<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Bottom up security in Security</title>
<link>http://www.dslreports.com/forum/r9720559</link>
<description></description>
<language>en</language>
<pubDate>Wed, 20 Aug 2008 21:06:47 EDT</pubDate>
<lastBuildDate>Wed, 20 Aug 2008 21:06:47 EDT</lastBuildDate>

<item>
<title>what the heck sort of SPI does BEFSR-41 have?</title>
<link>http://www.dslreports.com/forum/remark,9899252</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : I've got a BEFSR-41 facing the world, and a proper wall containing the DMZ.<br><br>Every now and again, the BEFSR passes through attacks against my LAN addresses (I don't have NAT on the second wall as I want the DMZ boxes to see the (reverse-DNS-walled) internal addresses).  The attacks bounce off the second wall and settle down in the logs.<br><br>No attacks against non-existent LAN addresses take place, so this is not the case of the ISP routing heaps of destination spoofed packets to me.  The blame lies squarely in some lameness in the BEFSR SPI / NAT.<br><br>I have little trust in this device, after finding SYN packets for SQL Server ownage in the logs.  Also, I remember being able to get the router into a weird state whereby it would allow pings through, for a few seconds, and then block them again.<br><br>In all, this thing is all right as a quick and dirty approximation to a wall, but given the logs I think it should be considered compromised.  It's stable, never crashes, etc..   but it appears possible to craft packets that fool its SPI into passing them along.  So much for the Linksys.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9899252</guid>
<pubDate>Wed, 07 Apr 2004 04:20:11 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9793889</link>
<description><![CDATA[<A HREF="/useremail/u/360338"><b>jvmorris</b></A> :  <BLOCKQUOTE><SMALL>said by Bobby_Peru:</SMALL><HR>Hi Joseph, . . .<br>The NATie/SWF (oh jah, what a concept) IP customer has incurred the cost of providing protection for _both_ herself and as an added benefit, protection for the network.  While it's not the IP's fault that the pinheads and nasties abound (unless they are on the IP and the IP...but that is another issue), don't they derive some benefit from this? If so, shouldn't this be factored into the "overall cost" equation?  <HR></BLOCKQUOTE><br>Oh, certainly.  The ISP definitely derives an advantage from anyone running a <B>properly configured</B> NAT router or even software firewalls at the end of the pipe.  But that's a far cry from then expecting the ISP to provide tech support for either when things go belly up.<br><br>A bit of a tangent here:  For years, I ran multiple machines here behind a Microsoft ICS gateway (on this very box, no less), with each machine having its own software firewall.  I must have spent hours (weekly) simply keeping this configuration running (and monitoring alerts when they occurred, which, honestly wasn't all that often here) -- and <B>then</B> I found a NAT router that also worked with dial-up.<br><br>At that point, all the PSFs went quiet.  The only thing I see in the PSF logs these days are permitted comms that I choose to monitor out of pure inquisitiveness.  <I>And now I understand why the more knowledgeable get a bad case of the sniggers when they read endless reams of posts (many of which have been mine) about properly configuring PSFs.</I> <B>My own NAT router (complete with dial-up support and basic SPI) cost me <I>less</I> than a one-year subscription for a PSF for <I>one</I> machine!</B> <SMALL>Talk about feeling stupid! 
</SMALL>  Incidentally, I still keep the various PSFs running -- just in case -- but it's been ages since I've found any need to do any configuration maintenance or log checking.<br> <br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> . . .  I didn't mean IP's to do that, but that they should at least not request users to drop their protection for tech support, unless it is really needed, and to get behind NAT and SWF, instead of seeing it only as a negative to them (which I still do not believe it is).  There should be a way to make it work, as it really seems to me to be win/win for all. <HR></BLOCKQUOTE><br>Quite frankly, what (if anything) you are likely to see from the ISPs is more likely to be integrated modem/NAT router combinations.  Oh, they know people are going to run multiple PCs off the same subscription.  Why not make it easy but still safe.  And, more to the point, most ISPs' ToS/AUP are quite emphatic that their subscribers should not be running webservers, e-mail servers, news servers, IRC chat servers or whatever else may come to mind.  Well, a NAT router (especially with no documentation :D ) is far more likely to resolve that issue than a PSF (which can then be screwed up) -- <I>and it's likely to be a lower cost solution for the ISP</I>!<br><SMALL>--<br>Regards,    Joseph V. Morris</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9793889</guid>
<pubDate>Fri, 26 Mar 2004 21:17:13 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9793816</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : <SMALL> said by jvmorris </SMALL><br><BLOCKQUOTE><HR><br><br>At this point, we could probably set up a poll on just how long this really cool, neatso-keeno PSF is going to remain enabled (and I haven't even got to installed yet) on your machine. Just guessing, I would assume no more than 24 hours, 48 hours, max. <br><HR><br></BLOCKQUOTE><br><br>Which is why I think SBC has it about right. The only thing lacking is pre-sales information on the subject of security. It shows up prominently after install for those wishing to configure their account. <br>The only problem I foresee is a lot of users being scared off by the additional requirements of setting up a nat router and anti-virus, or seeing their Garden of Eden turn into a snakepit.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9793816</guid>
<pubDate>Fri, 26 Mar 2004 21:07:33 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9793705</link>
<description><![CDATA[<A HREF="/useremail/u/360338"><b>jvmorris</b></A> :  <BLOCKQUOTE><SMALL>said by Zigcoors:</SMALL><HR> . . . This is why I believe that a responsible ISP should bundle a pre-configged software firewall with their Cable package - makes for easier troubleshooting / configuring. From a cost point of view it is probably cheaper for an ISP to employ Support Desk personnel than Highly Qualified Network Engineers needed to change core routers config to stop DOS attacks etc.<br> <HR></BLOCKQUOTE>It's a good thought (and indeed I think an increasing number are actually doing this -- apparently Symantec, in particular, has gone out of its way to 'sell' this bundled stuff (or at least the 60-day trial version) to ISPs).  Indeed, it may well self-install as part of the overall cable/DSL (but not necessarily for a dial-up ISP) installation.  What happens next?<br><br>Well, if you've got a pre-installed PSF, everything is likely to go belly-up at this point.  You're left with a very bad taste in your mouth (about both the ISP involved and the PSF involved).  You're trying to run two PSFs at the same time.  (Probably without  your knowledge, I might add, since notification is not high on the list of priorities for such automated installs.)<br><br>Or, maybe they're so kind as to inform you what they are about to do and ask you to uninstall your previously installed and meticulously configured software firewall, which you understand like the back of your hand, of course.  Well, this is going to go over like <SMALL>(I don't think I can finish this characterization without getting it blurped) ... </SMALL>  If you think someone who's been using ZA/ZAP/ZA+ is suddenly going to switch to NIS/NPF (or vice versa) because of a decision made by their ISP, you've got another 'think' coming!<br><br>Maybe, (at some point), they go <I>further</I> (more than likely after their preferred PSF has been installed also), and they ask you which one you'd like to uninstall?  
Not too sure about ZAF/ZAP/ZA+ these days, but if you want to bet the kids on them being able to uninstall the <I>other</I> firewall, I can only wish you all the best.<br><br>Okay, now let's move over to the other end of the spectrum: you <B>didn't</B> have any PSF previously installed (not to mention the fact that you may have a NAT router that you 'forgot' to mention to the ISP, because you really want to run two or three PCs off the same subscription).  Well, <B>now</B> you've suddenly got a PSF about which you know absolutely nothing and, amazingly, you can no longer get to &raquo;<A HREF="http://www.myfavoritefanswebsite.com" >www.myfavoritefanswebsite.com</A> (or whatever it may be) and that gorgeous collection of swimsuit shots from the annual issue of Sports Illustrated to which (ahhh, ahemm) you've become somewhat 'acculturated', shall we say.  <br><br>At this point, we could probably set up a poll on just how long this really cool, neatso-keeno PSF is going to remain enabled (and I haven't even got to installed yet) on your machine.  <SMALL>Just guessing, I would assume no more than 24 hours, 48 hours, max. </SMALL><br><SMALL>--<br>Regards,    Joseph V. Morris</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9793705</guid>
<pubDate>Fri, 26 Mar 2004 20:53:40 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9793356</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : "At the moment, there are at least seven versions of NIS/NPF alone in service (1.0, 2.0, 2.5, 3.0, 4.0, 6.0 and 7.0 -- never mind the updates to each version). Is it fair to expect an ISP to do trouble-shooting each version of each software firewall simply because the vendor is unwilling to provide timely, constructive support? I think not. (And I haven't even gotten to ICS or the NAT routers.)"<br><br>This is why I believe that a responsible ISP should bundle a pre-configged software firewall with their Cable package - makes for easier troubleshooting / configuring. From a cost point of view it is probably cheaper for an ISP to employ Support Desk personnel than Highly Qualified Network Engineers needed to change core routers config to stop DOS attacks etc]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9793356</guid>
<pubDate>Fri, 26 Mar 2004 20:21:23 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9793225</link>
<description><![CDATA[<A HREF="/useremail/u/827318"><b>Bobby_Peru</b></A> : Hi Joseph,<br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>  by now I must have seen several hundred incidents in which people have 'lost' their Internet connectivity only to regain it by disabling/uninstalling their existing software firewall (which obviously had been working fine. <HR></BLOCKQUOTE><br><br>I agree with you on the occurrences of "lost connectivity", but I was trying to say that Zulummar's description seemed overboard, especially concerning the repetitive "now, when this happens once every couple of months".  But that probably happens, as well.  It just hasn't seemed to have bugged me or my circle...... so far....<br><br>I know what you mean about IP's wholesale demanding folks "drop-their-protection".  We have all heard it.  While I am no expert, there seems to be a time for that, and more times when it's not really needed to diagnose problems.<br><br>A year or three ago, in attempts at diagnosing repetitive connectivity issues, low tier Adelphia Tech support did get me to remove NAT, which, feeling that I had little choice, wanting to properly eliminate all possibilities, _and_ knowing that a Software Firewall was still in line, I did.  More knowledgeable support didn't request/demand dropping any protection, and agreed that we were months past the point where they should have rolled a truck, replaced the Modem and really re-checked their wiring/splitters to get the problem solved.  (They rolled, replaced the Modem, connections and splitters and solved the problem.) <br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>  no ISP in its right mind is going to pick up this cost when the vendor and retailer -- the parties who've actually profited from selling the software firewall/NAT router to the end-user refuse to do so. I mean, let's be real about this -- the vendor/retailer has the revenue, but the ISP is supposed to assume the support expense?  <HR></BLOCKQUOTE><br><br>Very good point.  
