
Thread: NAT, 10.*.*.*, and SOHO defenses

  1. #1 | Join Date: Jun 2002 | Location: Campbell, CA, USA | Posts: 732

    In another of the fora, Randy poses, "What hardware and/or software do others use. Will my router provide enough protection?" Good questions!!

    Here's my setup in brief:

    ISP <-> outside of ABS (dynamic, routable IP number)

    ABS (10.0.1.1) is DHCP server, default router, and NAT provider <-> hosts on the inside net.

    All inside hosts are on the unroutable 10.* Class A net.

    I have no "listener" ports enabled on the ABS, so the only traffic that can reach any host on the inside is in response to an outbound connection initiated from an inside host. The wireless net on the ABS is named and private.


    What's my biggest worry? A browser plug-in or Java hole or a downloaded program opening a connection to the outside world and inviting the perpetrator onto my system through a connection actually opened from the inside out.

    Jazzbo

    PS. Look out, my first follow-up (coming shortly) has the nasty details loaded up.

  2. #2 | Join Date: Jun 2002 | Location: Campbell, CA, USA | Posts: 732

    Question: is the following useful or is it so bloody long-winded that it's just noise?

    What I do is to firewall with a NAT-equipped router (an Airport Base Station -- one of the new models with two e-nets and a modem->telco port). You can do this with *any* good firewall box -- a Quadra (if you can find the TCP/IP config solution), a Linux, a Solaris-8, or any of a fairly large stable of dedicated firewall products. Remember, though, that the more OS and assets you put into the firewall host, the more a hacker can do with it if s/he breaks into the firewall, itself.

    A router is a host with connections to more than one network, configured to pass traffic between them.

    NAT (Network Address Translation) is the first key to my defenses. The way this works is that a firewall or firewalling router (in my case) is a host with IP legs on the soft inside net and the dangerous outside Internet. As far as the upstream ISP -- or anything else on the whole Internet -- knows, there is one and only one host at my end: an uninteresting ABS with nothing to break into.

    The ABS runs the PPP connection (O, for DSL on my street!!), not any of the Macs or the SPARC/Solaris (shut off at the moment). Now, I get Dynamic IP Assignment from my ISP, which merely means that the window-of-opportunity for an attacker is narrow in time: fixed IP requires the same defenses, so again the approach I'm taking is common if you're one of the lucky folks with a fixed IP address.

    Okay, the outside world sees: path-through-my-ISP -> my one-and-only IP (on the ABS).
    What do I see on the inside?

    ISP
     |
     | the outside net
     |
    ABS
     | the 10.0.1.* net
    -+------+------+---------+---------+------
     Mac    PB     Printer   Solaris   Mac

    The ABS has the local IP number 10.0.1.1 and its outside, Internet IP number is whatever my ISP assigns it when I connect. All of the inside hosts have IP numbers in the net 10.0.1.* (mask 255.255.255.0). But, "Why?"

    It turns out that there are a few zones of IP numbers (mentioned elsewhere) which are "non-compliant", which is to say "unroutable across the Internet" and reserved for private use. *Anyone* can safely deploy a network from these pools without uprooting their own connectivity to some other, legitimate destination on the outside Internet. (The whole of 10.anything is one of these unroutable networks.) It *also* means that even if someone knew you had a Mac at, say, 10.0.1.203 on your home net, it's *impossible* for them to direct traffic to it except through a proxying or NATting gateway. Like the ABS. Follow?

    Assuming the ABS has currently got the Internet connection up and running, when it receives traffic from any inside host destined for the outside world -- and it will, since it's the default router (10.0.1.1) for all the inside hosts -- it *replaces* the inside-host's 10.0.1.* IP number with its own, outside and routable IP number, and ships off the request to the next router up at the ISP. As replies come back, addressed to *its* outside IP number, it edits the "TO" address back to that of the requesting inside host and puts it up on the inside network. Nobody inside or outside even knows it did this.

    The added defense is that by default, it won't deliver anything from the outside world to an inside host except in response to a request from the insider! That means that unless *I* decide to run a program which talks outside and thus opens selected ports for responses, outside traffic never gets onto my inside net. No way for port-querying scanner programs to find anyone home because I did *not* configure the ABS to pass any traffic to the inside except when they are responses.

    I could, but I don't need to ssh home from work and I don't run a full-time-connected web-server (some of the reasons to open selected ports for unsolicited external traffic). Configuring safely for *those* operations is another whole discussion.


    Will your router provide enough protection? It depends. I'm reasonably satisfied with my NAT-based approach and tend to run commercial Internet programs (browsers, search engines, email clients, etc.). I do *not* run uSoft programs, ever, at all, because they've historically been overly-functional and too attractive as assault targets (bang for the hacker's development bucks). However, by browsing I do open a return port. Sigh. There's no such thing as a completely safe Internet connection. Gotchas:

    - Will your router accept "terminal" connections from the outside? (ie. admin access from the Internet!! Bad-bad-bad)
    - Do you have a non-obvious (set of) password(s) on the router? On your hosts?
    - If it's an ABS, have you set it for a named, private wireless net?
    - If you have PCs, are the NetBIOS ports blocked? The ATALK-tunneling ports?

    If you run a wide-open router -- that is, no NAT and just a little in the way of port controls -- then it's not really the router that's defending the farm, it's how solid your OS(es) is(are) and how diligent you are in selecting good passwords, monitoring traffic, shutting off network facilities you don't need, and so on and on.

    If you're running a full-fledged OS as your defender, it could be NATting just like my ABS, or it could be a "proxy" server, using programs running on it to accomplish the same sort of end. This can work *really* well, too, but if your proxy server or NAT-equipped host gets hacked, your inside net is wide open unless you've actually firewalled in between the proxy server and the inside net. That's typically far too complex and expensive for SOHO installations (IMHO). A full-fledged host with "IP Forwarding" enabled, which turns its IP stack into a straight-out router, is damned dangerous. Don't do it (except between multiple internal nets only, and even then, wouldn't a router be cheaper?).

    Jazzbo


    [This message has been edited by Jazzbo (edited 11 June 2002).]
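The translation-and-reply behaviour Jazzbo describes in the post above, modelled in Python as an added example. This is not code from the original post and not the Airport Base Station's software; it is a toy gateway that does what the text says: rewrite the inside 10.0.1.* source to the one routable address, remember the flow, hand replies back to the inside host, and drop anything unsolicited unless a port has deliberately been forwarded. The addresses (203.0.113.5 for the ABS's outside leg, 198.51.100.10 and 192.0.2.9 for remote hosts) are documentation ranges chosen for illustration, and the "same remote host and port or it is not a reply" rule is an assumption about how strict the box is; a real NAT may be looser.

```python
"""Toy model of the NAT gateway described in the post.

Added example, not the ABS's firmware or any real NAT implementation.
Addresses, port numbers and the 'only replies come back' policy are
assumptions chosen to mirror the description, not observed ABS behaviour.
"""
from dataclasses import dataclass
import ipaddress

# The three RFC 1918 blocks: never routed across the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatGateway:
    """Masquerading gateway with one routable outside address.

    Outbound: rewrite inside source to outside_ip:<fresh port>, remember it.
    Inbound:  deliver only if it matches a remembered outbound flow (same
              remote host and port) or an explicit port forward; else drop.
    """

    def __init__(self, inside_net, outside_ip, first_port=40000):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.outside_ip = outside_ip
        self.next_port = first_port
        # (proto, outside port) -> (inside ip, inside port, remote ip, remote port)
        self.table = {}
        # reverse index so repeat packets of one flow reuse the same outside port
        self.flows = {}
        # static forwards (e.g. ssh from work): (proto, outside port) -> (ip, port)
        self.forwards = {}

    def outbound(self, pkt):
        """Inside -> outside: the rewritten packet, or None if not forwarded."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return None                       # not from our inside net
        if is_rfc1918(pkt.dst):
            return None                       # private dest: upstream can't route it
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.flows.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flows[flow] = port
            self.table[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.outside_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Outside -> inside: the un-NATted packet, or None when dropped."""
        if pkt.dst != self.outside_ip:
            return None
        key = (pkt.proto, pkt.dport)
        entry = self.table.get(key)
        if entry is not None:
            in_ip, in_port, remote_ip, remote_port = entry
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.proto)
            return None                       # right port, wrong peer: not a reply
        fwd = self.forwards.get(key)
        if fwd is not None:                   # a listener we chose to open
            return Packet(pkt.src, pkt.sport, fwd[0], fwd[1], pkt.proto)
        return None                           # unsolicited: nobody home


def demo():
    """Walk the scenarios from the post; returns a dict of outcomes."""
    gw = NatGateway("10.0.1.0/24", "203.0.113.5")
    mac = Packet("10.0.1.203", 51234, "198.51.100.10", 80)   # browser request
    out = gw.outbound(mac)
    reply = gw.inbound(Packet("198.51.100.10", 80, "203.0.113.5", out.sport))
    scan = gw.inbound(Packet("192.0.2.9", 44444, "203.0.113.5", 139))      # NetBIOS probe
    spoof = gw.inbound(Packet("192.0.2.9", 80, "203.0.113.5", out.sport))  # wrong peer
    gw.forwards[("tcp", 22)] = ("10.0.1.203", 22)                           # ssh from work
    ssh = gw.inbound(Packet("192.0.2.9", 50000, "203.0.113.5", 22))
    return {"out": out, "reply": reply, "scan": scan, "spoof": spoof, "ssh": ssh}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6} -> {pkt if pkt else 'dropped'}")
```

The point to notice is that the scan to port 139 and the packet arriving on the mapped port from the wrong peer both fall off the end of inbound() and are dropped, exactly the "nobody home" behaviour the post relies on; the only way in is the forwards table, which is why opening ssh or a web server is "another whole discussion".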

  3. #3 | Join Date: Feb 2002 | Location: York, PA, USA | Posts: 339

    Jaz,

    That's good info... I have a "firewall safe" router from NetGear which I hook into my DSL line, then link up my G4, PB G3 and my girlfriend's Winders laptop (well, I am working on getting the winders machine to actually work).

    I also have Norton on both Macs and she is getting Norton installed from work on her machine. That, to me, is three levels of protection... the router, the OS (Windows ME on her machine for what that is worth!) and the extra software. I am not certain if the router can be configured for stealth mode, so I have been putting Norton into stealth mode on each machine. I also shut off all access to the outside world, except for the internal assigned IP addresses for each machine on the internal network. I pretty much let the Macs have full access to one another and I will probably do the same with the Winders machine if I can ever get it to work. Not sure if doing that is a great idea, especially because I'd like to eventually be able to make secure connections (how I am not sure) from anywhere on the internet to any of the machines, but that is a long way down the road (cause I am still trying to figure out the basics and that is pretty unsafe and advanced).

    Again, great info from all you guys!

    Thanks.

    Anthony

  4. #4 | Join Date: Sep 2000 | Location: Boston MA, USA | Posts: 168

    I'm running a Similar Setup:

    DSL Modem
    |
    |
    Asante Router/Switch running NAT (192.X.X.X)
    |
    |
    Network of Macs, PCs and printers (with anti-virus but no personal firewalls)


    Nothing Exotic at all.


    I also have no ports forwarded and no addressable machines and am pretty strict about plugins and downloaded programs.

    If I do run a filesharing app, I make sure that it, and all of its services, are stopped when I'm done. A good reboot can help that too as long as there are no startup services.

    Jazzbo, I'm assuming that you have WEP turned on at the ABS?


    ~~~Eric~~~

  5. #5 | Join Date: Jan 2001 | Location: Mobius Strip | Posts: 13,045

    I have blocked services and ports in the router, stealth mode and redundancy in FireWalk X. I've tried testing it out on dslreports.com and it seems as secure as possible. I was thinking of turning my 7300 (now running 10.1.5 but if I hadn't been able to do that I was thinking of putting linux on it) into a firewall server also.

    I noticed that Jaguar will offer basic firewall service in System Preferences.

    I would never want to allow chat or IM or IRC. I would like to use Timbuktu but don't - and if I did, just on the local LAN.

    You can also run MacAnalysis along with another firewall. FireWalk doesn't use the built-in ipfw but can be used together (I think there is a performance hit though.)

    So far, there aren't any OS X specific virus or trojan horse/WORMs.

    Gregory

  6. #6 | Join Date: Jun 2002 | Location: Campbell, CA, USA | Posts: 732

    By the way, per RFC 1918 at http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1918.html here are the reserved "private" networks, unroutable across the Internet:

    --- begin quote ---
    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
    --- end quote ---

    Jazzbo

  7. #7 | Join Date: Sep 2000 | Location: Boston MA, USA | Posts: 168

    Ah, yup, that was the listing I was thinking of!

  8. #8 | Join Date: Jan 2002 | Location: NW Montana | Posts: 8,197

    Hey guys - I been out of touch some. Looks like there is some great info going on here - GREAT job. I will be back - with questions not answers. bummer hey

    Randy

  9. #9 | Join Date: Jun 2002 | Location: Campbell, CA, USA | Posts: 732

    Love them questions, Randy! The ones of yours I quoted as I started this topic are the same ones asked in multi-megabuck enterprise data centers getting ready for Internet connectivity. You know, it takes insight to identify the right questions, and you hit these spot on. And look at the crowd you attracted.

    My only possible advantage over you in answering some of them quickly is that I remember when dirt was new and have had to struggle and research and ask some of the sub-questions before. Newer and better answers to help me fill in more blanks have arrived in follow-ons from Gregory, Anthony, and Eric in this topic alone, and that's just "so far".

    Hey, gents: You're a cool team!

    Jazzbo

  10. #10 | Join Date: Jun 2002 | Location: Campbell, CA, USA | Posts: 732

    Eric,

    You asked, "I'm assuming that you have WEP turned on at the ABS?"
    *Now* I am! I'd overlooked it entirely until you asked. Thanks! (Whew)

    Jazzbo

  11. #11 | Join Date: Sep 2000 | Location: Boston MA, USA | Posts: 168

    Bring on any questions, between all of us, someone will either know the answer or know where to find it! We can all expand our knowledge together, and isn't that what this forum is for?


    And any of you running wireless like Jazzbo, make sure that you turn on WEP (Wireless Encryption Protocol), otherwise, you're a free range target.


    I read an article recently where a few people bought a directional antenna then drove around NYC and went to different roof tops to see how many Wireless Access Points (yes another acronym, WAP) they could find.

    I think that they found like 140 or so networks in just a few hours, over 80% were not secured and they could just start browsing their networks and access the internet. Of the remaining 20% most were still broadcasting information about the company that could be used to gain access, and like less than 2% were "truly" secure.

    Don't quote me on the percentages, but the gist was most were not secure and freely allowed any user to connect.

    But "truly secure" goes back to the original principle of network security:
    If you're visible, there IS a way to get in, it just isn't known yet.

    As you can imagine, WAPs create real havoc for Network Administrators (like me) who could have any user bring in a WAP, put it at their desk because they wanted to look at CNN.COM while in the break room, and leave a gaping hole in the network that you work so hard to secure. Wired networks don't extend outside of the building unless you run some patch cable so it's easy to manage, but wireless can extend completely off the premises and you really can't tell how far.

    Should be interesting to see what technology rolls out next. The higher speed wireless is around the corner, but as far as I know, it's just as insecure.

    ~~~Eric~~~
