Can Software firewall protect against worms such as sasser?


RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Call me old fashioned, but I'll stick my neck out here and state that simply having NAT turned on, and NO ports being forwarded, is actually a pretty good defense against worms.

Yes, I've had respected security gurus tell me that NAT is NOT a firewall. OK. I'll agree with that. But a simple NAT router, even today, appears to be plenty to stop those nasty worms floating around on the Internet. It's tough to attack a port if that port isn't connected to anything (i.e. no Port Forwarding enabled on the router).

Yes, there are some attacks that can get to a NAT router (like SYN flooding). But those aren't your typical worm attack methods. They're more of a DDOS attack technique. And it's tough to find even the simplest router that doesn't include Stateful Packet Inspection, which will protect against many of these kinds of attacks.
 

Dravic

Senior member
May 18, 2000
892
0
76
Originally posted by: RebateMonger
Originally posted by: Dravic
And as for the comment earlier by someone that the ISP's are filtering out this content.. That is also not true, and I hope it wasn't the ISP that told you that. They may block inbound connections from personal servers being set up on common ports (mail 25, web 80) but there is entirely too much valid traffic on those ports to block outright.
You can find the list of inbound ports blocked by Cox Cable (a major ISP) on this page (do a Search Support for the term "ports blocked"). Note that they block inbound TCP Port 445, which is used by Sasser. Except for Port 25 and 80, Cox blocks these same ports for Business HSI, also.

Ports blocked by Cox Home (and, mostly blocked by Cox Business, too)
Port     Transport  Service          Direction  Blocked for
25       TCP        SMTP             Both*      SMTP Relays
80       TCP        HTTP             Inbound    Web servers, worms
135      UDP        NetBios          Both       Net Send Spam/Pop-ups, Worms
136-139  UDP, TCP   NetBios          Both       Worms, Network Neighborhood
445      TCP        MS-DS/ NetBios   Both       Worms, Network Neighborhood
1433     TCP        MS-SQL           Inbound    Worms, Trojans
1434     UDP        MS-SQL           Inbound    Worms, SQLslammer
1900     UDP        MS-DS/ NetBios   Both       Worms, Network Neighborhood
         TCP        Subseven         Both       SubSeven Trojan

Here's a list of ports blocked by Adelphia, another major ISP. The list includes TCP 445.
80/tcp filtered http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1720/tcp filtered H.323/Q.931
4444/tcp filtered krb524
5554/tcp filtered unknown
9996/tcp filtered unknown
27374/tcp filtered subseven

This recent UseNet post claims that Comcast is blocking inbound TCP Ports 135-139 and 445, at a minimum.
Another reference says that Comcast blocks:
67, 68, 135, 137, 138, 139, 445, 512, 520, and 1080

And, no, I wouldn't rely on ISP port blocking to protect my network.

My comment still stands: the blocking is only happening inbound. I only mentioned ports 25 and 80 as the obvious ones, but I was still talking about all the common ports that have been a source of worm infection and spreading. Most notably, on all your lists, ports 135-139 and 445, along with a few extra ports unique to problems they have had on their own networks. I'm willing to bet traffic on these MS ports is still floating around between hosts on their subscriber network.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Dravic
My comment still stands: the blocking is only happening inbound. I only mentioned ports 25 and 80 as the obvious ones, but I was still talking about all the common ports that have been a source of worm infection and spreading. Most notably, on all your lists, ports 135-139 and 445, along with a few extra ports unique to problems they have had on their own networks. I'm willing to bet traffic on these MS ports is still floating around between hosts on their subscriber network.

It's common practice to block the MS ports between subscribers; most ISPs will do so at the distribution layer, and many times at the access layer. It depends on the ISP and their policies, though.
 

skyking

Lifer
Nov 21, 2001
22,220
5,082
146
Originally posted by: RebateMonger
Call me old fashioned, but I'll stick my neck out here and state that simply having NAT turned on, and NO ports being forwarded, is actually a pretty good defense against worms.

Yes, I've had respected security gurus tell me that NAT is NOT a firewall. OK. I'll agree with that. But a simple NAT router, even today, appears to be plenty to stop those nasty worms floating around on the Internet. It's tough to attack a port if that port isn't connected to anything (i.e. no Port Forwarding enabled on the router).

Yes, there are some attacks that can get to a NAT router (like SYN flooding). But those aren't your typical worm attack methods. They're more of a DDOS attack technique. And it's tough to find even the simplest router that doesn't include Stateful Packet Inspection, which will protect against many of these kinds of attacks.

That description works fine for me.
 

blemoine

Senior member
Jul 20, 2005
312
0
0
If your common SOHO NAT router is so secure, then why are we spending all of this money on firewalls, IPSs, gateway antivirus and things like this?

You know what they say: "if it's too good to be true, it probably is."
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: blemoine
If your common SOHO NAT router is so secure, then why are we spending all of this money on firewalls, IPSs, gateway antivirus and things like this?

You know what they say: "if it's too good to be true, it probably is."
A key difference is open (forwarded) ports. A SOHO NAT router, by default, has NO open (forwarded) ports. As soon as you start allowing traffic into a network (forwarding various ports to PCs inside the network), you have to start worrying about scanning the inbound traffic, monitoring for various attacks, etc.
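
The point made in RebateMonger's posts above (a NAT router with no forwarded ports has nowhere to send an unsolicited inbound connection, and that changes once a port is forwarded) can be modelled in a few lines. This is an added example, not part of the original thread; the class name, addresses and ports are constructed, and matching replies on remote address and port is an assumption, since real routers vary.

```python
# Added illustration: minimal model of a NAT router's inbound decision.
# All names, addresses and ports below are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    flows: dict = field(default_factory=dict)     # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a WAN port and record the flow."""
        wan_port = self.next_port
        self.next_port += 1
        self.flows[(proto, wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Return the LAN destination for a WAN-side packet, or None if it is dropped."""
        flow = self.flows.get((proto, wan_port, remote_ip, remote_port))
        if flow:
            return flow  # reply to a connection that a LAN host started
        # No matching flow: only a static port forward can deliver it.
        return self.forwards.get((proto, wan_port))


def demo():
    router = NatRouter("203.0.113.10")
    results = {}
    # Unsolicited connection to TCP 445 (the Sasser port named in the thread):
    # no flow and no forward, so there is no LAN host to hand it to.
    results["probe_445_default"] = router.inbound("tcp", "198.51.100.7", 51000, 445)
    # A LAN PC browses a web server; the server's reply matches the recorded flow.
    wan_port = router.outbound("tcp", "192.168.1.20", 50123, "198.51.100.80", 80)
    results["reply"] = router.inbound("tcp", "198.51.100.80", 80, wan_port)
    # A different remote host aiming at the same WAN port matches nothing.
    results["other_host"] = router.inbound("tcp", "198.51.100.7", 80, wan_port)
    # Once 445 is forwarded, the same unsolicited connection reaches the PC.
    router.forwards[("tcp", 445)] = ("192.168.1.20", 445)
    results["probe_445_forwarded"] = router.inbound("tcp", "198.51.100.7", 51000, 445)
    return results


if __name__ == "__main__":
    for name, destination in demo().items():
        print(f"{name}: {destination}")
```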
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: blemoine
If your common SOHO NAT router is so secure, then why are we spending all of this money on firewalls, IPSs, gateway antivirus and things like this?

You know what they say: "if it's too good to be true, it probably is."

I don't understand your question?

NAT is just one of many security tools used. There is no magic technology that protects against all threats.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
Originally posted by: spidey07
I don't understand your question?
That is because you have an "apparent disability": you actually understand the technology :thumbsup: while others are playing with words. :thumbsdown:

blemoine.

If I give you $1, you can say: "Jack Gave me money"

If I give you $1000, you can say: "Jack Gave me money"

The fact that you are using the exact same phrases on the two occasions does not mean that $1=$1000.

You are doing similar use with the word security.

:sun:
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
Sorry, I just have to conclude that this thread is totally lame---shedding much heat but no light.

There is a famous quote from J.J. Thomson featured in various Halliday and Resnick physics books---to the effect that if you can not put a reliable number on something you know nothing about it.

But I very much suspect that if $1.00 equals no internet security and $1,000 dollars equals complete security---NAT security is worth about $1.50--and maybe a whole three bucks with stateful packet inspection. A lame one way firewall like the SP2 one is maybe worth $15.00---with a better two way configurable firewall maybe worth $40.00.

I also doubt that many layers plus a security aware computer User will ever get us up to even $500.00---as we may all painfully find out in the future. The malware writer is always a step ahead.

But even a reliable numerical comparison of a software firewall vs. NAT might make some progress on this thread---past just gut guesses.

I will be the first to admit my numbers are based on nothing---do any have more reliable numbers?---and the data to back them up?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
Originally posted by: Lemon law
Sorry, I just have to conclude that this thread is totally lame---shedding much heat but no light.
This is very true not just for this thread but for many other threads as well.

Most Network issues are multifaceted, and unless you define all (or at least most) of the Variables there is no real answer.

Like the most prevalent posting in the last few months: "What is the best Wireless Router that can be used by a house full of users?"

Later on in such a Thread you are told: "Take into consideration that there are 30 users, and 20 of them are using BT 24/7."

And oh yeah the connection is 1.5Mb/sec. DSL. and the Router has to cost less than $50.
------------------------------

Back to this thread.

The original question was: "Can Software firewall protect against worms such as sasser?"

The answer: probably not.

Why probably? Because you can set up a system with specially designed means and software that would protect you from sasser per se.

Then in the body of the post, the OP made the statement: "I was thinking that most people use a router rather than ICS due to NAT to protect us against worms."

Hmm.. When I saw this statement, I emotionally vacillated between laughing and crying.

I guess that the rest of the serious participants (depending on where they are coming from) tried to present their perspective of the issue as it reflects on their systems.

:sun:
 

sumyungai

Senior member
Dec 28, 2005
344
0
0
Another reason why I created this thread was that I was in a predicament recently. My friend's router went bad due to high traffic from BitTorrent. He's in a financial rut and therefore cannot afford to spend $200 on a commercial grade router, nor does he have a spare computer to run m0n0wall on. My temporary fix for him was to use ICS connected to a switch to network the rest of his computers together. Now he doesn't have to worry about any overheating routers due to high traffic, and the only thing I can think of that would be an issue in this situation, since he already has a software firewall and anti-virus running, would be infection from future sasser type worms.

I hope this clarifies things a bit.
 