Two comments: <br><br>The NATie/SWF (oh jah, what a concept) IP customer has incurred the cost of providing protection for _both_ herself and as an added benefit, protection for the network.  While it's not the IP's fault that the pinheads and nasties abound (unless they are on the IP and the IP...but that is another issue), don't they derive some benefit from this? If so, shouldn't this be factored into the "overall cost" equation?  <br><br>What if the Vendor's (with or without the Retailers) and the IP's hooked up, to promote NAT usage (SWF too, but it's more problematic) and "The Safe-hex Experience" (apologies to Mr. Hendrix and Smith).  Devise funny paper clear user and CS instructions, sell lots more NATies, devise Support plan to address the inequity, and apply some of the increased profits from increased sales of NATies to Support.... OK, maybe not in either of our lifetimes (unless  we include cryogenic "extension" in "our lifetime").<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>  But, to expect an ISP to check the contents of every HTTP packet sent to each subscriber on line 24/7 to ensure that there's no malicious scripts -- well, that's going off into never-never land. <HR></BLOCKQUOTE>  I didn't mean IP's to do that, but that they should at least not request users to drop their protection for tech support, unless it is really needed, and to get behind NAT and SWF, instead of seeing it only as a negative to them (which I still do not believe it is).  There should be a way to make it work, as it really seems to me to be win/win for all.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9793225</guid>
<pubDate>Fri, 26 Mar 2004 20:07:39 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9792710</link>
<description><![CDATA[<A HREF="/useremail/u/937249"><b>dg2</b></A> : I'm thinking that a NAT router (hardware) would be a better way to go than the software-based firewall, if we're talking about a widespread rollout.<br><br>It would be easier to standardize, and probably harder to mess up (by the user, that is) than a software-based solution.  Not that I'm down on software firewalls, but I've found my NAT router to be easier to use than the software-based wall I used to use.  The only sign of connection trouble I've had was in videoconferencing with NetMeeting, and that was because I didn't forward any ports.  Beyond that, it's been really good.<br><br>It also goes back to the idea of issuing a combination unit (like the Speedstream unit we have at the office, which is modem/NAT in one box) to the average user, so they automatically get that protection when they install the "modem".<br><br>(By the way - this has been a really good discussion so far.)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9792710</guid>
<pubDate>Fri, 26 Mar 2004 19:20:53 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9792215</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : As a pretty regular poster in the networking forum, I see a lot of problems with software firewalls and file sharing and the occasional corrupted tcp/ip stack that possibly could be caused by a bad firewall install.<br><br>The hardest part of nat/firewall box implementation is convincing someone to buy one. There are very few posts where the install goes wrong and the internet is inaccessible. There are some with slowdowns after the router is on a couple of days, which most probably is caused by buggy firmware.<br><br>Some ISP's are now charging a monthly fee for home networking, I assume to cover the extra support. Mine sells the hardware and supports it if you buy from them. <br><br>Also noted is SBC's "My Account" page, top center is a series of links to security with explanations of firewalls, antivirus, anti spyware, anti trojan, etc. These pages have links to free software.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9792215</guid>
<pubDate>Fri, 26 Mar 2004 18:34:18 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9792142</link>
<description><![CDATA[<A HREF="/useremail/u/360338"><b>jvmorris</b></A> : Bobby, this is a two-way problem.<br><br> <BLOCKQUOTE><SMALL>said by Bobby_Peru:</SMALL><HR>[edit: In response to Zulummar -anonymous- 65.202.123.x]<br><br>Tens of thousands (hundreds of thousands?) of people routinely utilize the protections you mention, including myself, and folks I know.  On a personal level, as far as I know, no one that I know has had the problems as you describe.<HR></BLOCKQUOTE><br>Going (first) to Zulummar's comments, I don't know how you've managed to miss them, but by now I must have seen several hundred incidents in which people have 'lost' their Internet connectivity only to regain it by disabling/uninstalling their <I>existing software</I> firewall (which obviously <I>had</I> been working fine.  I've seen these discussions in this forum and others like it and also in the various NNTP newsgroups.  (Usually, of course, the individual in question then proceeds to dump their existing software firewall and get another one.)  So, his fundamental comment contains at least a kernel of truth.  Now, did their firewall mysteriously quit working?  Did it get subverted?  Did it get screwed up by some update that they subsequently installed?  Did it get screwed (by them) by trying to "configure" it for a tighter configuration?  I don't know.  It's almost impossible to tell (since the software firewall in question is almost invariably disabled/removed by the time I start asking questions).<br>At the moment, there are at least seven versions of NIS/NPF alone <B>in service</B> (1.0, 2.0, 2.5, 3.0, 4.0, 6.0 and 7.0 -- never mind the updates to each version).  Is it fair to expect an ISP to do trouble-shooting <I>each</I> version of <I>each</I> software firewall simply because the vendor is unwilling to provide timely, constructive support?  I think not.  
(And I haven't even gotten to ICS or the NAT routers.)<br><br>But, you've got a point here, also -- and that's relating to the mindless statements of certain ISP tech support staffs that the user needs to disable their software firewall or NAT router in order to get complete functionality.  <br><br>I remember a coupla experiences of my own.<br><br>In the first, Tech Support asked if I had a software firewall and I said yes I did.  He said he couldn't help me unless I disabled it.  I said "Okay", did absolutely nothing, and then waited about two minutes before I said "Okay, I've disabled it" -- and, at that point, the tech found out that there was a connectivity problem of some sort (involved the dial-up modem I was using at the time, as I recall).  My point was that this was indeed the ISP's problem but they wouldn't even try to trouble-shoot it as long as they <B>thought</B> I was running a software firewall.  Rather obviously, the Tech Support rep never checked (and I doubt that he really knew how to do so), since it would have been readily obvious that the firewall was still in place.<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> Does what you're saying happen?  Of course it does, ... <HR></BLOCKQUOTE><br>Agreed, and no ISP in its right mind is going to pick up this cost when the <B>vendor</B> and <B>retailer</B> -- the parties who've actually profited from selling the software firewall/NAT router to the end-user refuse to do so.  I mean, let's be real about this -- the vendor/retailer has the <I>revenue</I>, but the ISP is supposed to assume the support <I>expense</I>?  
<B>I don't think that's going to happen, not in my lifetime.</B><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> Not having customers use these protections likewise has a cost to IPs, _and_ to hundreds of thousands of other Internet support companies and users, as well.<HR></BLOCKQUOTE><br>Quite true -- <B>as long as they use it properly</B> -- and it's not the ISP's responsibility to see that they do so -- <I>it's the responsibility of the vendor/retailer/purchaser.</I><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> . . . .  If there actually is an overall additional cost of IP's supporting such reasonable and responsible protections such as NAT and FW, it will be passed on to be ultimately carried by users (since stockholders are never going to allow even the infinitesimally slightly lower ROI this might involve, are they...). <HR></BLOCKQUOTE><br>I disagree. I would agree that the ISPs can obviously limit unsolicited inbound communications to subscriber ports that may be subject to vulnerabilities (and many do).  I agree that ISPs can (to some extent) check for e-mail with malicious contents (and many do).  But, to expect an ISP to check the contents of every HTTP packet sent to each subscriber on line 24/7 to ensure that there's no malicious scripts -- well, that's going off into never-never land.  Hell, most <B>end-users</B> <I>here</I> are bitching about how this slows down their throughput if they do it on their own!  Can you imagine the bandwidth that the ISP would need on their Internet gateway (and the processing power behind it) if they were to attempt to control this?  (And that's the <B>cheap</B> solution!).  And you want them to put a 100 additional, knowledgeable tech support personnel online 24/7 to tell people how to solve these problems for probably a hundred different software firewalls/NAT routers?  I'm sorry, I can't see that happening, nor being "cost-effective".  
(The subscribers would probably at that point move over to another cut-rate ISP with no protection whatsoever; neither they (nor the rest of the world) would then be any better off.)<br><SMALL>--<br>Regards,    Joseph V. Morris</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9792142</guid>
<pubDate>Fri, 26 Mar 2004 18:26:18 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9792110</link>
<description><![CDATA[<A HREF="/useremail/u/172441"><b>Supafly</b></A> : I would recommend putting up the netgear fr114p with the latest firmware and see what happens, since it has SOME form of certification (<A HREF="http://www.icsalabs.com/html/communities/firewalls/newsite/certification//vendors_4/netgear/index.shtml">ICSA Residential Firewall Certification</A>).]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9792110</guid>
<pubDate>Fri, 26 Mar 2004 18:22:58 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9792015</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : I don't allow IRC, or P2P, but some online games are played here without any problems.<br><br>Blake]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9792015</guid>
<pubDate>Fri, 26 Mar 2004 18:10:23 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9791661</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Got to agree - I've used a software firewall on a windows box for the last 12 months - never had any connectivity problems with it. I have to admit I do run a packet monitor behind it - just in case.... <br><br>But then again I don't run P2P, IRC Instant messaging etc<br><br>Ian]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9791661</guid>
<pubDate>Fri, 26 Mar 2004 17:31:47 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9791505</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : I always run a firewall and use a number of them considering I develop software for them (SonicWall, Zyxel, Netgear, Linksys, DLink, etc), and in over four years I've never had one cause a problem on my cable connection.  I have had a couple of problems with my internet access (Shaw cable in Calgary is actually really good), but never once was the problem caused by my firewall.  Now granted Linksys might be having a problem with some ISPs as mentioned in a very long thread in the Linksys forum, but no problems here.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9791505</guid>
<pubDate>Fri, 26 Mar 2004 17:14:10 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9791470</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : The computer-using public are blissfully unaware of either the risks or potential damage an unprotected PC can do. Most are only interested in either hi-speed surfing or P2P sharing. Bottom up security has to be the way to go - but it should be led by the ISPs providing DSL / Cable. IMHO they should as a part of their start up pack include at the minimum a NAT router or provide a pre-configured software firewall that installs with the modem software. <br><br>The average Joe does not think that his PC could either hold anything of any value to an intruder or indeed that viruses do anything more than interfere with the operation of their PC's.<br><br>I have first hand experience of people who should know better (IS management) who were infected by various Internet Worms because they hadn't even taken basic security precautions. Ultimately the ISPs would derive benefit from this approach as it would make network management a simpler task<br><br>Ian]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9791470</guid>
<pubDate>Fri, 26 Mar 2004 17:11:19 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9791119</link>
<description><![CDATA[<A HREF="/useremail/u/827318"><b>Bobby_Peru</b></A> : [edit: Post in response to above post by Zulummar -anonymous- 65.202.123.x]<br><br>Tens of thousands (hundreds of thousands?) of people routinely utilize the protections you mention, including myself, and folks I know.  On a personal level, as far as I know, no one that I know has had the problems as you describe.<br><br>Does what you're saying happen, ever?  Of course it does, at least as far as customers' use of Firewalls and NAT Routers having some impact on Customer/Tech Service costs to IPs from dealing with the protection's existence.  <br><br>Not having customers use these protections likewise has a cost to IPs, _and_ to hundreds of thousands of other Internet support companies and users, as well.<br><br>Bigger brains than mine might prove or disprove this, but it seems clear that the overall cost to society of not having such protections in place is far greater than any increase in burden on IP's.<br><br>Perhaps with widespread usage, IP's could see an overall savings, when balancing increases for NAT/FW support with decreases from bandwidth waste, slow-downs, dealing with compromised systems, and the negative fallout from each and every plague.<br><br>Financial and personal data theft, theft, ID theft, DDoS ...... This moves beyond entertainment inconvenience and actually damages lives (and even potentially costs lives).<br><br>There are responsible business practices, and irresponsible business practices.  
