 WildcatboyPremium,Mod join:2000-10-30 Toronto, ON kudos:2 Host: Security Product V.. Security
| reply to DixieWins
Re: firewall protection and Linksys router
It's always a good idea to have a software firewall as a backup. NAT can be broken into. It also offers no protection at all for outbound attempts such as spyware or Trojans trying to call out, etc. Something as simple as ZA on each station can go a long way in keeping you secure. |
|
 | Thanks for your info. If I use ZA, are there any compatibility issues I should know about with Linksys and ZA? I have no experience with ZA and that type of software and am still learning more about this router every day.
I had DSL service for 3 weeks before I could access it - series of faulty Linksys routers / cable problems / phone co problems. It works now and I don't want it blowing up in my face, but the safety issues do concern me.
Many thanks!
|
|
 ergibbsTo Be FreePremium,ExMod 2001-05 join:2001-03-07 on the ocean kudos:1 | ZA will integrate just fine - it's software that runs off the target machine and waits for the traffic to try and pass through it. It doesn't know who LinkSys is, or what it does for a living.  -- Having children is like being pecked to death by a duck. |
|
 Nick8Premium join:2001-03-17 UK | reply to Wildcatboy said by Wildcatboy:
NAT can be broken into
WCB. I have been looking into this for a while and so far have found no (useful) way to break NAT. I was fairly convinced that it's actually impossible (presuming a dynamic table with no static mappings). If you know of a way to penetrate it please tell me!! |
|
|
|
 ergibbsTo Be FreePremium,ExMod 2001-05 join:2001-03-07 on the ocean kudos:1 | said by mbcx8nlp: If you know of a way to penetrate it please tell me!!
I can't tell you how to do it, but this article describes how it can be done. -- Having children is like being pecked to death by a duck. |
|
 Nick8Premium join:2001-03-17 UK
| The article addresses general security issues and why you cannot rely solely upon NAT. The reasons stated are why I run Tiny behind it. However, it does not provide a mechanism to penetrate NAT (by penetrate I mean get packets past it that do not have an entry in the table - unrequested packets). The security risks are that of hostile code (of course outbound connections are not controlled) and abuse of an internally initiated connection to a hostile site (even a full stateful firewall can't protect against this - more an issue of browser security and surfing habits). I am not so sure that packets with spoofed local source IPs would get forwarded past NAT. The packets would not have an entry in the table and would therefore be blocked. The rest of the concerns are with forwarded ports, which by definition, are not protected by NAT.
I am not saying that NAT is an all-in-one security solution, but I am fairly convinced that NAT cannot be "broken into". The one mechanism I have thought of is similar to the hostile site situation: one could inject packets of spoofed source address into an internally initiated connection. Obviously, the injector would have to be on the route between you and the destination. AFAIK the worst case results would be crashing of the client application or possibly the computer. The attacker would really have to be at the destination site (most routers aren't too nasty). Also the connection would have to be relatively long-lived (a download or something). As such, I think this is extremely unlikely and of little consequence anyway - just a theoretical way to get unrequested packets past NAT.
[text was edited by author 2001-06-13 12:12:33] |
|
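Added example (not part of any post in this thread): a toy Python model of the dynamic NAT table discussed above, showing which inbound packets find a table entry, that outbound flows are never filtered, and that forwarded ports bypass the table. All addresses, ports and names are constructed, and the model assumes the router matches replies on remote address and port; some devices match less strictly.

```python
# Added illustration: toy model of a NAT router's dynamic translation table.
# Addresses, ports and class names are constructed for this example.
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"  # constructed public address (documentation range)

@dataclass
class NatRouter:
    static_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)  # (wan_port, remote) -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Any LAN host may open a flow; NAT applies no outbound policy."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(wan_port, (remote_ip, remote_port))] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, src_ip, src_port, wan_port):
        """Return the LAN destination, or None if the packet is dropped."""
        # Replies to an internally initiated flow match a dynamic entry.
        hit = self.table.get((wan_port, (src_ip, src_port)))
        if hit:
            return hit
        # Statically forwarded ports are delivered regardless of source.
        return self.static_forwards.get(wan_port)

def demo():
    nat = NatRouter(static_forwards={8080: ("192.168.1.50", 80)})
    results = {}
    # 1. Unrequested packet, even claiming a LAN source address: no entry, dropped.
    results["unsolicited"] = nat.inbound("192.168.1.20", 1234, 40000)
    # 2. A workstation (or spyware on it) calls out; the reply is let back in.
    port = nat.outbound("192.168.1.20", 5000, "198.51.100.7", 443)
    results["reply"] = nat.inbound("198.51.100.7", 443, port)
    # 3. A different remote host aiming at the same WAN port does not match.
    results["other_host"] = nat.inbound("198.51.100.99", 443, port)
    # 4. Forwarded port: reachable by anyone, so the LAN host must defend itself.
    results["forwarded"] = nat.inbound("198.51.100.99", 5555, 8080)
    return results

if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:12} -> {dest or 'DROPPED'}")
```

Case 2 is the gap a per-host software firewall covers: the router creates the table entry for any program on the LAN that initiates a connection.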
 PinanPremium,ExMod 2000-03 join:2000-09-02 Murrieta, CA kudos:1 | reply to DixieWins I use both (Linksys & ZA) with no problems, and a stealth rating.:) |
|