June 28th, 2002, 08:34 AM
I currently have a basic Netgear NAT router. It's good, reliable, and does its job. However, I want to secure myself a little more than what NAT does. So I'm strongly considering a new firewall implementing stateful packet inspection. Why am I so paranoid? Well, I am nearly always on IRC, which is a packet/script kiddie haven. This new firewall I've seen (for a good price) claims to prevent Denial of Service (DoS) attacks such as Ping of Death/Teardrop, SYN Flood/LAND Attack, Smurf Attack, IP Spoofing, Port Scan, etc. It also incorporates NAT.
From what I can tell, NAT doesn't block DoS attacks. It just hides your internal network from the outside world. Will a stateful packet inspection firewall be a good investment over just a NAT firewall to increase security? But then again, I've heard nothing will protect you from DoS attacks. Your router will still get hit with the packets; it just won't respond (so it will still consume your bandwidth, thus knocking you off). Is this right? And should I get a stateful packet inspection router (with NAT) over a router with just NAT? Thanks.
June 28th, 2002, 08:42 AM
A better investment would be an old PC (e.g. a dusty old 486, etc.).
Install *nix and a 2.4.x kernel and play with iptables.
And it's very configurable!
Better than anything you could go out and buy unless you've got more $ than sense.
It can work with modem, ISDN, xDSL, and much, much more.
Manually editing your config files can break them. If this happens, you get to keep both pieces.
June 28th, 2002, 08:55 AM
Yeah, configuring iptables is extremely powerful and you can customize it to your specifications. I hear good things about OpenBSD, though I know that there are easy-to-use firewall scripts available for Linux. They come with some Red Hat books. Do some looking around for good *nix OSes.
June 28th, 2002, 09:09 AM
Would this be more secure than a stateful packet inspection hardware firewall? That would probably also depend on one's ability to configure it correctly. I've never done this, but hopefully I won't have problems after reading it over.
And also, wouldn't I need some sort of hub/switch to go with it? I have 3 PCs at home (2000, 98, and Linux) and I want them all to share my cable modem access. Getting a 2nd NIC and a hub/switch will be an investment, like the router would be.
June 28th, 2002, 07:52 PM
I think NAT is a lot more secure than some other people seem to think.
If you use NAT, your internal systems can *ONLY* be attacked if packets reach them via a NAT rule. If you use (as most NAT gateways do), a masquerading-style dynamic NAT rule, the only incoming packets which can reach an internal host are responses to its outgoing messages. (Of course static NAT rules such as port forwarding make this argument null and void)
There are some client attacks, of course, which cannot be prevented via this, so you should always keep client software patched (esp. browsers and IRC clients).
Stateful firewalls or any other type of firewalls can generally not prevent these attacks either, as they happen at the application layer.
Of course, having a NAT router doesn't prevent the router itself from being subject to attacks, therefore you should keep it patched too; however, the chances of a remote exploit are much lower given that the router itself probably offers few (if any) externally visible services.
IMHO the only level up from a NAT router with a decent config is to have a non-routing firewall which uses application layer proxies, which is a lot of effort because it's not at all transparent to client applications.
Additionally many client program attacks can get through one of these - so why bother?
June 28th, 2002, 08:06 PM
Originally posted here by slarty:
> I think NAT is a lot more secure than some other people seem to think.
I did buy an xDSL router and had no attacks anymore.
NAT did filter them out 100% till now! [Dec 2001 till this day]
I'm gone, thanks everyone for so much fun and good info.
Cheers and goodbye.
July 16th, 2002, 09:56 PM
You are right, very little can protect you from DoS attacks. (I assume you mean the traffic flooding type of DoS since a NATted device would be fairly well protected from DoS exploits).
Firewalls typically do not do the job. Usually, they just look at the packet to determine if the traffic is valid. They don't care how much traffic comes through. What you need is a device that uses a "clipping level" indicator. A clipping level is a value that you set in a device to tell it that too many of a certain type of event is occurring. Often, this type of setting can be found in an IDS, rather than a firewall. It will examine the packets on a network, looking for a type and quantity of traffic that exceeds the clipping level.
For example, if someone is trying to flood your workstation with pings, the device may detect that there have been 1000 pings in the last 10 seconds. With the clipping level set at 100 pings per 10 seconds, it will realize that you are under attack and take appropriate action. Many types of DoS can be detected this way.
Now that you have detected the DoS, the next problem is dealing with it. The good IDSs will be capable of paging you, emailing you, or even sending commands to your firewall to turn off the connection to the site sending the DoS (although that's usually pretty tricky).
A few people have mentioned the snort IDS here. I don't know if it offers clipping level functions. ISS has an IDS called RealSecure that does clipping levels (to a point). It will also try to talk to your firewall if a clipping level is hit.
Now, all that aside, if someone attacks your firewall with a DoS, you're usually out of luck. Even if you tell the firewall to ignore the source, it still has to examine and discard every packet that comes in, using up cycles and memory. Usually, your only option at that point is to call your ISP and ask them to filter out the traffic.
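The clipping-level idea from the post above, worked as an added example (this is not code from the thread or from any IDS product): a sliding window of event timestamps per source, with an alert the moment a source's count inside the window passes the configured level. The traffic is constructed to match the post's numbers, 1000 echo requests in 10 seconds against a level of 100 per 10 seconds, alongside a host pinging at a normal rate. Source addresses are RFC 5737 documentation ranges and are assumptions.

```python
"""Clipping-level flood detector (added illustration, not from the thread)."""
from collections import deque


class ClippingLevel:
    """Sliding-window counter for one event type from one source."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._events = deque()   # timestamps inside the window, oldest first

    def observe(self, ts):
        """Record one event at time ts; return True if the level is exceeded."""
        self._events.append(ts)
        # Evict everything that has fallen out of the window ending at ts.
        while self._events[0] <= ts - self.window_s:
            self._events.popleft()
        return len(self._events) > self.limit


def detect(events, kind="icmp-echo-request", limit=100, window_s=10.0):
    """events: iterable of (ts, src, kind). Returns {src: ts of first alert}.

    One detector per source, so a flooder cannot push a quiet host over the
    level; events are processed in time order regardless of input order.
    """
    detectors, alerts = {}, {}
    for ts, src, k in sorted(events):
        if k != kind:
            continue
        det = detectors.setdefault(src, ClippingLevel(limit, window_s))
        if det.observe(ts) and src not in alerts:
            alerts[src] = ts
    return alerts


def sample_traffic():
    """Constructed capture: a ping flood plus background traffic."""
    flood = [(i / 100, "198.51.100.7", "icmp-echo-request") for i in range(1000)]
    normal = [(t, "192.0.2.4", "icmp-echo-request") for t in (0.5, 2.5, 4.5, 6.5, 8.5)]
    other = [(3.0, "192.0.2.4", "tcp-syn")]          # wrong kind, must be ignored
    return flood + normal + other


def run_sample():
    """Flooder trips the level on its 101st packet, at t = 1.0 s."""
    return detect(sample_traffic())


if __name__ == "__main__":
    for src, ts in run_sample().items():
        print(f"{src}: clipping level exceeded at t={ts:.2f}s")
    # Caveat: a flooder can spoof its source address, so feeding these alerts
    # straight into a firewall block rule can lock out the host being
    # impersonated. Expire any automatic block and confirm it by hand.
```

The detector fires well before the flood is over (on the 101st packet, one second in), which is the point of a clipping level over a plain per-packet rule; the caveat in the trailing comment is why the post calls automatic firewall shunning "tricky".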
July 16th, 2002, 10:20 PM
I have a really old 386 sitting in my bedroom, which I would like to install Linux on and use as a firewall, but it has no NIC. My question: to use an old computer like that as a firewall, does it have to have 2 NICs (one in, and one out)? What's the exact physical setup with that?
Wouldn't putting an old 386 in there really slow down the connection speed?
Either get busy living or get busy dying.
-The Shawshank Redemption
July 16th, 2002, 10:43 PM
If you really want to go there...
You actually can do it all on one NIC, BUT I do NOT recommend it. Also, using a 386 is OK for home use, though I'd recommend at least a 486.
Here are some links you may find interesting if you're thinking about using Linux firewalls:
If you're looking for a quick firewall setup, I'd recommend you stay with a hardware-based appliance, as they are usually quick and easy. NAT will usually help protect you, as far as incoming attacks, unless you use forwarding NAT or PAT to allow incoming packets. You should also be careful of outgoing filters too, or better yet, have personal firewalls on your workstations to help protect you against trojans (most appliances allow all outgoing packets for simplicity's sake).
If you're interested in learning about Linux/firewalls, Linux iptables is the way to go (in my opinion; then again, I still like old ipchains *listens to the collective groans*). As far as DoS attacks, the best thing to do is not p!$$ off the wrong peeps, heh. Seriously, even with the best firewall (I like to use Watchguard when I don't use Linux iptables firewalls), if your bandwidth gets chewed up, there ain't too much to do for the average home user other than call your ISP. You might want to check out http://grc.com/dos/drdos.htm for some info on DoS attacks. Good luck to ya!
...to fly upon the wings of imagination is to have the key to the world...
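Both slarty's argument (masquerading lets in only replies to outbound traffic, and a port-forward rule voids that) and the warning in the post just above (appliances allow all outgoing packets, so a trojan's call-home sails through) come down to what a stateful NAT table does and does not match. The toy gateway below, an added example that is not code from the thread or from any router, models exactly that: a translation entry is created only by an inside host sending out, an inbound packet is delivered only if it matches an entry or a static port-forward, and outbound traffic passes unconditionally unless an egress allow-list is configured. Addresses are RFC 5737/1918 documentation ranges and the port numbers are assumptions.

```python
"""Toy stateful NAT gateway (added illustration, not from the thread)."""
from dataclasses import dataclass, replace

INSIDE_NET = "192.168.1."      # assumed LAN
GATEWAY_WAN = "203.0.113.5"    # assumed public address of the gateway
IRC_SERVER = "198.51.100.7"    # constructed
ATTACKER = "198.51.100.66"     # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a connection-opening packet


class NatGateway:
    def __init__(self, port_forwards=None, egress_allow=None):
        # WAN dport -> (inside ip, inside port): static DNAT rules.
        self.port_forwards = dict(port_forwards or {})
        # Destination ports inside hosts may reach; None = allow everything,
        # which is how most consumer appliances ship.
        self.egress_allow = egress_allow
        self._fwd = {}   # (in_ip, in_port, dst, dport) -> wan port
        self._rev = {}   # (remote ip, remote port, wan port) -> (in_ip, in_port)
        self._next_port = 40000

    def outbound(self, pkt):
        """Inside -> Internet. Returns the translated packet, or None if dropped."""
        assert pkt.src.startswith(INSIDE_NET)
        if self.egress_allow is not None and pkt.dport not in self.egress_allow:
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wan_port = self._fwd.get(key)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self._fwd[key] = wan_port
            self._rev[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=GATEWAY_WAN, sport=wan_port)

    def inbound(self, pkt):
        """Internet -> gateway WAN address. Returns the delivered packet, or None."""
        assert pkt.dst == GATEWAY_WAN
        # 1. Reply to a translation we created: the only dynamic way in. The
        #    lookup is keyed on remote address *and* port, so someone on the
        #    same IRC network who knows your public IP still has no entry to hit.
        inside = self._rev.get((pkt.src, pkt.sport, pkt.dport))
        if inside is not None:
            return replace(pkt, dst=inside[0], dport=inside[1])
        # 2. Static port-forward: an always-open hole to one inside host.
        if pkt.dport in self.port_forwards:
            in_ip, in_port = self.port_forwards[pkt.dport]
            return replace(pkt, dst=in_ip, dport=in_port)
        # 3. No state, no rule: there is nowhere inside for the packet to go.
        return None


def unsolicited_syn_is_dropped():
    gw = NatGateway()
    return gw.inbound(Packet(ATTACKER, 51234, GATEWAY_WAN, 139, syn=True)) is None


def irc_reply_is_delivered():
    gw = NatGateway()
    out = gw.outbound(Packet("192.168.1.10", 3456, IRC_SERVER, 6667, syn=True))
    return gw.inbound(Packet(IRC_SERVER, 6667, GATEWAY_WAN, out.sport))


def port_forward_reopens_host():
    gw = NatGateway(port_forwards={80: ("192.168.1.20", 80)})
    return gw.inbound(Packet(ATTACKER, 51234, GATEWAY_WAN, 80, syn=True))


def trojan_call_home(egress_allow=None):
    gw = NatGateway(egress_allow=egress_allow)
    return gw.outbound(Packet("192.168.1.30", 1025, ATTACKER, 31337, syn=True))


if __name__ == "__main__":
    print("unsolicited SYN dropped:", unsolicited_syn_is_dropped())
    print("IRC reply delivered to:", irc_reply_is_delivered())
    print("port-forwarded SYN lands on:", port_forward_reopens_host())
    print("trojan out, no egress policy:", trojan_call_home())
    print("trojan out, egress {80,443,6667}:", trojan_call_home({80, 443, 6667}))
```

The four scenario functions are the thread's claims in order: an unsolicited SYN to the WAN address goes nowhere, an IRC server's reply reaches the inside host because that host created the entry, a port-forward delivers the attacker's SYN straight to an inside box, and the trojan's outbound connection passes until an egress policy is added. What the model deliberately leaves out is everything the original poster asked about on the DoS side: the gateway still has to receive and look up every packet, so a bandwidth flood is unaffected by any of this.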
July 16th, 2002, 11:00 PM
I think you're right on the money, my man. Go buy a nice HW firewall. Sonicwall - www.sonicwall.com - makes a great product at a reasonable price. I have used several models in the past and currently use the SonicWall Pro.
They are simply awesome. Easy to configure, and work great. Just my $0.02.