In the current climate of increasing internet threats, IP's failing to actively promote the usage of such basic protections as NAT Routers and Software firewalls, seems to me to fall into the irresponsible and negligent omissions category, while actively seeking to have customers drop protections already in place (without adequate alternative protections) crosses the line into gross negligence.<br><br>If there actually is an _overall_ additional cost of IP's supporting such reasonable and responsible protections such as NAT and FW, it will be passed on to be ultimately carried by users (since stockholders are never going [to] allow even the infinitesimally slightly lower ROI this might involve, are they...).]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9791119</guid>
<pubDate>Fri, 26 Mar 2004 16:34:30 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9790376</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> :  <BLOCKQUOTE><SMALL>quote:</SMALL><HR> <br>How about first getting ISP's to stop bitching about NAT Routers and Firewalls, and to stop asking people to disable them, though I hope this is on the way out, by now!<br><HR></BLOCKQUOTE><br>never happen.  Here's why.  A  lot of people are way too cheap to buy hardware firewalls, and use crap software ones like ZoneAlarm, or they don't know how to configure it properly, and it causes them problems.<br>Here's another problem.  When I did Tier 2 technical support for @home, we had no end of people who had software firewalls, and would break their internet connectivity.  It would work for months with no problems then suddenly they couldn't connect at all, even though no changes had been made to configuration.<br>simply disabling their firewall (zonealarm, norton internet security, any number of others) very rarely worked.  however, in all cases, uninstalling the firewall and rebooting fixed the problem.<br><br>now, when this happens once every couple of months, and the customer is inaccurately thinking it's our fault and our service sucks, when in reality it's their firewall, what are we supposed to do?  Take the blame because they don't want to listen to "it's your firewall" after they keep turning it on and it breaks, or tell them "here, to prove it's your firewall, leave it uninstalled and you'll see that the problem doesn't come back"???  Obviously, it's bad for business to take the hit for some lousy software company's poor coding skills, but then when we do what's necessary to protect our reputation from completely inaccurate abuse, we get bashed by the security community...<br><br>hmm, sounds like a lose/lose situation to me...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9790376</guid>
<pubDate>Fri, 26 Mar 2004 15:08:10 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9790241</link>
<description><![CDATA[<A HREF="/useremail/u/355439"><b>TheGiant</b></A> : Very true I had a D-link 604 on my network and had 0 trouble for about 2 years. I just switched over to a Belkin wireless router. <B>Default out of the box Port 80 is open.</B> I finally called Belkin to see how to close it. Tech support said port 80 had to be open to surf the web. I just hung up the phone and port forwarded 80 to an ip not on my network.<br><br>I think the 604 is one of the best home NAT/Firewalls I have seen for under $100. Still NAT is just another level of security not the whole package.  <br><SMALL>--<br>Maddox has come Home!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9790241</guid>
<pubDate>Fri, 26 Mar 2004 14:55:30 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9790093</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> :  <BLOCKQUOTE><SMALL>quote:</SMALL><HR> <br>At the same time, there are thousands of zombies out there -- and I get the impression they're not behind any sort of firewall. So why not integrate the devices (already been done) and issue those devices (or require them) as part of the service? That puts nearly everyone who gets new broadband service behind a NAT router, which (I'm thinking) should help reduce the zombie population.<br><HR></BLOCKQUOTE><br><br>The problem with this is many NAT router/firewalls on the consumer level are simply "not ready for primetime" in terms of an average user.  Many of these products (read: linksys) have major bugs and lots of firmware updates that your average user does not have the competence (or is afraid) to perform.  Not to mention the default configuration on these things is not in any manner the best configuration for most users.<br>Now, consider that ISPs are businesses and have to make a profit.  If they force a nat router/firewall on a clueless user who can't configure it to make their favorite activity work (i.e. games, IM progs, etc), that user calls support, and support has to help them reconfigure it every time they need to.  This increases overhead and reduces profit.  The alternative is they refuse to help, anger the customer, lose the customer, and lose a large amount of money when all the clueless users leave them.<br><br>Now I'm not advocating that security be ignored, but there simply is no simple solution to the problem.  Any "simple solution" is going to have extreme drawbacks that will make it impossible to implement from a practical standpoint.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9790093</guid>
<pubDate>Fri, 26 Mar 2004 14:39:32 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9776102</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : It would appear that I'm still able to surf the net from that computer so it's not DoS'ed, and no one has posted the file or share directory so the elcheapo DLink remains undefeated if unchallenged.<br><br>Shall I switch the router to a Linksys SR41 v1 or Netgear FR114P or anything else, etc or is no one up to the challenge and I can turn that IP Address back over to development?<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9776102</guid>
<pubDate>Thu, 25 Mar 2004 06:20:26 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9764364</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> :  <BLOCKQUOTE><SMALL>said by  TerryMiller <A HREF="/useremail/u/890688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>From the brief discussions I've had with Blake he's not logging this router, that's why he posted earlier to see if any one was taking him up on the challenge. <br> <HR></BLOCKQUOTE><br>Well see, that's a problem then.  As noble and fair as Blake's "I'm not watching" stance may be, if he doesn't log ANYTHING, we have no way of knowing whether ANYONE even tried to get in!  So we won't have much to really crow about later if nothing happens.  ("Dood, you don't even know if I or my skilllzd buds tried to ownz ju or not.  We could break that router right now if we tried.")<br><br>-- B<br><br>P.S.  For the feds in the audience, I trust that my miserable and pathetic efforts at leetspeak will prove how clean my own hands are.  :)<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9764364</guid>
<pubDate>Tue, 23 Mar 2004 23:20:35 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9764205</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : From the brief discussions I've had with Blake he's not logging this router, that's why he posted earlier to see if any one was taking him up on the challenge. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9764205</guid>
<pubDate>Tue, 23 Mar 2004 23:04:36 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9763980</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Good point, Terry; these routers tend to hose themselves just fine from time to time anyway.<br><br>As to whether to switch routers yet, beats me.  I'm not trying to hack it, and the only person who knows how many are trying is Blake, I suppose.<br><br>I only hope that there are at least a dozen distinct attackers trying to get in; otherwise this may be pointless.  (On the other hand, it only takes one.)<br><br>I guess the simple answer is to give it a week or so, and/or see when the attacks start to drop significantly.  Then switch routers.<br><br>Which reminds me... are you actually seeing more than the usual "Internet background radiation" -- are people really trying to compromise the system?  (I certainly hope so.)<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9763980</guid>
<pubDate>Tue, 23 Mar 2004 22:48:33 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9763341</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : So have we all conceded that without help that a $20 nat router is totally secure?<br><br>Should we implement some sort of regular internetwork access like a dyndns client to perform regular access to perform a man in the middle attack?<br><br>It seems a little odd to me as well that everyone has said that all clients behind a non SPI nat router are totally secure, unless they have some sort of phone home backdoor.<br><br>Even an attack that could disable the router would be rectified by a restart in most instances. A permanent DOS based on corruption of the router firmware is an accomplishment, a temporary memory based corruption is no worse than the manufacturers regularly put their customers through.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9763341</guid>
<pubDate>Tue, 23 Mar 2004 21:53:34 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9758858</link>
<description><![CDATA[<A HREF="/useremail/u/349292"><b>Kalford</b></A> : Dear Blake,<br><br>Please Cut the cable from your modem to your router an email me the contents of I_won.txt. (but not in that order)<br><br>Thank you.<br><br>SINCERELY,<br><br>LAZY H4XOR.<br><br>:D:D:D:D<br><SMALL>--<br>"I reverse my right to type siht the wrong way."</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9758858</guid>
<pubDate>Tue, 23 Mar 2004 14:45:34 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9758755</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : OK then how about we add NON BANDWIDTH DoS attacks to the contest.  NOTE DO NOT ATTACK THE IP ADDRESS WITH A BANDWIDTH BASED DOS ATTACK as my ISP would be highly pissed as would I.  So if you can bring down the router via a corruption based DoS then that is a winner as well (ie I can't surf out to somewhere on the internet).<br><br>So part 1 of the contest sounds like protection of devices behind the router are conceded to be secure?  If so next time someone says they can hack through a cheap nat router tell them they are on drugs or to give me a call to prove it.<br><br>Do I need to switch routers yet?<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9758755</guid>
<pubDate>Tue, 23 Mar 2004 14:34:53 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9757373</link>
<description><![CDATA[<A HREF="/useremail/u/804362"><b>qrkx</b></A> :  <BLOCKQUOTE><SMALL>said by  B <A HREF="/useremail/u/229804"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR><br>I believe qrkx is referring to ACL's of permitted IP address ranges and/or protocols.<br><HR></BLOCKQUOTE><br>That's correct. Network access control lists based on header parameters.<br>Thanks for clarifying that one.<br><br>rgds.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9757373</guid>
<pubDate>Tue, 23 Mar 2004 12:02:45 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9757067</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Wrong kind of ACL's.  There's usually little provision, if any, for true access control lists on the El Cheapo NAT routers.<br><br>I believe qrkx is referring to ACL's of permitted IP address ranges and/or protocols.<br><br>In any case, the default nature of almost all NAT SOHO routers is 'deny all' out of the box (well, not really, it's just that the inbound packets have nowhere to go since all internal addresses are private), so yeah the challenge is for those who pooh-pooh $20 NAT routers to prove that we have something to fear.<br><br>By the way, Blake, as I think I implied earlier, personally I'd consider the attack a success if it managed to disable or corrupt the router itself, not necessarily get to the file share on the computer inside.  This could conceivably be the result of a DoS attack.  (I mean disable in the sense that even AFTER the DoS had stopped, the router would be inoperable.)<br><br>But of course it's YOUR challenge and your terms...<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9757067</guid>
<pubDate>Tue, 23 Mar 2004 11:26:36 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9756045</link>
<description><![CDATA[<A HREF="/useremail/u/590730"><b>Randy Bell</b></A> :  <BLOCKQUOTE><SMALL>said by  dg2 <A HREF="/useremail/u/937249"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR> What are "acls"?  I want to make sure my NAT box has them in place...Thanks.<br> <HR></BLOCKQUOTE>I don't know for sure, w.r.t. the NAT box but .. I Googled and found this: &raquo;<A HREF="http://acl.bestbits.at/about.html" >acl.bestbits.at/about.html</A><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> <B>Access Control Lists</B><br><br>On UNIX and UNIX-like systems, file permissions are defined by the file mode. The file mode contains nine bits that determine access permissions of a file, plus three special bits. This mechanism allows to define access permissions for three classes of users: the file owner, the file group, and others. This mechanism is very simple. With a couple of bits, many permission scenarios can be modeled. <br><br>Some applications require more control over permissions than this model offers. Access control lists implement a more fine-grained permission model: In addition to the file owner, the file group, and others, additional users and groups can be granted or denied access.<HR></BLOCKQUOTE><br><SMALL>--<br><I>"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)</I></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9756045</guid>
