"Disconnect" from Web using DSL

On Sun, 06 Nov 2011 12:59:58 -0500, 98 Guy wrote:

snip
I said that firewall software running on win-98 was useless.

I asked you if KPF running on your win-98 system has ever detected and
stopped malware from making a connection to the internet.

You came back and started talking about your experience with KPF on XP.

You have done nothing to change my opinion that there are simply no
threats to win-98 systems to be found on the web that makes it worth
while to run firewall software.

Hello,

I seem to remember that in another post you indicated that there are
no threats *if* they are behind a NAT router. What are the threats if
they are *not* behind a NAT router? Any that made the news?

Thank you.
Geo

(Posted using Free Agent on Win 3.1)

"GEO" wrote in -
september.org:

I seem to remember that in another post you indicated that there are
no threats *if* they are behind a NAT router. What are the threats if
they are *not* behind a NAT router? Any that made the news?


I doubt the news would tell us if they had. We don't get told the methods
used when govt or banking sites get hacked. But as they usually have to start
with malformed packets to find some crack in the armour, it's safe to assume
that NAT would make it harder, and that DMZ would make it easier. Some people
find network routing hard to do, so many may just set their routers to DMZ
for some machine so it appears to work better online. It's better to do
port forwarding (on unusual high numbered ports) to keep port scanners from
getting easy pickings, but not many people will do this. I bet many govt
sysadmins aren't too savvy at times either.

As port forwarding IS often needed as part of NAT setups, this is why I
strongly recommend a firewall like LnS. By setting a rule for a specific
program, that sets active that port ONLY when that program runs and needs the
port, that port will be as firmly unavailable to a port scanner when the
program isn't running, as if NAT never had it forwarded in the first place.
It's like fencing or boxing, a machine keeps its guard secure except when it
must reach through that guard. Without a good firewall, even with NAT, a
machine is sitting waiting to be hit by a patient invader if there is no way
to open or block ports based on local program needs from moment to moment.
LnS gives that much security, and makes ti so easy we rarely need to think
about it after we set it up.

"\"GEO\" wrote:

I seem to remember that in another post you indicated that there are
no threats *if* they are behind a NAT router. What are the threats if
they are *not* behind a NAT router? Any that made the news?

Here's my experience.

Between July 2000 and December 2005, our office had a dedicated IP
subnet for our connection to the internet. We had an allocation of 64
IP addresses, and each and every computer had it's own routable IP
address. There was no NAT-router in this picture. We had a mix of
computers in the office, about a dozen running win-98, 2 or 3 running
NT4, 3 or 4 running Win-2K (we did not really start running XP in our
office until 2006, and even then only a couple of developer systems).

This was arguably the most vulnerable time to be running win-98, given
that it was still being run on many computers at home and in offices
around the world and therefore was a target for malware writers.

None of our win-98 computers ran firewall software. They did run Norton
Anti-virus, but hardly ever detected anything (what-ever they did detect
came as e-mail attachments).

None of the win-98 computers were "infected" by network worms during
this time, but several of our NT4 and Win-2K computers were.

When you're talking about firewalls and NAT routers, there are two
different aspects to consider: In-bound fire-walling and out-bound
fire-walling. A software firewall running on a computer can perform
both types of protection. A NAT-router is by default an in-bound
firewall only.

So a NAT-router can prevent vulnerable machines from being exposed to
network worms (of which there were about 3 or 4 different worms deployed
by hackers during the time-frame 2000 - 2005). Since we did not have
NAT-routing on our LAN, we were vulnerable to those worms, and like I
said, several of our NT4 and Win-2K machines was hit by some of them.
None of our Win-98 machines were.

All the reading I've done about these worms also indicates that win-98
was not vulnerable to these worms. Hence to answer your question about
running win-98 with no firewall software and no NAT-router, my answer
would be that win-98 has never been vulnerable to any known network
worm, and hence a NAT-router provides *no known* protective benefit for
Windows 98.

That said, every unsolicited packet that hits your computer requires
some CPU processing time for the computer to deal with, so from an
efficiency POV there are advantages in keeping unsolicited packets from
getting past your modem into your local LAN.

And one last thing. Your question is posed as if you have the option
(or the desire) to connect a win-98 machine to the internet without
using a NAT-router. That course of action is highly suspect, or at
least is atypical, because (a) it would be unusual to find a
consumer-grade modem in current use that does not impliment NAT-routing,
and (b) you can only connect one device to the internet if you don't
have (or if you turn off) your modem's NAT funtions - something that
many home and soho situations would find unacceptable. You would not be
able to have wifi, for example, without NAT-routing also being
implimented.

Lostgallifreyan wrote:

What are the threats if they are *not* behind a NAT router?
Any that made the news?

I doubt the news would tell us if they had.

Wrong.

What a bone-head statement.

There are many sources of information and third parties that do nothing
else but perform threat analysis and network reconnaissance and publish
their results on a daily or weekly basis.

They go into great detail to explain the conditions by which newly
discovered threats interact with systems to gain entry and control over
them. They enumerate which operating systems are vulnerable to which
newly-discovered threats (worm, trojan, virus, etc).

We don't get told the methods used when govt or banking
sites get hacked.

Not knowing how any given site or company was comprimized doesn't mean
we (the public) have no knowledge of the agent that was used. If there
are N possible threats that can be used against Bank X, and if there is
public knowledge of how all of these N threats work, then there is no
consequence that Bank X doesn't tell us which of the N threats was used
against it. We (the public) still know how it was done (because we know
*all* the ways it could have been done).

