
Re: Routing



Chris Adams wrote:
Once upon a time, John Summerfield <debian herakles homelinux org> said:
1. Worm infection is less likely; you cannot (easily) infect my home or office computers because you cannot see them. Hiding behind NAT also protects your users from attacks on ssh, ms sqlserver and all those other things I see getting logged.

NAT is a special case of a stateful firewall (the difference is that NAT
is also a packet mangler).  If you are trying to block something, use a
firewall, but try to avoid mangling packets in the process.

In any case, a firewall or NAT only gives a little protection, even on
the office LAN.  As soon as the owner's high school kid comes in with a
notebook infected at his buddy's house, your NAT/firewall does no good.
Also, as long as you have end users, you have entry points (they'll
click on anything).

That is not how worms attack. Trojans, yes. Viruses another problem. I'm not talking here about viruses and trojans.

I've seen conflicting definitions, here are mine:

Viruses: malware generally spread by email.
Trojans: User installs this great program, that does things (usually) not disclosed.
Worms: spread autonomously. Code Red is a famous one from a few years ago. They need direct access to the victim. Thos Paine reported (on Vahalla list I think) that a Windows SBS system he was setting up couldn't stay uninfected long enough to download the latest fixes.

I've seen a virus work. The process worked by enumerating a list of users and passwords using (that I know of) ftp, smtp and ssh. Victims with vulnerable accounts got a GPL-licenced IRC bot installed (complete with source code), and the system proceeded to search for further victims. Where root's account was cracked, it also installed some binaries (which caused the system to crash, a good sign something was amiss) and sent email reporting the IP address of eth0 so the successful cracker could do more. Since the IP address was 192.168.0.x it wasn't very useful.



2. Does a redirect rule for SMTP not work?

That's SMTP.  You've now "solved" (with even more packet mangling) one
out of thousands of protocols.

That's spam and email-borne viruses. Both major problems.


In both cases though, you are still looking at a massively expensive
undertaking for an ISP.  We're a small ISP, and we handle around 200

Less than scanning incoming email, surely.

megabits per second of traffic.  Something that can even do stateful
firewalling (with all the necessary uptime, security, and redundancy) at
that level is not cheap; would you like your DSL or cable modem cost to
increase $50 this month?

Can you substantiate that figure?




--

Cheers
John

-- spambait
1aaaaaaa coco merseine nu  Z1aaaaaaa coco merseine nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