<pubDate>Tue, 23 Mar 2004 09:10:57 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9755986</link>
<description><![CDATA[<A HREF="/useremail/u/937249"><b>dg2</b></A> :  <BLOCKQUOTE><SMALL>said by  qrkx <A HREF="/useremail/u/804362"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR> I see. If the NAT box has proper acls in place then no direct attack will succeed in that task. I won't even bother.(even if the firmware is buggy, it won't allow for such treat).<br>If the NAT box isn't acl-ed then the only hope is brute forcing admin access to it and forward the necessary ports to the LAN prize box.<br> <HR></BLOCKQUOTE><br><br>What are "acls"?  I want to make sure my NAT box has them in place...<br><br>Thanks.<br><SMALL>--<br>Hey, where'd my stars go?  I miss them both...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9755986</guid>
<pubDate>Tue, 23 Mar 2004 09:01:07 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9753126</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : And I think that is precisely the point here, in that a $20 router is a heck of a deal for home security and can protect you from any hacker getting in.  Stupid user tricks can crumble even the most expensive security setup going.  Now relating this to bottom up security, if every home user had a $20 firewall then it would provide very good bang for the buck in terms of providing security for the home user.  No door lock is going to stop everyone, but if they can stop most or a lot then they are a good deal.<br><br>Now perhaps I'm counting my chickens before they hatch, but time will tell.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9753126</guid>
<pubDate>Mon, 22 Mar 2004 22:28:55 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9750888</link>
<description><![CDATA[<A HREF="/useremail/u/804362"><b>qrkx</b></A> :  <BLOCKQUOTE><SMALL>said by  TerryMiller <A HREF="/useremail/u/890688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR><br>Post the share name and the contents of the text file first and you win 5 tool points donated by me. <br>I was curious to see how secure a basic Nat box was.<br><HR></BLOCKQUOTE><br><br>I see. If the NAT box has proper acls in place then no direct attack will succeed in that task. I won't even bother.(even if the firmware is buggy, it won't allow for such treat).<br>If the NAT box isn't acl-ed then the only hope is brute forcing admin access to it and forward the necessary ports to the LAN prize box.<br><br>If there is help on the inside(e.g. LAN user browses to wrong site) - game over. And I guess that's what it all comes down to: no matter the $20 or $10k you spend on border control, it will always come down to controlling what the end-users run.<br><br>As for your question, a properly config-ed $20 NAT/pf box is the equivalent of a properly config-ed 10k NAT/pf box. (of course if we leave performance and flexibility aside -but that really isn't an issue with home/soho users)<br><br>rgds.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9750888</guid>
<pubDate>Mon, 22 Mar 2004 19:15:38 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9750786</link>
<description><![CDATA[<A HREF="/useremail/u/804362"><b>qrkx</b></A> :  <BLOCKQUOTE><SMALL>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR><br>If you want to demonstrate executing code on the victim system then sure go for it as it would be just a step beyond reading the text file. I will be nuking and repaving this system afterwards anyways.<br><HR></BLOCKQUOTE><br><br>So, we have a NAT box with no acls in place? (sorry, I have never played with these boxes so I really don't know what they come equipped with). They must have a webadmin interface for config options but I doubt they would enable that on the WAN interface....Correct me if I'm wrong.<br><br>About executing code on the LAN workstations....what I had in mind was a typical reverse shell where the end user assists in giving the attacker that privilege.<br><br>All-in-all, I am trying to anticipate attack methodologies with thought experiments but I can also provide with a poc in the latter case.<br><br>rgds.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9750786</guid>
<pubDate>Mon, 22 Mar 2004 19:06:59 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9750705</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : The contest is this:<br>Blake placed a text file named I_won.txt on a computer with an open share behind the Nat box. Currently a D-Link 604. <br><br>Post the share name and the contents of the text file first and you win 5 tool points donated by me. <br><br>I was curious to see how secure a basic Nat box was. I asked Blake, and he said pretty hard. So he volunteered to put up the box to see how hard it really was. I just volunteered a little incentive in addition to the bragging rights.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9750705</guid>
<pubDate>Mon, 22 Mar 2004 18:59:05 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9750677</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : Bandwidth DoS is not considered a successful attack as that is an attack on internet infrastructure and could be carried out against any site on the internet given you have enough water to burst the pipe.  DoS in general here isn't the point as it's getting past the router/firewall that is the point of the challenge.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9750677</guid>
<pubDate>Mon, 22 Mar 2004 18:56:35 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9750634</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : DLink 604+ default configuration except the passwords have been changed.  Behind the DLink is a computer with open shares.  All you have to do is get past the DLink and read the file on the open share, post the contents of the text file and the name of the open share here.  Really really simple.<br><br>The object is to see if it's possible to hack past a $20 firewall/router.  Lots of people think these units have limited security and are easy to hack so here is their chance to prove it.<br><br>If you want to demonstrate executing code on the victim system then sure go for it as it would be just a step beyond reading the text file.  I will be nuking and repaving this system afterwards anyways.<br><br>I'll switch the router to a Linksys SR41 v1 and then a Netgear FR114P when asked and everyone is done hacking on the existing router (ie we are working our way up in price).<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9750634</guid>
<pubDate>Mon, 22 Mar 2004 18:53:41 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9750522</link>
<description><![CDATA[<A HREF="/useremail/u/804362"><b>qrkx</b></A> : What is the nature of the contest? Break the NAT box? Brute force to gain admin access to config service? Is the NAT box firewalled(e.g. packet filtering)- in which case the challenge is to demonstrate mis-configured acls rather than problems with NAT? Is the NAT box running up to date firmware? Is a bandwidth DoS considered a successful attack? <br><br>If gaining access to resources behind the NAT box is the challenge, are we simulating a real work environment with several workstations + a couple of dumb end users on the LAN(or one workstation + a dumb user)? Do we take into consideration dumb LAN users? Do we depart from the premise code gets executed on the LAN workstations(e.g. reverse shell)?<br><br>The "capture the flag" contest could get interesting/educational and if the right premises and possible conclusions are clearly set. <br><br>rgds.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9750522</guid>
<pubDate>Mon, 22 Mar 2004 18:44:29 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9749617</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : Perhaps you could start a new thread; the potential attackers may have missed this challenge...<br><br>Of course, you could go all out and submit it for the front page too...<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9749617</guid>
<pubDate>Mon, 22 Mar 2004 17:17:12 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9747522</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : So anyone trying to stomp the DLink?<br><br>Blake]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9747522</guid>
<pubDate>Mon, 22 Mar 2004 13:23:43 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9743275</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> :  <BLOCKQUOTE><SMALL>said by  TerryMiller <A HREF="/useremail/u/890688"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>As I said earlier it's I_won.txt. Blake just added the share name. The contest hinges on the contents, and now the share name.<br> <HR></BLOCKQUOTE><br><br>I know; I was kidding...<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9743275</guid>
<pubDate>Sun, 21 Mar 2004 22:25:40 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9743241</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : As I said earlier it's I_won.txt. Blake just added the share name. The contest hinges on the contents, and now the share name.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9743241</guid>
<pubDate>Sun, 21 Mar 2004 22:21:31 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9743158</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> :  <BLOCKQUOTE><SMALL>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR><br>There is a file in a shared directory, first one to give me the name of the shared directory and the contents of the file wins.<br> <HR></BLOCKQUOTE><br><br>How about the name of the file?  'Cause I've got a good guess.<br><br>:)<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9743158</guid>
<pubDate>Sun, 21 Mar 2004 22:12:01 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9743018</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : The cheapest router I have is currently online.  DLink 604+ purchased for $69.96 CDN with a $40 rebate, so final price $19.95 CDN.  I'll leave it up for a day and see if anyone objects, I'll switch it to a Linksys BEFSR41 v1 (ya it's more than a couple of years old) tomorrow night, leave it up for a day and then put up the Netgear FR114P or whatever you wish.<br><br>There is a file in a shared directory, first one to give me the name of the shared directory and the contents of the file wins.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9743018</guid>
<pubDate>Sun, 21 Mar 2004 21:56:30 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9742977</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : DLink 604+ in default configuration.  Let me know if you want me to switch to a different router/firewall.<br><br>IP Address 68.144.128.129 (pingable).  <br><br>Shaw Calgary Account (cable).<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9742977</guid>
<pubDate>Sun, 21 Mar 2004 21:49:56 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9742941</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Since we're going for a "cheap and popular" proof, I'd start with the cheapest Linksys and then the cheapest NetGear you've got.<br><br>Note to the leet hackerz, this is not an attempt to trap you or steal your secrets (do it unannounced if you like); rather, this is your opportunity to prove to us that all of us must ph33r your skillz.  (And that we can't get by with the El Cheapo Router.)  We trust Blake, and if he says he was compromised we'll believe it.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9742941</guid>
<pubDate>Sun, 21 Mar 2004 21:45:53 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9742785</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : What router/firewall would everyone like to start with or let me know when you would like me to switch routers/firewalls?  I'm just setting up a DLink 604+ as the starting router and as soon as I'm done setting up I'll post an IP address.  Just to make it easy I will put the target file in an open share directory.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9742785</guid>
<pubDate>Sun, 21 Mar 2004 21:27:08 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9742365</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : I've talked to Blake and he's up for the challenge. I'll e-mail him and see how he wants to handle the ip address. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9742365</guid>
<pubDate>Sun, 21 Mar 2004 20:42:45 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9742340</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Two thoughts:<br><br>1.  I don't think Blake posted an IP address, so this is an interesting challenge from the get-go.  :)<br><br>2.  Actually getting to that file would be quite an accomplishment.  I'd be satisfied if the attacker merely stopped or modified the router, or even managed to put a packet out on the LAN side.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9742340</guid>
<pubDate>Sun, 21 Mar 2004 20:39:44 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9741537</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : I just sent Blake a text file that he is putting on the computer behind the D-Link router. 5 tool points from me to the first person that can post the contents of the file.<br><br>The file name is I_won.txt.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9741537</guid>
<pubDate>Sun, 21 Mar 2004 19:06:03 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9741165</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : I think I know a couple of people who would love to take that Symbiot product for a little test drive into hell ;)<br><br>Blake]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9741165</guid>
