Very Computer

Security-HOWTO says something to the effect that if you think you don't have
to secure your internal machines because you have a firewall, you are making a
fatal mistake. It does not elaborate, so I am not sure what it means.

Suppose you have a firewall that denies all external service requests. How can
you be hacked from outside? (I know, the firewall code can be buggy, but for
the sake of argument, let's assume it it not.)

In other words, what risk am I running into if I run the "bad" services like
ftp/telnet/finger but block all access to them from outside?

You can put all those windows on a different subnet and treat that subnet as
outsider.

PS: M$ apps free network would be more secure, until they "port/infest" them to
Linux.

I guess you don't care about internal hackers? this is going to be your
downfall......

besides, what happens if your firewall is cracked? You need more than one
line of defense....

--buddy

--
Remove spam trap when replying

The only fool-proof way to secure your machine is unplug it, turn it off
and drop it in the bottom of the ocean.  

Internal attacks are the most common ones, your firewall does nothing
against those. If your firewall is compromised, what then??

Treat each box as 'turn off all services, turn on only the ones I try to
use on THAT  box and then see where I am...' Repeat as necessary.

DanH

--
UNIX - Not just for vestal *s anymore
Linux - Choice of a GNU generation

Well, one of the many possible downfalls, at least.

Quote:> besides, what happens if your firewall is cracked? You need more than one
> line of defense....

A good point lurketh herein... it's not just 'buggy' that might lead to a
firewall being 'cracked', you've got various (design) limitations in state
engines to worry about as well. And once they're in... does the phrase
"trust relationship" (between internal boxes) mean anything? :(

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/

And even then... isn't there a company that says they can retrieve
info off a HD that's been soaking in the ocean for a year?!?

The only secure computer is one that has never been built.

But, before you go all paranoid, there are ways to secure a machine to
a reasonable level.  Knowledge is power, and you'll want a lot of it.

Check out just how often my firewall bounces a hack attempt at:

http://www.veryComputer.com/*mage

click on the HACKERS button.  I had another scan attempt tonight.
I'm now averaging one every 3 to 4 days.

That gives a whole new definition to Python's 'machine that goes ping'

--

B-Lex Information Technologies

PGPKey: 2048/75929DC1     92 F1 6D A4 86 5A AE 50  CF 78 01 5B 18 94 18 40

Not entirely funny....if we are in fact headed for a future when all
of our household devices are networked, then security will become a
major issue. Unless of course you don't mind ukrainian kids turning
your refrigerator on and off for fun.

Gareth

for instance... you drank too much yesterday and you barf into the toilet.
the toilet detects that you're sick and calls the hospital. at 03:27, the
ambulance arrives. you convince the poepl eyou're OK. however, next morning,
the insurance calls that you're ill and you'll have to pay more fees. In the
mean time, your refrigerator sees that all the beer you ordered for
yesterday's party is depleted so it orders more beer. the bad part is, you
didn't want to party tonight because you only party once ina year for yor
birthday. etc etc.

I don't think we're heading to a future where everything is networked :-)

--
Grobbebol's Home                 |  Don't give in to spammers.   -o)
http://www.xs4all.nl/~bengel     | Use your real e-mail address   /\
Linux 2.2.14 SMP 466MHz / 256 MB |        on Usenet.             _\_v  

1: You can be hacked from inside, by your own users.

2: A hacker can sometimes take advantage of a bug in client software
   (like a web browser or an FTP client) to compromise your network.
   In other words, a connection initiated from your network is a
   potential security risk as well as one initiated from outside.

3: No firewall is foolproof.  They can be cracked, and they can have
   bugs.  You should never assume that a software produce is perfectly
   secure.  There may always be an exploitable bug/feature that people
   just don't know about yet.  When it is discovered, you must fix it
   before someone uses it to hack your network.

4: Firewalls generally don't block UDP traffic.  Due to the
   connectionless nature of UDP, it is hard to tell whether a datagram
   is part of a locally-originated request or a remotely-originated
   request.  You can, of course, block incoming UDP traffic, but then
   some applications (like streaming audio/video) will stop working.
   (Or they'll have to use a TCP-based solution, which is much less
   efficient.)

5: All software has bugs.  Even if you don't know what they are.
   Including your firewall and the operating system it runs on.  (Yes, I
   said this before, but it's very important!)

-- David

Don't most firewalls these days keep state on UDP traffic?  I know
it's pretty trivial to do with ipf, e.g.,

pass out on fxp0 proto udp from any to any port = domain keep state

for DNS traffic.  That line will let DNS queries out and any
apparently corresponding reply packets back in.

Quote:>5: All software has bugs.  Even if you don't know what they are.
>   Including your firewall and the operating system it runs on.  (Yes, I
>   said this before, but it's very important!)

>-- David

I completely agree with all of your other points.

--

Unsolicited bulk email charge:   $500/message.   Don't send me any.
PGP Fingerprint: 0C1F FE18 D311 1792 5EA8  43C8 7AD2 B485 DE75 841C

Never thought discussions on this forume could be that fun (wired toilet
calling ambulance and such).

I am not crazy enought to actually believe that any firewall is a fool-proof
defense. I am sweating day and night fearing the worst, actually. :-)

I was trying to reason from a theoretical point of view. My thought was that
if you don't allow any packet to get to any listening port, then no matter how
stupid the listening programs are, they cannot be called on to do any damage
because they don't hear a thing. And this part of the firewall is not too
complicated to be carefully examined. Granted there can still be bugs. But
hey, the chance that your machine be physically stolen is not zero either,
right?

But the internal hacker problem is a threat. I like the idea of a flawed
client program letting a trusted internal user be unknowingly hijacked. This
danger is very much real. The Microsoft VB virus is an excellent example.
(Maybe this point should be included into the Security-HOWTO?)

Quote:> 2: A hacker can sometimes take advantage of a bug in client software
>    (like a web browser or an FTP client) to compromise your network.
>    In other words, a connection initiated from your network is a
>    potential security risk as well as one initiated from outside.

Excellent point. You can trust your users, but they may be body-snatched by
using flawed client software. (MS-VB virus etc.)

Quote:> 4: Firewalls generally don't block UDP traffic.

What kind of damage can UDP packets cause?

1. One of your windows users is foolish enough to activate a Trojan sent
to him via email, and thinks nothin of it.  He then deletes the email without
telling anyone.

2. The trojan installs itself on the user's machine, and contacts hacker's
webserver.

3. Hacker then uses the backdoor installed by the trojan to install packet
sniffer on the users system.  Hacker's backdoor uses port 80 for all
communications, making your firewall think that the user has simply found
a new favorite website.

4. When you telnet into the firewall machine, packet-sniffer on user's
machine sniffs your password, and after you log off, hacker uses his
new-found password to log into the firewall.

5. Your screwed now - Hacker installs a kernel module that masks his
new username, password, etc. from /etc/password, masks his entire
home directory from anyone else in the system. It also masks several
new routes and ipchains entries that allow him full access to the system
- completely unnoticed.  Hell, he could install his own custom kernel at
that point.

Eric

Nah,  I build computers all the time.  Can't be _that_ hard to
do it remotely...   :-)

Eric