A firewall won't stop this one

Discussion in 'Computer Security' started by NetUser, Nov 1, 2003.



  1. I disagree. Security comes in layers and is built by those that know how
    to build it. Security cannot come "in a box" from some software vendor
    and be implemented "on the fly" by a clueless end-user. *If* a proper
    software firewall is used in conjunction with hardware solutions, IDS
    Systems and properly configured routers, the software firewall will
    effectively block malicious code. On the other hand, the misleading
    marketing tactics of various "zoned" software firewalls and IDS packages
    leave the end-user open to various exploits.



    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Nov 3, 2003
    #21
    1. Advertisements

  2. NetUser

    Volker Birk Guest

    Ahem... please read again the text above, and tell me, with what
    you disagree.

    VB.
     
    Volker Birk, Nov 3, 2003
    #22
    1. Advertisements

  3. NetUser

    dkg_ctc Guest

    Well, I think the response wasn't necessarily because of JUST you,
    but rather a very persistent troll who frequently posts inaccurate
    information here.
    See above.
    Yes, the redirect would occur, but as soon as the browser redirects
    to localhost, the traffic would stop being internet traffic, and
    would be from your computer, to your computer, no intermediate hops.
    No, it would still be HTTP commands, and unless you know of a way
    that a remote server could tell your browser to send specific text
    to the port. All that would be sent are HTTP commands. For
    example, assuming that the site simply re-directs you to
    localhost:445 (the below being created by the Opera web browser):

    GET / HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera
    7.21 [en] Host: localhost
    Accept: text/html, application/xml;q=0.9,
    application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif,
    image/x-xbitmap, */*;q=0.1 Accept-Language: en
    Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6,
    *;q=0.1 Accept-Encoding: gzip, deflate
    Connection: keep-alive

    Port 445 (or pretty much any port that's not running an HTTP server)
    wouldn't understand the above request because it doesn't understand
    HTTP. Now, if you could demonstrate how a remote webserver can

    A.) Tell your local web browser to send anything other than the
    standard HTTP headers, and

    B.) See the results of the the probes from localhost to localhost

    then you might be onto something. Until then, the vulneability is
    only theoretical.
    Yes, but the info that is passed is limited by the HTTP request.
    Well, until you can actually provide proof of concept then it's only
    theoretical.
    Well, I'd like to think the above isn't a flame...which isn't to say
    that I'm above flames, of course. :)
     
    dkg_ctc, Nov 3, 2003
    #23
  4. NetUser

    dkg_ctc Guest

    Ok, so I see you using a lot of words, but I don't see you actually
    saying anything...

    What does any of the above have to do with the plausibility of
    NetUser's claims?
     
    dkg_ctc, Nov 3, 2003
    #24

  5. I would rather point out from your original post:
    They're not badly implemented, they're poorly marketed as being an "end
    all" to personal computer security.

    "jobs they're offered" is key. this falls back to marketing and the
    attempt at being the "end all" to personal computer security. while I
    agree that "they would not work for the jobs they're offered..", I
    disagree in the context in which it was presented. the *feel* for your
    statements lead me to believe that you don't think personal/software
    based firewalls will work, period. i disagree. they'll work, but not as
    they're marketed to work.

    marketing gurus work hand-in-hand with developers and find that the
    developers are either not providing an end-to-end solution or the
    developers/owners are only giving the marketers enough information to
    sell the product. this pulls the wool over the consumers eyes, making
    the consumer *think* they're protected.
    nothing is perfect. anything connected to the Internet has the potential
    to be exploited and circumvented, therefore, layering your security
    infrastructure is the key element in providing proper security.






    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Nov 3, 2003
    #25
  6. NetUser

    Volker Birk Guest

    He's wrong.

    Sorry for being unclear. Perhaps you don't understand what I'm saying.

    NetUser has a problem with layer 5/6 communication, as I stated here
    already.

    Of course, a firewall implementation which filters out localhost-requests
    in HTTP would help.

    A "Personal Firewall" is not a firewall implementation.

    That's what I'm trying to say.

    VB.
     
    Volker Birk, Nov 3, 2003
    #26
  7. NetUser

    dkg_ctc Guest

    Ok, just so long as we're clear on that.

