HP3000-L Archives

January 2001, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Emerson, Tom # El Monte" <[log in to unmask]>
Reply To: Emerson, Tom # El Monte
Date: Thu, 4 Jan 2001 19:40:28 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (182 lines)
> -----Original Message-----
> From: [log in to unmask] [mailto:[log in to unmask]]
>
> X-no-Archive:yes
> Thanks for the various replies. [...] Tom Ericson was on the right track
[...]

(Err, that's "Emerson", not "Ericson", but then, I think we have an Ericson
who replies as well -- if that was who you are referring to, then
"never mind..." ;) )

> Granted, this is a Windows PC, so would not normally support
> telnet or ftp.
> Although I do have an ftp server running on another box on my LAN, but
> didn't think that this would be visible via Windows Internet
> Connection Sharing (ICS).

Generally, no -- ICS is also known as "NAT" or Network Address Translation
in the Unix world.  PCs on the internal [protected] network should have
numbers of the form 192.168.xx.yy (or 10.aa.bb.cc).  "By definition", these
IP addresses are "non-routable", meaning that you should not be able to "get
to" one of these addresses from a "normal" IP address.

When you use NAT/ICS, the computer doing the translation really has two
addresses: one internal and the other as supplied by your ISP [meaning it
could be assigned via DHCP].  Any traffic on the "internal" network that has
an "external" destination is re-written by the NAT/ICS computer "as if" that
computer were requesting the data in the first place.  When the response
comes back from "the internet", the process is repeated in the other
direction -- the original request is looked up by the NAT computer and the
response is re-sent to the originating computer.

From the outside, however, a request for the computer assigned to
"192.168.1.2" (for instance) would never "find" that destination (unless
someone's router was broken OR you have a "192.168.1" network defined within
your company...)

Since I haven't looked into ICS yet, I don't know if it will do this, but
many firewall products that do NAT also have the ability to selectively
"punch holes" through the firewall.  For example, let's say your "internal"
FTP server is at address 192.168.35.10, and your IP address assigned to your
24x7 cable/DSL service was 210.211.212.213.  Although the actual computer
attached to the cable/DSL modem is a Windows computer and does NOT supply
the FTP "service", you could configure the software to "pass any request for
port 21 to 192.168.35.10" [service "21" being the FTP service].  From the
"outside", I would instruct my FTP client to use address 210.211.212.213,
the NAT/ICS computer would receive it, perform the "NAT" operation in
reverse, and request a connection to 192.168.35.10 on MY behalf.

> And does ICS also give me one more way to get  hacked?

Considering Microsoft's track record, I wouldn't be surprised if it did...

> know about the Personal Web Server, which I do not run and cannot see
> needing to run. But then, if I did, what would be the
> advantage to me, and
> what are the known risks?

The primary advantage is that you are no longer "limited" by your ISP as to
quantity of content.  [nor, in theory, content of that content, but that's
another matter]  The downside, of course, is that you ARE limited by your
outbound bandwidth [since most DSL services are ADSL, it's quite likely the
"outbound" rate is half or less of the "inbound" rate...]

The known risks are the same as running any web server [in addition to the
risks of running PWS specifically, as opposed to say Apache...]

> More importantly, what about smb?
> Not running file
> and print sharing sort of defeats the purpose of having a LAN

I believe you can selectively enable/disable which PROTOCOLS can be used for
SMB traffic -- this is, at least, a step in the right direction by Microsoft
-- essentially, you need to DISABLE file/print sharing OVER TCP/IP.  This
also implies you need to ENABLE some other "protocol" for file/print sharing
(namely, NetBEUI, although IPX is also an option)

> with Windows
> boxes. I guess that's a good example of exactly the kind of
> risk / benefit
> question I am asking.

As has been mentioned, there are newsgroups, chats, e-mail servers, and
scads of webpages on the subject  [I suspect by now there might even be a
community college course or two...]

> And what are the other known risks that might not be known to me? Since I am
> vulnerable to port scanning, what might someone near or far see, and what
> kind of fun might they have once they've seen it? I would like to think that
> all other things being equal, script kiddies will just keep moving, after
> they've scanned my PC. But for all I know, my PC could easily be what the
> janitor drives in Tom's Mary Kay analogy. Even with a presumably secure
> password on a Windows share, there are probably scripts to just keep trying,
> right?

Ummm, "yes"?  Well, I did bring it up -- realistically, with the number of
boxes out there, it's quite likely yours doesn't present anything "tasty"
for the would-be hacker to sink his teeth into, however just having a 24x7
"high" bandwidth connection might be enough -- remember a few months back
when some major web sites were brought down due to "DDoS" attacks?
Thousands of computers, running on a known and easily compromised OS, with a
high-bandwidth "always on" connection, need only devote 1 or 2% of that
"bandwidth" to an attack -- the owner of said computer(s) would never know
they were participating...

> I will point out that I would think that with dial up, the script kiddies do
> not have the advantage of probing my system, and finding new ways to hack
> into any vulnerabilities they might have found previously, and coming back
> to the same IP address.

You would be wrong in that assumption.  First of all, with a "dial up"
connection from a home PC, you generally always call the same number.  This
goes to a "POP", or Point-Of-Presence, within the phone company.  At some
point along the line this eventually gets to a modem that is attached to a
network, and THAT particular modem has a fixed IP address [assigned/owned by
the ISP].  Depending upon your location, number of callers, etc., it is quite
likely you'll "hit" the same modem time-after-time when you dial up.  If
not, you'll be attached to a range of well-known [to the intruders] IP
addresses, so while they may or may not know "your" address, they know
you'll hit one of a handful, and that's easy to watch for.

Secondly, if they managed to "hack" your system in the first place, they
might place a "homing beacon" of some sort -- a piece of software that, once
you connect, sends a single message to THEIR server which not only indicates
"you are up", but obviously has your CURRENT IP address for this session...

[aside: another way people can "watch for" you to return is to scan internet
newsgroups, especially if they can or did monitor traffic in and out of your
box in the past -- by knowing which groups you frequent, they could watch
for you to post a message in one of those groups -- if you scan the
"headers", you'll see your own IP address conveniently provided (most often
"conveniently" provided by your ISP, even if you had "special" software that
posted bogus info).  Failing that, they could put up an enticing web page and
watch for you to hit it -- they'll obviously have a "return trip" IP address
to "check out"...  Long story short: it's quite easy for a dedicated hacker
to "find" you once you return]

> Maybe this is not a realistic concern with always-on connections. But I am
> going to start monitoring my IP address for my always-on connection to see
> how often it changes, since I never shut off my PC simply because it is
> unattended (trying to keep from falling too far on my Seti@home scores). My
> lease expired two days ago, but I still have the same IP address. I
> understand this to be normal enough for DHCP, to be able to renew an expired
> lease.

This would imply you have a dynamically assigned IP address, meaning you
applied for service within the last several months [when the service was
first offered, in many areas, you would be given the "holy grail" of the
internet: a FIXED IP address!  Nowadays, most ISPs reserve the "fixed"
addresses for those that are willing to pay a "premium" for "business"
service...]

> Sometime I would like to buy one of the connection-sharing / firewall /
> speed-sensing switches. It's on my list of nice things to spend between one
> to two hundred dollars on, when I have the money to spend. I also want to
> purchase the connection hardware that I currently just lease... Off-list
> recommendations for and reviews of such devices are still welcome, since I'm
> far from deciding on such a purchase.

Post that question to comp.sys.dcom.xdsl and you'll get a slew of responses
:)
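
The NAT and port-forwarding behaviour Tom describes in the message above (the outbound
rewrite, the reverse lookup of the reply, a "punched hole" that passes port 21 to
192.168.35.10, and the fact that a 192.168.x.y address cannot be reached directly from
outside), as an added worked example that is not part of the original post and is not
how Windows ICS or any real firewall product is implemented: a toy connection-tracking
NAT in Python. The addresses 210.211.212.213 and 192.168.35.10 come from the post; the
internal PC 192.168.35.2, the outside hosts in the 198.51.100.0/24 and 203.0.113.0/24
documentation ranges, the ephemeral port range starting at 40000, and the Packet/Nat
names are assumptions made for the example.

```python
"""Toy NAT with connection tracking and one static port-forward rule.

Added example, not from the original post and not how Windows ICS works
internally. 210.211.212.213 (ISP-assigned) and 192.168.35.10 (internal FTP
server) are the addresses used in the post; everything else is made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "210.211.212.213"   # address supplied by the ISP (from the post)
INTERNAL_FTP = "192.168.35.10"    # internal FTP server (from the post)
INTERNAL_PC = "192.168.35.2"      # an ordinary internal PC (assumed)


@dataclass(frozen=True)
class Packet:
    """Only the addressing fields of a TCP segment; the payload is irrelevant here."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_private(ip: str) -> bool:
    """True for addresses the standard library marks private/reserved.

    Covers the RFC 1918 ranges the post mentions (10/8, 192.168/16) plus
    172.16/12 and a few other non-routable blocks.
    """
    return ipaddress.ip_address(ip).is_private


class Nat:
    """One external address shared by many internal hosts (NAT/PAT).

    forwards maps an external port to (internal ip, internal port): the
    "punch a hole" rule from the post, e.g. {21: ("192.168.35.10", 21)}.
    """

    def __init__(self, external_ip: str,
                 forwards: Optional[Dict[int, Tuple[str, int]]] = None,
                 first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.forwards = dict(forwards or {})
        self.table: Dict[int, Tuple[str, int]] = {}    # ext port -> (int ip, int port)
        self.reverse: Dict[Tuple[str, int], int] = {}  # (int ip, int port) -> ext port
        self.next_port = first_port                    # assumed ephemeral port range

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> internet: rewrite the source so the reply comes back to us."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:                    # first packet of a new flow
            ext_port = self.next_port
            self.next_port += 1
            self.table[ext_port] = key
            self.reverse[key] = ext_port
        return Packet(self.external_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> internal: undo the rewrite, or apply a forward rule.

        Returns None when the packet is dropped. A packet addressed straight
        to a private address never even reaches the NAT box from the internet;
        here that shows up as "not my external address".
        """
        if pkt.dst_ip != self.external_ip:
            return None
        if pkt.dst_port in self.table:                 # reply to a flow we started
            int_ip, int_port = self.table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        if pkt.dst_port in self.forwards:              # static "hole" (e.g. FTP, port 21)
            int_ip, int_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        return None                                    # unsolicited and no rule: dropped


def demo() -> Dict[str, Optional[Packet]]:
    """Run the scenarios from the post and return the translated packets."""
    nat = Nat(EXTERNAL_IP, forwards={21: (INTERNAL_FTP, 21)})
    web = Packet(INTERNAL_PC, 1234, "198.51.100.7", 80)             # internal PC fetches a page
    out = nat.outbound(web)
    reply = nat.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    ftp = nat.inbound(Packet("203.0.113.9", 5000, EXTERNAL_IP, 21))      # outside FTP client
    smb = nat.inbound(Packet("203.0.113.9", 5001, EXTERNAL_IP, 139))     # outside probe for SMB
    direct = nat.inbound(Packet("203.0.113.9", 5002, INTERNAL_FTP, 21))  # private address, unreachable
    return {"out": out, "reply": reply, "ftp": ftp, "smb": smb, "direct": direct}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:7s} {pkt if pkt else 'dropped'}")
```

Two things worth noticing when running it: the SMB probe on port 139 is dropped only
because no mapping or forward rule matches it, which is the whole of the protection NAT
gives to services on the internal PCs; and once the port-21 rule is in place, the
internal FTP server is reachable by everyone on the internet, not just the owner, so
the "hole" needs the same hardening as a server plugged straight into the modem.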