But as they usually have to start with malformed packets
to find some crack in the armour

When it comes to infiltrating something like a bank, a credit-card
processor or major e-commerce site, the method used is almost always
from within - someone on the inside lets the malware enter or plants it
directly.

Some people find network routing hard to do, so many may just
set their routers to DMZ for some machine so it appears to
work better online.

I find that statement highly suspect. The vast majority of
consumer-grade modems are designed to "just work" out of the box, with
the correct settings, to minimize the need for consumers to monkey with
them.

The vast majority of consumers will never need to open any ports.

It's better to do port forwarding to keep port scanners from
getting easy pickings, but not many people will do this.

Contrary to popular believe, the vast majority of consumers do not
partake in bit-torrenting (one of only 2 activities for which
port-forwarding is used, the other being on-line gaming).

As port forwarding IS often needed as part of NAT setups,

WRONG WRONG WRONG.

Why don't you explain what ports the average home or soho user needs to
forward.

this is why I strongly recommend a firewall like LnS.

Your argument is not well founded and hence your advice is unsupported.

Without a good firewall, even with NAT, a machine is sitting waiting
to be hit by a patient invader

Again, that couldn't be further from the truth. Just a complete lie.

In message ,
lid writes:
[]
I seem to remember that in another post you indicated that there are
no threats *if* they are behind a NAT router. What are the threats if
they are *not* behind a NAT router? Any that made the news?

An interesting question - because at the time of the overlap of 98 and
consumer broadband, the default modem for many (including many ISPs) was
the SpeedTouch 330 or clones thereof - USB-powered, looked (in several
of its more popular incarnations) like a large (computer!) mouse. I'm
pretty sure this wasn't NAT. I think there _were_ ways to do "internet
connection sharing" via it, though I never looked into it (don't think I
ever used one).

Thank you.
Geo

(Posted using Free Agent on Win 3.1)

Just kidding, or really?
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

A language is a dialect that has an army and a navy. -Max Weinreich, linguist
and author (1894-1969)

"J. P. Gilliver (John)" wrote:

What are the threats if they are *not* behind a NAT router?

An interesting question - because at the time of the overlap of
98 and consumer broadband, the default modem for many (including
many ISPs) was the SpeedTouch 330 or clones thereof - USB-powered,

I first subscribed to aDSL broadband in the fall of 2001, and my modem
probably was a speedtouch, but most assuredly it (and any modem I've had
since) was always wall-powered and had an ethernet connection (don't
know if the first one also had USB).

I would not expect broadband modems in the 1998 - 2002 era would have
had USB as it's only available interface to a customer computer. There
would have been a lot of confusion about USB-1 vs USB-2 (an issue for
win-95 machines and possibly also for people running win-98 first
edition) as well the added hassle of driver installation.

I agree that the first generation of consumer modems either did not do
NAT, or it was disabled by default. I seem to recall that some ISP's
tried to leverage the modem's ability to do NAT by offering it at
additional monthly cost (perhaps as part of an "internet security
package" or feature).

And I've already answered the question about running win-98 "naked" on
the internet with a directly routable IP address without a firewall. My
experience is that there were no implications or downside to doing it.

Network worms really didn't emerge as a threat until they began hitting
NT4 and Win-2K machines.

In fact, the term "Internet Survival Time" was coined as a measure of
how long it took for a default install of Win-2K to be infected with a
worm before it's owner had a chance to finish downloading and installing
all available patches and updates.

In message , 98 Guy writes:
"J. P. Gilliver (John)" wrote:

What are the threats if they are *not* behind a NAT router?

An interesting question - because at the time of the overlap of
98 and consumer broadband, the default modem for many (including
many ISPs) was the SpeedTouch 330 or clones thereof - USB-powered,

I first subscribed to aDSL broadband in the fall of 2001, and my modem
probably was a speedtouch, but most assuredly it (and any modem I've had
since) was always wall-powered and had an ethernet connection (don't
know if the first one also had USB).

I would not expect broadband modems in the 1998 - 2002 era would have
had USB as it's only available interface to a customer computer. There

Well, I can't date the period, but there definitely was a - fairly
brief, I think - time here in the UK when the default offering from ISPs
_was_ a USB-powered one.

would have been a lot of confusion about USB-1 vs USB-2 (an issue for
win-95 machines and possibly also for people running win-98 first
edition) as well the added hassle of driver installation.

There was. But that was still in the time when you tended to get a CD
from your ISP. ISTR they tended to specify 98SE as the minimum.
[]
And I've already answered the question about running win-98 "naked" on
the internet with a directly routable IP address without a firewall. My
experience is that there were no implications or downside to doing it.

Well, I don't think I ever ran broadband without it, but nasties were
certainly _around_ in dialup days, and I never caught one then (despite
being more the target then): I think just normal sensible computing
practices served. Or maybe I was lucky.

Network worms really didn't emerge as a threat until they began hitting
NT4 and Win-2K machines.

In fact, the term "Internet Survival Time" was coined as a measure of
how long it took for a default install of Win-2K to be infected with a
worm before it's owner had a chance to finish downloading and installing
all available patches and updates.

ISTR claims that it wasn't possible to finish that before infection - I
think that's what you're saying.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

A language is a dialect that has an army and a navy. -Max Weinreich, linguist
and author (1894-1969)