<pubDate>Sun, 21 Mar 2004 18:25:04 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9741055</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Okay sure, I guess that's very ethical of you, in a strange way.<br><br>Of course, if and when they are successful, our collective next question would be "BUT HOW"...  I guess we'd cross that bridge then.<br><br>The only techniques I remember seeing mentioned were either DoS or some kind of ARP spoofing, but it doesn't seem likely; that's why I'm really interested in your experiment.  I'd really love to be able to brag (with more certainty than I can now) that the el cheapo routers are "every bit as secure", at least in some contexts and for home user purposes, as their mondo-SPI and "application intelligence" brethren.<br><br>Thanks, Blake.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9741055</guid>
<pubDate>Sun, 21 Mar 2004 18:13:01 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9740998</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : Since the purpose of this was to prove only that it is possible to 'hack' a cheap NAT router, I wasn't logging what he was doing other than using the logging functionality within the DLink and all I saw was port scans.<br><br>The point of this isn't to expose how it's done, only that it can be done.  Anyone who could do something like this isn't exactly interested in giving away their 'secret' of how to do it (if it's possible at all), so I keep logging pretty minimal as how to do it isn't my intent here, only that it's possible to do it.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9740998</guid>
<pubDate>Sun, 21 Mar 2004 18:06:50 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9740675</link>
<description><![CDATA[<A HREF="/useremail/u/360338"><b>jvmorris</b></A> : :D  :D  Giant's probably using a beta release of the Symbiot product. :D :D<br><SMALL>--<br>Regards,    Joseph V. Morris</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9740675</guid>
<pubDate>Sun, 21 Mar 2004 17:29:18 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9740549</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Wow, that D-Link must be SOME router -- it performed a reverse DoS or a Ping-O'-Death on the attacker and blew out his hardware!<br><br>:)<br><br>Any idea what kind of attacks he's trying?<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9740549</guid>
<pubDate>Sun, 21 Mar 2004 17:14:23 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9740523</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : I put up a D-Link 604+ for Giant to go after; I believe he ran into a hardware failure on his end and had to stop.<br><br>If anyone else is interested in taking a shot at it, I have a number of cheap NAT routers and firewalls that I could set up (DLink 604+, Linksys BEFSR41 v1, Linksys BEFSX41, Netgear FR114P, Netgear FVS318, Linksys WRV54G, Zyxel Zywall 10, Zywall 10W, SonicWall Soho 2, and hopefully this week a SonicWall TZ170 and a couple of others).<br><br>Blake<br>NOTE to hardware vendors, if you want me to build a version of Link Logger for your hardware then you have to send me the hardware, I'm not buying any more (actually Netgear and Zyxel have been pretty good about this).<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9740523</guid>
<pubDate>Sun, 21 Mar 2004 17:10:44 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9740372</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> :  <BLOCKQUOTE><SMALL>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>I've asked before, does anyone here know how to whack even the cheapest of NAT routers available today?<br> <HR></BLOCKQUOTE><br><br> <BLOCKQUOTE><SMALL>said by  TheGiant <A HREF="/useremail/u/355439"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR> <BLOCKQUOTE><SMALL>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>  I'd be happy to put up a cheap NAT router on a network here for a demonstration of how to whack it, if anyone would like to demonstrate their kung fu.  So based on bang for the buck, NAT routers are not that bad, so please don't think I'm suggesting that you have to have the most expensive firewall on the planet to be reasonably safe.<br><br>Blake<br> <HR></BLOCKQUOTE><br>Put it up. :) I agree it's better than being wide open.  Unless the user has a clue a $50 NAT box or a $5000 PIX makes little difference. <br> <HR></BLOCKQUOTE><br><br>That challenge test.  Unless I misunderstood, TheGiant was taking you up on your offer to show you that he or she can hack through or otherwise disturb your cheapo NAT router...<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9740372</guid>
<pubDate>Sun, 21 Mar 2004 16:51:03 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9740323</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : uh could you give me/us a little more to go on than 'challenge test', what test and where?  Are you talking Certification testing and if so whose certification tests?<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9740323</guid>
<pubDate>Sun, 21 Mar 2004 16:45:42 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9738868</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>To Blake and TheGiant -- have you folks actually done your challenge test?  Blake, what were the results?<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9738868</guid>
<pubDate>Sun, 21 Mar 2004 13:58:17 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9738861</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>I haven't seen this suggested in a long time, but it's really the logical endpoint for the feeling that many of us, including me, now share -- that NAT routers should be standard equipment for home broadband users.<br><br>Why not have the ISP do the NAT filtering, and provide only a  private IP address to the end users?<br><br>Now stop right there; I hate this idea as much as you do, but wouldn't it really help put a damper on port probing mischief?  If a giant consumer pseudo-ISP like, oh, say, AOL, were to start NATting all its users, wouldn't that limit the propagation of worms?  (Yes, the web and e-mail vectors would ensure the continued healthy life of the critters.)<br><br>This is the kind of non-existent ISP level NAT that SpeakFreely's Walker railed against (seemingly without any basis) when he quit the project, but surely it would protect consumer newbies more efficiently than bundling routers or trying in vain to convince folks to use 'em?<br><br>-- B<br><br>P.S.  Again, I personally hate this idea; but it satisfies the requirements and might make for good discussion.<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9738861</guid>
<pubDate>Sun, 21 Mar 2004 13:56:49 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9732306</link>
<description><![CDATA[<A HREF="/useremail/u/890688"><b>TerryMiller</b></A> : I believe a lot of people don't run firewalls because they've tried application level software firewalls and get tired of the annoying popups saying this or that application wants to access the internet "Now what?". Combine that into a piece of hardware that they've never heard of before and it's less appealing than an evening with Nosferatu.<br><br>My daughter (maybe my wife in her stead) continually blamed the old Netgear SPI firewall for all sorts of inconveniences until I drove over to her apartment and went through all of her problems. She hasn't turned it off in over a year now and doesn't really seem to know it's there anymore.<br><br>Now with me continually posting LinkLogger alert traffic reports and McAfee Webshield logs (selected days of course), I've had to install firewalls for almost every new broadband subscriber at work. (They found out the installation charge is only half a six-pack). I'm fairly certain that if I had really charged for my time none of them would have bothered. They get a free installation and I'm reasonably certain that they are not bringing anything unexpected into work. I guess the point of this paragraph is to say that education has a price. <br>We may be in a war, but the situation is not hopeless. The key to learning is repetition, 8x8 is 64, and internet access needs a firewall and antivirus.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9732306</guid>
<pubDate>Sat, 20 Mar 2004 17:52:58 EDT</pubDate>
</item>

<item>
<title>Re: It&#x27;s a BIG Bottom!</title>
<link>http://www.dslreports.com/forum/remark,9731761</link>
<description><![CDATA[<A HREF="/useremail/u/360338"><b>jvmorris</b></A> : Lest we forget, there was apparently a US-CERT alert on PhatBot, which I don't recall seeing myself.  Kinda makes ya wonder, doesn't it?<br><br>Okay at the moment the US-CERT alert on PhatBot can be found at &raquo;<A HREF="http://www.us-cert.gov/current/current_activity.html" >www.us-cert.gov/current/current_&middot;&middot;&middot;ity.html</A> .<br><SMALL>--<br>Regards,<br>    Joseph V. Morris</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9731761</guid>
<pubDate>Sat, 20 Mar 2004 16:37:00 EDT</pubDate>
</item>

<item>
<title>Re: It&#x27;s a BIG Bottom!</title>
<link>http://www.dslreports.com/forum/remark,9731736</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : If I was a larger company and had the cash kicking around then I would certainly consider joining.<br><br>One thing I'm wondering about is however does this now mean that CERT becomes a tiered service provider (ie members get first access to CERT postings) as I thought CERT was a federally funded research and development center.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9731736</guid>
<pubDate>Sat, 20 Mar 2004 16:33:51 EDT</pubDate>
</item>

<item>
<title>Re: It&#x27;s a BIG Bottom!</title>
<link>http://www.dslreports.com/forum/remark,9731677</link>
<description><![CDATA[<A HREF="/useremail/u/360338"><b>jvmorris</b></A> : I finally got through it after many interruptions and thought it might be a useful reference for some small business people, in particular.<br><br><SMALL>Now, Blake, I wouldn't do this for just anyone, but for you . . . Tellya what I'm gonna do!  I'm gonna open up a Paypal account and you can make twelve <B>easy</B> monthly payments of only $420!  Just include your bank account number, and . . . . :D :D  </SMALL><br><br>No, seriously, this is a legit organization, isn't it?  And I believe those fees are for business memberships, rather than individual memberships.<br><SMALL>--<br>Regards,    Joseph V. Morris</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9731677</guid>
<pubDate>Sat, 20 Mar 2004 16:26:23 EDT</pubDate>
</item>

<item>
<title>Re: It&#x27;s a BIG Bottom!</title>
<link>http://www.dslreports.com/forum/remark,9731621</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : Great article and articles, great find!!<br><br>$5,000 a year to become a lowly Associate??  $25,000 to be a full member?  $70,000 to become a sponsor???  I'll keep my membership to this forum as I can't afford to join the Internet Security Alliance so I just stay here with the guys that tell them about what's going on.  If I had that kind of money kicking around to join the Internet Security Alliance, I'd rather buy a new computer and some new development tools, but certainly if I was a bigger company then maybe, as it looks like a good start for helping security people make other people aware of the issues.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9731621</guid>
<pubDate>Sat, 20 Mar 2004 16:19:58 EDT</pubDate>
</item>

<item>
<title>It&#x27;s a BIG Bottom!</title>
<link>http://www.dslreports.com/forum/remark,9730086</link>
<description><![CDATA[<A HREF="/useremail/u/360338"><b>jvmorris</b></A> : Blake,<br><br>Well, I was just hacking away through the news items at the top of the forum and ran across the IS Alliance article (which can be found at &raquo;<A HREF="http://www.isalliance.org/resources/papers/Common_Sense_sm_bus.pdf" >www.isalliance.org/resources/pap&middot;&middot;&middot;_bus.pdf</A> ).<br><br>Now, that's targeted toward small business owners, probably with little, if any IT staff (never mind security staff), but I see they've also got a paper for home users and another for 'higher-up' (but apparently non-technical) managers in larger organizations.<br><br>What I rather liked about the particular paper discussed above is the explicit treatment of costs (always a concern, even for the average home user) and the benefits (or cost-avoidance, if you prefer that term). Furthermore, I liked the use of the 'case history' method.  In other words, rather than talking in terms of technical abstractions about what <I>could</I> happen, they talked about documented cases (and the consequences).  All very non-technical, also. <br><br>When I've managed to get my hands on some data (from various sources), I've been struck repeatedly how much seems to come from IP addresses (talking non-spoofing instances here) that have no associated URL -- in other words most likely either individual/home users or very small businesses with no registered URL.<br><br>Sometimes, the 'assault' pattern is quite obviously linked to individual/home users by the times of day and days of week on which the intrusions become most prevalent.  However, other times, it looks more like these very self-same small businesses, which (most likely) only have their computers connected (probably via an ISP) during normal business hours (in the part of the world in which they operate).<br><br>At any rate, I invite anyone who's interested to browse through this paper and would be interested in your reactions.  
