminal Services. How easy would it be for someone to hack the system?
I do realise that a firewall is the ideal solution, but just about anything is hackable if they want!!
Is there any way I can close some of the unwanted ports through filters etc. in NAT???
Thanks,
Todd
 
Well, I may have spoken too soon about NAT as far as not being able to control
outbound access. I have never tried it myself for NAT, but in the Remote Access Management
console under IP routing/general you can select an interface and then select
properties/general where you have a choice to create input and output filters.

You are correct if that scan was done on your internet interface from a site like
http://scan.sygatetech.com/ then you are vulnerable with file and print sharing
ports available to the world. It seems as if you do have file and print sharing
enabled on the external card. I don't necessarily agree that just about anything is
hackable if they want, nor do I leave the front door on my house unlocked since they
would be able to get in if they really wanted to anyhow. Other ways to filter ports
are IPsec filtering or IP filtering, though these are not meant to be substitutes for
a firewall. If you look into IP filtering, UDP will not work if you need DNS name
resolution but TCP should work for you. IP filtering can block only inbound access
whereas IPsec can do both. If you use IPsec filtering, you would want to start with a
block-all mirrored IP rule, then add an exception rule for your LAN and then a
mirrored rule for allowed inbound ports. --- Steve

http://www.securityfocus.com/infocus/1559
http://support.microsoft.com/default.aspx?scid=kb;en-us;309798

Todd said:
Thanks for that, I will be looking into firewalls, but it was just a question to see
how secure it would be... Looking at the port scan again it looks to be very insecure.
I also have ports 21, 389, 80, 110, 119, 135, 139, 143, 443, 548, 993, 995, 3389 open.
I don't have anything enabled on the external card but do host a web site, DNS, POP,
SMTP, and Terminal Services. How easy would it be for someone to hack the system?
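The practical check Steve's replies imply is to compare what an external scan shows against what the box is actually meant to serve, since NAT on the Windows host hides nothing on the host itself. The following is an added example (not code from this thread or from any poster); the scan result is the port list Todd reports, the intended-service table and the "never expose" table are the author's assumptions about which standard ports back the services he names.

```python
# Added example: audit an external port scan against the services a server is
# intended to expose. Sample data is constructed from the port list in the thread.

# Constructed sample: open TCP ports reported by the external scan.
SCAN_RESULT = [21, 389, 80, 110, 119, 135, 139, 143, 443, 548, 993, 995, 3389]

# Assumed mapping of the services the admin says he hosts to their standard ports.
INTENDED_SERVICES = {
    "web": [80, 443],
    "dns": [53],            # DNS is mainly UDP/53; a TCP-only scan may not show it
    "pop3": [110, 995],
    "smtp": [25],
    "terminal services": [3389],
}

# Windows ports that should never be reachable from the internet (assumed list).
NEVER_EXPOSE = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session / file and print sharing",
    445: "SMB over TCP",
}


def audit_exposure(open_ports, intended, never_expose):
    """Classify each open port as intended, dangerous, or unexplained.
    Unexplained ports are the ones no declared service accounts for and
    therefore deserve a look before a firewall rule set is written."""
    allowed = {p for ports in intended.values() for p in ports}
    report = {"intended": [], "dangerous": [], "unexplained": []}
    for port in sorted(set(open_ports)):
        if port in never_expose:
            report["dangerous"].append((port, never_expose[port]))
        elif port in allowed:
            report["intended"].append(port)
        else:
            report["unexplained"].append(port)
    return report


def missing_intended(open_ports, intended):
    """Intended services none of whose ports appeared in the scan."""
    seen = set(open_ports)
    return sorted(n for n, ports in intended.items() if not any(p in seen for p in ports))


if __name__ == "__main__":
    r = audit_exposure(SCAN_RESULT, INTENDED_SERVICES, NEVER_EXPOSE)
    for port, why in r["dangerous"]:
        print(f"DANGEROUS   {port:5d}  {why}")
    for port in r["unexplained"]:
        print(f"UNEXPLAINED {port:5d}  no hosted service accounts for this port")
    print("intended:", r["intended"], "not seen:", missing_intended(SCAN_RESULT, INTENDED_SERVICES))
```

On Todd's list the script flags 135 and 139 as dangerous and leaves 21, 119, 143, 389, 548 and 993 unexplained, which is exactly the set of listeners to identify or remove before relying on any filter.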
 
Note that NAT does NOTHING to protect the ports on the Windows server doing
the NAT. That server is wide open and waiting to be hacked or infected.
What you are seeing in your port scans are the ports on the server itself.
And once someone hacks your server, they can access your internal network.
There's also zero capability for logging, so if you're hacked or your
network connection starts getting slow due to bandwidth use, you've got no
idea who hacked you.

NAT on a hardened device such as a firewall or NAT router is somewhat more
secure than NAT on a Windows 2000 router connected directly to the Internet.

There are free firewalls out there, including www.kerio.com, www.sygate.com,
and linux firewalls [some of which may be easier to use than you think]

http://securityadmin.info/faq.asp#firewall



Todd said:
Thanks for that, I will be looking into firewalls, but it was just a
question to see how secure it would be... Looking at the port scan again it
looks to be very insecure. I also have ports 21, 389, 80, 110, 119, 135, 139,
143, 443, 548, 993, 995, 3389 open. I don't have anything enabled on the
external card but do host a web site, DNS, POP, SMTP, and Terminal
Services. How easy would it be for someone to hack the system?
I do realise that a firewall is the ideal solution, but just about
anything is hackable if they want!!
 
Thanks for the great information. I have noticed that the NetBIOS port is open and that this is very dangerous, but I'm not too sure what could be causing this, as on the external interface I have nothing enabled except for an IP address, but port 139 is open? And I have also noticed that ports 135, 137, 138 are open on my FTP server; could Windows Services for Macintosh have something to do with this? I have just taken over this network and I'm trying to get a firewall in here but just want to be secure ASAP...

Thanks for everyone's help
 
If file and print sharing is not needed on that computer then uninstall it instead of
simply disabling it. You can also disable NetBIOS over TCP/IP in the TCP/IP
properties/advanced/WINS tab of a network adapter. I think the Mac service uses
AppleTalk, but I may be wrong. If you don't want to use a personal firewall, then I
would suggest implementing IPsec filtering ASAP. Good luck. --- Steve



Todd said:
Thanks for the great information. I have noticed that the NetBIOS port is open and
that this is very dangerous, but I'm not too sure what could be causing this, as
on the external interface I have nothing enabled except for an IP address, but port 139
is open? And I have also noticed that ports 135, 137, 138 are open on my FTP server;
could Windows Services for Macintosh have something to do with this? I have just
taken over this network and I'm trying to get a firewall in here but just want to be
secure ASAP...
 