Reference Manual

HOW TO protect your private machines from hackers:

Machines on a private network connected to the Internet through a machine running NAT32 are quite secure by default, as long as the following conditions are met:

  1. The private network must be physically distinct from the ISP's network.
  2. There must be no permanent port mappings to untrusted applications.

Condition 1 makes your private machines completely invisible to the Internet, because there is no path from the Internet to your private machines except through the NAT32 Router. Because traffic from the Internet to private IP addresses is never routed by Internet gateways, the only possible source of such packets is a hacker's machine on your cable modem (or similar) network. If you ever see such packets arriving in NAT32 over that interface, you should immediately report it to your ISP.

Earlier versions of NAT32 supported a "single adapter" option, allowing the private machines and the ISP's network (cable modem or similar) to be reached via a single adapter. This option was quite useful in cases where resources were limited, but it did increase security risks, because all the private machines were visible to all machines on the cable modem (or similar) network. The "single adapter" option is no longer supported by NAT32.

Condition 2 is important because the only way for a packet from the Internet to reach a private machine is through NAT32's port mapping mechanism. If you choose to add permanent port mappings, it is your responsibility to ensure that the applications which receive such traffic are trusted and securely configured.

HOW TO protect your NAT32 machine from hackers:

  1. Unbind Windows File and Printer Sharing from the Internet adapter.
  2. Stop all unwanted and untrusted services which might be running on the machine.
  3. Install all the latest security updates for your operating system and your applications.

Requirement 1 can be satisfied by opening Network in Control Panel and clicking TCP/IP Properties for the relevant adapter. Under Bindings you will see two checkboxes, both of which should be cleared.

Requirement 2 can be satisfied as follows:

The above listing shows that Windows is listening at several TCP ports and that several UDP ports are open. One TCP connection is established: from Port 1025 on the local machine to Port 1028 on the local machine. Ports 137, 138 and 139 are Windows File and Printer Sharing ports; Port 135 is the Remote Procedure Call Mapper. If you discover any other ports at which Windows is listening, you should determine which application is listening there and then check that application very carefully. Be sure that adequate security measures are in place. For example, if you have an FTP server listening at TCP Port 21, be sure to configure strong passwords to ensure that no unauthorized access takes place. Better still, configure your FTP server so that only certain directories can be accessed by authorized users.
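The port check described above, as an added example that is not part of the NAT32 manual: it parses a netstat -an listing in Python and flags every open port other than those the text names as normal Windows ports (135, 137, 138, 139), so each remaining listener can be traced to its application. The sample listing, including ports 21, 1900 and the 1025/1028 connection, is constructed.

```python
# Added example (not from the NAT32 manual): audit a "netstat -an" listing for listeners
# other than the Windows ports the manual names (135, 137, 138, 139).
import re

# Ports the manual identifies as normal Windows services on this kind of host.
KNOWN_WINDOWS_PORTS = {
    135: "RPC Endpoint Mapper",
    137: "NetBIOS Name Service (File and Printer Sharing)",
    138: "NetBIOS Datagram Service (File and Printer Sharing)",
    139: "NetBIOS Session Service (File and Printer Sharing)",
}

# Constructed sample in the style of "netstat -an" output on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1028         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:1900           *:*
"""

# Proto, local address:port, foreign address, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def open_ports(netstat_text):
    """Return (proto, port, state) for every listening TCP socket and every open UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header lines and anything else we do not understand
        proto, _local, port, _foreign, state = m.groups()
        port = int(port)
        if proto == "TCP" and state == "LISTENING":
            found.append((proto, port, state))
        elif proto == "UDP":
            found.append((proto, port, "OPEN"))   # established TCP connections are skipped
    return found

def unexpected_listeners(netstat_text):
    """Open ports outside the known Windows set; each one needs its application identified."""
    return sorted((proto, port) for proto, port, _state in open_ports(netstat_text)
                  if port not in KNOWN_WINDOWS_PORTS)

if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port}: identify the listening application and review its configuration")
```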

Requirement 3 requires constant vigilance, perusal of security bulletins, and the installation of service packs from your OS vendor as these become available. All applications which have published security weaknesses should be updated, as these very quickly become prime targets for hackers. Remember: there is no such thing as an "Install and Forget" firewall; keeping a network secure requires much time and effort.

IMPORTANT

You must warn your users about the risks involved in executing code from untrusted sources, including EXE files, Word documents and VBS scripts sent to you by email or downloaded from the Internet. No firewall can protect you against viruses and trojans which a user has voluntarily transferred to his/her machine.

Limitations of Firewalls

Be cautious with "personal firewalls", as most of them have severe limitations and may well give you a false sense of security. Some of those limitations are:

  1. A firewall located at your end of the Internet connection cannot protect your system against "denial of service" attacks.
  2. Firewalls require careful configuration and regular updates if they are to protect your machines against the latest viruses and trojans.
  3. Firewalls can't protect you from attacks on applications which you have enabled, but which contain security flaws.

Limitation 1 is due to the following: should a hacker decide to blast your IP address, only your ISP's firewall can stop this traffic from reaching your system and consuming your bandwidth. By the time the traffic reaches your firewall, it is too late; the bandwidth has already been consumed. Some ISPs don't even run firewalls, and some ISPs are reluctant to put appropriate filters in place. In either case you should definitely change your ISP.

Limitation 2 is due to the fact that most users simply do not have the knowledge and the time needed to keep a firewall secure. Again, security is really a service you should purchase from your ISP, but very few ISPs to date advertise the security levels of their service.

Limitation 3 means that you must inform yourself of the known security holes in all software you are using. Your ISP can't help you with this one; it is up to you to learn of these problems and install appropriate fixes.

Finally, remember that the hackers know of these limitations too, and so they concentrate their attacks in those areas.

Choice of Firewall

Any firewall which blocks traffic at the NDIS layer may be incompatible with NAT32.

The Windows Firewall works with NAT32, but note that it does not block unwanted outgoing traffic, thus leaving you susceptible to malware that sends personal information out to the Internet.

The free Zone Labs product works with NAT32 when used in its "medium security" mode; the full version works in all modes.

The BlackIce Defender firewall also works with NAT32, but as no evaluation version is available, I can't comment on its functionality. It seems to intercept only Winsock traffic, and therefore does not see NAT32's traffic (which is sent and received via the WinPkFilter driver).

NAT32 Stealth Mode

Whenever an external computer tries to contact your machine at some given port number, the Host Requirements RFC (RFC 1122) states that an ICMP Destination Unreachable, Port Unreachable packet should be sent back to that computer if no application is listening at the requested port. Unfortunately, hackers use Port Scanning software to contact your machine and then determine exactly which ports are responding and which aren't. They use the ICMP response to quickly move from one port to the next. If no such response is sent, their Port Scanners need to time out for each port tested, and this considerably lengthens the time a complete scan takes.

NAT32 therefore has a command which turns the transmission of such ICMP responses on or off:

stealth [on|off]

The default is off, but this setting will usually be overridden in the file startup.
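An added example, not NAT32 code, that decodes the ICMP Destination Unreachable, Port Unreachable message the text describes, so that a capture of ICMP leaving the Internet adapter can be checked when confirming that stealth mode is actually suppressing these replies. The quoted probe (addresses 203.0.113.5 and 192.0.2.10, UDP port 1434) is constructed.

```python
# Added example (not from the NAT32 manual): build and decode the ICMP type 3 / code 3
# "Port Unreachable" message described in the text. A capture of outbound ICMP on the
# Internet adapter should contain none of these once "stealth on" is in effect.
import struct

ICMP_DEST_UNREACHABLE = 3
ICMP_PORT_UNREACHABLE = 3

def icmp_checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_port_unreachable(orig_ip_header, orig_payload_head):
    """Build a type 3 / code 3 message quoting the offending datagram's IP header + 8 bytes."""
    body = orig_ip_header + orig_payload_head[:8]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE, 0, 0)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE, csum, 0) + body

def parse_port_unreachable(icmp):
    """Return (quoted proto, dst ip, dst port), or None if not a valid port-unreachable."""
    if len(icmp) < 8 + 20 + 8:                  # ICMP header + minimal IP header + 8 bytes
        return None
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACHABLE or code != ICMP_PORT_UNREACHABLE:
        return None
    ihl = (icmp[8] & 0x0F) * 4                  # length of the quoted IP header
    # A correct checksum verifies to zero; the quoted transport header must be present.
    if icmp_checksum(icmp) != 0 or len(icmp) < 8 + ihl + 8:
        return None
    proto = icmp[8 + 9]                         # protocol field of the quoted IP header
    dst_ip = ".".join(str(b) for b in icmp[8 + 16:8 + 20])
    dst_port = struct.unpack("!H", icmp[8 + ihl + 2:8 + ihl + 4])[0]   # UDP and TCP alike
    return proto, dst_ip, dst_port

# Constructed sample: a UDP probe from 203.0.113.5 to port 1434 on 192.0.2.10 (proto 17).
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                        bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10]))
SAMPLE_UDP = struct.pack("!HHHH", 40000, 1434, 8, 0)

if __name__ == "__main__":
    print(parse_port_unreachable(build_port_unreachable(SAMPLE_IP, SAMPLE_UDP)))
```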
 