I'm only about 25% of the way through it at the moment, so I'm not going to provide any definitive recommendation at this point.<br><SMALL>--<br>Regards,    Joseph V. Morris</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9730086</guid>
<pubDate>Sat, 20 Mar 2004 12:40:43 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9729075</link>
<description><![CDATA[<A HREF="/useremail/u/425056"><b>jeisenberg</b></A> :  <BLOCKQUOTE><SMALL>said by  CoxCable4 <A HREF="/useremail/u/697933"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>I r 1337 h4x0r - ub3r 1337 u|7r4 g05u h4x0r s0s0<br> <HR></BLOCKQUOTE><br><br>Look!  It's an al-queda coded attack signal!  Scotty, take us to orange!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9729075</guid>
<pubDate>Sat, 20 Mar 2004 10:20:10 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9729034</link>
<description><![CDATA[<A HREF="/useremail/u/697933"><b>CoxCable4</b></A> : I r 1337 h4x0r - ub3r 1337 u|7r4 g05u h4x0r s0s0]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9729034</guid>
<pubDate>Sat, 20 Mar 2004 10:12:24 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9726103</link>
<description><![CDATA[<A HREF="/useremail/u/675365"><b>Bubba</b></A> :  <BLOCKQUOTE><SMALL>said by  Marilla <A HREF="/useremail/u/732377"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>more than half of people don't have the two most basic protections in place: firewalls and common sense.<HR></BLOCKQUOTE>That I feel is the uphill battle that has been spoken here on more than one occasion in the 2 plus years I have been here. If I had to guess a figure.... I would say there are 3/4 <I>or more</I> less knowledgeable folks on the Internet. The only thing I can do as a Security\Privacy minded user is to preach\teach to any and all family members and friends\co-workers of how nasty it is surfing Gore's Internet unless you have protection. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9726103</guid>
<pubDate>Fri, 19 Mar 2004 20:29:08 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9725674</link>
<description><![CDATA[<A HREF="/useremail/u/304237"><b>keith2468</b></A> : Man in the middle attacks are not something common.  They require major risk and effort in carrying them out.  They are something for high value targets to worry about.<br><br>For the rest of us:<br><br>1. I agree with the suggestion that ISPs should provide NAT like firewall protection for their retail customers at least.<br><br>This can be modems that include an NAT like function, or it can be further upstream.  (Hughes provides this kind of protection, with many of its customers being on non-routable 10.xxx.xxx.xxx IPs.)<br><br>2.  We need more IT professionals in management ranks.<br><br>Too many IT quality decisions are made by sales and marketing people, or users with no in-depth knowledge of the consequences of their decisions.<br><br>Sales and accounting types don't understand that re-writing code that works, say to remove undiscovered buffer overflow exploits, is important.  <br><br>They don't understand the need for continuing education.  <br><br>They don't understand that some professionals write better more maintainable code than others.  Instead they see us as an interchangeable commodity.<br><br>3.  This said, IT professionals need to learn how to understand user problems better.<br><br>Not everyone has the time or the inclination to learn about complex configuration and maintenance activities.<br><br>Running and maintaining a secure computer should be as easy as running and maintaining a car.<br><br>The defaults should be safe.<br><br>We should write general use software with novice users in mind -- if that is who we are selling to.<br><br>4.  Internet standards have to start requiring ISPs to provide anti-virus email filtering, although customers should have the option to turn it off.<br><br>If an ISP doesn't want to cooperate, fine.  They can offer insecure services but no longer be connected to the public Internet.<br><br>Internet security is a public health type issue.  
The class or person or organization spending the money may not be the one reaping most of the benefit, which is why we need enforced standards.<br><br>5.  Governments need to create and enforce reasonable anti-cracking laws.<br><br>Put a few of those who openly distribute viruses, trojans, and *detailed* how-tos in jail for a couple of months, or even weeks, and there will be a major reduction in the amount of virus traffic.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9725674</guid>
<pubDate>Fri, 19 Mar 2004 19:46:31 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9724766</link>
<description><![CDATA[<A HREF="/useremail/u/732377"><b>Marilla</b></A> :  <BLOCKQUOTE><SMALL>said by  Veneficus7 <A HREF="/useremail/u/781147"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>Do you think you are safe behind your firewall and NAT devices? They provide no protection for man-in-the-middle attacks or encrypted traffic. <HR></BLOCKQUOTE><br><br>Yeah... Gotta watch those man-in-the-middle attacks... you know, all those Swen, SoBig, SQL Slammer, MS Blaster, MyDoom, Code Red, etc etc etc etc... oh, wait.. none of those used packet sniffing... they all relied on the absence of properly configured firewalls, or the absence of properly configured users... Strange how we don't see lots of reports of Internet-crippling attacks using difficult-to-implement attacks that require physical locations, knowledge and ability in the TCP/IP stack itself, and respectable computing power... No; seems most of this stuff is really pretty simple; Find a hole, and plug at it.<br><br>If 1/2 of the cars in the world were left unlocked, with the keys in the ignition, car thieves wouldn't need to know how to break in or hotwire cars; That's how the Internet is now.. more than half of people don't have the two most basic protections in place: firewalls and common sense.<br><SMALL>--<br>Windows, Mac, Linux, BSD - just use the right tool for the right job... end the OS Politics!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9724766</guid>
<pubDate>Fri, 19 Mar 2004 18:04:50 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9724744</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : What does provide protection for a man in the middle attack?  Currently physical security of the network is an ISP issue and in fact since B&E/vandalism are easier to prosecute, this would be an example of deterrents somewhat working.<br><br>I would agree with you concerning ISPs as I can't figure out why Shaw (my ISP) doesn't do exactly what I'm doing so they can find and cleanup or otherwise shutdown infected systems on their network.  Run a firewall with logging and see what systems on their network are scanning out, how difficult can that be?  I'm sure they have systems which are running firewalls (ie their servers), so why not just add logging to them?<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9724744</guid>
<pubDate>Fri, 19 Mar 2004 18:01:30 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9724650</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> :  <BLOCKQUOTE><SMALL>said by  Bobby_Peru <A HREF="/useremail/u/827318"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>How about first getting ISP's to stop bitching about NAT Routers and Firewalls, and to stop asking people to disable them, though I hope this is on the way out, by now!<HR></BLOCKQUOTE>I would agree with this 100%.  If an ISP asks you to drop your firewall and then you become infected because of it, you should be able to bill your ISP for the clean up of your system.  Now if an ISP could guarantee that while my firewall was down for running of their diagnostics that no other traffic could hit my system then fine, otherwise I'm not dropping squat for them.  Right now we are tracking about a 100 scans/attacks per hour, so that works out to about 1 every 45 seconds or so.  Dropping your firewall for even a moment anymore could be bad and your ISP should know that.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9724650</guid>
<pubDate>Fri, 19 Mar 2004 17:51:50 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9723914</link>
<description><![CDATA[<A HREF="/useremail/u/781147"><b>Veneficus7</b></A> : Do you think you are safe behind your firewall and NAT devices? They provide no protection for man-in-the-middle attacks or encrypted traffic. You are only safe if you grab your computer, unplug all the cables, pour concrete on it and bury it.<br><br>I think ISP's have to be proactive not only providing more secure modem/router devices but also closely monitoring the traffic and providing honeypot devices. But again why would they spend more money to save your tax return or your honeymoon pictures? <br><br>Asking for some level of bottom-up approach is not unrealistic but again not everybody locks their car doors...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9723914</guid>
<pubDate>Fri, 19 Mar 2004 16:39:16 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9723728</link>
<description><![CDATA[<A HREF="/useremail/u/827318"><b>Bobby_Peru</b></A> :  <BLOCKQUOTE><SMALL>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR> ....  How much of a burden should the rest of society carry for people who become infected because of poor security practices?   <HR></BLOCKQUOTE><br><br>Good question Blake, but, while your OP was dealing with "Bottom Up" (ouch) security, it better be a fact that the set of folks with certain knowledge of the risks and certain ability to most easily mitigate (not eliminate) at least some of the many damage "vectors" is that of the Vendors.  So, also, how much of a burden should the rest of society carry for companies that have sold, and continue to sell o/'s and applications that almost facilitate infection infestations because of poor security implementations, out-of-the-box configurations, and their abysmal user education programs?  Not disagreeing with you...<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> Should credit card company base the limit to how much you are personally liable for fraud on if you have a firewall and AV for example?  Non smokers get a break on insurance for example, perhaps its time for a break for people who practice safe hex.  <HR></BLOCKQUOTE><br><br>The administrative side of this might be a deterrent, but yes, some economic incentive would certainly help, and could be instituted way before governmental "incentives".  I believe that if you leave the keys in your car's ignition, and your car is stolen, the normal intervening 3rd party criminal liability shields may not apply.  