    *snip*
    Then I disagree with you.
     
    dkg_ctc, Nov 3, 2003
    #27
  8. NetUser

    Volker Birk Guest

    Implementing port filtering by modifying a library is very bad.
    Implementing port filtering in user space is very bad at all.
    Implementing user interface for non-privileged users is very bad.
    Implementing sandboxing for processes without implementing virtual
    machines is very bad.

    These are only examples.
    Perhaps they're stopping _some_ kind of attacks. But they're often
    offering possibilities for attacks, which would not exist without
    them.

    Some of the known exploits which "Personal Firewalls" had were:

    http://cert.uni-stuttgart.de/archive/bugtraq/2003/08/msg00056.html
    http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00365.html
    http://cert.uni-stuttgart.de/archive/bugtraq/2002/07/msg00163.html

    So if you're installing a "Personal Firewall", such a software
    perhaps will close some leaks - perhaps it will open new ones.

    The producers of the "Personal Firewalls" appear to develop not very
    carefully.

    That you're calling "security"?

    Better than any "Personal Firewall" is to close the doors your
    system offers by disabling unwanted system services, and not to
    use software which is "phoning home".

    Beside that, the NT kernel offers portfiltering itself without
    any "Personal Firewall".

    Sandboxing of processes without implementing a virtual machine is
    ridiculous, BTW. How should that work reliably?

    VB.
     
    Volker Birk, Nov 3, 2003
    #28
  9. NetUser

    Volker Birk Guest

    It seems to be an issue of definition.

    VB.
     
    Volker Birk, Nov 3, 2003
    #29
  10. NetUser

    dkg_ctc Guest

    I'll go to the webopedia definition
    http://www.webopedia.com/TERM/f/firewall.html which states that a
    firewall can be software, hardware, or a combination of the two.
     
    dkg_ctc, Nov 3, 2003
    #30
  11. NetUser

    Volker Birk Guest

    Beside the point that I don't believe Webopedia to be competent here,
    they say: "Firewalls can be implemented in both hardware and software,
    or a combination of both."

    So perhaps also the Webopedia author seems to think that "firewall"
    is in concept layer, and that a firewall can be implemented by using
    computers.

    For a firewall defines traffic between security zones, host based
    filters like "Personal Firewalls" can only implement firewalls if
    the host is not used as a workstation anymore.

    But if you will not agree with the definition of the term "firewall"
    as a concept, how about the definition at:

    http://en.wikipedia.org/wiki/Firewall

    Perhaps we can use that, that covers what I'm calling a "firewall
    implementation".

    VB.
     
    Volker Birk, Nov 3, 2003
    #31
  12. NetUser

    dkg_ctc Guest

    Well how about the comp.security.firewalls FAQ
    <http://www.faqs.org/faqs/firewalls-faq/> which states that "A
    firewall is a system or group of systems that enforces an access
    control policy between two networks." Are they not competent either?
    I don't see any contradiction of that from the c.s.f FAQ.
    "By extension, the computing world uses the term firewall for a piece
    of hardware or software put on the network to prevent some
    communications forbidden by the network policy."

    "or software"? Even the Wikipedia definition seems to contradict your
    statement that personal firewall software is not a firewall. It even
    goes on to differentiate between "conventional" firewalls and
    "personal" firewalls, but does not say that one is and one isn't a
    firewall. Rather, it simply distinguishes between the two
    implementations.
     
    dkg_ctc, Nov 3, 2003
    #32
  13. NetUser

    Volker Birk Guest

    [discussion about definitions]

    "dkg_ctc",

    there is no "right definition" or "wrong definition". You need not
    to argue about that.

    There is only the freedom of definitions.
    Please let us come back to a discussion with content.

    VB.
     
    Volker Birk, Nov 3, 2003
    #33
  14. NetUser

    Dazz Guest

    What an *almost* complete crock of shit that page is.

    Tell me, do you happen to believe what's on that page?

    If so, why? You must believe it, or else you wouldn't have posted the
    URL.

    For instance, that page contains the following:

    If you seriously want to improve security on your machine, you have to
    reduce the code size, not increase it! And no matter how much software
    you remove, as long as you don't have the source code for the rest,
    you are still not even remotely secure. Consider dropping Windows and
    switching to a more secure operating system.

    While I have no problem with the person telling people to drop
    Windows, what alternatives does does the author suggest?

    None (although he implies *something* that you have the source code
    to).

    All that page offers is "Consider dropping Windows and switching to a
    more secure operating system".

    Hmmm. Does the author (or you for that matter seeing as though you
    posted the URL) believe that having numerous Windows users (including
    clueless windows users) switching to, say, Linux or FreeBSD
    automatically going to make them automatically safe?

    I certainly don't.

    What we would have are numerous amounts of unsecured
    Linux/FreeBSD/whatever installs.

    That pages also says "... as long as you don't have the source code
    for the rest, you are still not even remotely secure".

    That seems to imply that if you happen to have the source code for
    something, that you are secure.

    Tell me, how many people out there have the capability of reading
    through hundreds/thousands/millions of lines of code, deciphering
    every little bit, looking for some sort of vulnerablity?

    Hell, not everyone out there is a programmer (nor capable of reading
    through source code and knowing exactly what it does).

    True, you may have the source code, and you may not just have one set
    of eyes reading through the source code (there could be
    hundreds/thousands/millions), however, as events show us, and will
    continue to show us, even open source software is not immune to
    vulnerabilities.

    The sad fact is that even open source software, can contain numerous
    vulnerabilities.

    Hell, I love linux (though I do use Windows as well), I like to
    program, I like to install things from source code, I even *sometimes*
    read through snippets of source code, but I do not read through every
    single line of code of every single program/application/whatever that
    I install.

    I'll bet the author of that page doesn't, and, I'll bet that neither
    do you.

    That pages implies a hell of a lot, but does not contain anything of
    substance or merit to back itself up.

    In short, that page is about as useful as a post from Tracker.

    Dazz
     
    Dazz, Nov 4, 2003
    #34
  15. NetUser

    Dazz Guest

    Yes. On this, I tend to agree with you.
    So instead, systems should be left without any protection at all?

    Isn't some sort of protection better than none?

    Do you drive a car? Does your car have seatbelts? Do you happen to
    wear a seatbelt?

    A seatbelt doesn't offer complete protection, but it does offer some
    protection.

    Did you make your seatbelt? How do you know there isn't some soft of
    design or manufacturing fault that hasn't been detected?

    Simple - you don't. But I bet you still wear one.
    Even hardware firewalls do not offer complete protection, and while
    you seem to delight in attacking personal firewalls, I need to mention
    that there have been vulnerabilities in

    You like to attack personal firewalls, but I've seen hardware
    firewalls that are also vulnerable to attacks as well, yet you don't
    mention this.

    Why is that?
    Not quite correct.

    What you should have written is this:

    The producers of *most* software appear to develop not very carefully.

    Look at OpenSSH, Apache, (just as examples) etc etc for further
    proof.
    Disabling unwanted system services offers an extra degree of
    protection, but what about those services that you need running (ie
    services that other services depend on)?

    The simple truth is that firewalls, software or hardware, don't offer
    complete protection, even taking out the weakest link - the user
    themselves.

    But I'd still rather have a software firewall running, then no
    firewall at all.
    Yes it does, and it's rather poorly implemented.

    For starters, it only offers protection on inbound traffic, and not
    outbound.

    Quote from
    http://www.microsoft.com/technet/tr...prodtechnol/winxppro/reskit/prcc_tcp_ltxs.asp

    "TCP/IP filtering allows you to specify exactly which types of
    incoming IP traffic are processed as the destination for each IP
    interface."

    So, you don't believe outbound protection is important?

    And with all the security flaws already found in Micro$oft systems,
    you'd trust their security over a personal firewall that may have only
    had a couple of flaws?

    But I'll also add that according to Microsofts own website,
    http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp

    "Some Internet service providers (ISPs) do not allow the use of the
    Windows XP ICF. If this is the case, you should contact your ISP for
    their recommended security measures."

    Hmmm, that's interesting in itself.

    What would you suggest for those people?

    Not to use anything?
    How about you telling us?

    Dazz
     
    Dazz, Nov 4, 2003
    #35

  16. So you throw out some links to vulnerabilities in Personal Firewalls,
    without throwing out compatible links to hardware firewalls.. not nice,
    not nice at all.
    *some* producers. not _all_.

    see, you're still thinking "inside the box". you're dwelling on the
    mass-marketing efforts of companies such as Zone Alarm, Black Ice,
    Norton, McAfee, etc. these are the "popular" choices, not the most
    functional, not the most secure.


    you don't realize how many ways you're screwing up here.... sure, it's
    great for a GURU to close the doors and keep from running "phone home"
    software, it's not for the end-user. then again, why wouldn't the guru
    install a good personal firewall to monitor everything connecting to and
    from their system? who knows, guru's aren't perfect, they *could*
    possibly screw up and click on something they shouldn't. end-users, on
    the other hand, are totally clueless. how do i know this? i work with
    clueless end-users daily. they're beyond clueless. there's no words to
    describe how bad-off the end-user community really is.

    without some level of protection offered by personal firewalls and
    trustworthy anti-virus solutions, end users are more vulnerable. they'll
    not close their ports, they'll not stop clicking on everything that
    looks appealing, including spyware links, java applets, malicious
    active-x scripts, links to programs, "ok'ing" whatever pop-ups that
    occur. end-users will click anything, any time, as long as it removes
    that GODDAMN POPUP that's interfering with their porn surfing.

    NONE of my customers were effected by _any_ of the recent Microsoft
    worms. NONE of my customers, once they've became customers of mine have
    EVER been infected with a virus. why? because i layer the protection
    offered to my customers.

    my choice in personal firewalls has a higher learning curve than a
    simplistic "zone alarm" type junk-ware. most end-users can't grasp the
    functions of it, but it works and works well. sure, i sit behind two
    other hardware firewalls, however, i know when EVERY application on my
    computer attempts to contact the internet.

    sure it does, but does it disallow unknown applications from requesting
    information from an unknown? does it show you what's connecting? can you
    tweak the settings per application, per connection?
    you're incorrect, it adds a layer of security for folks that otherwise
    wouldn't do anything.

    just the way I have it setup on my system. which, unless you're a client
    of mine, you'll never know.... and frankly, telling you how mine is,
    over usenet, would be the first step in losing what security i do have.

    of course if you don't understand that, you're probably not capable of
    understanding the rest of the concepts.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Nov 4, 2003
    #36
  17. hmmm... sounds like someone just gave in.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Nov 4, 2003
    #37
  18. NetUser

    reshman Guest

    Kind of like this entire conversation thread.

    Go to bed folks. There is nothing to see here. The dead horse is already
    made into glue..........

    -Mike
     
    reshman, Nov 4, 2003
    #38
  19. NetUser

    Volker Birk Guest

    No. Just stop all services on your machine you don't want to
    offer, instead of port filtering with a piece of crap.

    Just stop using programs which want to "phone home". Leave that
    programs alone, inform their makers you will not use their crap
    because of those "features".
    No, it isn't.

    If "some sort of protection" cannot be calculated, if "some sort
    of protection" even offers more security holes than without such
    "protection", it is better to pass on that "protection".
    In what way endangers me a seatbelt while I'm driving? Or are you
    comparing apples and oranges?
    No. I'm trusting in the makers of my seatbelt. They worked hard for
    that trust of me - I only trust in seatbelts which are well tested,
    which are tested by a technical inspection authority I trust in, and
    are found well done. I only trust in seatbelts where a technical
    inspection authority which I'm trusting in reviewed the design and
    concept of the seatbelts and found them good.

    I will never trust in seatbelts where I can see the mistakes and
    the deficiency myself already.
    I cannot see that. I'm trusting a technical inspection authority,
    as I already said.
    Because I will not use such "Hardware Firewalls" also. I'm trusting
    only a filtering system I can read the code.

    But: "Hardware Firewall" is not the opposite of "Personal Firewall".
    It even has nothing to do with that term. Usually with "Hardware
    Firewall" a black-box filtering solution is meant, where hardware and
    software come together from one manufacturer. The opposite is called
    "software firewall", a filtering solution which is delivered as a
    computer program, with which you can implement a firewall by installing
    and using that software on a computer of your choice.
    I never saw a solution called "Personal Firewall" which was manufactured
    well. Do you know one single solution which has none of the conceptual
    problems I mentioned?
    OpenSSH had security flaws, that's right. But it is not broken by
    design. All "Personal Firewalls" I know (most of them) are broken
    by design.
    If you want to communicate in one security zone, and not with others,
    have a security zone plan, define the traffic between zones, and
    implement constructive filtering in a firewall implementation between
    the zones.
    Nothing with security is complete. Filtering cannot be complete
    but cutting the line, user based problems like social engineering
    attacks are also a big problem. Technical security measures are
    not enough to implement a security system. For example, you cannot
    solve social problems with technical means. And no security exists
    without a concept.
    A software firewall? Why not? When it's not host based but on
    a dedicated machine. Also host based filtering, in the best
    case central managed, could be a good idea. But I would not
    call that a "firewall".

    Or are you meaning a "Personal Firewall", namely an host based
    packet filter which is badly implemented? Then I would not agree.
    The documentation is not really clear here; as a matter of fact
    also outbound traffic can be filtered - or are you referencing
    the ridiculous "internet connection firewall"? I mean the port
    filtering which is implemented in the kernel and documented as
    part of the "IPsec" funtions (I think, the marketing manager
    of Microsoft which used this term for that, did not understand
    what IPsec is).

    There are better filtering systems than the one in the Windows
    kernel, of course. And better do not trust in a Windows system
    as a platform for filtering software at all.

    Better use an operating system which has not so many security
    flaws (not only in the IP-stack) as such a platform.

    You can even open privileged ports as a normal user with Windows.
    I would not trust the security of Microsoft products at all, more than
    ever as a platform for security systems.

    Microsoft products also have advanteges, but none of them I can
    see in the security sector.

    VB.
     
    Volker Birk, Nov 5, 2003
    #39
  20. NetUser

    Volker Birk Guest

    "Personal Firewall" is not the opposite of "hardware firewall".
    The opposite of hardware firewall is software firewall.

    The reason for that confusion may be that "Personal Firewalls"
    do not implement a firewall at all.

    For I'm not trusting filtering software for security purposes
    where I'm not able to check the code (and using a compiler I'm
    trusting in), I do not trust in most hardware firewall solutions.

    With a security flaw in a firewall implementation you're
    compromizing the security of all nodes in the higher leveled
    security zone up to the level the hosts are secure themselves.

    With a security flaw in a "Personal Firewall" you're compromizing
    the hosts themselves completely.

    Security flaws in firewall implementations you're coming up against
    by not offering services on the firewall at all, or by only offering
    one single service for remote administration which is only reachable
    by authorized access. Of course there can be a security flaw at this
    point, too.
    Your're right. Perhaps one should translate that nice scripts of
    Torsten Mann which do that automatically, see:

    http://rcswww.urz.tu-dresden.de/~tm171555/dcsm/svcw2kb.bat
    http://rcswww.urz.tu-dresden.de/~tm171555/dcsm/svcwxpb.bat

    Unfortunately the homepage is only in German:
    http://www.ntsrvcfg.de.vu/
    Because for that point you better use other tools, i.e.:

    http://www.sysinternals.com/ntw2k/source/filemon.shtml
    http://www.sysinternals.com/ntw2k/freeware/pmon.shtml
    http://www.sysinternals.com/ntw2k/freeware/portmon.shtml
    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

    or just netstat and lsof.
    Perhaps also stopping all unwanted services, stopping the use
    of dangerous applications and configuring the systems so that
    it is difficult for end users to make mistakes, which are security
    relevant, and perhaps filtering out dangerous things on the
    firewalls would also be a good idea? Perhaps it would be the
    better idea.
    Users, which are not "administrated" as part of the system (;-),
    perhaps better should use a Macintosh.
    Also "Personal Firewalls" do not work in that case.
    See the tools above.
    Better do not trust in that.
    Where is that "layer of security", when even Real Player phones home
    beside all "Personal Firewalls"? Even if you detect that, they're
    implementing more than one way to phone home.
    Ah, it seems to be magic ;-)
    Security by obscurity does not work at all.
    I just understand that you're intrusting in security by obscurity.
    Seems to be a little bit foolish, doesn't it?

    VB.
     
    Volker Birk, Nov 5, 2003
    #40
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.