Re: It seems every firewall is slagged as snake oil. So how should it be done?



Lie Ryan <lie.1296@xxxxxxxxx> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> - A system that doesn't have any open ports, because it doesn't have
>> any services listening on the external interface, doesn't need a
>> personal firewall to protect the system from direct inbound
>> attacks.
>
> A system is always vulnerable to ICMP DOS unless the firewall is
> instructed to ignore ICMP packets.

DoS by ICMP usually is an ICMP flood, which means that the attacker is
sending so many ICMP packets that they consume the entire bandwidth of
your uplink. Dropping ICMP packets on the receiving side doesn't change
anything at all about that.

>> - A system that is properly patched isn't vulnerable to attacks
>> targeting the already patched bugs.
>
> There are always zero-day vulnerabilities. Having a firewall can help
> to prevent these vulnerabilities, since most vulnerabilities assume a
> vanilla system.

Nonsense. If you need the service to be accessible, the firewall cannot
protect it, because blocking access would obviously make the service
inaccessible. And if you don't need the service to be accessible: why
are you running it in the first place? A service that isn't running
cannot be exploited, no matter how many zero-day vulnerabilities it
might have.

>> - Personal firewalls cannot protect services that are supposed to be
>> accessible to begin with.
>
> Personal firewalls should not be used for a web server in the first
> place.

Ummm... outside of your private reality there are a lot more services
than just HTTP. Which people may or may not need to access depending on
their current situation.

>> - When the user is working with admin privileges, personal firewalls
>> can be disabled from the inside, even if they employ rootkit
>> techniques.
>
> That is true even for a hardware firewall, and it is true for any kind
> of protection. Even moderately security-conscious people would not
> be so foolish as to run as Administrator nowadays.

Pray tell how you think you can disable a firewall running on a separate
device (provided it's configured properly, i.e. UPnP disabled, no
default password, firmware up-to-date, etc.).

>> - Malware should be prevented from being run in the first place, not
>> from communicating outbound after it's already running. There are
>> various measures helping to achieve the former, including, but not
>> limited to: disabling autostart on removable media, using Software
>> Restriction Policies, setting appropriate "execute" permissions, or
>> running (up-to-date) AV software.
>
> HAHAHAHAHAHAHAHAHAHA!!
>
> What a laugh... I'm sure in your unfirewalled system there is a worm
> that is currently contacting home, and you are CLUELESS about its
> existence because your firewall didn't tell you (OOOOPSS I forgot you
> don't have a firewall).

a) Just because I'm not using a personal firewall doesn't mean I'm not
using a firewall.
b) Since I'm normally logged in with a normal user account, and I also
know how to use Process Explorer, netstat, TCPView, Port Reporter,
Wireshark and a variety of other tools, I'm pretty certain that my
system is not currently infected.

> Fully updated antivirus? Do you think a "fully updated antivirus"
> stands a chance against a zero-day vulnerability? A firewall has a
> much better chance against zero days since it does not rely on
> signatures.

No, it doesn't. Because in the case of a service that doesn't need to be
accessible, you're better off shutting it down than just trying to block
access with a packet filter. And in any other case the system is already
hosed when the firewall detects the compromise.

>> - The popups of personal firewalls are more confusing than anything
>> else, because in order to understand these messages, the user would
>> have to have a good understanding of both networking and Windows
>> internals. Which is quite uncommon with the target group of
>> personal firewalls.
>
> I doubt that.

You can doubt that as much as you like. It doesn't change anything about
the fact.

> If there is a program named autorun.exe trying to get access to the
> Internet, I'm sure anyone moderately computer literate will be
> suspicious.

Do you believe he'll get suspicious when a program named iexplorer.exe
or iexp1ore.exe or ssvchost.exe is trying to access the Internet?
Really?

>> - The logging of personal firewalls usually is laughable, since vital
>> information is omitted.
>
> How is no logging better than some logging?

It's neither worse nor better. Insufficient logging is just the same as
no logging at all: it doesn't help, because you still lack vital
information.

>> On top of that, more often than not personal firewalls introduce
>> additional vulnerabilities on the system they're supposed to protect:
>>
>> - Automatic network shunning (default with various personal
>> firewalls) can be abused by an attacker for a DoS attack.
>
> Which is better than a compromised system. Anyway, most personal
> firewalls can selectively block the attacker's IP address without
> blocking the whole network.

Yeah. Especially when the attacker spoofs the IP addresses of your ISP's
name servers (or those of the root name servers). Right. Did you even
understand what I'm talking about?

>> - Some personal firewalls run interactive services with elevated
>> privileges, making them susceptible to shatter attacks.
>
> Better than an unfirewalled system, which can be easily turned into a
> zombie without any effort at shattering.

I call bullshit. How do you plan to turn a system into a zombie, when it
doesn't have any publicly accessible services, and the users are working
with normal user accounts?

>> - Exploitable bugs in personal firewalls can be used to compromise
>> the system. This has already happened ITW (W32/Witty.worm).
>
> A worm can only target a very small and specific set of firewalls. In
> the case of the Witty worm, it can only break through the ISS firewall;
> it won't be able to break my Comodo firewall or my Kerio firewall. By
> adding diversity, it makes it harder for a worm to have widespread
> impact. By having a uniform configuration (i.e. all no firewall) it is
> only a matter of time before the worm makes the next hops.

*sigh*

You didn't understand the problem at all, did you? Those systems were
infected *because* they were running a personal firewall. Had they not
been running a personal firewall but instead had their unneeded services
disabled, they would not have been affected by this attack (more
precisely: not only this attack, but any attack of this kind) at all.

>> And you dare call the critics of personal firewalls ignorant?
>
> And you dare claim you know anything about security?

A great deal more than you, obviously. Plus, I have at least some
understanding of networking concepts.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
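The "automatic network shunning" point in the exchange above is easy to miss, so here is an added toy model of it (example code, not from the thread or from any firewall product). A firewall that auto-blocks any source that probes a few closed ports can be turned against the host: the attacker sends a handful of SYNs to closed ports with the source address forged as the ISP's resolver, the resolver gets blocked, and from then on the host's own DNS replies are dropped. The attacker's real address never appears on the wire. Addresses, port numbers and the threshold are hypothetical; the packet sequence is constructed for the simulation.

```python
"""Toy model of auto-shunning abused for DoS (added example, not the page's code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical addresses from the documentation ranges.
RESOLVER = "203.0.113.53"   # the ISP's DNS resolver (spoofed as source by the attacker)
ATTACKER = "198.51.100.7"   # the attacker's real address; never seen by the victim


@dataclass
class AutoShun:
    """Personal-firewall-style rule: block any source that hits `threshold`
    distinct closed ports.  `never_block` is the only mitigation modelled."""
    threshold: int = 3
    never_block: frozenset = frozenset()
    probes: dict = field(default_factory=lambda: defaultdict(set))
    blocked: set = field(default_factory=set)

    def inbound(self, src: str, dport: int, allowed_ports: set) -> str:
        """Return the verdict for one inbound packet.

        `allowed_ports` stands in for the stateful table: ports with a
        listening service or with an outbound connection awaiting a reply."""
        if src in self.blocked:
            # Everything from a shunned source is dropped, legitimate replies included.
            return "drop"
        if dport in allowed_ports:
            return "accept"
        # Closed port: the host would already reject this.  Auto-shunning
        # additionally counts it against the (unauthenticated) source address.
        self.probes[src].add(dport)
        if len(self.probes[src]) >= self.threshold and src not in self.never_block:
            self.blocked.add(src)
        return "reject"


def spoofed_scan(fw: AutoShun, forged_src: str, ports) -> list:
    """Attacker sends SYNs to closed ports with a forged source address.
    No state is needed on the attacker's side, so spoofing costs nothing."""
    return [fw.inbound(forged_src, p, allowed_ports=set()) for p in ports]


def dns_reply_accepted(fw: AutoShun) -> bool:
    """Host sent a DNS query from ephemeral port 40000; the reply from the
    resolver to that port should be accepted by the stateful rule."""
    return fw.inbound(RESOLVER, 40000, allowed_ports={40000}) == "accept"


def scenario(never_block: frozenset = frozenset()) -> tuple:
    """Run the attack and report (dns still works?, which addresses got blocked)."""
    fw = AutoShun(never_block=never_block)
    spoofed_scan(fw, RESOLVER, [21, 23, 445])   # three closed ports, forged as RESOLVER
    return dns_reply_accepted(fw), sorted(fw.blocked)


if __name__ == "__main__":
    # Default auto-shunning: the resolver is blocked, DNS is dead, attacker untouched.
    print(scenario())
    # Exempting the resolver saves DNS, but only for addresses you thought of in advance.
    print(scenario(frozenset({RESOLVER})))
```

The exemption list is a band-aid: it only covers addresses the user knew to protect, and the same trick works with the default gateway, the mail server or whatever other peer the attacker can guess. The thread's own conclusion is the cleaner fix: a closed port already rejects the probe, so shunning the source adds nothing except a way for unauthenticated packets to change the firewall's state.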