Re: A firewall won't stop this one
From: Volker Birk (bumens_at_dingens.org)
Date: 11/05/03
- Next message: Pete-X: "Re: MS security updates or spying?"
- Previous message: Dave Thornburgh: "Re: RSA cryptography"
- In reply to: Dazz: "Re: A firewall won't stop this one"
- Next in thread: Colonel Flagg: "Re: A firewall won't stop this one"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Nov 2003 22:04:48 +0100
Dazz <cashdj@hotmail.com> wrote:
> So instead, systems should be left without any protection at all?
No. Just stop all services on your machine you don't want to
offer, instead of port filtering with a piece of crap.
Just stop using programs which want to "phone home". Leave those
programs alone, inform their makers you will not use their crap
because of those "features".
> Isn't some sort of protection better than none?
No, it isn't.
If "some sort of protection" cannot be calculated, if "some sort
of protection" even offers more security holes than without such
"protection", it is better to pass on that "protection".
> Do you drive a car?
Yes.
> Does your car have seatbelts?
Yes.
> Do you happen to
> wear a seatbelt?
Yes.
> A seatbelt doesn't offer complete protection, but it does offer some
> protection.
In what way does a seatbelt endanger me while I'm driving? Or are you
comparing apples and oranges?
> Did you make your seatbelt?
No. I'm trusting in the makers of my seatbelt. They worked hard for
that trust from me - I only trust in seatbelts which are well tested,
which are tested by a technical inspection authority I trust in, and
are found well done. I only trust in seatbelts where a technical
inspection authority which I'm trusting in reviewed the design and
concept of the seatbelts and found them good.
I will never trust in seatbelts where I can see the mistakes and
the deficiency myself already.
> How do you know there isn't some sort of
> design or manufacturing fault that hasn't been detected?
I cannot see that. I'm trusting a technical inspection authority,
as I already said.
> You like to attack personal firewalls, but I've seen hardware
> firewalls that are also vulnerable to attacks as well, yet you don't
> mention this.
> Why is that?
Because I will not use such "Hardware Firewalls" either. I'm trusting
only a filtering system whose code I can read.
But: "Hardware Firewall" is not the opposite of "Personal Firewall".
It even has nothing to do with that term. Usually with "Hardware
Firewall" a black-box filtering solution is meant, where hardware and
software come together from one manufacturer. The opposite is called
"software firewall", a filtering solution which is delivered as a
computer program, with which you can implement a firewall by installing
and using that software on a computer of your choice.
>>The producers of the "Personal Firewalls" appear to develop not very
>>carefully.
> Not quite correct.
> What you should have written is this:
> The producers of *most* software appear to develop not very carefully.
I never saw a solution called "Personal Firewall" which was manufactured
well. Do you know one single solution which has none of the conceptual
problems I mentioned?
> Look at OpenSSH, Apache, (just as examples) etc etc for further
> proof.
OpenSSH had security flaws, that's right. But it is not broken by
design. All "Personal Firewalls" I know (most of them) are broken
by design.
>>Better than any "Personal Firewall" is to close the doors your
>>system offers by disabling unwanted system services, and not to
>>use software which is "phoning home".
> Disabling unwanted system services offers an extra degree of
> protection, but what about those services that you need running (ie
> services that other services depend on)?
If you want to communicate in one security zone, and not with others,
have a security zone plan, define the traffic between zones, and
implement constructive filtering in a firewall implementation between
the zones.
> The simple truth is that firewalls, software or hardware, don't offer
> complete protection, even taking out the weakest link - the user
> themselves.
Nothing with security is complete. Filtering cannot be complete
short of cutting the line, and user-based problems like social engineering
attacks are also a big problem. Technical security measures are
not enough to implement a security system. For example, you cannot
solve social problems with technical means. And no security exists
without a concept.
> But I'd still rather have a software firewall running, then no
> firewall at all.
A software firewall? Why not? When it's not host based but on
a dedicated machine. Also host-based filtering, in the best
case centrally managed, could be a good idea. But I would not
call that a "firewall".
Or do you mean a "Personal Firewall", namely a host-based
packet filter which is badly implemented? Then I would not agree.
> "TCP/IP filtering allows you to specify exactly which types of
> incoming IP traffic are processed as the destination for each IP
> interface."
> So, you don't believe outbound protection is important?
The documentation is not really clear here; as a matter of fact
outbound traffic can also be filtered - or are you referencing
the ridiculous "internet connection firewall"? I mean the port
filtering which is implemented in the kernel and documented as
part of the "IPsec" functions (I think the marketing manager
at Microsoft who used this term for that did not understand
what IPsec is).
There are better filtering systems than the one in the Windows
kernel, of course. And better not to trust a Windows system
as a platform for filtering software at all.
Better to use an operating system which has not so many security
flaws (not only in the IP stack) as such a platform.
You can even open privileged ports as a normal user with Windows.
> And with all the security flaws already found in Micro$oft systems,
> you'd trust their security over a personal firewall that may have only
> had a couple of flaws?
I would not trust the security of Microsoft products at all, least of
all as a platform for security systems.
Microsoft products also have advantages, but I can see none of them
in the security sector.
VB.
-- 
X-Pie Software GmbH
Postfach 1540, 88334 Bad Waldsee
Phone +49-7524-996806 Fax +49-7524-996807
mailto:vb@x-pie.de http://www.x-pie.de