Re: 99.9 % of Software/Hardware Firewalls DO-NOT.....

From: Patrick Farrell (grimlock@xnet.com)
Date: 12/28/01


From: Patrick Farrell <grimlock@xnet.com>
Date: Thu, 27 Dec 2001 20:10:05 -0600

Sick&Tired wrote:
>
> 99.9 % of Software/Hardware Firewalls DO-NOT cover the below
> Vulnerabilities/Exploits that Hackers use to get into Public
> or Private Servers, or Public PC's used by citizens when
> accessing the Internet:
>
> 1. ARP/RARP (Used to Circumvent Routers via redirects)
> 2. MAC Addresses (Man-in-the-Middle MAC Spoofs)
> 3. ICMP (Denial of Service and many more)

Firewalls do what you tell them to. Take WatchGuard for example: ICMP is
blocked unless you specifically allow things like traceroute and ping etc.
Please explain #2, as most firewalls filter by IP address, and not MAC
addresses. Not clear on how #1 is going to get you anywhere, so please
explain; I'd like to know. If I configure my wall to allow everything and then
start blocking selectively, I'm in trouble. It's far better to deny all and then
allow specifically what you need. Now unfortunately personal firewalls work far
differently than corporate LAN firewalls, as those firewalls don't have access to
know what application is accessing the net, so they work specifically on port/IP
filtering. I don't think, however, that these exploits will get you anywhere on
personal firewalls either.

>
> The above is just 3 examples on how nasty people can use
> firewalls against itself, or, at the very least, not cover
> the important features that need to be blocked, by DEFAULT,
> in order to help stop the insanity on the World Wide Web.
>
> Here are some other examples that most Software/Hardware
> firewalls do not block or even have a clue on what to
> do with itself:
>
> Most firewalls do not come preconfigured to block Private
> Addresses, nor IANA, or the Experimental IP Addresses from
> 239.000.000.000 - 255.255.254.255. Typically called
> IP Spoofs.

Irrelevant. You're filtering based off of ports or IP addresses. If you block
all traffic on port 21, it doesn't matter if it's an experimental address. It's
blocked. If you only allow traffic from 100.100.100.xxx then it doesn't matter
if someone from 239.xxx.xxx.xxx tries to access. It's not in the specified
range.

>
> Most firewalls are not blocking, or even asking to permit
> most Protocols that are assigned....properly.

For example?

>
> Most firewalls are not smart enough to block UNKNOWN
> PROTOCOLS, because their Operating Systems either are
> not configured to use them, or don't know how to handle
> them properly. This is especially true for installed
> software/hardware on computers using their own "CUSTOM
> ROLLED PROTOCOLS", thus, bypassing the firewall, or,
> as a techy term, TUNNELING through the firewall behind
> your back.

Such as? Are we referring to things like IPX and NetBEUI and AppleTalk or other
items? Those don't route anyway, and since your firewall basically is a router
of sorts, if it doesn't know how to route those things they are not going
anywhere.

Tunneling is a problem. For example, AOL seems to install PPTP on your system
to create a tunnel which would in effect bypass any firewall you have. That's
your choice to install that. In order to create a tunnel, you need to already
have the necessary items on your end to complete this tunnel.

It's like the leaktest things. Yes a rogue app behind your firewall can get
out. How did it get there to begin with? If you block it the first time it
can't get back there to get out.

>
> ------------------------------------------------------------
> Some firewalls even permit DOMAIN Exploits by using
> your DNS.....for IT'S OWN PURPOSE, BEHIND OUR BACKS.
>
> Speaking of DNS: Did you know that the (#1) way to get
> into your computer is through DNS? Yes, that is correct
> pilgrim. Disgruntled workers at your ISP, and even hackers
> that bust your ISP to gain entry via DNS UDP, or worse
> yet, DNS TCP for Zone Transfers.
> -------------------------------------------------------------
>
This I agree with. WatchGuard just implemented a DNS proxy to address these
types of attacks.

> Mix this in with Operating System Exploits, and one would
> get a feeling that we have been at war since the Digital Age,
> but blinded by Technology, for Easyology, in our daily lives.
>
> Remember......these are just a FEW examples.
>
> Let's all start 2002 on a good note. Contact your State
> Representatives in order to get some serious Bills
> passed to REGULATE Firewall Companies, IDS companies, or
> any company that boasts protecting people while they
> surf the web, or do business via the Internet.
>

Free market regulates itself. Government intervention will result in dumbed
down walls so that law enforcement can penetrate it (remember encryption
regulation?). If consumers bother to get educated, companies shipping inferior
security products won't last long. Firewalls are not like OSes or office
suites; you having a Cisco firewall won't prevent you from accessing a site that
has a WatchGuard, or a Raptor or whatever, so while inferior OSes may win out,
in an educated consumer market, an inferior firewall should not. The key is
educating people.

MS just patched a hole in XP. Most consumers will never get the patch for it.
I routinely work on people's systems and visit Windows Update and see they never
even applied the year 2000 patches. "Well my system still works." Ok, ya,
whatever.

> Let's start by making 2002 safer, shall we?
>
> Sick&Tired

Agree.

Patrick
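The two rule orderings Patrick contrasts above (deny all, then allow what you need, versus allow all, then block selectively) and his point that under the first ordering an experimental-range source like 239.x.x.x needs no special rule, can be shown with a small first-match packet filter. The following is an added illustration, not code from the post or from WatchGuard or any other vendor; the rule set, the 100.100.100.0/24 "permitted client" range, and every sample packet are constructed for the example.

```python
"""Toy first-match packet filter contrasting deny-all-then-allow with
allow-all-then-deny. Added example code; addresses, ports and packets are
constructed and do not come from the original post or any vendor product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                         # source IPv4 address, dotted quad
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination port (tcp/udp only)
    icmp_type: Optional[str] = None  # e.g. "echo-request", "redirect"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: Optional[str] = None        # source CIDR to match; None = any
    proto: Optional[str] = None      # protocol to match; None = any
    dport: Optional[int] = None      # destination port to match; None = any
    icmp_type: Optional[str] = None  # ICMP type to match; None = any

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when every field it specifies equals the packet's."""
        if self.src is not None:
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First matching rule wins; the default policy covers everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Policy A (the reply's recommendation): default deny, explicit allows only.
# Deliberately no rule mentions 239.0.0.0/8 or private address space.
DEFAULT_DENY_RULES = [
    Rule("deny", proto="tcp", dport=21),                      # close FTP control outright
    Rule("allow", src="100.100.100.0/24", proto="tcp", dport=80),
    Rule("allow", src="100.100.100.0/24", proto="icmp", icmp_type="echo-request"),  # ping
]

# Policy B (what the reply warns against): default allow, selective blocks.
DEFAULT_ALLOW_RULES = [
    Rule("deny", proto="tcp", dport=21),
    Rule("deny", proto="icmp", icmp_type="redirect"),
]


def decide_default_deny(pkt: Packet) -> str:
    return evaluate(DEFAULT_DENY_RULES, pkt, "deny")


def decide_default_allow(pkt: Packet) -> str:
    return evaluate(DEFAULT_ALLOW_RULES, pkt, "allow")


# Constructed sample traffic (hypothetical values for the example).
SAMPLE_PACKETS = [
    Packet("100.100.100.5", "tcp", dport=80),                  # permitted client, web
    Packet("100.100.100.5", "tcp", dport=21),                  # permitted client, FTP
    Packet("239.1.2.3", "tcp", dport=80),                      # experimental-range source
    Packet("10.0.0.9", "udp", dport=53),                       # private-range source, DNS
    Packet("100.100.100.5", "icmp", icmp_type="echo-request"),
    Packet("100.100.100.5", "icmp", icmp_type="redirect"),     # ICMP redirect
]


def compare_policies(pkts: List[Packet] = SAMPLE_PACKETS):
    """Return (packet, default-deny verdict, default-allow verdict) triples."""
    return [(p, decide_default_deny(p), decide_default_allow(p)) for p in pkts]


if __name__ == "__main__":
    print(f"{'source':16} {'proto':5} {'port/type':13} {'deny-all':9} {'allow-all':9}")
    for p, a, b in compare_policies():
        what = str(p.dport) if p.dport is not None else str(p.icmp_type)
        print(f"{p.src:16} {p.proto:5} {what:13} {a:9} {b:9}")
```

Running it shows the point of the reply: under the default-deny policy the packet from 239.1.2.3 and the one from 10.0.0.9 are dropped without any bogon or private-range rule existing, because nothing allows them; under the default-allow policy both sail through, since the administrator would have to anticipate and block every unwanted source explicitly. ICMP behaves the same way: only echo-request from the permitted range is allowed under policy A, while policy B must name each ICMP type it wants stopped.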