Society makes a judgement that the convenience to the driver of being able to jump in the car and turn the key without first remembering to bring the key along, and then to insert it in the ignition, is outweighed by the risk this poses to others (in the key being present in the ignition in unattended cars), and so attempts to reduce such unwanted "risky" behavior.  <br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> ISP's could charge a higher rate for those users without firewalls so they can hire more support and security personnel perhaps... <HR></BLOCKQUOTE><br>How about first getting ISP's to stop bitching about NAT Routers and Firewalls, and to stop asking people to disable them, though I hope this is on the way out, by now!  Do they still see supporting these protections as "costing" them more than the cost reduction they yield?  What if they "partner" with the major inexpensive NAT router manufacturers, and offer bigger savings on Routers, coupled with a small "rebate" monthly service price-reduction to make the Router "Free" if the customer stays with the service for 6 or so months.  Like you say, there are lots of options!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9723728</guid>
<pubDate>Fri, 19 Mar 2004 16:21:24 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9723195</link>
<description><![CDATA[<A HREF="/useremail/u/355439"><b>TheGiant</b></A> :  <BLOCKQUOTE><SMALL>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>  I'd be happy to put up a cheap NAT router on a network here for a demonstration of how to whack it, if anyone would like to demonstrate their kung fu.  So based on bang for the buck, NAT routers are not that bad, so please don't think I'm suggesting that you have to have the most expensive firewall on the planet to be reasonably safe.<br><br>Blake<br> <HR></BLOCKQUOTE><br>Put it up. :) I agree it's better than being wide open.  Unless the user has a clue a $50 NAT box or a $5000 PIX makes little difference. <br><SMALL>--<br>Maddox has come Home!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9723195</guid>
<pubDate>Fri, 19 Mar 2004 15:31:38 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9722745</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : Concerning P2P networks, they are an entirely different security problem (we don't allow any P2P here for all the obvious reasons).  We all know that people like stuff for free (I guess you should enjoy it while it lasts as they are removing motivation for a number of industries and I'm not just talking about the music industry), problem is so do hackers and so P2P networks have become a common infection vector for malicious code.<br><br>So if you download a copyrighted program that is infected off a P2P network, do you have a right to complain, whine or otherwise snivel about becoming infected yourself or when your ISP takes you offline for scanning/infecting other systems?<br><br>How much of a burden should the rest of society carry for people who become infected because of poor security practices?  Should credit card company base the limit to how much you are personally liable for fraud on if you have a firewall and AV for example?  Non smokers get a break on insurance for example, perhaps its time for a break for people who practice safe hex.  ISP's could charge a higher rate for those users without firewalls so they can hire more support and security personnel perhaps, or charge more for people using higher risk services like P2P networks?  There are lots of options here.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9722745</guid>
<pubDate>Fri, 19 Mar 2004 14:46:16 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9722155</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Well, yeah, dg2, except for what I said earlier:<br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> <br>Well, yeah, IF they continue to allow the users fine-grained control of that built in NAT service. Otherwise, if they were to start locking that NAT in place, it's a slippery slope towards a "Port 25 and Port 80/443 Outbound Only" world.<HR></BLOCKQUOTE><br><br>I guess I say "well, yeah" a lot.  On a less alarmist note, it's also not the greatest "standard" deployment because the NAT immediately keeps people from using many P2P networks which, like it or not, is a major reason people are buying broadband to begin with.  Not to mention videoconferencing, VOIP, personal web pages, etc.  Poking holes in a NAT router's not as easy as answering "Yes" to a ZoneAlarm prompt (not today anyway), so people would likely "DMZ" themselves right back into the wide open pickle they started in...<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9722155</guid>
<pubDate>Fri, 19 Mar 2004 13:43:25 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9722112</link>
<description><![CDATA[<A HREF="/useremail/u/937249"><b>dg2</b></A> : Which is why the idea came to me:<br><br>Most of us are sitting behind some sort of firewall.  In all likelihood, 50% or so of us are sitting behind a NAT router, which we purchased so we can hook multiple machines up to our broadband modem.<br><br>At the same time, there are thousands of zombies out there -- and I get the impression they're not behind any sort of firewall.  So why not integrate the devices (already been done) and issue those devices (or require them) as part of the service?  That puts nearly everyone who gets new broadband service behind a NAT router, which (I'm thinking) should help reduce the zombie population.<br><br>Once the device is installed, the "protection" is already in place, and requires little to no thought every time the user sits down at the machine.<br><br>Of course this is only one layer, and more are needed or helpful, but wouldn't it be better if everyone were behind at least one layer of protection?<br><br>Good discussion going here.  Let's keep it up.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9722112</guid>
<pubDate>Fri, 19 Mar 2004 13:38:58 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9722050</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Unfortunately, I suspect that the biggest problem comes from the teen-college student age range.  There are more of them online, and this is, by nature, a bulletproof age.  You can preach until you're blue in the face, but God's truth ... the majority aren't equipped by nature to listen.  If you can't get them to use condoms consistently in the face of HIV, Hepatitis, and pregnancy, do you really think you'll have success with preaching safe surfing?<br><br>Naturally, that doesn't excuse irresponsibility, nor does it mean that attempts at educating computer owners should be abandoned.  But I think that pressure really needs to be put onto software companies and computer manufacturers to make this stuff come out of the box more secure.  Most of the features that comprise the widest-open holes aren't used by the majority of casual surfers anyway.   You go to websites like Symantec for help, and get really "helpful" advice like "shut down unneeded services."  Great!  What services do I need, and how the heck does one find and shut them down?   I like to think that I'm slightly more savvy than the average owner, but the complexities are downright overwhelming.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9722050</guid>
<pubDate>Fri, 19 Mar 2004 13:32:24 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721589</link>
<description><![CDATA[<A HREF="/useremail/u/444625"><b>jansson_mark</b></A> :  <BLOCKQUOTE><SMALL>said by  anthrorules <A HREF="/useremail/u/874633"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>I don't blame "ignorant" people for making "mistakes" because they do not know any better, but I do blame "stupid" people who intentionally do not secure their systems and continue in risky Internet behaviour that affects others.<HR></BLOCKQUOTE><br>Information about viruses or other computer security stuff is in the news almost every week. It's there. Most people just don't care. It's like there are reminders about terrible road accidents in the news all the time and still some people drive very fast in bad weather, drink while driving, etc. etc.<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> Also, those who use their computers to wreak havoc on the Net (i.e., Hackers and Crackers), I blame them as well and they should be held liable for their activities.<HR></BLOCKQUOTE><br>That's pretty much like holding gun manufacturers responsible for killings that are done using guns.<br><SMALL>--<br>My computer security & privacy related homepage &raquo;<A HREF="http://www.markusjansson.net" >www.markusjansson.net</A> Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721589</guid>
<pubDate>Fri, 19 Mar 2004 12:40:27 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721579</link>
<description><![CDATA[<A HREF="/useremail/u/827318"><b>Bobby_Peru</b></A> :  <BLOCKQUOTE><SMALL>said by  jansson_mark <A HREF="/useremail/u/444625"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>For some strange reason, this same logic does NOT go with internet. People who don't know how to use computers and net use them anyway. And when they cause problems to other people, they don't have to pay for it.<HR></BLOCKQUOTE><br><br> <BLOCKQUOTE><SMALL>said by  anthrorules <A HREF="/useremail/u/874633"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR><br>I think that "intention" needs to be added into the mix. I don't blame "ignorant" people for making "mistakes" because they do not know any better, but I do blame "stupid" people who intentionally do not secure their systems and continue in risky Internet behaviour that affects others. Also, those who use their computers to wreak havoc on the Net (i.e., Hackers and Crackers), I blame them as well and they should be held liable for their activities. <HR></BLOCKQUOTE><br><br>Seems like both these thoughts are correct.  While it is true that ignorance is a huge problem, there must come a point past which such a lack of knowledge of even the most basic and simple facts that <B> are all readily ascertainable</B> (unless one is purposefully avoiding such information), a user (citizen, [edit: corporate official, corporation] elected and non-elected governmental official, armed force member, media....) 
