
Thread: computers behind routers/modems

  1. #11
    Senior Member | Join Date: Aug 2003 | Posts: 205
    arthurking

    If your router (the linksys) does not have any ports open, you are safe..
    assuming the router is doing PAT and not NAT..
    and your inside addresses are RFC1918 addresses.
    (which they most likely are)
    With PAT, connections are initiated from the inside
    and with NAT, connections can be initiated from outside.

    Also, for the price of a Linksys router, you can buy yourself
    a Really good Firewall which acts as a router but is more
    robust than Linksys.

    You can get yourself a "checkpoint" firewall (501 series), a used one off ebay,
    that acts as a router (just can't turn on routing protocols)
    It supports VPN (IPSEC)
    Stateful inspection firewall
    and protects you from most types of DoS attacks.

    see white paper: http://www.clearview.co.uk/docs/nets...irewall_wp.pdf

    Just an opinion....

  2. #12
    Sounds like you have a reasonably protected connection arthurking. The best test is to go to another connection point on the net (at a friend's house for example) and run a scan from there. I don't put much faith in these scans performed from free commercial sites.

    The only thing that you need to check is that you have the correct IP address. You want to check this on the WAN side of your router before you run the scan. Unless you pay for a static IP address from your ISP - your WAN address can/will change.

    Just a note on the PAT and NAT comment from gunit0072003.
    PAT is Port Address Translation
    NAT is Network Address Translation

    Both of these can happen in either direction, and can change several times as an IP packet travels between source and destination.

    NAT is generally used to either "Hide" internal addresses from an external source, or to allow a private IP address range to communicate over the Internet (private IP addresses are generally not routable over the Internet.) So a business may use several private ranges within their internal network but only need to pay for one public IP number when connecting to the Internet. NAT swaps the addresses as the IP packet leaves the business network via a router or firewall.

    PAT is used generally by proxies to keep track of outbound connections to the WWW.
    The process can be difficult to explain - but if you are interested a quick google for proxies and PAT should find some good info.

    Golam
    Time flies like an arrow - fruit flies like a banana

  3. #13
    Senior Member | Join Date: Aug 2003 | Posts: 205
    Golam,
    With all due respect, your comments on PAT and NAT are not 100% accurate..

    what do you mean by your comments:

    1) "Both of these can happen in either direction, and can change several times as an IP
    packet travels between source and destination. " and

    2) "NAT is generally used to either "Hide" internal addresses from an external source, or to allow a private IP address range to communicate over the Internet (private IP addresses are generally not routable over the Internet.) So a business may use several private ranges within their internal network but only need to pay for one public IP number when connecting to the Internet. NAT swaps the addresses as the IP packet leaves the business network via a router or firewall."

    With respect to your 1st comment, are you implying that connections can be initiated from the outside for PAT as well? cause that is so not the case..NAT is a one to one translation..(connections can be initiated from either outside or inside)
    it is static/fixed. and does not change..
    Public A---Private A
    Public B---Private B
    " "
    " "
    Public x---Private x

    However with PAT you have dynamic translation..
    The dynamic translation only occurs when the router receives a packet from inside
    destined for the outside..
    Public F---Private A (along with random port # "abcd")
    Public F---Private AB (along with random port # "efgh")
    " "
    " "
    Public F---Private x (along with random port # "pqrs")


    And with respect to your second comment, you are referring to PAT not NAT..
    PAT is a dynamic translation of many IP addresses to one address and
    NAT is a static translation of one unique address to another unique address


    With PAT, you use it if you do not require connections to be initiated from the outside
    and only have one public address available.

    With NAT you use it if you want to conceal/hide your inside addresses, like hosting a server on the inside/DMZ that receives connections initiated from the outside...usually referenced by a domain name..

    Rule of thumb, NAT your servers (Email, DNS, WEB,etc..) they require unique one to one
    translation, and PAT all normal user traffic..

    sorry for rambling on....

    P.S
    Some routers can now even with just one public address, apply a static NAT
    address mapped to a specific port, where connections can be initiated from outside....

    If I misunderstood your statements I apologize....
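    An added example, not code from anyone in this thread, that models the two mappings Golam and arthurking describe above: static NAT forwards an unsolicited inbound packet to the mapped private host, while PAT creates its (public address, port) entry only when an inside host sends first and drops any inbound packet that matches no entry. The addresses and the "random port" picker are constructed.

```python
from dataclasses import dataclass
import random
# Toy model (added example); addresses used in tests are constructed RFC 5737 values.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StaticNAT:
    """One-to-one, fixed mapping (public A <-> private A); needs no connection state."""
    def __init__(self, pairs):
        self.pub_to_priv = dict(pairs)
        self.priv_to_pub = {priv: pub for pub, priv in pairs}

    def outbound(self, p):
        pub = self.priv_to_pub.get(p.src_ip)
        return Packet(pub, p.src_port, p.dst_ip, p.dst_port) if pub else None

    def inbound(self, p):
        # Any packet to a mapped public address is forwarded, solicited or not.
        priv = self.pub_to_priv.get(p.dst_ip)
        return Packet(p.src_ip, p.src_port, priv, p.dst_port) if priv else None

class PAT:
    """Many-to-one, dynamic: a public port is allocated when an inside host first sends."""
    def __init__(self, public_ip, seed=0):
        self.public_ip = public_ip
        self.table = {}  # public port -> (private ip, private port)
        self.rng = random.Random(seed)  # stand-in for the router's random port choice

    def outbound(self, p):
        key = (p.src_ip, p.src_port)
        port = next((pp for pp, v in self.table.items() if v == key), None)
        if port is None:
            port = self.rng.randrange(1024, 65536)
            while port in self.table:
                port = self.rng.randrange(1024, 65536)
            self.table[port] = key
        return Packet(self.public_ip, port, p.dst_ip, p.dst_port)

    def inbound(self, p):
        # Only a port an inside host already opened translates; anything else is dropped.
        entry = self.table.get(p.dst_port) if p.dst_ip == self.public_ip else None
        if entry is None:
            return None
        return Packet(p.src_ip, p.src_port, entry[0], entry[1])
```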

  4. #14
    Also with respect, what you say about PAT is indeed true if you are using the device to hide many users accessing the Internet from an internal source out on one public IP address. This is how the proxy or firewall maintains a stateful list of connections and can return responses from the web to the correct internal clients.

    I manage several firewalls for my organisation and it is possible to change both network address and port number in either direction through the firewall.
    Admittedly it is not often used as NAT is generally enough, but some organisations will use different ports other than standard for added security, and rely on PAT to present the service on the standard port “on the outside”.

    Golam
    Time flies like an arrow - fruit flies like a banana

  5. #15
    Senior Member | Join Date: Aug 2003 | Posts: 205
    Golam,
    I think we beat this discussion to death,,,,,lol
    MidNyte got an earful from the both of us
    and probably got more than he opted for,,,

    Cheers,,,,

  6. #16
    No worries - it's been fun

    Cheers

    Golam
    Time flies like an arrow - fruit flies like a banana

  7. #17
    Senior Member | Join Date: Apr 2002 | Posts: 889
    First off I am a bit leery of this thread, as an Admin you should have full understanding of Public and private IP's. One can usually set that in the IP scope and know its range. Second, usually the scope is not hard to figure out as most are standard procedure. So knowing these two factors, a public IP and a scope range beyond it, one really need not do more than apply the usual IP scope range to whatever scanner. Problem is really in figuring out nowadays the firewalls deployed, because some can say things that are not true, and the Admin laughs at the pecks there often. I think with all respect to you that this is the problem: too many people have gotten that MCSE, end up as admin, and well, you're gonna get soaked a few more bucks for catch up classes in the real world. World is full of MCSE people and yet Blaster gets in why? Cause ya buy into the myth of M$ and an MCSE. Think of a MCSE as a starting point to begin to learn and understand, ya got your learning papers in order
    Peace
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  8. #18
    AO übergeek phishphreek | Join Date: Jan 2002 | Posts: 4,325
    I think with all respect to you that this is the problem: too many people have gotten that MCSE, end up as admin, and well, you're gonna get soaked a few more bucks for catch up classes in the real world. World is full of MCSE people and yet Blaster gets in why? Cause ya buy into the myth of M$ and an MCSE. Think of a MCSE as a starting point to begin to learn and understand, ya got your learning papers in order
    Funny you should mention that...

    I had a user call me and say that she was thinking about getting her MCSE so she could get a job in computers making $60,000 and all she would have to do is spend $20,000 to take the classes and then go take the test... I couldn't help but to laugh. I know people who have come to the US from other countries with the same theory. They took their MCSE and paid $20,000 for the classes and tests... and tried to get a job. They were turned out at the door and told to get some real learning and some experience and then to come back. After they get more learning and experience... the MCSE is no longer valid (because it expires) and they have to take it all over again... silly people listening to the radio ads...

    If you can pass this test... you can sign up for the MCSE... LoL
    http://www.computertraining.com/start/testindex.html

  9. #19
    Junior Member | Join Date: May 2003 | Posts: 10
    Thanks for the info guys. I've never heard of PAT before but I've got a netgear router, it does NAT (and SPI). I have a very limited knowledge of these and will learn more as I get younger. One of the reasons for my home network is to learn more about networks etc, and then linux found its way in here, and if I had room, another couple of boxes running other UNIXes. LOL.
    I am considering 'breaking' into the IT sector, my current employment is totally unrelated, and thinking about some courses but not MCSE.......yet.

    And let me get this straight. If my router doesn't allow a connection into my network (all ports blocked) a real hacker could still get into my network?
    I'm reading some of the logs and one eg. is:

    Fri, 2003-08-22 23:50:26 - ICMP packet - Source:elite.haxor.on.net ,[Echo Request],WAN - Destination:my.maybe.vuln.net,LAN [Drop] - [Inbound Default rule match]

    How does a hacker get into my system? More importantly how can I stop him.

    I try to take care in my network against script kiddies more than the elite types, because I'm thinking hackers/crackers (whatever) will go for big fish types instead of the nobodies like me (I keep no sensitive data on the computer, only on removable media like floppies or cdrw at the moment). So I've got to stop them scanning me? I think I'm going to buy this "hacking exposed" book!!

    I need more info.
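    An added example, not from any poster in the thread: a parser for the Netgear-style log line quoted above, plus a count of inbound drops per source so a single echo request can be told apart from a source that keeps probing. The first sample line is the one from the post; the other lines, the three-drop threshold and the one-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of the line quoted above (constructed regex; fits that one format only)
LOG_RE = re.compile(
    r"^(?P<time>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) packet - "
    r"Source:(?P<src>[^,\s]+) ,\[(?P<detail>[^\]]*)\],(?P<src_if>\w+) - "
    r"Destination:(?P<dst>[^,\s]+),(?P<dst_if>\w+) \[(?P<action>\w+)\] - \[(?P<rule>[^\]]*)\]$"
)

# First line is the one from the post; the rest are constructed in the same shape.
SAMPLE_LOG = """\
Fri, 2003-08-22 23:50:26 - ICMP packet - Source:elite.haxor.on.net ,[Echo Request],WAN - Destination:my.maybe.vuln.net,LAN [Drop] - [Inbound Default rule match]
Fri, 2003-08-22 23:50:27 - ICMP packet - Source:elite.haxor.on.net ,[Echo Request],WAN - Destination:my.maybe.vuln.net,LAN [Drop] - [Inbound Default rule match]
Fri, 2003-08-22 23:50:29 - ICMP packet - Source:elite.haxor.on.net ,[Echo Request],WAN - Destination:my.maybe.vuln.net,LAN [Drop] - [Inbound Default rule match]
Fri, 2003-08-22 23:51:02 - ICMP packet - Source:some.other.host.example ,[Echo Request],WAN - Destination:my.maybe.vuln.net,LAN [Drop] - [Inbound Default rule match]
Fri, 2003-08-22 23:55:10 - ICMP packet - Source:elite.haxor.on.net ,[Echo Request],WAN - Destination:my.maybe.vuln.net,LAN [Drop] - [Inbound Default rule match]
garbage line that does not match the format
"""

def parse_line(line):
    """Return the fields of a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%a, %Y-%m-%d %H:%M:%S")
    return rec

def noisy_sources(log_text, min_drops=3, window=timedelta(minutes=1)):
    """Sources with at least min_drops inbound drops inside any one window (assumed thresholds)."""
    drops = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["action"] == "Drop" and rec["src_if"] == "WAN":
            drops[rec["src"]].append(rec["time"])
    flagged = {}
    for src, times in drops.items():
        times.sort()
        for start in times:
            n = sum(1 for t in times if start <= t <= start + window)
            if n >= min_drops:
                flagged[src] = n
                break
    return flagged
```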

  10. #20
    AntiOnline Senior Member souleman | Join Date: Oct 2001 | Location: Flint, MI | Posts: 2,883
    I am considering 'breaking' into the IT sector, my current employment is totally unrelated, and thinking about some courses but not MCSE.......yet.
    The IT sector sucks right now. I have been unemployed since January. The few jobs out there don't pay **** right now. Stay where you are and learn more about IT and wait till this recession is over before you try to change careers, otherwise you're going to wish you hadn't left.

    Blocking your ports is enough to keep script kiddies out. As for the real hackers, you only have to worry about them if they have a reason to attack you. But there are ways to get past NAT and PAT. There are things like firewalking and ASMmutate (I believe that was the name, been a while since I looked at it). Then there are always vulnerabilities in firewalls. If a firewall was never vulnerable, why would you have to update it? If NAT was enough to keep out everyone, why don't companies all just put a linksys router on their gateway and end up being safe? Anyone that tells you that NAT or PAT is enough to secure your network is either full of ****, only thinking about script kiddies, or doesn't know the real world.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman
