Can firewall offer fool-proof security?

Post by Yuzheng Din » Tue, 16 May 2000 04:00:00



Security-HOWTO says something to the effect that if you think you don't have
to secure your internal machines because you have a firewall, you are making a
fatal mistake. It does not elaborate, so I am not sure what it means.

Suppose you have a firewall that denies all external service requests. How can
you be hacked from outside? (I know, the firewall code can be buggy, but for
the sake of argument, let's assume it is not.)

In other words, what risk am I running into if I run the "bad" services like
ftp/telnet/finger but block all access to them from outside?


Post by Edward Le » Tue, 16 May 2000 04:00:00


You can put all those windows on a different subnet and treat that subnet as
outsider.

PS: M$ apps free network would be more secure, until they "port/infest" them to
Linux.


> All you need is a Windows machine to receive a VB worm/virus to telnet/ftp into
> your Linux box and start backing up your hard drive on the net somewhere.


> > Security-HOWTO says something to the effect that if you think you don't have
> > to secure your internal machines because you have a firewall, you are making a
> > fatal mistake. It does not elaborate, so I am not sure what it means.

> > Suppose you have a firewall that denies all external service requests. How can
> > you be hacked from outside? (I know, the firewall code can be buggy, but for
> > the sake of argument, let's assume it is not.)

> > In other words, what risk am I running into if I run the "bad" services like
> > ftp/telnet/finger but block all access to them from outside?



Post by Buddy Smit » Tue, 16 May 2000 04:00:00



> Suppose you have a firewall that denies all external service requests. How can
> you be hacked from outside? (I know, the firewall code can be buggy, but for
> the sake of argument, let's assume it is not.)
> In other words, what risk am I running into if I run the "bad" services like
> ftp/telnet/finger but block all access to them from outside?

I guess you don't care about internal hackers? this is going to be your
downfall......

besides, what happens if your firewall is cracked? You need more than one
line of defense....

--buddy

--
Remove spam trap when replying


Post by DanH » Tue, 16 May 2000 04:00:00




> Security-HOWTO says something to the effect that if you think you don't
> have to secure your internal machines because you have a firewall, you
> are making a fatal mistake. It does not elaborate, so I am not sure what
> it means.

The only fool-proof way to secure your machine is unplug it, turn it off
and drop it in the bottom of the ocean.  

Internal attacks are the most common ones, your firewall does nothing
against those. If your firewall is compromised, what then??

Treat each box as 'turn off all services, turn on only the ones I try to
use on THAT  box and then see where I am...' Repeat as necessary.

DanH

--
UNIX - Not just for vestal *s anymore
Linux - Choice of a GNU generation


Post by Tim Hayn » Wed, 17 May 2000 04:00:00




> > Suppose you have a firewall that denies all external service
> > requests. How can you be hacked from outside? (I know, the firewall
> > code can be buggy, but for the sake of argument, let's assume it is
> > not.)

> > In other words, what risk am I running into if I run the "bad" services
> > like ftp/telnet/finger but block all access to them from outside?

> I guess you don't care about internal hackers? this is going to be your
> downfall......

Well, one of the many possible downfalls, at least.

> besides, what happens if your firewall is cracked? You need more than one
> line of defense....

A good point lurketh herein... it's not just 'buggy' that might lead to a
firewall being 'cracked', you've got various (design) limitations in state
engines to worry about as well. And once they're in... does the phrase
"trust relationship" (between internal boxes) mean anything? :(

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/


Post by Nobo » Wed, 17 May 2000 04:00:00



>The only fool-proof way to secure your machine is unplug it, turn it off
>and drop it in the bottom of the ocean.  

And even then... isn't there a company that says they can retrieve
info off a HD that's been soaking in the ocean for a year?!?

The only secure computer is one that has never been built.

But, before you go all paranoid, there are ways to secure a machine to
a reasonable level.  Knowledge is power, and you'll want a lot of it.

Check out just how often my firewall bounces a hack attempt at:

http://www.veryComputer.com/*mage

click on the HACKERS button.  I had another scan attempt tonight.
I'm now averaging one every 3 to 4 days.


Post by Arnold Hendrik » Wed, 17 May 2000 04:00:00




>>And even then... isn't there a company that says they can retrieve
>>info off a HD that's been soaking in the ocean for a year?!?
>>The only secure computer is one that has never been built.
> I've seen microwaves with a net connection. Do I need a firewall to
> protect my dinner ?  ;-)

That gives a whole new definition to Python's 'machine that goes ping'

--

B-Lex Information Technologies

PGPKey: 2048/75929DC1     92 F1 6D A4 86 5A AE 50  CF 78 01 5B 18 94 18 40


Post by Gareth Jone » Wed, 17 May 2000 04:00:00




>>And even then... isn't there a company that says they can retrieve
>>info off a HD that's been soaking in the ocean for a year?!?
>>The only secure computer is one that has never been built.

>I've seen microwaves with a net connection. Do I need a firewall to
>protect my dinner ?  ;-)

Not entirely funny....if we are in fact headed for a future when all
of our household devices are networked, then security will become a
major issue. Unless of course you don't mind Ukrainian kids turning
your refrigerator on and off for fun.

Gareth


Post by ben.. » Wed, 17 May 2000 04:00:00



> Not entirely funny....if we are in fact headed for a future when all
> of our household devices are networked, then security will become a
> major issue. Unless of course you don't mind Ukrainian kids turning
> your refrigerator on and off for fun.

for instance... you drank too much yesterday and you barf into the toilet.
the toilet detects that you're sick and calls the hospital. at 03:27, the
ambulance arrives. you convince the people you're OK. however, next morning,
the insurance calls that you're ill and you'll have to pay more fees. In the
mean time, your refrigerator sees that all the beer you ordered for
yesterday's party is depleted so it orders more beer. the bad part is, you
didn't want to party tonight because you only party once in a year for your
birthday. etc etc.

I don't think we're heading to a future where everything is networked :-)

--
Grobbebol's Home                 |  Don't give in to spammers.   -o)
http://www.xs4all.nl/~bengel     | Use your real e-mail address   /\
Linux 2.2.14 SMP 466MHz / 256 MB |        on Usenet.             _\_v  


Post by David » Wed, 17 May 2000 04:00:00



> Security-HOWTO says something to the effect that if you think you
> don't have to secure your internal machines because you have a
> firewall, you are making a fatal mistake. It does not elaborate, so I
> am not sure what it means.

> Suppose you have a firewall that denies all external service
> requests. How can you be hacked from outside? (I know, the firewall
> code can be buggy, but for the sake of argument, let's assume it is
> not.)

> In other words, what risk am I running into if I run the "bad"
> services like ftp/telnet/finger but block all access to them from
> outside?

1: You can be hacked from inside, by your own users.

2: A hacker can sometimes take advantage of a bug in client software
   (like a web browser or an FTP client) to compromise your network.
   In other words, a connection initiated from your network is a
   potential security risk as well as one initiated from outside.

3: No firewall is foolproof.  They can be cracked, and they can have
   bugs.  You should never assume that a software product is perfectly
   secure.  There may always be an exploitable bug/feature that people
   just don't know about yet.  When it is discovered, you must fix it
   before someone uses it to hack your network.

4: Firewalls generally don't block UDP traffic.  Due to the
   connectionless nature of UDP, it is hard to tell whether a datagram
   is part of a locally-originated request or a remotely-originated
   request.  You can, of course, block incoming UDP traffic, but then
   some applications (like streaming audio/video) will stop working.
   (Or they'll have to use a TCP-based solution, which is much less
   efficient.)

5: All software has bugs.  Even if you don't know what they are.
   Including your firewall and the operating system it runs on.  (Yes, I
   said this before, but it's very important!)

-- David


Post by James J. Lippa » Wed, 17 May 2000 04:00:00



>1: You can be hacked from inside, by your own users.

>2: A hacker can sometimes take advantage of a bug in client software
>   (like a web browser or an FTP client) to compromise your network.
>   In other words, a connection initiated from your network is a
>   potential security risk as well as one initiated from outside.

>3: No firewall is foolproof.  They can be cracked, and they can have
>   bugs.  You should never assume that a software product is perfectly
>   secure.  There may always be an exploitable bug/feature that people
>   just don't know about yet.  When it is discovered, you must fix it
>   before someone uses it to hack your network.

>4: Firewalls generally don't block UDP traffic.  Due to the
>   connectionless nature of UDP, it is hard to tell whether a datagram
>   is part of a locally-originated request or a remotely-originated
>   request.  You can, of course, block incoming UDP traffic, but then
>   some applications (like streaming audio/video) will stop working.
>   (Or they'll have to use a TCP-based solution, which is much less
>   efficient.)

Don't most firewalls these days keep state on UDP traffic?  I know
it's pretty trivial to do with ipf, e.g.,

pass out on fxp0 proto udp from any to any port = domain keep state

for DNS traffic.  That line will let DNS queries out and any
apparently corresponding reply packets back in.

>5: All software has bugs.  Even if you don't know what they are.
>   Including your firewall and the operating system it runs on.  (Yes, I
>   said this before, but it's very important!)

>-- David

I completely agree with all of your other points.

--

Unsolicited bulk email charge:   $500/message.   Don't send me any.
PGP Fingerprint: 0C1F FE18 D311 1792 5EA8  43C8 7AD2 B485 DE75 841C
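To make concrete what David's point 4 and James's ipf `keep state` rule are talking about, here is an added illustration (not ipf's code and not from either poster) of a stateful UDP filter: outbound datagrams to an allowed port create table entries, and an inbound datagram passes only while its reversed address tuple matches a live entry. All addresses, ports and timings below are constructed.

```python
# Stateful UDP filtering in the spirit of the ipf "keep state" rule above.
# Added illustration (not ipf's code): the table records each outbound
# datagram to an allowed port and admits an inbound datagram only when its
# reversed address tuple matches a live entry.
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" or "in", relative to the protected network


class UdpStateFilter:
    def __init__(self, allowed_out_ports=(53,), ttl=60):
        self.allowed_out_ports = set(allowed_out_ports)  # e.g. DNS only
        self.ttl = ttl          # seconds an entry stays valid after last use
        self.table = {}         # (local, lport, remote, rport) -> expiry

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if t > now}

    def decide(self, dg, now):
        self._expire(now)
        if dg.direction == "out":
            if dg.dport not in self.allowed_out_ports:
                return "block"
            self.table[(dg.src, dg.sport, dg.dst, dg.dport)] = now + self.ttl
            return "pass"
        # Inbound: only an "apparently corresponding" reply passes, i.e. one whose
        # addresses and ports mirror a recorded query; nothing above UDP is checked.
        key = (dg.dst, dg.dport, dg.src, dg.sport)
        if key in self.table:
            self.table[key] = now + self.ttl  # refresh on use
            return "pass"
        return "block"


def demo():
    """Constructed traffic: a DNS query, its reply, an unrelated inbound
    datagram aimed at the same local port, and the same reply after expiry."""
    fw = UdpStateFilter()
    query = Datagram("10.0.0.5", 40000, "192.0.2.53", 53, "out")
    reply = Datagram("192.0.2.53", 53, "10.0.0.5", 40000, "in")
    stray = Datagram("198.51.100.7", 53, "10.0.0.5", 40000, "in")
    return [fw.decide(query, 0), fw.decide(reply, 1),
            fw.decide(stray, 2), fw.decide(reply, 100)]
```

The result of `demo()` is `pass, pass, block, block`: the stray datagram is dropped because no query to that host was recorded, and the late reply is dropped because the entry has expired.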


Post by Yuzheng Din » Wed, 17 May 2000 04:00:00


Never thought discussions on this forum could be that fun (wired toilet
calling ambulance and such).

I am not crazy enough to actually believe that any firewall is a fool-proof
defense. I am sweating day and night fearing the worst, actually. :-)

I was trying to reason from a theoretical point of view. My thought was that
if you don't allow any packet to get to any listening port, then no matter how
stupid the listening programs are, they cannot be called on to do any damage
because they don't hear a thing. And this part of the firewall is not too
complicated to be carefully examined. Granted there can still be bugs. But
hey, the chance that your machine gets physically stolen is not zero either,
right?

But the internal hacker problem is a threat. I like the idea of a flawed
client program letting a trusted internal user be unknowingly hijacked. This
danger is very much real. The Microsoft VB virus is an excellent example.
(Maybe this point should be included into the Security-HOWTO?)


Post by Yuzheng Din » Wed, 17 May 2000 04:00:00


> 2: A hacker can sometimes take advantage of a bug in client software
>    (like a web browser or an FTP client) to compromise your network.
>    In other words, a connection initiated from your network is a
>    potential security risk as well as one initiated from outside.

Excellent point. You can trust your users, but they may be body-snatched by
using flawed client software. (MS-VB virus etc.)

> 4: Firewalls generally don't block UDP traffic.

What kind of damage can UDP packets cause?

Post by Eric Co » Thu, 18 May 2000 04:00:00



> Security-HOWTO says something to the effect that if you think you don't have
> to secure your internal machines because you have a firewall, you are making a
> fatal mistake. It does not elaborate, so I am not sure what it means.

> Suppose you have a firewall that denies all external service requests. How can
> you be hacked from outside? (I know, the firewall code can be buggy, but for
> the sake of argument, let's assume it is not.)

> In other words, what risk am I running into if I run the "bad" services like
> ftp/telnet/finger but block all access to them from outside?

1. One of your windows users is foolish enough to activate a Trojan sent
to him via email, and thinks nothing of it.  He then deletes the email without
telling anyone.

2. The trojan installs itself on the user's machine, and contacts hacker's
webserver.

3. Hacker then uses the backdoor installed by the trojan to install packet
sniffer on the users system.  Hacker's backdoor uses port 80 for all
communications, making your firewall think that the user has simply found
a new favorite website.

4. When you telnet into the firewall machine, packet-sniffer on user's
machine sniffs your password, and after you log off, hacker uses his
new-found password to log into the firewall.

5. You're screwed now - Hacker installs a kernel module that masks his
new username, password, etc. from /etc/password, masks his entire
home directory from anyone else in the system. It also masks several
new routes and ipchains entries that allow him full access to the system
- completely unnoticed.  Hell, he could install his own custom kernel at
that point.

Eric
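The defensive counterpart to step 3 of Eric's scenario (a backdoor talking over port 80 so the firewall sees only "web browsing") is to look at the firewall's own logs for an internal host that contacts one external port-80 host at suspiciously regular intervals. This is an added example, not code from any poster; the log lines are constructed in a simplified ipchains-style "Packet log" layout that is an assumption, not a real capture.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (assumed, simplified ipchains-style layout): one
# internal host browsing an ordinary site irregularly and also reaching one
# external port-80 host exactly every five minutes.
LOG = """\
May 17 22:00:00 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1034 203.0.113.5:80 SYN
May 17 22:00:07 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1035 198.51.100.20:80 SYN
May 17 22:05:00 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1036 203.0.113.5:80 SYN
May 17 22:10:00 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1037 203.0.113.5:80 SYN
May 17 22:11:41 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1038 198.51.100.20:80 SYN
May 17 22:15:00 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1039 203.0.113.5:80 SYN
May 17 22:20:00 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1040 203.0.113.5:80 SYN
May 17 22:32:15 fw kernel: Packet log: output ACCEPT eth1 PROTO=6 10.0.0.12:1041 198.51.100.20:80 SYN
"""

# Timestamp, internal source address and external destination on TCP port 80.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: output ACCEPT \S+ "
    r"PROTO=6 (\d+(?:\.\d+){3}):\d+ (\d+(?:\.\d+){3}):80\b")


def parse(log, year=2000):
    """Group connection times by (internal src, external dst)."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        conns[(m.group(2), m.group(3))].append(ts)
    return conns


def find_beacons(conns, min_hits=4, max_cv=0.2):
    """Flag pairs whose inter-connection gaps are nearly constant
    (coefficient of variation <= max_cv); returns (src, dst, period_s, hits)."""
    suspects = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            suspects.append((src, dst, round(mean), len(times)))
    return suspects
```

Run over the sample, `find_beacons(parse(LOG))` reports only the 300-second pattern to 203.0.113.5; the irregular visits to 198.51.100.20 are left alone. A real deployment would tune `min_hits` and `max_cv` to the site's traffic and exclude known update or mail-check hosts.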


Post by Eric Co » Thu, 18 May 2000 04:00:00




> >The only fool-proof way to secure your machine is unplug it, turn it off
> >and drop it in the bottom of the ocean.

> And even then... isn't there a company that says they can retrieve
> info off a HD that's been soaking in the ocean for a year?!?

> The only secure computer is one that has never been built.

Nah,  I build computers all the time.  Can't be _that_ hard to
do it remotely...   :-)

Eric

1. fool-proof way to update /etc/rc.firewall over the net

Greetings,

I have been using FreeBSD boxes as bridging firewalls for more than 2 years
and they have worked very well except for one problem, which I am actually quite
embarrassed to say I haven't been able to figure out after two years.

I had set FIREWALL_QUIET="YES" (which means "ipfw -q") in /etc/rc.conf, but
about 50% of the time, when I did a "sh /etc/rc.firewall" over the net, my
SSH session was hung and I had to phone the datacentre to physically reboot
the machine.

I would like to know what the problem is and if there is a fool-proof way to
avoid the problem so that I can update the rules over the net and put them
into effect without the fear of stopping the entire network.

Many thanks!

Andrew
