Router
Although I use only one computer. I would like to add a router for the
firewall protection.
Any specific suggestions?
Thanks for the help.
Re: Router
Tom In Maine wrote:
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
Yes: reconsider this stupid idea
Re: Router
"Tom In Maine" wrote in message
news:sltho35gbdvfs3irt8n53hflf44ebhese9 [at] 4ax.com...
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
>
> Thanks for the help.
Linksys, Netgear, or D-link -- a FW-router, and whatever you get make sure
you get one that meets the specs in the link for *What does a FW do.
Netgear makes an ICSA FW router, that will meet the specs.
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
Re: Router
In article <sltho35gbdvfs3irt8n53hflf44ebhese9 [at] 4ax.com>, <Tom In Maine> wrote:
>Although I use only one computer. I would like to add a router for the
>firewall protection.
>
>Any specific suggestions?
>
>Thanks for the help.
I agree.
Any home broadband gateway that you can get on ebay or in the
dumpster will work.
Re: Router
Tom In Maine wrote:
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
I'll try to be a little more helpful than Sebastian.
If you are just using this computer for normal home use (I.E, no Top
Secret nuclear weapons documents, etc...), most of the routers you'll
find at Best Buy will be fine. If you don't have a laptop (and don't
plan on getting one soon), don't get a wireless router.
This will HELP protect you from 95% of the random internet trash out
there, like port scanners.
If a LIVE person really decides they want to break into your network,
a router won't be too tough to get through. You will still need to
practice good security on your PC. For example, don't store sensitive
information like account numbers or social security numbers on your hard
drive. Archive them to a CD-ROM. Don't make a list of all your
passwords to all the websites you go to and save it on your computer...
print it out, or archive it to a CD-ROM.
Sebastian will probably tell you that all you need to do is turn on
Windows Firewall. You should do this, too, but adding a router between
you and the Wild adds another layer of protection.
It's like your car. If you lock the doors, most thieves will move on
to a car that ISN'T locked.
Re: Router
On Sat, 12 Jan 2008 18:54:18 +0100, "Sebastian G." <seppi [at] seppig.de>
wrote:
>Tom In Maine wrote:
>
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>
>
>Yes: reconsider this stupid idea
Thanks for your help. You can now put your head up your arse again.
Re: Router
On Sat, 12 Jan 2008 13:33:08 -0500, "Mr. Arnold" <MR.
Arnold [at] Arnold.com> wrote:
>
>"Tom In Maine" wrote in message
>news:sltho35gbdvfs3irt8n53hflf44ebhese9 [at] 4ax.com...
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>>
>> Thanks for the help.
>
>Linksys, Netgear, or D-link -- a FW-router, and whatever you get make sure
>you get one that meets the specs in the link for *What does a FW do.
>
>Netgear makes an ICSA FW router, that will meet the specs.
>
>http://www.vicomsoft.com/knowledge/reference/firewalls1.html
Thanks that was a very informative link.
Re: Router
On Sat, 12 Jan 2008 13:10:55 -0600, "Ryan P."
<rpaque [at] delete.this.part.wi.rr.com> wrote:
>Tom In Maine wrote:
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
> I'll try to be a little more helpful than Sebastian.
>
> If you are just using this computer for normal home use (I.E, no Top
>Secret nuclear weapons documents, etc...), most of the routers you'll
>find at Best Buy will be fine. If you don't have a laptop (and don't
>plan on getting one soon), don't get a wireless router.
It will definitely be NOT wireless.
>
> This will HELP protect you from 95% of the random internet trash out
>there, like port scanners.
>
> If a LIVE person really decides they want to break into your network,
>a router won't be too tough to get through. You will still need to
>practice good security on your PC. For example, don't store sensitive
>information like account numbers or social security numbers on your hard
>drive. Archive them to a CD-ROM. Don't make a list of all your
>passwords to all the websites you go to and save it on your computer...
>print it out, or archive it to a CD-ROM.
All reasonable things that I do now. Thanks for enumerating them.
> Sebastian will probably tell you that all you need to do is turn on
>Windows Firewall. You should do this, too, but adding a router between
>you and the Wild adds another layer of protection.
I just ignored him.
> It's like your car. If you lock the doors, most thieves will move on
>to a car that ISN'T locked.
Excellent points.
Thank you very much.
Re: Router
In article <fa5io31lff29nnu3v1tlb1m4duv6dl7fh1 [at] 4ax.com>, <Tom In Maine> wrote:
>On Sat, 12 Jan 2008 13:33:08 -0500, "Mr. Arnold" <MR.
>Arnold [at] Arnold.com> wrote:
>
>>
>>"Tom In Maine" wrote in message
>>news:sltho35gbdvfs3irt8n53hflf44ebhese9 [at] 4ax.com...
>>> Although I use only one computer. I would like to add a router for the
>>> firewall protection.
>>>
>>> Any specific suggestions?
>>>
>>> Thanks for the help.
>>
>>Linksys, Netgear, or D-link -- a FW-router, and whatever you get make sure
>>you get one that meets the specs in the link for *What does a FW do.
>>
>>Netgear makes an ICSA FW router, that will meet the specs.
>>
>>http://www.vicomsoft.com/knowledge/reference/firewalls1.html
>
>Thanks that was a very informative link.
>
Unless you run servers or do something else that is beyond the average
user's activity, you don't need any more of a firewall than NAT
translation gives you and every home router with more than one local
LAN jack gives you that.
Find someone that's gotten a WiFi router and has a wire-only router on
the shelf, somewhere.
Re: Router
Ryan P. wrote:
> If you are just using this computer for normal home use (I.E, no Top
> Secret nuclear weapons documents, etc...), most of the routers you'll
> find at Best Buy will be fine.
What about no router and no firewalling at all? Such things are utterly
pointless for normal home use, hence he should save his money and optionally
invest it in something he really needs or wants.
> This will HELP protect you from 95% of the random internet trash out
> there, like port scanners.
Who cares, as long as the rest 5% get through and will cause trouble?
> Sebastian will probably tell you that all you need to do is turn on
> Windows Firewall. You should do this, too, but adding a router between
> you and the Wild adds another layer of protection.
The router adds exactly zero protection.
> It's like your car. If you lock the doors, most thieves will move on
> to a car that ISN'T locked.
Except that a router doesn't add any security.
Re: Router
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
>
> Thanks for the help.
I'm using a Netgear WGR 614. Along with NAT it offers SPI (stateful packet
inspection), and the option to turn off response to ping and UPnP. It does
support wireless, however the radio can be turned off if you don't need it.
If/when you do you can enable WPA2 encryption. This router only costs $39.
This is so affordable that I don't see the point of using a previous
generation router without the more advanced firewall options. JMHO of
course.
Re: Router
On Sat, 12 Jan 2008 21:34:29 +0100, Sebastian G. wrote:
> The router adds exactly zero protection.
>
>> It's like your car. If you lock the doors, most thieves will move on
>> to a car that ISN'T locked.
>
>
> Except that a router doesn't add any security.
I totally agree with you Sebastian, the companies try to suggest security
is a drag and drop thing. As you can see these tactics help to sell the
most crap.
cheers
Re: Router
In article <fmd6mm$6mg$01$2 [at] news.t-online.com>,
Burkhard Ott <b.ott [at] derith.de> wrote:
>On Sat, 12 Jan 2008 21:34:29 +0100, Sebastian G. wrote:
>
>
>> The router adds exactly zero protection.
>>
>>> It's like your car. If you lock the doors, most thieves will move on
>>> to a car that ISN'T locked.
>>
>>
>> Except that a router doesn't add any security.
>
>I totally agree with you Sebastian, the companies try to suggest security
>is a drag and drop thing. As you can see these tactics help to sell the
>most crap.
>
>cheers
A router doesn't, but any home broadband gateway with more than one
RJ45 jack on the inside ever made is going to run NAT and NAT is a
drop-dead firewall for incoming connections.
That's exactly what the vast majority of retail computer users need as
a big part of a safe computing regime.
Re: Router
Al Dykes wrote:
> A router doesn't, but any home broadband gateway with more than one
> RJ45 jack on the inside ever made is going to run NAT and NAT is a
> drop-dead firewall for incoming connections.
Apparently you don't understand how NAT works. Dropping an incoming packet
is only done if others means of routing the packet fail:
- existing NAT states (denote that this can be triggered at the client)
- Layer 7 protocol helpers
- a DHCP's server knowledge about connected clients
- UPnP and network topology discovery
- guessing the most likely target (!)
> That's exactly what the vast majority of retail computer users need as
> a big part of a safe computing regime.
Nonsense. The vast majority abuses MSIE as a webbrowser, MSOE as a
newsreader, Windows Messenger as IM and Windows Media Player as media
player, and a router doesn't change anything about this trivial exploitability.
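The lookup order this post describes can be sketched as a toy model. This is an added example, not part of the original thread and not any vendor's firmware; the class, table names, DMZ-host setting and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, int]  # (lan_ip, lan_port)


@dataclass
class NatGateway:
    """Toy model of a home NAT gateway's inbound lookup (hypothetical names)."""
    # (proto, wan_port, remote_ip, remote_port) -> target, created by LAN traffic
    states: Dict[Tuple[str, int, str, int], Target] = field(default_factory=dict)
    # (proto, wan_port) -> target, pre-authorised by a layer-7 protocol helper
    expectations: Dict[Tuple[str, int], Target] = field(default_factory=dict)
    # (proto, wan_port) -> target, static forwards or UPnP-requested mappings
    mappings: Dict[Tuple[str, int], Target] = field(default_factory=dict)
    dmz_host: Optional[str] = None  # default host for otherwise unmatched traffic

    def outbound(self, proto: str, lan_ip: str, lan_port: int,
                 remote_ip: str, remote_port: int) -> int:
        """A LAN client opens a flow; this is the state 'triggered at the client'."""
        wan_port = lan_port  # assumption: port-preserving translation
        self.states[(proto, wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def helper_expect(self, proto: str, wan_port: int,
                      lan_ip: str, lan_port: int) -> None:
        """A protocol helper allows one related inbound flow."""
        self.expectations[(proto, wan_port)] = (lan_ip, lan_port)

    def add_mapping(self, proto: str, wan_port: int,
                    lan_ip: str, lan_port: int) -> None:
        """A static port forward, or one requested by a LAN program via UPnP."""
        self.mappings[(proto, wan_port)] = (lan_ip, lan_port)

    def inbound(self, proto: str, wan_port: int, remote_ip: str,
                remote_port: int) -> Tuple[str, Optional[Target]]:
        """Return (reason, target). Drop happens only when every lookup fails."""
        hit = self.states.get((proto, wan_port, remote_ip, remote_port))
        if hit:
            return "state", hit
        hit = self.expectations.pop((proto, wan_port), None)  # one-shot
        if hit:
            return "helper", hit
        hit = self.mappings.get((proto, wan_port))
        if hit:
            return "mapping", hit
        if self.dmz_host:
            return "dmz", (self.dmz_host, wan_port)
        return "drop", None

    def exposure(self) -> List[str]:
        """Defender's view: inbound paths that need no matching outbound flow."""
        out = [f"mapping {p}/{port} -> {ip}:{lp}"
               for (p, port), (ip, lp) in sorted(self.mappings.items())]
        out += [f"helper {p}/{port} -> {ip}:{lp}"
                for (p, port), (ip, lp) in sorted(self.expectations.items())]
        if self.dmz_host:
            out.append(f"dmz * -> {self.dmz_host}")
        return out


def demo() -> List[str]:
    """Walk four constructed packets through a gateway at default settings."""
    gw, pc, results = NatGateway(), "192.168.1.10", []
    # 1. Unsolicited connection attempt, nothing configured: falls through to drop.
    results.append(gw.inbound("tcp", 8080, "203.0.113.7", 40000)[0])
    # 2. Reply to a flow the PC itself opened: forwarded via the state table.
    wan_port = gw.outbound("tcp", pc, 50123, "198.51.100.5", 443)
    results.append(gw.inbound("tcp", wan_port, "198.51.100.5", 443)[0])
    # 3. Same WAN port but a different remote endpoint: no state, so drop.
    results.append(gw.inbound("tcp", wan_port, "203.0.113.7", 443)[0])
    # 4. A program on the PC requested a mapping: packet 1 now gets through.
    gw.add_mapping("tcp", 8080, pc, 8080)
    results.append(gw.inbound("tcp", 8080, "203.0.113.7", 40000)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The `exposure()` list corresponds to what to review on a real gateway: port forwards, UPnP mappings, protocol helpers and any DMZ host setting.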
Re: Router
Tom In Maine writes:
> Although I use only one computer. I would like to add a router for the
> firewall protection.
>
> Any specific suggestions?
Hi Tom,
Don't let Sebastian's cheery demeanor and pedantry over terminology
dissuade you from a good idea of some hardware based protection
between you and the internet. Right after he tells you that what you
propose is a bad idea, he'll be sure to tell you that the "firewall"
software that is currently the only thing keeping your computer from
unsolicited internet traffic is completely inadequate.
What's your budget? If "under $100" is the target, a lot of folks
have used the Linksys BEFSR41 (wired) or WRT54GL (includes wireless
functionality) to good success. Both include a stateful packet
inspection hardware based firewall. It's not a "real" firewall in the
way boxes costing several times this would be, but it's also largely a
plug and play effort versus spending a significant portion of your week
learning to configure it.
Wired only:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124001&Tpk=befsr41
Wireless as well, and the version that lets you grow into 3rd party
firmware if you ever decide to play with it:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124190
Best Regards,
--
Todd H.
http://www.toddh.net/
Re: Router
Todd H. wrote:
> Tom In Maine writes:
>
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>
> Hi Tom,
>
> Don't let Sebastian's cheery demeanor and pedantry over terminology
> dissuade you from a good idea of some hardware based protection
> between you and the internet.
It's not pedantry that makes a router not a protection...
> Right after he tells you that what you
> propose is a bad idea, he'll be sure to tell you that the "firewall"
> software that is currently the only thing keeping your computer from
> unsolicited internet traffic is completely inadequate.
Nonsense. After all, unsolicited traffic should not be a problem at all -
conversely, if it is, then a firewall can't help either.
Re: Router
In article <5v0rhoF1jv7mcU1 [at] mid.dfncis.de>, seppi [at] seppig.de says...
> Nonsense. After all, unsolicited traffic should not be a problem at all -
> conversely, if it is, then a firewall can't help either.
Except that most Windows users have computers that don't properly block
unsolicited traffic, and most are subject to very weak security
implementations.
A simple NAT router is protection against being reached by unsolicited
traffic and does a great job at it.
At the very least, a simple NAT router is the first line of defense for
home users.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free [at] rrohio.com (remove 999 for proper email address)
Re: Router
On Mon, 14 Jan 2008 06:32:50 -0500, Leythos wrote:
> At the very least, a simple NAT router is the first line of defense for
> home users.
no, that's not true, with the router the net behind that device is not more
or less secure, think about the zombies in bot nets.
don't all those users have NAT routers? ;)
cheers
Re: Router
In article <fmfie6$kqj$1 [at] el-srv04-CHE.srvnet.eastlink.de>,
Burkhard Ott <postmaster [at] derith.de> wrote:
>On Mon, 14 Jan 2008 06:32:50 -0500, Leythos wrote:
>
>
>> At the very least, a simple NAT router is the first line of defense for
>> home users.
>
>no, that's not true, with the router the net behind that device is not more
>or less secure, think about the zombies in bot nets.
>don't all those users have NAT routers? ;)
>
>
Good point. A NAT router is just part of the safe computing toolbox.
If you don't keep your software patched and then you click on an evil
email or website, poof, you're a zombie.
You need anti-virus software. I also use and recommend the etc/hosts
file distributed by these good folks. It blocks more than 7,000 sites
that are known to be evil in some way.
http://www.mvps.org/winhelp2002/hosts.htm
Anti-spyware gets run once in a while, too.
Re: Router
In article <fmfie6$kqj$1 [at] el-srv04-CHE.srvnet.eastlink.de>,
postmaster [at] derith.de says...
> On Mon, 14 Jan 2008 06:32:50 -0500, Leythos wrote:
>
>
> > At the very least, a simple NAT router is the first line of defense for
> > home users.
>
> no, that's not true, with the router the net behind that device is not more
> or less secure, think about the zombies in bot nets.
> don't all those users have NAT routers? ;)
Think about how the NAT means that the bots out on the net can't reach
the machine behind the NAT.
Once a machine is compromised all bets are off, but we're not talking
about compromised machines, we're talking about how to best keep from
being compromised.
A NAT router will allow you to be unreachable while you install your OS,
while you do many things, from behind it, so that you can configure your
machine to be more secure.
The inbound barrier is a MUST HAVE solution.
--
Leythos
Re: Router
On Mon, 14 Jan 2008 10:39:55 -0500, Leythos wrote:
> A NAT router will allow you to be unreachable while you install your OS,
depends on the router configuration, sometimes a firmware bug helps to
make your network reachable
> while you do many things, from behind it, so that you can configure your
> machine to be more secure.
it is the same security, if you download update files and your DNS is
poisoned you think your installation is safe...
> The inbound barrier is a MUST HAVE solution.
not really
cheers
Re: Router
In article <fmg0fr$qat$1 [at] el-srv04-CHE.srvnet.eastlink.de>,
Burkhard Ott <postmaster [at] derith.de> wrote:
>On Mon, 14 Jan 2008 10:39:55 -0500, Leythos wrote:
>
>> A NAT router will allow you to be unreachable while you install your OS,
>
>depends on the router configuration, sometimes a firmware bug helps to
>make your network reachable
>
>> while you do many things, from behind it, so that you can configure your
>> machine to be more secure.
>
>it is the same security, if you download update files and your DNS is
>poisoned you think your installation is safe...
>
>> The inbound barrier is a MUST HAVE solution.
>
>not really
When doing a fresh install, I have to be behind a firewall. I've seen
a new W2K machine infected via a viral probe minutes after it first
connected to the net, before the patches could be applied.
I've hooked up IP logging for attempts for incoming connections and
they pop up on a regular basis.
In my laptop, I have a PFW, A/V software, the hosts file from mvps.org
and I install patches as soon as they come out. And I pray.
Re: Router
Al Dykes <adykes [at] panix.com> wrote:
> When doing a fresh install, I have to be behind a firewall.
You do? I simply need to pull the network plug. Before getting updates
it's sufficient to not provide any services on the external interface.
You can do that either by yourself if you're knowledgeable enough, or you
can use the script from [1] or the program from [2].
I agree that it's probably more convenient to use a packet filtering
router instead, though.
> I've seen a new W2K machine infected via a viral probe minutes after
> it first connected to the net, before the patches could be applied.
That won't happen if the box doesn't have exploitable services available
on the external interface.
[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
[2] http://www.dingens.org/index.html.en
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
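The condition stated in this post, no services offered on the external interface, can be checked from `netstat -an` output. The following is an added example, not part of the original post and not the script or program it links to; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the layout Windows `netstat -an` prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      198.51.100.5:80        ESTABLISHED
  TCP    [::1]:1030             [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
"""


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'addr:port' or '[v6addr%scope]:port' into (addr, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and any scope id
    return host, int(port)


def external_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for sockets reachable from off-host.

    A socket counts when it is a TCP listener or a bound UDP socket and its
    local address is anything other than loopback. The wildcard addresses
    0.0.0.0 and :: count, because they bind every interface.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto = fields[0]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # established or closing connections are not listeners
        try:
            host, port = split_endpoint(fields[1])
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # unparseable endpoint; skip rather than guess
        if addr.is_loopback:
            continue  # reachable only from the machine itself
        found.append((proto, host, port))
    return sorted(found)


def offers_no_external_services(netstat_output: str) -> bool:
    """True when nothing is listening on a non-loopback address."""
    return not external_listeners(netstat_output)


if __name__ == "__main__":
    for proto, host, port in external_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port}")
```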
Re: Router
In article <fmg4ncUss5L2 [at] news.in-ulm.de>,
Ansgar -59cobalt- Wiechers <usenet-2008 [at] planetcobalt.net> wrote:
>Al Dykes <adykes [at] panix.com> wrote:
>> When doing a fresh install, I have to be behind a firewall.
>
>You do? I simply need to pull the network plug. Before getting updates
>it's sufficient to not provide any services on the external interface.
>You can do that either by yourself if you're knowledgeable enough, or you
>can use the script from [1] or the program from [2].
>
>I agree that it's probably more convenient to use a packet filtering
>router instead, though.
>
>> I've seen a new W2K machine infected via a viral probe minutes after
>> it first connected to the net, before the patches could be applied.
>
>That won't happen if the box doesn't have exploitable services available
>on the external interface.
>
>[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
>[2] http://www.dingens.org/index.html.en
>
It's much easier and safer to be behind a NAT box.
Re: Router
On 13 Jan 2008 19:30:05 -0600, comphelp [at] toddh.net (Todd H.) wrote:
>Tom In Maine writes:
>
>> Although I use only one computer. I would like to add a router for the
>> firewall protection.
>>
>> Any specific suggestions?
>
>Hi Tom,
>
>Don't let Sebastian's cheery demeanor and pedantry over terminology
>dissuade you from a good idea of some hardware based protection
>between you and the internet. Right after he tells you that what you
>propose is a bad idea, he'll be sure to tell you that the "firewall"
>software that is currently the only thing keeping your computer from
>unsolicited internet traffic is completely inadequate.
>
>What's your budget? If "under $100" is the target, a lot of folks
>have used the Linksys BEFSR41 (wired) or WRT54GL (includes wireless
>functionality) to good success. Both include a stateful packet
>inspection hardware based firewall. It's not a "real" firewall in the
>way boxes costing several times this would be, but it's also largely a
>plug and play effort versus spending a significant portion of your week
>learning to configure it.
Thanks Todd.
I decided to go with a Netgear RP614.
Thank you and everyone else who responded with help.
Re: Router
adykes [at] panix.com (Al Dykes) writes:
> In article <fmg4ncUss5L2 [at] news.in-ulm.de>,
> Ansgar -59cobalt- Wiechers <usenet-2008 [at] planetcobalt.net> wrote:
> >Al Dykes <adykes [at] panix.com> wrote:
> >> When doing a fresh install, I have to be behind a firewall.
> >
> >You do? I simply need to pull the network plug. Before getting updates
> >it's sufficient to not provide any services on the external interface.
> >You can do that either by yourself if you're knowledgeable enough, or you
> >can use the script from [1] or the program from [2].
> >
> >I agree that it's probably more convenient to use a packet filtering
> >router instead, though.
> >
> >> I've seen a new W2K machine infected via a viral probe minutes after
> >> it first connected to the net, before the patches could be applied.
> >
> >That won't happen if the box doesn't have exploitable services available
> >on the external interface.
> >
> >[1] http://www.ntsvcfg.de/ntsvcfg_eng.html
> >[2] http://www.dingens.org/index.html.en
> >
>
>
> It's much easier and safer to be behind a NAT box.
Yup.
--
Todd H.
http://www.toddh.net/
Re: Router
Al Dykes <adykes [at] panix.com> wrote:
> Ansgar -59cobalt- Wiechers <usenet-2008 [at] planetcobalt.net> wrote:
>> Al Dykes <adykes [at] panix.com> wrote:
>>> When doing a fresh install, I have to be behind a firewall.
>>
>> You do? I simply need to pull the network plug. Before getting
>> updates it's sufficient to not provide any services on the external
>> interface. You can do that either by yourself if you're knowledgeable
>> enough, or you can use the script from [1] or the program from [2].
>>
>> I agree that it's probably more convenient to use a packet filtering
>> router instead, though.
>>
>>> I've seen a new W2K machine infected via a viral probe minutes after
>>> it first connected to the net, before the patches could be applied.
>>
>> That won't happen if the box doesn't have exploitable services
>> available on the external interface.
>
> It's much easier and safer to be behind a NAT box.
Easier? Yes. And if you re-read my post you'll probably notice that I
already wrote that.
Safer? Not really. Depending on the implementation of the router's
firmware it may not even be equally safe.
cu
59cobalt
Re: Router
Al Dykes wrote:
> Good point. A NAT router is just part of the safe computing toolbox.
Since a NAT router doesn't provide any security by itself, I fail to see how
it could be part of a security concept. After all, NAT is supposed to
provide, not to limit connectivity (and the RFC explicitly states so).
> You need anti-virus software.
Need?
> I also use and recommend the etc/hosts file distributed by these good folks.
Which is about the most stupid suggestion of the month.
> Anti-spyware gets run once in a while, too.
Well, yeah, to show how incompetent it is. But where's the relation to
security? It's not like the output of such software would have any relevance
whatsoever.
Re: Router
Al Dykes wrote:
> When doing a fresh install, I have to be behind a firewall.
Huh? Why?
> I've seen a new W2K machine infected via a viral probe minutes
> after it first connected to the net, before the patches could be applied.
So what? After less than a second of running a configuration script you have
exactly zero open ports.
Even further, what about the packet filter facilities in Win2k? You have
IPFilter, RRAS firewall and IPsec.
> I've hooked up IP logging for attempts for incoming connections and
> they pop up on a regular basis.
So you're spamming yourself with useless log data?
> In my laptop, I have a PFW, A/V software, the hosts file from mvps.org
> and I install patches as soon as they come out. And I pray.
Well, you should. Any of these are so well-suited to hose your system.
Re: Router
In article <fmg691U2ksL1 [at] news.in-ulm.de>, usenet-2008 [at] planetcobalt.net
says...
> Safer? Not really. Depending on the implementation of the router's
> firmware it may not even be equally safe.
And yet, every day, we see how the ignorant are protected from
themselves and their exploitable OS by just such simple devices as NAT
Routers.
Sure, the sun could explode on Wednesday, but, as long as they have a
NAT Router in front of their connection there is a very good chance that
their boxes won't be reached by unsolicited traffic.
--
Leythos
Re: Router
Sebastian G. wrote:
>
> Even further, what about the packet filter facilities in Win2k? You have
> IPFilter, RRAS firewall and IPsec.
Admittedly, I'm not an expert by any means, but you have a history of
saying that software packet filters are easily circumvented, and is the
reason that all the software firewalls are useless?
Re: Router
Ryan P. wrote:
>> Even further, what about the packet filter facilities in Win2k? You have
>> IPFilter, RRAS firewall and IPsec.
>
> Admittedly, I'm not an expert by any means, but you have a history of
> saying that software packet filters are easily circumvented, and is the
> reason that all the software firewalls are useless?
The above are all host-based packet filters implemented purely in software
without any hardware acceleration. They are placed within the NDIS stack, so
they apply before the packets get addressed to the applications which
requested ports/sockets. They work absolutely well for the mentioned scenario.
What they can't address reliably, and therefore don't even try to, is
filtering outbound traffic, especially not by application.
Maybe you also twisted it a bit because many other packet filter
implementations from other vendors, commonly known as the "personal
firewall" crap, are horrible error-prone implementations that can be easily
circumvented, abused and exploited, both on the network and application level.
Re: Router
In article <fmg691U2ksL1 [at] news.in-ulm.de>,
Ansgar -59cobalt- Wiechers <usenet-2008 [at] planetcobalt.net> wrote:
>Al Dykes <adykes [at] panix.com> wrote:
>> Ansgar -59cobalt- Wiechers <usenet-2008 [at] planetcobalt.net> wrote:
>>> Al Dykes <adykes [at] panix.com> wrote:
>>>> When doing a fresh install, I have to be behind a firewall.
>>>
>>> You do? I simply need to pull the network plug. Before getting
>>> updates it's sufficient to not provide any services on the external
>>> interface. You can do that either by yourself if you're knowledgeable
>>> enough, or you can use the script from [1] or the program from [2].
>>>
>>> I agree that it's probably more convenient to use a packet filtering
>>> router instead, though.
>>>
>>>> I've seen a new W2K machine infected via a viral probe minutes after
>>>> it first connected to the net, before the patches could be applied.
>>>
>>> That won't happen if the box doesn't have exploitable services
>>> available on the external interface.
>>
>> It's much easier and safer to be behind a NAT box.
>
>Easier? Yes. And if you re-read my post you'll probably notice that I
>already wrote that.
>
>Safer? Not really. Depending on the implementation of the router's
>firmware it may not even be equally safe.
A NAT box set to factory defaults is a perfect block for attempted
incoming connections.
Re: Router
Al Dykes wrote:
> A NAT box set to factory defaults is a perfect block for attempted
> incoming connections.
For arbitrary stupid definitions of "perfect".
Re: Router
In message <fmfie6$kqj$1 [at] el-srv04-CHE.srvnet.eastlink.de> Burkhard Ott
<postmaster [at] derith.de> wrote:
>no, that's not true, with the router the net behind that device is not more
>or less secure, think about the zombies in bot nets.
>don't all those users have NAT routers? ;)
Most of the zombies on the market today were installed by a user.
Classic Trojan horse, no OS on the market is more or less secure against
a user with administrator/root rights and the will to use 'em.
Re: Router
In message <fmg1k4$qbi$1 [at] panix5.panix.com> adykes [at] panix.com (Al Dykes)
wrote:
>When doing a fresh install, I have to be behind a firewall. I've seen
>a new W2K machine infected via a viral probe minutes after it first
>connected to the net, before the patches could be applied.
Windows 2000, sure. In practice, with WinXP SP2 (and newer) that simply
hasn't been the case.
>In my laptop, I have a PFW, A/V software, the hosts file from mvps.org
>and I install patches as soon as they come out. And I pray.
My condolences.
Re: Router
DevilsPGD wrote:
> Windows 2000, sure. In practice, with WinXP SP2 (and newer) that simply
> hasn't been the case.
Wrong. There's a patchable vulnerability in the TCP/IP stack, which,
depending on the router's implementation, might be exploitable from the
outside. However, the risk is very low, since it would require the attacker
to sit within your ISP's network infrastructure to bypass their ingress
filtering.
Re: Router
Al Dykes <adykes [at] panix.com> wrote:
> Ansgar -59cobalt- Wiechers <usenet-2008 [at] planetcobalt.net> wrote:
>> Al Dykes <adykes [at] panix.com> wrote:
>>> It's much easier and safer to be behind a NAT box.
>>
>> Easier? Yes. And if you re-read my post you'll probably notice that I
>> already wrote that.
>>
>> Safer? Not really. Depending on the implementation of the router's
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> firmware it may not even be equally safe.
>
> A NAT box set to factory defaults is a perfect block for attempted
> incoming connections.
Either you didn't read, or you didn't understand what I wrote. Try
again.
You may also want to explain how that were safer than a box which simply
doesn't accept incoming connection attempts.
cu
59cobalt
Re: Router
On Tue, 15 Jan 2008 12:23:25 +0100, Sebastian G. wrote:
> Wrong. There's a patchable vulnerability in the TCP/IP stack, which,
> depending on the router's implementation, might be exploitable from the
> outside. However, the risk is very low, since it would require the attacker
you probably mean that?
http://www.securityfocus.com/bid/27100
Re: Router
In article <fmiaoeUmu0L1 [at] news.in-ulm.de>, usenet-2008 [at] planetcobalt.net
says...
> You may also want to explain how that were safer than a box which simply
> doesn't accept incoming connection attempts.
You may want to explain how you get a box, used by the ignorant masses,
the uneducated idiots, the 90% of the people that use a Windows PC, to
not accept inbound connections.....
Face it, a NAT router is going to be a better security implementation
than what the masses have the ability to do on their own.
--
Leythos