rec.autos.simulators

To all the Zone Alarm 'victims' out there...

Schum

To all the Zone Alarm 'victims' out there...

by Schum » Sun, 25 Nov 2001 17:53:26

Hi Don,

It's not that your router will not have enough "flexibility" per se, as the
issue is how many ports you can have "mapped" based on the small amount of
memory those routers contain. Meaning... you are basically running a
mini-DHCP server on those routers. That DHCP capability requires memory (to
hold the algorithms to even perform such a task) as well as memory for
holding the "customizations" you desire. Those customizations traditionally
are "Port Mapping Tables".

If you play only a couple of games that use limited ports, you'll be fine.
However, if your games/apps require a large number of ports (and port
ranges)... you'll reach a critical plateau of what you can do... since you
are now limited in the total number of ports you can map.

This plateau is the sole reason why the DMZ (short for DeMilitarized Zone)
concept exists on those routers. The concept is simple... we have limited
memory to house/store the port mapping tables... so we assign a small
portion of the memory for a "master rule" which basically tells the router
"If it isn't in the port mapping table... forward it to the DMZ for
processing/handling".

However, this can have grave security issues... since the DMZ is a "High
Level Rule" that basically renders your "NAT firewall properties" null &
void. The reason behind this is simple... your NAT "Firewall" isn't really
a firewall at all. In fact... all it does is rely on the fundamentals of how
a hacker would enter your system.

Meaning:

For a person to enter your system.. he needs to be "let in". This means he
has to first find a "Port" that is open. If the port is open, and there is a
process handling/listening for requests on that port... it will send back a
"return handshake". After the handshake is established... the hacker can
pass data to the process that is listening (he now has a process that is
willing to listen to him), and if the hacker knows a specific vulnerability
in that particular process... he can exploit the system.

So... all the NAT is doing is basically not replying, unless it is in the
port mapping table. No reply = no entry possibilities. The funnier thing
is... your computer already functions this way!

This is also why I find it somewhat comical that Zone Alarm even tells
people about outside requests on ports. I mean... @Home itself (the ISP) is
known to scan certain ports on its own customers to ensure that they are not
hosting servers (like FTP servers), which is a violation of their Licensing
Agreement. You can scan a computer until the cows come home, and even pound
on the door as hard as possible (regardless of OS)... it has no effect
unless something on your puter REPLIES, and then (only then) the hacker must
now hope that the replying program has a vulnerability that he is aware of.

All Zone Alarm does is rely on the ignorance of its users to form a false
sense of security and need. I mean... how many times in here have I heard
guys say "Oh thank goodness I have Zone Alarm... I had 50 attempts to get
into my system just last week... Zone Alarm told me so!". It is simply
purposely invoked hysteria by Zone Alarm to try to up their value/need in
the end user's eyes. Zone Alarm is about as useful as an Ice Salesman at the
North Pole. If you have given Zone Alarm permission to allow programs to
listen on ports, and those programs have vulnerabilities.... Zone Alarm is
100% useless.

Think about it... you give access to ICQ to listen on ports (because Zone
Alarm prompted you, identified ICQ as the requesting program to open
the port for, and you said YES)... Say now that ICQ has a vulnerability...
THAT is where the hacker attacks... the PROGRAM. It's the same thing with
email... you open ports 25 and 110 for email. After that... anything that
comes through those ports is allowed (directed to the email prog); if the email
prog has a vulnerability... Zone Alarm is useless... and the attacker gets
in.

Basically, a hacker can beat on the door all day long, and not get anywhere,
since he is not getting a "return handshake" since nothing is listening on
that port. COMPUTERS are not vulnerable to attack... PROCESSES/PROGRAMS are.

So... knowing this... the moment you set up a DMZ (because of the memory
limitations inherent in 99% of the Home Based Routers on the market)... is
the moment that you tell the router to "ship it off to the afore-told
computer for processing" (or lack thereof). This is also why it is called a
"DeMilitarized Zone"... since that is exactly the effect it has on
security... it is a security detour of sorts.

This is why I call all hardware home routers "limited". They don't really do
much, except allow basic functionality. A software proxy on another
machine is far more robust, and still possesses all of the security features
(and more) of hardware routers.

Cheers,
Schumi




> >Do you mean "NAT Routers". Like Linksys, etc.?

> >If so... they have limited memory capabilities, so mapping ports will reach
> >a maximum. Which is something to be concerned about if you play more than 1
> >game on different ports, or the game uses a broad-spectrum port range.

> >The only alternative left with many of them is to assign your Gamebox as the
> >DMZ... which basically forwards all ports not listed in the Port Mapping
> >table to your gamebox... which in turn means that your NAT security (which
> >is of little consolation) is null & void.

> >But we may be talking about different things.

> Hey Jason. Glad we're on this subject. I just bought a D-Link DI-704 (combo
> switch, router, NAT firewall) to network two home computers. I have yet to get the
> fricking thing to work with my @Home cable connection. But assuming I one day
> figure it out, it seems highly configurable. You're suggesting it won't have
> enough flexibility? What's the way to go without buying additional IP
> addresses?

> --
> Don Scurlock
> Vancouver, B.C.

> GPLRank     -15.27
> MonsterRank  91.34

> Come see how you rank, at the GPLRank site
> http://www.racesimcentral.net/
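The port-mapping-table versus DMZ argument in the post above, worked through as an added Python model (example code written for this page, not Schum's or any router vendor's): the table capacity, host names and port numbers are constructed, and the model shows that an unmapped port simply gets no reply, while a DMZ host has every one of its listening processes exposed.

```python
"""Model of a small home NAT router (added example, not from the original post):
a fixed-size port-mapping table, an optional DMZ host, and the rule that an
unsolicited inbound packet with no matching rule is silently dropped."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Socket = Tuple[str, int]  # (protocol, port)


@dataclass
class HomeRouter:
    # Constructed figure standing in for the router's limited rule memory.
    capacity: int = 8
    mappings: Dict[Socket, str] = field(default_factory=dict)
    dmz_host: Optional[str] = None

    def add_mapping(self, proto: str, first: int, last: int, host: str) -> bool:
        """Map an inclusive external port range to an internal host.

        Returns False and leaves the table unchanged when the range does not
        fit in the remaining entries: the 'plateau' the post describes.
        """
        needed = last - first + 1
        if needed <= 0 or len(self.mappings) + needed > self.capacity:
            return False
        for port in range(first, last + 1):
            self.mappings[(proto, port)] = host
        return True

    def route_inbound(self, proto: str, port: int) -> Optional[str]:
        """Internal host that receives an unsolicited inbound packet.

        None means no rule matched and the router does not reply at all.
        With a DMZ host set, the 'master rule' sends everything else there.
        """
        return self.mappings.get((proto, port), self.dmz_host)


def reachable_listeners(router: HomeRouter,
                        listeners: Dict[str, Set[Socket]]) -> Dict[str, Set[Socket]]:
    """Listening sockets on each internal host that an outsider can reach.

    A packet only gets a 'return handshake' when the router forwards it to a
    host AND that host has a process listening on the port; only those
    processes can be attacked, whatever the router's marketing says.
    """
    return {
        host: {sock for sock in socks if router.route_inbound(*sock) == host}
        for host, socks in listeners.items()
    }


# Constructed sample network: a game PC and a Linux server behind the router.
LISTENERS: Dict[str, Set[Socket]] = {
    "gamebox": {("tcp", 27000), ("tcp", 27001), ("tcp", 21), ("tcp", 139)},
    "linux":   {("tcp", 80), ("udp", 53)},
}


def scenario():
    """Walk through the post's argument; returns the intermediate results."""
    router = HomeRouter(capacity=8)
    # Two game ports fit in the table...
    game_ports_ok = router.add_mapping("tcp", 27000, 27001, "gamebox")
    # ...but a second title wanting a 16-port range does not: the plateau.
    voice_ports_ok = router.add_mapping("udp", 27000, 27015, "gamebox")

    before_dmz = reachable_listeners(router, LISTENERS)
    # The usual 'fix': make the game PC the DMZ host.
    router.dmz_host = "gamebox"
    after_dmz = reachable_listeners(router, LISTENERS)
    return game_ports_ok, voice_ports_ok, before_dmz, after_dmz


if __name__ == "__main__":
    ok1, ok2, before, after = scenario()
    print("game mapping accepted:", ok1, "| 16-port range accepted:", ok2)
    print("reachable without DMZ:", before)
    print("reachable with DMZ:   ", after)
```

With the DMZ set, the FTP server and file sharing on the game PC become reachable although nobody ever mapped ports 21 or 139; the Linux box, which is neither mapped nor the DMZ host, stays unreachable either way.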

Schum

To all the Zone Alarm 'victims' out there...

by Schum » Sun, 25 Nov 2001 18:01:02

The router is basically just not replying to the requester. Your computer
does the exact same thing mate... even without a firewall prog installed.

I wouldn't use Zone Alarm's "outside access request!" as a gauge for
"hackers". It simply isn't correct. You are no more/less safe behind that
router mate... trust me on this. In fact... I lean towards the "less safe"
side of the stick, if you have been lulled into a false sense of security
and removed your virus/firewall progs..

That router doesn't have a firewall... it simply relies on the fundamentals
of NAT and Proxy logistics/protocol. The moment you forward a port on that
router, is the moment those alerts will come back...

In most cases it (request) is a *wild* virus on the net, and it is looking
for certain programs on certain ports, with certain vulnerabilities in those
certain programs. Doesn't mean that had you not had that firewall/router up
and running, that you'd be infected/compromised.

Not an attack or condescending in intent... just don't rely on that router
to protect you under certain circumstances, or ANY firewall prog for that
matter.

Cheers,
Schumi

Tim

To all the Zone Alarm 'victims' out there...

by Tim » Sun, 25 Nov 2001 23:12:50



[snip]

No problem... From what you and Todd are saying though, the concerns
really seem more trojan related than anything. To me, that says "know
what you're downloading" more than it says make sure you have your
system secured from the outside.

Tim

imaswinge

To all the Zone Alarm 'victims' out there...

by imaswinge » Mon, 26 Nov 2001 01:11:49

I use a 5 port hub right now, since I get an IP every time I plug a computer
in (I have ethernet right to the wall where I live).  I have a Linux server
running DMS and Web (and hopefully mail one day if I can get it to work :-),
and then 3 Windows boxes behind it.  Except right now, they're not 'behind'
it, they're all side by side, if that makes any sense.  I was going to get a
second NIC and set up my Linux box as the frontal computer and as a router
and 'hide' my other computers behind it.  Then I heard that people are
buying routers that seem to do this for you.
But it seems as though you're saying the Linux router/firewall is the better
way to go...
So, in my situation it makes more sense to buy a NIC and spend a weekend
setting it up, rather than get a router, right?  And last question, will I
see an increase in puter-puter performance between my Windows boxes since
I'm not getting all the 'noise' traffic of the rest of the people in my
building? Or would that only be with a router/switch (hardware)?
thanx,
Curtis



Jens H. Kruus

To all the Zone Alarm 'victims' out there...

by Jens H. Kruus » Mon, 26 Nov 2001 07:26:54

And an excellent FAQ for Tiny (get a cup of coffee and put more paper in
your printer - it's long):

http://www.tpffaq.com/cgi-bin/faqmanager.cgi



imaswinge

To all the Zone Alarm 'victims' out there...

by imaswinge » Mon, 26 Nov 2001 10:18:00

uh, my linux server is running DNS, not DMS ;-)

Joakim Lauridse

To all the Zone Alarm 'victims' out there...

by Joakim Lauridse » Tue, 27 Nov 2001 19:27:59


Yes, I was talking about Tiny, and it means that I use one computer to
connect to my ISP, and connect to the Internet through that connection via a
LAN network. When I looked into firewalls, Tiny said they didn't support
that, so I picked ZA at that time. I'm not not satisfied, but I would like
something better.

Joakim

Don Jenning

To all the Zone Alarm 'victims' out there...

by Don Jenning » Wed, 28 Nov 2001 10:25:48

"Joakim Lauridsen" wrote ...

Then let me ask another question, does Tiny protect your main unit and not
protect the 2nd, or does it prevent protection of both?

Schum

To all the Zone Alarm 'victims' out there...

by Schum » Wed, 28 Nov 2001 16:07:04

I would suggest the second NIC on your Linux box... plug the existing one
into the wall... then the second NIC to the hub... match the IPs on all
Windoze puters to the "192.168.0.xxx" subnet, and set the Linux Box's IP as
the gateway for your other machines.

Meaning:

Box 1 (Linux Server) NIC #1: ISP assigned IP -- Plugged into wall
Box 1 (Linux Server) NIC #2: 192.168.0.1 -- Plugged into Hub
Box 2 (Windoze) NIC #1: 192.168.0.2 -- Gateway: 192.168.0.1 -- Plugged into Hub
Box 3 (Windoze) NIC #1: 192.168.0.3 -- Gateway: 192.168.0.1 -- Plugged into Hub
Etc.

Then set up the Linux box to Masquerade IPs. This will allow you to pass
through the Linux box (on your Windoze machines), and the ISP will think
that just 1 box is requesting info.

Your Linux box will then allow you infinitely more flexibility and security
than any router out there.

BTW... I ALWAYS suggest a Switch as opposed to a Hub. You can get the home
versions (D-Link has a half decent 8 port one for a nice price). The Switch
will always perform better, and if you tend to use those other computers at
the same time, the Switch is certainly the way to go.

Cheers,
Schumi


Schum

To all the Zone Alarm 'victims' out there...

by Schum » Wed, 28 Nov 2001 16:15:57

That is basically it Tim.

In fact I'll share something I do on all my Windoze boxes during
"post-installation" setup.

Open Windows Explorer (not Internet Explorer)... and select:

Tools>Folder Options.

Basically, Windoze has changed this menu selection around a bit since
Windows 98 -through- XP.

What you are trying to find is "File Types".

This is where you map a program as the owner-of-sorts to a certain file
extension. (example: you'll have ".doc" assigned to MS Word.)

You want to find the ".vbs" file extension. It will be mapped to
"wscript.exe". Change that mapping to something like "notepad.exe".

That will then force any file that is executed (by any means) with the .vbs
file extension, to be opened by NotePad. Which is harmless, since notepad
cannot properly execute a Visual Basic Script file.

You have just removed the ability to launch a VAST number of viruses on your
system (even if they get in), and unless you are a Visual Basic Programmer
lacking 3rd party tools to test such files, it will not affect your system
in any way.

Cheers,
Schumi




> >Not an attack or condescending in intent... just don't rely on that router
> >to protect you under certain circumstances, or ANY firewall prog for that
> >matter.

> [snip]

> No problem... From what you and Todd are saying though, the concerns
> really seem more trojan related than anything. To me, that says "know
> what you're downloading" more than it says make sure you have your
> system secured from the outside.

> Tim
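The File Types change Schum describes above is a registry edit: Explorer looks up the extension's file type, then that type's "open" command. The script below, an added example that is not code from the thread, audits that mapping from the text output of the cmd.exe commands `assoc` and `ftype` rather than touching the registry, so it runs on any machine. It generalizes the post's .vbs case to the other extensions the Windows Script Host runs by default (.vbe, .js, .jse, .wsf, .wsh), and the two sample listings are constructed to look like a default Windows XP box on which only .vbs has already been redirected to Notepad, the way the post recommends.

```python
"""Audit which script extensions still open through the Windows Script Host.

Added example (not from the original thread). It parses the text output of
`assoc` and `ftype` from cmd.exe; the samples below are constructed, and the
remediation lines it produces are the cmd.exe commands you would run to make
the same change the post makes through Explorer's File Types dialog.
"""
import re

# Extensions that wscript.exe/cscript.exe execute by default. The post only
# mentions .vbs; the others are the same exposure.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# Programs that actually run a script when they are the "open" handler.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample of `assoc` output: extension=file type.
SAMPLE_ASSOC = """
.doc=Word.Document.8
.js=JSFile
.jse=JSEFile
.txt=txtfile
.vbe=VBEFile
.vbs=VBSFile
.wsf=WSFFile
.wsh=WSHFile
"""

# Constructed sample of `ftype` output: file type=open command. VBSFile has
# already been pointed at Notepad as the post suggests; the rest are stock.
SAMPLE_FTYPE = r"""
JSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
VBSFile=%SystemRoot%\system32\NOTEPAD.EXE "%1"
WSFFile="%SystemRoot%\System32\WScript.exe" "%1" %*
WSHFile="%SystemRoot%\System32\WScript.exe" "%1" %*
"""


def parse_kv_lines(text):
    """Parse `name=value` lines (the shape of both `assoc` and `ftype` output).
    Keys are lower-cased because both commands are case-insensitive."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        table[name.strip().lower()] = value.strip()
    return table


def handler_executable(command):
    """Lower-case basename of the program in an `ftype` open command,
    whether or not the path is quoted (e.g. 'wscript.exe')."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    prog = (m.group(1) or m.group(2)) if m else ""
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_mappings(assoc_text, ftype_text):
    """For each script extension: (file type, handler program, still_live),
    where still_live means Explorer would hand the file to a script host."""
    assoc = parse_kv_lines(assoc_text)
    ftypes = parse_kv_lines(ftype_text)
    report = {}
    for ext in SCRIPT_EXTENSIONS:
        ftype = assoc.get(ext)
        command = ftypes.get(ftype.lower(), "") if ftype else ""
        prog = handler_executable(command)
        report[ext] = (ftype, prog, prog in SCRIPT_HOSTS)
    return report


def remediation_commands(assoc_text, ftype_text, safe_handler="notepad.exe"):
    """cmd.exe `ftype` lines that redirect every still-live script type to a
    harmless viewer, mirroring the Explorer change in the post."""
    cmds = []
    for ext, (ftype, prog, live) in script_host_mappings(assoc_text, ftype_text).items():
        if live:
            cmds.append(f'ftype {ftype}={safe_handler} "%1"')
    return cmds


if __name__ == "__main__":
    for ext, (ftype, prog, live) in script_host_mappings(SAMPLE_ASSOC, SAMPLE_FTYPE).items():
        print(f"{ext:5} -> {ftype or '(none)':8} -> {prog or '(none)':12} {'STILL LIVE' if live else 'ok'}")
    for cmd in remediation_commands(SAMPLE_ASSOC, SAMPLE_FTYPE):
        print(cmd)
```

On the constructed sample the report shows .vbs already pointing at Notepad while .vbe, .js, .jse, .wsf and .wsh still go to WScript, which is the gap a .vbs-only change leaves. The caveat a practitioner should keep in mind: this only changes what Explorer and ShellExecute do with a double-click or an attachment; anything that invokes `wscript.exe script.vbs` or `cscript.exe` by name still runs the script.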

Joakim Lauridse

To all the Zone Alarm 'victims' out there...

by Joakim Lauridse » Wed, 28 Nov 2001 18:50:50


I don't know. When I read that Tiny didn't support it, I moved on. But as I
understand it, the second unit is not vulnerable to attacks from the outside
as long as it doesn't have its own IP, so unless it gets a trojan, it's
safe. And a good Virus checker I guess will check for that. I use ZA and
InoculateIT on the unit that is directly connected, and only InoculateIT on
the second one. But as I said, ZA has to be shut down when driving online
via Vroc, so it's not ideal.

Joakim

Eldre

To all the Zone Alarm 'victims' out there...

by Eldre » Thu, 29 Nov 2001 03:59:54



>Agreed.  Tiny Firewall is great.  One of the few f/w's behind which you can
>host a VROC race, NP.

I couldn't use it and connect to a VROC race.  I tried to connect - it wouldn't
let me, which I expected.  But, I couldn't back out of the connection
gracefully.  It locked my system, and I had to reset it.  I couldn't alt-tab to
the Tiny Firewall window to tell it to allow the connection.  And, I haven't
found where to "add" GPL in the TF configuration.  What's up with that??

Eldred
--
Dale Earnhardt, Sr. R.I.P. 1951-2001
Homepage - http://www.umich.edu/~epickett
GPLRank - under construction...

Never argue with an idiot.  He brings you down to his level, then beats you
with experience...
Remove SPAM-OFF to reply.

Jens H. Kruus

To all the Zone Alarm 'victims' out there...

by Jens H. Kruus » Thu, 29 Nov 2001 04:14:16




Smith"

> >Agreed.  Tiny Firewall is great.  One of the few f/w's behind which you can
> >host a VROC race, NP.

> I couldn't use it and connect to a VROC race.  I tried to connect - it wouldn't
> let me, which I expected.  But, I couldn't back out of the connection
> gracefully.  It locked my system, and I had to reset it.  I couldn't alt-tab to
> the Tiny Firewall window to tell it to allow the connection.  And, I haven't
> found where to "add" GPL in the TF configuration.  What's up with that??

Firewall Administration -> Advanced -> Add

These settings work for me: http://www.simracing.dk/kruuse/tiny.gif

Could possibly be trimmed a bit?

/Jens

Dave Henri

To all the Zone Alarm 'victims' out there...

by Dave Henri » Thu, 29 Nov 2001 04:19:04

  The uspits.com had a page on setting up firewalls and featured Tiny I
thought.  check out there, Jan may have mentioned this....(didn't read it so
I don't know...)<<chocko CHING another plug for the Pits=more virtual cash>>
dave henrie



> >Agreed.  Tiny Firewall is great.  One of the few f/w's behind which you can
> >host a VROC race, NP.

> I couldn't use it and connect to a VROC race.  I tried to connect - it wouldn't
> let me, which I expected.  But, I couldn't back out of the connection
> gracefully.  It locked my system, and I had to reset it.  I couldn't alt-tab to
> the Tiny Firewall window to tell it to allow the connection.  And, I haven't
> found where to "add" GPL in the TF configuration.  What's up with that??

> Eldred
> --
> Dale Earnhardt, Sr. R.I.P. 1951-2001
> Homepage - http://www.umich.edu/~epickett
> GPLRank - under construction...

> Never argue with an idiot.  He brings you down to his level, then beats
you
> with experience...
> Remove SPAM-OFF to reply.

imaswinge

To all the Zone Alarm 'victims' out there...

by imaswinge » Thu, 29 Nov 2001 05:08:09

Thanx!  that doesn't sound so bad at all...

Curtis

"Schumi" <ja...@relaygames.com> wrote in message

news:sYGM7.70130$Ud.3405076@news1.rdc1.bc.home.com...
> I would suggest the second NIC on your Linux box... plug the existing one
> into the wall... then the second NIC to the hub... match the IPs on all
> Windoze puters to the "192.168.0.xxx" subnet, and set the Linux Box's IP as
> the gateway for your other machines.

> Meaning:

> Box 1 (Linux Server) NIC #1: ISP assigned IP -- Plugged into wall
> Box 1 (Linux Server) NIC #2: 192.168.0.1 -- Plugged into Hub
> Box 2 (Windoze) NIC #1: 192.168.0.2 -- Gateway: 192.168.0.1 -- Plugged into Hub
> Box 3 (Windoze) NIC #1: 192.168.0.3 -- Gateway: 192.168.0.1 -- Plugged into Hub
> Etc.

> Then set up the Linux box to Masquerade IPs. This will allow you to pass
> through the Linux box (on your Windoze machines), and the ISP will think
> that just 1 box is requesting info.

> Your Linux box will then allow you infinitely more flexibility and security
> than any router out there.

> BTW... I ALWAYS suggest a Switch as opposed to a Hub. You can get the home
> versions (D-Link has a half decent 8 port one for a nice price). The Switch
> will always perform better, and if you tend to use those other computers at
> the same time, the Switch is certainly the way to go.

> Cheers,
> Schumi

> "imaswinger" <imaswinger_nos...@hotmail.com> wrote in message
> news:9FPL7.13105$c4.2511718@news0.telusplanet.net...
> > I use a 5 port hub right now, since I get an ip every time I plug a computer
> > in (I have ethernet right to wall where I live).  I have a Linux server
> > running DMS and Web (and hopefully mail one day if I can get it to work :-),
> > and then 3 windows boxes behind it.  Except right now, they're not 'behind'
> > it, they're all side by side, if that makes any sense.  I was going to get a
> > second nic and setup my linux box as the frontal computer and as a router
> > and 'hide' my other computers behind it.  Then I heard that people are
> > buying routers that seem to do this for you.
> > But it seems as though you're saying the linux router/firewall is the better
> > way to go...
> > So, in my situation it makes more sense to buy a nic and spend a weekend
> > setting it up, rather than get a router, right?  And last question, will I
> > see an increase in puter-puter performance between my windows boxes since
> > I'm not getting all the 'noise' traffic of the rest of the people in my
> > building? or would that only be with a router/switch (hardware)?
> > thanx,
> > Curtis

> > "Schumi" <ja...@relaygames.com> wrote in message
> > news:aeJL7.62464$Ud.3014369@news1.rdc1.bc.home.com...
> > > Hi Don,

> > > It's not that your router will not have enough "flexibility" per se as the
> > > issue is how many ports you can have "mapped" based on a small amount of
> > > memory those routers contain. Meaning... you are basically running a
> > > mini-DHCP server on those routers. That DHCP capability requires memory (to
> > > hold the algorithms to even perform such a task) as well as memory for
> > > holding the "customizations" you desire. Those customizations traditionally
> > > are "Port Mapping Tables".

> > > If you play only a couple of games, that use limited ports, you'll be fine.
> > > However, if your games/apps require a large number of ports (and port
> > > ranges)... you'll reach a critical plateau of what you can do... since you
> > > are now limited in the total number of ports you can map.

> > > This plateau is the sole reason why the DMZ (short for DeMilitarized Zone)
> > > concept exists on those routers. The concept is simple... we have limited
> > > memory to house/store the port mapping tables... so we assign a small
> > > portion of the memory for a "master rule" which basically tells the router
> > > "If it isn't in the port mapping table... forward it to the DMZ for
> > > processing/handling".

> > > However, this can have grave security issues... since the DMZ is a "High
> > > Level Rule" that basically renders your "NAT firewall properties" null &
> > > Void. The reason behind this is simple.... your NAT "Firewall" isn't really
> > > a firewall at all. In fact... all it does is rely on the fundamentals of how
> > > a hacker would enter your system.

> > > Meaning:

> > > For a person to enter your system.. he needs to be "let in". This means he
> > > has to first find a "Port" that is open. If the port is open, and there is a
> > > process handling/listening for requests on that port... it will send back a
> > > "return handshake". After the handshake is established... the hacker can
> > > pass data to the process that is listening (he now has a process that is
> > > willing to listen to him), and if the hacker knows a specific vulnerability
> > > in that particular process... he can exploit the system.

> > > So... all the NAT is doing is basically not replying, unless it is in the
> > > port mapping table. No reply = no entry possibilities. The funnier thing
> > > is... your computer already functions this way!

> > > This is also why I find it somewhat comical that Zone Alarm even tells
> > > people about outside requests on ports. I mean... @Home itself (the ISP) is
> > > known to scan certain ports on its own customers to ensure that they are not
> > > hosting servers (like FTP servers) which is a violation of their Licensing
> > > Agreement. You can scan a computer until the cows come home, and even pound
> > > on the door as hard as possible (regardless of OS)... it has no effect
> > > unless something on your puter REPLIES, and then (only then) the hacker must
> > > now hope that the replying program has a vulnerability that he is aware of.

> > > All Zone Alarm does is rely on the ignorance of its users to form a false
> > > sense of security and need. I mean... how many times in here have I heard
> > > guys say "Oh thank goodness I have Zone Alarm... I had 50 attempts to get
> > > into my system just last week... Zone Alarm told me so!". It is simply
> > > purposely invoked hysteria by Zone Alarm to try to up their value/need in
> > > the end user's eyes. Zone Alarm is about as useful as an Ice Salesman at the
> > > North Pole. If you have given Zone Alarm permission to allow programs to
> > > listen on ports, and those programs have vulnerabilities.... Zone Alarm is
> > > 100% useless.

> > > Think about it... you give access to ICQ to listen on ports (because Zone
> > > Alarm prompted you, identified it as ICQ as the requesting program to open
> > > the port for, and you said YES)... Say now that ICQ has a vulnerability...
> > > THAT is where the hacker attacks... the PROGRAM. It's the same thing with
> > > email... you open ports 25 and 110 for email. After that.. anything that
> > > comes through those ports is allowed (directed to email prog), if the email
> > > prog has a vulnerability... Zone Alarm is useless... and the attacker gets
> > > in.

> > > Basically, a hacker can beat on the door all day long, and not get anywhere,
> > > since he is not getting a "return handshake" since nothing is listening on
> > > that port. COMPUTERS are not vulnerable to attack... PROCESSES/PROGRAMS are.

> > > So... knowing this.. the moment you set up a DMZ (because of the memory
> > > limitations inherent in 99% of the Home Based Routers on the market)... is
> > > the moment that you tell the router to "ship it off to the afore-told
> > > computer for processing" (or lack thereof). This is also why it is called a
> > > "DeMilitarized Zone"... since that is exactly the effect it has on
> > > security.... it is a security detour of sorts.

> > > This is why I call all hardware home routers "limited". They don't really do
> > > much, except allow basic functionality. A software proxy on another
> > > machine is far more robust, and still possesses all of the security features
> > > (and more) than hardware routers.

> > > Cheers,
> > > Schumi

> > > "Don Scurlock" <dscurlocknos...@home.com> wrote in message
> > > news:9162BA881dscurlock@news...
> > > > ja...@relaygames.com (Schumi) wrote in
> > > > <Q5zL7.60870$Ud.2947...@news1.rdc1.bc.home.com>:

> > > > >Do you mean "NAT Routers". Like Linksys, etc.?

> > > > >If so... they have limited memory capabilities, so mapping ports will reach
> > > > >a maximum. Which is something to be concerned about if you play more than 1
> > > > >game on different ports, or the game uses a broad-spectrum port range.

> > > > >The only alternative left with many of them is to assign your Gamebox as the
> > > > >DMZ... which basically forwards all ports not listed in the Port Mapping
> > > > >table to your gamebox... which in turn means that your NAT security (which
> > > > >is of little consolation) is null & void.

> > > > >But we may be talking about different things.

> > > > Hey Jason. Glad we're on this subject. I just bought a D-Link DI-704 (combo
> > > > switch, router, NAT firewall) to network two home computers. I have yet to
> > > > get the fricking thing to work with my @Home cable connection. But assuming I
> > > > one day figure it out, it seems highly configurable. You're suggesting it won't
> > > > have enough flexibility? What's the way to go without buying additional IP
> > > > addresses?

> > > > --
> > > > Don Scurlock
> > > > Vancouver,B.C.

> > > > GPLRank     -15.27
> > > > MonsterRank  91.34

> > > > Come see how you rank, at the GPLRank site
> > > > http://newgplrank.schuerkamp.de/
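Schumi's quoted explanation above (to Don, and again in the reply to Curtis about masquerading on a Linux box) makes one claim worth seeing in code: a NAT router drops unsolicited inbound packets unless a table entry says where to send them, so a port scan gets nothing back, and a DMZ rule turns every listening program on the DMZ host into something the scanner can reach. The model below is an added example, not code from the thread. It builds a small router with a fixed-size port-forward table (the "limited memory"), masquerade sessions created by outbound traffic, and an optional DMZ host, then sweeps all 65535 TCP ports from an outside address to see which LAN services answer. The address-restricted reply check (a reply is only accepted from the exact remote the session was opened to) is an assumption; consumer routers of that era differed on it. All addresses, ports and listening services are constructed.

```python
"""Model of a home NAT router's port-mapping table and DMZ rule.

Added example (not from the original thread). Masquerade sessions, a small
static port-forward table and a DMZ host are modelled as the posts describe
them; the address-restricted reply check is an assumption. IPs, ports and
the LAN_LISTENERS table are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, wan_ip, max_forwards=8, dmz_host=None):
        self.wan_ip = wan_ip
        self.max_forwards = max_forwards  # the "limited memory" for the mapping table
        self.dmz_host = dmz_host          # None means no DMZ rule
        self.forwards = {}                # (proto, wan_port) -> (lan_ip, lan_port)
        self.sessions = {}                # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self._next_port = 40000           # masquerade port allocator

    def add_port_forward(self, proto, wan_port, lan_ip, lan_port):
        """Static port-mapping entry; the table is full once max_forwards is hit."""
        if len(self.forwards) >= self.max_forwards:
            raise MemoryError("port mapping table full")
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the router's address (masquerading)
        and remember the session so the reply can be routed back."""
        wan_port = self._next_port
        self._next_port += 1
        self.sessions[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """WAN -> LAN. Returns (verdict, lan_ip, lan_port) with verdict one of
        'reply' (matches a session), 'forwarded' (static entry), 'dmz', 'dropped'."""
        key = (pkt.proto, pkt.dst_port)
        if key in self.sessions:
            lan_ip, lan_port, remote_ip, remote_port = self.sessions[key]
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return ("reply", lan_ip, lan_port)
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            return ("forwarded", lan_ip, lan_port)
        if self.dmz_host is not None:
            return ("dmz", self.dmz_host, pkt.dst_port)
        return ("dropped", None, None)


def exposed_services(router, lan_listeners, scanner=("203.0.113.7", 51234)):
    """Sweep every TCP port on the WAN address the way a scanner would and return
    the set of (lan_ip, port) services that end up with a listening program,
    i.e. the ones an outside attacker can actually talk to."""
    reachable = set()
    for port in range(1, 65536):
        verdict, lan_ip, lan_port = router.inbound(Packet(scanner[0], scanner[1], router.wan_ip, port))
        if verdict in ("forwarded", "dmz") and lan_port in lan_listeners.get(lan_ip, ()):
            reachable.add((lan_ip, lan_port))
    return reachable


# Constructed: what each LAN box has listening. .2 is the "gamebox".
LAN_LISTENERS = {
    "192.168.0.2": {139, 5000, 8080},
    "192.168.0.3": {139},
}


def demo():
    """Same LAN and same single port forward, with and without a DMZ host."""
    plain = NatRouter("198.51.100.2", max_forwards=4)
    plain.add_port_forward("tcp", 8080, "192.168.0.2", 8080)
    dmz = NatRouter("198.51.100.2", max_forwards=4, dmz_host="192.168.0.2")
    dmz.add_port_forward("tcp", 8080, "192.168.0.2", 8080)
    return exposed_services(plain, LAN_LISTENERS), exposed_services(dmz, LAN_LISTENERS)


if __name__ == "__main__":
    without, with_dmz = demo()
    print("exposed without DMZ:", sorted(without))
    print("exposed with DMZ:   ", sorted(with_dmz))
```

Without the DMZ the sweep reaches only the one forwarded service; with the gamebox as DMZ every port it listens on is reachable, while the other box stays hidden because nothing maps to it. The same logic is what Linux masquerading gives you: outbound connections create the session entries, and the static table is whatever forwards you choose to add, with no small fixed limit pushing you toward a DMZ.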


rec.autos.simulators is a usenet newsgroup formed in December, 1993. As this group was always unmoderated there may be some spam or off topic articles included. Some links do point back to racesimcentral.net as we could not validate the original address. Please report any pages that you believe warrant deletion from this archive (include the link in your email). RaceSimCentral.net is in no way responsible and does not endorse any of the content herein.