Re: Ports getting hammered?


"Duane Arnold" <No@xxxxxx> wrote in message
news:u1Wuf.5849$nu6.3112@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> "Somebody." <somebody.@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:hYSuf.8388$43.1353@xxxxxxxxxxxxxxx!nnrp1.uunet.ca...
>>
>> "Duane Arnold" <No@xxxxxx> wrote in message
>> news:YfSuf.3070$Hl6.311@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>
>>>>
>>>> 1. it's not on the list of allowed outbound ports/protocols
>>>> 2. it's on the list of blocked outbound ports/protocols
>>>> 3. it's not on the list of allowed destinations
>>>> 4. it's on the list of blocked destinations
>>>> 5. it contains traffic that can be identified as problematic based on
>>>> signature (deep inspection)
>>>> 6. the behaviour of the traffic can be identified as nefarious
>>>> (metrics, threholds, or profiling)
>>>> 7. combinations of the above methods
>>>
>>> Not to be smart here but my Watchguard is not just going to start
>>> blocking outbound from some machine that it has determined that outbound
>>> traffic is dubious in some nature - automatically. Maybe some of the
>>> higher end models can do it but I don't have one of those. The only PFW
>>> solution that I know about that will stop outbound on its own based on
>>> some kind of traffic analysis of protocols being broken is Blackice in
>>> conjunction with using IPsec running on the machine. That traffic that
>>> was being blocked outbound just happened to be the query by the XP O/S
>>> to the MS site for time sync that the XP O/S was having trouble at the
>>> time, which I told BI to accept the traffic and forget about it.
>>>
>>> I am aware of ZA and have used it. And I know that ZA is not stopping
>>> outbound on its own unless some rules are being set to stop it. It's not
>>> just going to start blocking outbound on its own and many of them cannot
>>> do it.
>>>
>>> Duane :)
>>
>> Well to be honest I'm not fully up on most software firewalls as I don't
>> believe in them as a genre. I run one sometimes to support clients that
>> in fact does inspect traffic for nefarious content and can utilize most
>> of the techniques I noticed including recognizing signatures of outbound
>> traffic. It's the FortiClient which is the FortiGate's IPSec client.
>> That's what my comments were based on.
>>
>> If your Watchguard can't stop outbound traffic... is it really useful?
>> Would not the Windows XP firewall do exactly the same work?
>
> My WG can stop inbound or outbound by setting rules by port, protocol and
> IP WAN or LAN IP(s). What it can't do is start doing some kind of protocol
> analysis to see if protocols are being broken only a IDS application in
> system can do that. Now if the FW solution host based or otherwise has an
> IDS element to it, then more power to it.

My PFW has an IPS built in, supporting around 1300 attacks. So, it can
recognize and stop nefarious traffic that is going over allowed ports,
protocols and IPs.

>> As far as the appliance-based approach, the FortiGate firewall line in
>> fact uses all the methods I mentioned and more to stop outbound traffic,
>> no matter who solicits or initiates it, and it can't be compromised by
>> the malware itself. Which is what makes that approach superior to a
>> software based firewall approach.
>
> I am not going to be depending upon any solution appliance, host based or
> otherwise to be making some kind of decision as to when it's going to stop
> inbound or outbound based on some algorithm it maybe using on its own that
> has been predetermined by some programmer. BTW I am a programmer that's
> what I do for a living is write programs. If I set rules for a FW host
> based, appliance or otherwise to do something to filter packets inbound or
> outbound, then it had better well do it.
>
> I am the one who is the determining factor by reviewing logs for traffic
> patterns, what's dubious or not dubious in nature and where traffic is
> being sent to or coming from.
>
> The buck stops with me and not some program in the determination as to
> what is happening.. I may use tools to help me make that determination.
> But the buck stops with me and no where else.
>
> Duane :)

On the appliance, the entire set of attacks can be fully customized, one by
one. They can be enabled or disabled, they can be set to drop the bad
packets, kill the session, or send a reset to one or both ends. Smart
people review their logs and the default configurations to decide what they
want to let through and what they don't. Some data types are exempted from
scanning, some are not. Some are subjected to deeper or different scans
than others.

You are taking the position that you don't want to see or know about these
things, becuase your tools cannot inspect the data going over the permitted
ports and protocols. All your programming skill in the world will not save
you from in-band attacks when zero-day exploits hit the wire for products
you use. Until the vendors release patches, you're open. In the other
direction, nefarious software installed by nefarious means or rouge users on
your machines are free to communicate out over common ports such as 80
without impediment, in plain view of your logs.

I trust people that do this for a living to help me with such things while
the software vendors tell us that the vulnerability is theoretical only. I
gain visibility into the data streams and types going through my firewalls,
be they common ports or not.

I temper that with a dose of reality and the ability to read the logs and
modify the configuration as need be, based on what really is and is not
allowed over the wire by the firewall rules and the data types traversing
them.

-Russ.








.

Relevant Pages

  • Re: Ports getting hammered?
    ... >>> If your Watchguard can't stop outbound traffic... ... >>> Would not the Windows XP firewall do exactly the same work? ... >> protocol analysis to see if protocols are being broken only a IDS ... >> own that has been predetermined by some programmer. ...
    (comp.security.firewalls)
  • Re: Cant Ping Windows 2003 server after R2 Upgrade..HELP!
    ... UPDATE* -- i've enabled to the windows firewall just to see what can be ... i then adjust the ICMP setting to allow ALL icmp. ... Enable 3 Allow outbound destination unreachable ... ICMP configuration for Local Area Connection 7: ...
    (microsoft.public.win2000.active_directory)
  • Re: black ice usage question
    ... It relies on it's application control for outbound protection. ... restrict the entire machine from accessing certain ports either. ... firewall will allow the user to restrict all access to only the ports ...
    (comp.security.firewalls)
  • Re: Firewall of SP2 is good?
    ... >> PFW solutions and some people do consider App Control a limited means ... then it cannot send any outbound traffic. ... > connections to an application. ... The firewall does NOT stop any ...
    (comp.security.firewalls)
  • Re: Network Firewall/Routing Solution
    ... > for a good solution to route inbound and outbound traffic. ... > firewall combo boxes that linksys sells, and I really don't want to run ... > I will need to deal with inbound web and ftp requests from the ... > non-pasv connections. ...
    (comp.security.firewalls)