is held accountable for damages resulting from his/her acts/omissions just <B>as if they did "know better"</B>, regardless of their actual state of knowledge or intent, under the theory that to act else-wise is simply so irresponsible, and grossly recklessly endangers others, as to either imply "knowledge" and "intent", or to deem the act or omission itself a violation and not require actual "knowledge" or "intent" (intent only to go online).]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721579</guid>
<pubDate>Fri, 19 Mar 2004 12:39:13 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721380</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Except that most people, possibly including me, expect us IT geek priests to handle the "security thing", making it as transparent as possible.<br><br>Our gripes notwithstanding, I really don't see that attitude changing any time soon...<br><br>It's not exactly the same as teaching safe driving -- there are only so many ways a truck can "come out of nowhere".  By contrast, Internet threats are ALWAYS evolving into new forms.<br><br>It's more like asking that everyone be trained in basic CDC pathogen identification and prevention.  Not a bad idea, come to think of it.  :)  But it's not gonna happen.  I'm not sure it should.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721380</guid>
<pubDate>Fri, 19 Mar 2004 12:20:23 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721341</link>
<description><![CDATA[<A HREF="/useremail/u/874633"><b>anthrorules</b></A> : Computer Science is already taught in the Elementary through High School level in the United States, not wide-spread, but there are quite a few school districts that do integrate computer technology in the classroom, not only as a peripheral teaching tool, but as another skill learning process. However, I don't know of any school district that explicitly teaches "computer security" or "internet security".<br><br>I agree that Internet security needs to start early, and not only the use in filtering technologies, which doesn't really instruct young minds about safe computing methods and practices.<br><SMALL>--<br>Earthlink/Direcway SRS - DW4000 | ver. 4.2.1.10 | Proxy/Port 83 | G4R | 970 | Dell Dimension 4550 - WinXP Pro SP1 - 768MB Ram |ZA+ 4.5 | AVG 7.0 - Resident | Bit Defender 7.1 Free - On-Demand |TDS-3 | Ad-Aware | SpyBot S&D | MailWasher Pro</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721341</guid>
<pubDate>Fri, 19 Mar 2004 12:15:40 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721197</link>
<description><![CDATA[<A HREF="/useremail/u/824136"><b>gkweb</b></A> : Great post :)<br><br>As you said, communication is the key.<br>Personally I would imagine that computer science and security could be learned at school, like languages or maths. I think that teaching young users early how to secure themselves would be a great improvement in global Internet security.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721197</guid>
<pubDate>Fri, 19 Mar 2004 12:00:12 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721102</link>
<description><![CDATA[<A HREF="/useremail/u/874633"><b>anthrorules</b></A> : <EM>For some strange reason, this same logic does NOT go with internet. People who don't know how to use computers and net use them anyway. And when they cause problems to other people, they don't have to pay for it.</EM><br><br>I think that "intention" needs to be added into the mix. I don't blame "ignorant" people for making "mistakes" because they do not know any better, but I do blame "stupid" people who intentionally do not secure their systems and continue in risky Internet behaviour that affects others. Also, those who use their computers to wreak havoc on the Net (i.e., Hackers and Crackers), I blame them as well and they should be held liable for their activities.<br><SMALL>--<br>Earthlink/Direcway SRS - DW4000 | ver. 4.2.1.10 | Proxy/Port 83 | G4R | 970 | Dell Dimension 4550 - WinXP Pro SP1 - 768MB Ram |ZA+ 4.5 | AVG 7.0 - Resident | Bit Defender 7.1 Free - On-Demand |TDS-3 | Ad-Aware | SpyBot S&D | MailWasher Pro</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721102</guid>
<pubDate>Fri, 19 Mar 2004 11:48:31 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721078</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Except that the necessary political structures required to police the licensing of Internet users are exactly those structures that would have inhibited the growth of the Internet, not to mention most of your security hobby!<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721078</guid>
<pubDate>Fri, 19 Mar 2004 11:45:41 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9721014</link>
<description><![CDATA[<A HREF="/useremail/u/444625"><b>jansson_mark</b></A> : As I have said before, people who cause trouble to other people should be made to pay for it. If someone's computer gets infected with a trojan that spams me, well... If that person would have to pay me, he would have some motivation to LEARN about computer security and do something about it. Of course, they can't ever be 100% safe, but come on... As long as people who create havoc to the net don't have to pay, they don't care. It's as simple as that. <br><br>Nobody thinks that people who don't know how to drive should drive a car, because they can and will damage other people and cause problems. Everybody can agree, that if they do it anyway, at least they should pay for the damages they cause.<br><br>For some strange reason, this same logic does NOT go with internet. People who don't know how to use computers and net use them anyway. And when they cause problems to other people, they don't have to pay for it.<br><SMALL>--<br>My computer security & privacy related homepage &raquo;<A HREF="http://www.markusjansson.net" >www.markusjansson.net</A> Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9721014</guid>
<pubDate>Fri, 19 Mar 2004 11:38:45 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720919</link>
<description><![CDATA[<A HREF="/useremail/u/537492"><b>antiserious</b></A> :  <BLOCKQUOTE><SMALL>said by  dg2 <A HREF="/useremail/u/937249"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR> When we signed up for DSL at the office, we had an option of receiving a DSL modem or a combined DSL modem/router. Similar devices exist for Cable.<br><br>If we're having all these problems with people who aren't behind a firewall (in this case a NAT router), why not require them to take the combination modem/router? The idea is this -- when you sign up, the ISP asks "Do you currently have a router?" If no, then they automatically get the combo unit. If yes, and the ISP can be satisfied with it, they get the modem only.<br><br>I know there are details which would have to be worked out, but why wouldn't this help?  <HR></BLOCKQUOTE><br> <br>... Verizon offers the Westell 2000 in some areas, which has simple firewall capabilities, but they don't recommend using that feature, nor do they support it ... they also told me Westell doesn't 'support' it either (as if I could get through to westell to ask) ... so that diminishes its effectiveness ... I activated it anyway (simple 'low' setting, no rules), and ZoneAlarm Pro went silent - which is lovely - but I'm having some small issues and there's nobody available to help ... so a good idea, poorly formed ... as Verizon tech support said to me, they can only work with their network, and even though THEY supplied this equipment they don't feel this is under their support umbrella ...<br> <br>.... while your idea has merit, as does Link Logger's, where would the support come from? ... I'm trying to learn as much as I can, but I'm reluctant to muck around with the equipment and settings (and I LOVE to muck around) with no backup ... <br> <br>... f w i w ...<br> <br><SMALL>--<br>... "I don't wanna go Uptown, baby ... all the friends I got are Downtown anyway" ... 
william topley</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720919</guid>
<pubDate>Fri, 19 Mar 2004 11:27:49 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720830</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> : <br>Well, yeah, IF they continue to allow the users fine-grained control of that built in NAT service.  Otherwise, if they were to start locking that NAT in place, it's a slippery slope towards a "Port 25 and Port 80/443 Outbound Only" world.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720830</guid>
<pubDate>Fri, 19 Mar 2004 11:17:14 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720788</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : I have wondered this myself as to why can't I have one unit that combines my cable modem and router/firewall it only makes sense and certainly reduces the amount of cabling and such (network cable from modem to firewall and one power cable as well, likely save a bit on the power bill as well).  I know some ISPs are moving in this direction, but the more the better.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720788</guid>
<pubDate>Fri, 19 Mar 2004 11:13:11 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720762</link>
<description><![CDATA[<A HREF="/useremail/u/229804"><b>B</b></A> :  <BLOCKQUOTE><SMALL>said by  Link Logger <A HREF="/useremail/u/356416"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><HR>Sure, people talk tough, but as I've asked before, does anyone here know how to whack even the cheapest of NAT routers available today?  I'd be happy to put up a cheap NAT router on a network here for a demonstration of how to whack it, if anyone would like to demonstrate their kung fu.<br> <HR></BLOCKQUOTE><br><br>Yes!  Thanks for talking straight, Blake, against a sea of leet hacker FUD.<br><br>Vive le cheapo NAT router!  It does the job.<br><br>-- B<br><SMALL>--<br>In a realm outside causality and function</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720762</guid>
<pubDate>Fri, 19 Mar 2004 11:09:25 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720695</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : Sorry, my bad, I should have mentioned that I'm including NAT routers in my definition of a firewall (ya I know it's not really a firewall, but it functions like one for inbound traffic at least).  They might not be as good, but they still stop script kiddies cold as well as most hackers.  Sure, people talk tough, but as I've asked before, does anyone here know how to whack even the cheapest of NAT routers available today?  I'd be happy to put up a cheap NAT router on a network here for a demonstration of how to whack it, if anyone would like to demonstrate their kung fu.  So based on bang for the buck, NAT routers are not that bad, so please don't think I'm suggesting that you have to have the most expensive firewall on the planet to be reasonably safe.<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720695</guid>
<pubDate>Fri, 19 Mar 2004 11:01:58 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720650</link>
<description><![CDATA[<A HREF="/useremail/u/879997"><b>dadkins</b></A> : <I>"(before any of you Mac, Linux or open source guys figure your vendor/solution is the holy grail of security read US-Cert's summary of security items from March 3 to March 16th for example as it appears you have security problems just like everyone else so there is no need to get into a p*ssing match over open source, vendors etc as it appears we are all in the same boat here)"</I><br><br>;)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720650</guid>
<pubDate>Fri, 19 Mar 2004 10:56:50 EDT</pubDate>
</item>

<item>
<title>Re: Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720618</link>
<description><![CDATA[<A HREF="/useremail/u/937249"><b>dg2</b></A> : I agree with your premise, but would like to pitch in the following thought (previously posted in the Cox HSI forum, but seems relevant here.)<br><br>When we signed up for DSL at the office, we had an option of receiving a DSL modem or a combined DSL modem/router. Similar devices exist for Cable.<br><br>If we're having all these problems with people who aren't behind a firewall (in this case a NAT router), why not require them to take the combination modem/router? The idea is this -- when you sign up, the ISP asks "Do you currently have a router?" If no, then they automatically get the combo unit. If yes, and the ISP can be satisfied with it, they get the modem only.<br><br>I know there are details which would have to be worked out, but why wouldn't this help?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720618</guid>
<pubDate>Fri, 19 Mar 2004 10:52:56 EDT</pubDate>
</item>

<item>
<title>Bottom up security</title>
<link>http://www.dslreports.com/forum/remark,9720559</link>
<description><![CDATA[<A HREF="/useremail/u/356416"><b>Link Logger</b></A> : Fact, it is impossible to totally secure the internet.  OS manufacturers, software companies, ISP, etc can only do so much to secure the internet (before any of you Mac, Linux or open source guys figure your vendor/solution is the holy grail of security read US-Cert's summary of security items from March 3 to March 16th for example as it appears you have security problems just like everyone else so there is no need to get into a p*ssing match over open source, vendors etc as it appears we are all in the same boat here), so a top down approach to securing the internet is only going to get so far, and that is a reality that we have to deal with.<br><br>So the question is how to make up on this gap in internet security?  Well as we have been saying here for years, users have to be responsible for at least some of their own security, bottom up security.  This is similar to security for your physical home.  It is impossible to put police on every doorstep to ensure the security of your home (top down) so you as a responsible home owner put locks on your doors, and ensure your windows are secure etc (bottom up).  Users on the internet just have to accept that some security is their responsibility and start using AntiVirus, firewalls and safe hex (when you go to work, do you leave the doors open at home).  Now granted even with some bottom up security the internet will never be totally secure just as your home is never totally secure, but there will come a point, as there has with home security, that a balance occurs between costs and risks and that will happen on the internet as well, but right now I don't think that balance exists now.  
Worse, I don't think most people understand how out of balance internet security is.<br> <br>Of course the problem here is I'm preaching to the choir, but somehow we need to be able to communicate to others that internet security is a problem, but there are some easy solutions that provide reasonable security at a reasonable.  This has been one of my goals for reporting and showing attacks here as I hope that it helps people to understand that attacks are real and that they are seeing them too if they bothered to take a look at their traffic or logs (communication is key to the solution).  Being an intrusion sort of guy (meaning I tend not to report on email attacks, as those are AV and user education problems and are fixable and there are people here who cover those better than I could), every attack I've reported here would have been defeated with the proper use of a firewall.  Fact, script kiddies don't know how to get past firewalls, most hackers know they can't get past firewalls, so why not run a firewall?<br><br>Blake<br><SMALL>--<br>Vendor: Firewall Logging Software &raquo;<A HREF="http://www.SonicLogger.com" >www.SonicLogger.com</A> - SonicWall and 3Com &raquo;<A HREF="http://www.LinkLogger.com" >www.LinkLogger.com</A> - Linksys, Netgear and Zyxel</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,9720559</guid>
<pubDate>Fri, 19 Mar 2004 10:47:24 EDT</pubDate>
</item>

</channel>
</rss>
