RE: FW: Worms versus Bots

If you follow these steps outlined by SANS you should be able to
successfully update
and NOT get infected. This is short, easy, fully documented (with
pictures :)
http://www.sans.org/rr/papers/index.php?id=1298

Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

The risk is smaller, but still exists if you follow these directions
for XP pre-SP2. See the Microsoft release notes for XP SP2 for details
about the fix.

If you do not have XP SP2, you need to disconnect your computer from the
network prior to every boot cycle until it is fully patched.

A much simpler mechanism than that described by SANS is to have a small, cheap NAT box in your bag (e.g. D-Link DI-604 or similar). Worth the $50 cost to have one available. Put the little router between the new machine to be brought up and whatever network you have access to. Now you can bring up the new machine and update it without having it get instantly infected. (Use some common sense... don't set up email until the machine is patched, or use any other sort of mechanism to pull in potential viruses before patching is done).

(To deflect the inevitable "NAT is not a firewall" complaints, the box is a stateful inspection firewall -- as all NAT boxes actually are).


Hmmm, are you saying that the solution to many so-called
Internet security vulnerabilities is for people to
use an SI Firewall, aka Simple, Inexpensive Firewall,
aka Stateful Inspection Firewall?

One wonders why the DSL/cable router manufacturers
haven't caught on to this idea before now.

If the goal is to actually change people's
behavior and get them to secure their own computers
then a name change like SI Firewall is actually an
important tool. There is a lot of bad press out there
for NAT and I wouldn't be surprised if a lot of the
amateur technicians of the world are advising their
clueless friends not to use it. But if ISPs would
promote the use of an SI Firewall (Simple, Inexpensive
Firewall) to their customers then perhaps we can get
more uptake and an overall improvement in security
without fussing around with frenzied patching sessions.

--Michael Dillon

> (To deflect the inevitable "NAT is not a firewall" complaints, the box
> is a
> stateful inspection firewall -- as all NAT boxes actually are).

> Hmmm, are you saying that the solution to many so-called
> Internet security vulnerabilities is for people to
> use an SI Firewall, aka Simple, Inexpensive Firewall,
> aka Stateful Inspection Firewall?

It's not a real solution; it just goes a long way to reduce the number of infections
and how quickly some worms can spread (although NAT would have no effect
on the spread of viruses by email, so the human factor is the primary problem).

> One wonders why the DSL/cable router manufacturers
> haven't caught on to this idea before now.

It's not the manufacturers who did not catch up (in fact they did, and offer
very inexpensive personal DSL routers going all the way down to the $20 range); it's
the DSL providers who still offer a free DSL modem (a device at least twice as
expensive as a router) and a free network card and complex instructions
on how to set this all up on each different type of PC. No clue at all
that it would be only very marginally more expensive for them to integrate the
features of such a small NAT router into the DSL modem and, instead of offering
PPPoverEthernet, it could just offer NAT and DHCP and make it so much simpler
for many of those lusers with only light computer skills to set this all up.


Agreed,

We require a NAT device or true firewall on all DSL customer connections. We sell cheap Linksys boxes to customers or they can upgrade to a SonicWall. We don't use an integrated modem/router because most of them are junk.

You won't find a single Windows/Linux/Mac machine directly connected to our DSL network. I still like PPPoE for customer authentication because I can place individual packet filters or re-assign users to different contexts based on username/password authentication. PPPoE/NAT is a good combination. Coupling that with 3 levels of virus scanning on our mail server has reduced the effects of virus and worm spread inside the networks we control. We still get viruses & worms that hit, but it is at a more manageable rate. We are not a large provider by any means, but I try my hardest to provide a solid network and protect the Internet from my users as much as possible. If only the users would not shop solely on price I would be all set :-/

-Matt

"william(at)elan.net" <william@elan.net> writes:

> > Hmmm, are you saying that the solution to many so-called
> > Internet security vulnerabilities is for people to
> > use an SI Firewall, aka Simple, Inexpensive Firewall,
> > aka Stateful Inspection Firewall?

> It's not a real solution; it just goes a long way to reduce the number of
> infections and how quickly some worms can spread (although NAT would
> have no effect on the spread of viruses by email, so the human factor is
> the primary problem).

Note that Michael said "many", not "any and all". We do not tell
people that washing your hands after using the bathroom and before
handling food is "not a real solution" because it only protects
against the spread of certain kinds of illnesses.

---rob

Any simple NAT (PNAT, to be correct) box decreases the chance of infection by
the latest worms to 0. Just 0.0000%.
Of course, it does not protect very well from intentional attacks, and does
not protect against e-mail bombs and
JavaScript exploits.

In reality, having WIN2K behind a NAT box connected to the internet 100% of the time is
safer than having Windows with all patches
installed every day, directly connected. The reason is simple:
- when the Win2K system behind it does not initiate internet connections, it is 100%
safe;
- when such a system initiates internet connections, it exposes only
client-side ports and is not vulnerable to any scans etc.

So, I agree - a NAT box is the very first _mandatory_ thing at home; all
the rest (firewall etc.) is not necessary for most households at all (but
antivirus is, if you have e-mail or use the web).

> > (To deflect the inevitable "NAT is not a firewall" complaints, the box
> > is a
> > stateful inspection firewall -- as all NAT boxes actually are).
>
> Hmmm, are you saying that the solution to many so-called
> Internet security vulnerabilities is for people to
> use an SI Firewall, aka Simple, Inexpensive Firewall,
> aka Stateful Inspection Firewall?

It's not a real solution; it just goes a long way to reduce the number of
infections
and how quickly some worms can spread (although NAT would have no effect
on the spread of viruses by email, so the human factor is the primary problem).

> One wonders why the DSL/cable router manufacturers
> haven't caught on to this idea before now.

It's not the manufacturers who did not catch up (in fact they did, and offer
very inexpensive personal DSL routers going all the way down to the $20 range); it's
the DSL providers who still offer a free DSL modem (a device at least twice as
expensive as a router) and a free network card and complex instructions
on how to set this all up on each different type of PC. No clue at all
that it would be only very marginally more expensive for them to integrate the
features of such a small NAT router into the DSL modem and, instead of offering
PPPoverEthernet, it could just offer NAT and DHCP and make it so much
simpler
for many of those lusers with only light computer skills to set this all
up.

Once upon a time, Alexei Roudnev <alex@relcom.net> said:

> Any simple NAT (PNAT, to be correct) box decreases the chance of infection by
> the latest worms to 0. Just 0.0000%.

The problem is that Joe User (or his kid) wants to run some random P2P
program without having to reconfigure NAT port mappings, so they have
all inbound connections mapped to a static internal IP. When the worms
come knocking, the connections go right through and the static IP system
gets infected, which then infects the Mom's computer, etc.; then you
have 2+ times as much worm traffic sourced from that single public IP
because there are multiple computers scanning.

NAT does help if you just put necessary port mappings in place (and only
for "secure" protocols).
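Alexei's point (a dynamic PNAT box only passes traffic back to connections the inside host opened, so an unsolicited worm probe has no table entry and is dropped) and Chris's counterpoint (mapping "all inbound" to one static internal IP hands the probe straight to that host) as a small added simulation of a consumer PNAT box's connection table. This is example code written for this page, not anything posted in the thread; the addresses, ports and the worm's target port are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class PNATBox:
    """Minimal model of a home PNAT box with stateful connection tracking."""
    public_ip: str
    # "all inbound connections mapped to a static internal IP" (the DMZ-host setting)
    dmz_host: Optional[str] = None
    # explicit port forwards: public port -> inside (ip, port)
    static_maps: Dict[int, Endpoint] = field(default_factory=dict)
    # tracked flows: (public port, remote ip, remote port) -> inside (ip, port)
    table: Dict[Tuple[int, str, int], Endpoint] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, src: Endpoint, dst: Endpoint) -> int:
        """Inside host opens a connection; allocate a public port and record the flow."""
        pub = self.next_port
        self.next_port += 1
        self.table[(pub, dst[0], dst[1])] = src
        return pub

    def inbound(self, remote: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Deliver an inbound packet, or return None if the box drops it."""
        key = (dst_port, remote[0], remote[1])
        if key in self.table:           # reply to a flow the inside host started
            return self.table[key]
        if dst_port in self.static_maps:  # explicit port forward
            return self.static_maps[dst_port]
        if self.dmz_host:               # catch-all static mapping: everything goes in
            return (self.dmz_host, dst_port)
        return None                     # no state, no mapping: dropped


WORM_PORT = 445  # constructed: the service port a scanning worm probes


def worm_probe(box: PNATBox, scanner_ip: str) -> Optional[Endpoint]:
    """Unsolicited SYN from a scanning host to the box's public address."""
    return box.inbound((scanner_ip, 3021), WORM_PORT)


if __name__ == "__main__":
    safe = PNATBox("203.0.113.7")
    print("dynamic PNAT, worm probe ->", worm_probe(safe, "198.51.100.9"))
    dmz = PNATBox("203.0.113.7", dmz_host="192.168.1.10")
    print("DMZ-host mapping, worm probe ->", worm_probe(dmz, "198.51.100.9"))
```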

** Reply to message from Chris Adams <cmadams@hiwaay.net> on Fri, 7 May
2004 09:45:36 -0500

> Once upon a time, Alexei Roudnev <alex@relcom.net> said:
> > Any simple NAT (PNAT, to be correct) box decreases the chance of infection by
> > the latest worms to 0. Just 0.0000%.
>
> The problem is that Joe User (or his kid) wants to run some random P2P
> program without having to reconfigure NAT port mappings, so they have
> all inbound connections mapped to a static internal IP. When the worms
> come knocking, the connections go right through and the static IP system
> gets infected, which then infects the Mom's computer, etc.; then you
> have 2+ times as much worm traffic sourced from that single public IP
> because there are multiple computers scanning.

If Joe (L)User or his kid sets up his NAT that way... well, quite
honestly he gets what he deserves. Protecting against active,
deliberate stupidity is probably more than my job description covers. I
do get paid to clean up the mess afterwards, however. And in at least
one case I have set it up for a customer so that they are behind a NAT
that they can't reconfigure - 3 strikes and I was out of patience.

But I suggest that in my experience the above sort of thing is
relatively rare.

> NAT does help if you just put necessary port mappings in place (and only
> for "secure" protocols).

I don't know about that last part - do you consider http and ftp to be
secure protocols?

Nothing (except a good spanking -:)) can help in such a case. We are not
talking about static NAT and inbound connections.
I was talking about dynamic PNAT _only_.

Once upon a time, Alexei Roudnev <alex@relcom.net> said:
> Any simple NAT (PNAT, to be correct) box decreases the chance of infection by