Re: 99.9 % of Software/Hardware Firewalls DO-NOT.....
From: whoever (whoever@wherever.com) Date: 12/29/01
- Next message: BB: "McAfee, XP firewall questions"
- Previous message: tarzan: "morpheus and outpost!"
- In reply to: Sick&Tired: "Re: 99.9 % of Software/Hardware Firewalls DO-NOT....."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "whoever" <whoever@wherever.com> Date: Sat, 29 Dec 2001 11:35:42 -0600
"Sick&Tired" <lililmanlilii@yahoo.com> wrote in message
news:e85c6e9a.0112290703.b1c3b42@posting.google.com...
> "whoever" <whoever@wherever.com> wrote in message
> news:<3c2d0f3a$1_3@nopics.sjc>...
> > I'm highly curious about items #2 and #3. For example, since MAC addresses
> > are a layer 2 issue (i.e., a LAN issue) and not layer 3 (i.e., IP routing),
> > I'm curious how anyone could be exposed to this from the outside, where a
> > firewall is presumably protecting you. If you're saying that MAC address
> > spoofing is possible, I agree. Even so, it can be greatly minimized by
> > proper security on LAN switches. However, it is NOT POSSIBLE on the
> > Internet, because MAC ADDRESSES ARE A LAN issue, not a WAN issue. I implore
> > you to find anyone's MAC address by sniffing packets on any Internet router
> > around. Do you know what? You won't find any, because there aren't any.
> > Therefore, your supposition about #2, from the standpoint of an outside
> > hacker looking to get in, is absurd.
> >
> > Concerning ICMP and DOS attacks in general. Have you not read about the
> > latest invention in prevention? It is called an ACL. It's a wonderful tool
> > that has only been in existence since the first Cisco router. It allows you
> > (or better yet, your ISP) to selectively block traffic destined to a port,
> > or to an address, from a port, or from an address, or any combination of the
> > four. If I have a single connection to the Internet, and my ISP blocks ICMP
> > (or whatever, it could be simple SYN packets to a web server) from a
> > specific address, group of addresses, or to a specific port, the DOS issue is
> > gone. Period. End Game. Done. Am I making myself clear?
> >
> > As for #1, I'm sure anyone who subscribes to this list, and who has ever
> > configured a router, will tell you that one of the first commands to install
> > is NO IP (^?)S. With that, #1 is fixed. Done. Period. End Game.
> >
> > "Most firewalls do not come preconfigured to block Private Addresses, nor
> > IANA, or the Experimental IP Addresses from 239.000.000.000 -
> > 255.255.254.255"? Read the second paragraph concerning ACLs. Done.
> > Period. End Game.
> >
> > "Most firewalls are not smart enough to block UNKNOWN PROTOCOLS, because
> > their Operating Systems either are not configured to use them, or don't know
> > how to handle them properly. This is especially true for installed
> > software/hardware on computers using their own "CUSTOM ROLLED PROTOCOLS",
> > thus, bypassing the firewall, or, as a techy term, TUNNELING through the
> > firewall behind your back"? Bull***. In the world of ZA, BID, and NIS,
> > maybe. But not in the world of FW-1, or Gauntlet. Get your facts straight.
> >
> > "...gain entry via DNS UDP, or worse yet, DNS TCP for Zone Transfers"? Do
> > you even know how DNS operates? If I request the address for
> > www.whatthefuckeveryourludicrousmindthinks.com, how am I supposed to get
> > that address? Do you think that DNS UDP might be necessary for such a
> > conversation to take place? Do you know that every piece of DNS software on
> > the market has a setting to allow transfers from/to only certain IP
> > addresses? Do you know that most commercial firewalls can help alleviate
> > this problem you attempt to squawk about, much like chicken little ran
> > around exalting "the sky is falling, the sky is falling"?
> >
> > "Contact your State Representatives in order to get some serious Bills
> > passed to REGULATE Firewall Companies, IDS companies, or any company that
> > boasts protecting people while they
> > surf the web, or do business via the Internet". From the organization that
> > brought us Bill Clinton, Gary Condit, and Al Gore, you want to entrust the
> > security of every private company's data? You, sir, are an idiot.
> >
> > "Sick&Tired" <lililmanlilii@yahoo.com> wrote in message
> > news:e85c6e9a.0112262006.577013f0@posting.google.com...
> > > 99.9 % of Software/Hardware Firewalls DO-NOT cover the below
> > > Vulnerabilities/Exploits that Hackers use to get into Public
> > > or Private Servers, or Public PC's used by citizens when
> > > accessing the Internet:
> > >
> > > 1. ARP/RARP (Used to Circumvent Routers via redirects)
> > > 2. MAC Addresses (Man-in-the-Middle MAC Spoofs)
> > > 3. ICMP (Denial of Service and many more)
> > >
> > > The above is just 3 examples on how nasty people can use
> > > firewalls against itself, or, at the very least, not cover
> > > the important features that need to be blocked, by DEFAULT,
> > > in order to help stop the insanity on the World Wide Web.
> > >
> > > Here are some other examples that most Software/Hardware
> > > firewalls do not block or even have a clue on what to
> > > do with itself:
> > >
> > > Most firewalls do not come preconfigured to block Private
> > > Addresses, nor IANA, or the Experimental IP Addresses from
> > > 239.000.000.000 - 255.255.254.255. Typically called
> > > IP Spoofs.
> > >
> > > Most firewalls are not blocking, or even asking to permit
> > > most Protocols that are assigned....properly.
> > >
> > > Most firewalls are not smart enough to block UNKNOWN
> > > PROTOCOLS, because their Operating Systems either are
> > > not configured to use them, or don't know how to handle
> > > them properly. This is especially true for installed
> > > software/hardware on computers using their own "CUSTOM
> > > ROLLED PROTOCOLS", thus, bypassing the firewall, or,
> > > as a techy term, TUNNELING through the firewall behind
> > > your back.
> > >
> > > ------------------------------------------------------------
> > > Some firewalls even permit DOMAIN Exploits by using
> > > your DNS.....for IT'S OWN PURPOSE, BEHIND OUR BACKS.
> > >
> > > Speaking of DNS: Did you know that the (#1) way to get
> > > into your computer is through DNS? Yes, that is correct
> > > pilgrim. Disgruntled workers at your ISP, and even hackers
> > > that bust your ISP to gain entry via DNS UDP, or worse
> > > yet, DNS TCP for Zone Transfers.
> > > -------------------------------------------------------------
> > >
> > > Mix this in with Operating System Exploits, and one would
> > > get a feeling that we have been at war since the Digital Age,
> > > but blinded by Technology, for Easyology, in our daily lives.
> > >
> > >
> > > Remember......these are just a FEW examples.
> > >
> > >
> > > Let's all start 2002 on a good note. Contact your State
> > > Representatives in order to get some serious Bills
> > > passed to REGULATE Firewall Companies, IDS companies, or
> > > any company that boasts protecting people while they
> > > surf the web, or do business via the Internet.
> > >
> > >
> > > Let's start by making 2002 safer, shall we?
> > >
> > >
> > > Sick&Tired
>
>
> Your MODEM, be it Cable/xDSL has a MAC ADDRESS exposed before any Firewall
> which is also displayed in your packets via IP.
Oh, really? What is my MAC address? I have DSL. Post my MAC address, of
either the DSL gateway or my PC. I don't care which. Just post it. Then,
if there is truly a security issue, do something with that information.
Anything. I've got a software firewall. If you can do something with that
MAC address and use it to "penetrate" my firewall, I'll sue the manufacturer
and split the proceeds with you. Promise.
Besides, if I was a dial-up user, rather than Cable/DSL, what would my MAC
address be? After all, I wouldn't have a NIC. Then, would government
regulation of firewall producers be unnecessary? My God, come to think of it,
you might have an answer to all our security problems. Let's get rid of all
permanent internet connections and make them all dial-up. In fact, since
MAC addresses are evil, let's get rid of LANs as we know them. Let's put
modems in every device and have them call in to giant access servers to
share files locally. After all, we'd be insulated from the "MAC address
boogeymen" then, wouldn't we?
My Cisco routers at work have MAC addresses on the Ethernet ports. Can you
tell me those? What about the serial ports? Do you think those ports have
MAC addresses?
One of those routers is a gateway router to the Internet. Can you give me
its MAC address? Please do so and enlighten us as to your bizarre
assertions. Have you tried running ARP across the Internet?
>
> Cisco Routers are overplayed, not secure enough, and their falling stocks
> this year prove that.
As opposed to what telecom and/or tech-hardware manufacturer company's stock
price this year? Would you propose Nortel? Any hardware/software
combination is as secure as you, or, in your case, someone more talented
than you, make it.
>
> FW-1 and Gauntlet have been broken in the past, and your point, well, there is
> no point is there?
"Most firewalls are not smart enough to block UNKNOWN PROTOCOLS, because
their Operating Systems either are not configured to use them, or don't know
how to handle them properly", was, I believe the original context.
What UNKNOWN PROTOCOLS? Do you mean "IPX", "PPTP", "GRE", "L2TP", "serial
port protocols", "ATM protocols", "IGRP", "EIGRP", "AppleTalk", "HDLC",
"BGP", or any of the thousands that I could readily name, and, while
obviously UNKNOWN to someone with your intellect, are definitely not UNKNOWN
to the rest of the working IT community. Please enlighten us with an
example of an UNKNOWN PROTOCOL that a firewall can't handle properly.
>
> No, you do not know how DNS works....obviously.
Oh yes, my friend, I do.
>
> I love chicken......
WTFC?
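The ACL approach argued for in this reply (ordered permit/deny rules matched on protocol, source, destination and port, first match wins, implicit deny at the end), combined with the private/multicast/reserved source filtering the original post says firewalls lack by default and with DNS TCP restricted to a named secondary for zone transfers, as an added Python example that is not part of the thread, of Cisco IOS, or of any product mentioned in it. The addresses (TEST-NET documentation space), ports and rule set are constructed for illustration; `Rule`, `Packet`, `evaluate` and `is_bogon_source` are names assumed here.

```python
"""Added example, not from the thread: a minimal first-match ACL evaluator
with an ingress bogon filter in front of it.  All addresses and rules are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Source ranges a border device should never accept from the Internet side:
# RFC 1918 private space, loopback, link-local, "this network", multicast
# (224/4) and the reserved 240/4 block.  The post's "239.0.0.0 -
# 255.255.254.255" wording is covered by the last two entries.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "224.0.0.0/4", "240.0.0.0/4",
)]

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # CIDR; ANY for any source
    dst: str                     # CIDR; ANY for any destination
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def is_bogon_source(src: str) -> bool:
    """True if the source address falls in a range that cannot legitimately
    arrive from the Internet (an obvious spoof)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Ingress decision: bogon sources are dropped first, then the rule list
    is walked top to bottom and the first match decides; anything that
    matches nothing hits the implicit deny at the end."""
    if is_bogon_source(pkt.src):
        return "deny"
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed border ACL for a site with a DNS server (198.51.100.53) and a
# web server (198.51.100.80); 203.0.113.7 is the off-site secondary name
# server that is allowed to pull zone transfers over TCP/53.
INGRESS_ACL = [
    Rule("permit", "tcp", "203.0.113.7/32", "198.51.100.53/32", 53),  # zone transfers from the secondary only
    Rule("deny",   "tcp", ANY,              "198.51.100.53/32", 53),  # no other DNS TCP
    Rule("permit", "udp", ANY,              "198.51.100.53/32", 53),  # ordinary DNS queries
    Rule("deny",   "icmp", ANY,             ANY),                     # the ICMP flood case from the thread
    Rule("permit", "tcp", ANY,              "198.51.100.80/32", 80),  # public web
]                                                                     # implicit deny for everything else


if __name__ == "__main__":
    samples = [
        Packet("tcp", "192.168.1.5", "198.51.100.80", 80),   # private source: spoof
        Packet("tcp", "203.0.113.7", "198.51.100.53", 53),   # secondary zone transfer
        Packet("tcp", "203.0.113.9", "198.51.100.53", 53),   # anyone else on DNS TCP
        Packet("udp", "203.0.113.9", "198.51.100.53", 53),   # normal query
        Packet("icmp", "203.0.113.9", "198.51.100.80"),      # ICMP to the web server
        Packet("tcp", "203.0.113.9", "198.51.100.80", 22),   # no rule: implicit deny
    ]
    for p in samples:
        print(f"{p.proto:4} {p.src:>13} -> {p.dst}:{p.dport}  {evaluate(INGRESS_ACL, p)}")
```

Rule order matters exactly as it does on a router: the permit for the secondary must precede the blanket deny on TCP/53, or the transfer is never reached. The bogon check runs before the list because a spoofed private source should be dropped regardless of what later rules permit.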