Re: How good are personal hardware NAT firewalls?

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 10/28/02


Date: Mon, 28 Oct 2002 12:41:41 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>


Forgot to mention that the web filter "deny Java" DOES successfully
block jar archives (probably .jar urls).

So, to summarize Java blocking effects:
 LinkSys BEFSX41
 ---------------------
 - blocks .class file url accesses
 - blocks .jar file url accesses
 - passes .cab file url accesses

Note that this blocking appears to be http protocol only.
So, ftp inbound .class files are NOT blocked by this filter.

 - Mitch

"Michel Gallant (MVP)" wrote:

> "Karl Levinson [x y] MVP" wrote:
>
> > "Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
> > news:3DBD4CC9.9EB1B418@istar.ca...
> > > I am interested in getting experienced comments on how good
> > > personal firewalls like the LinkSys BEFSX41 are:
> > > http://www.linksys.com/products/product.asp?grid=23&prid=433
> > >
> > > With the *default* configuration, no inbound ports are open (i.e.
> > > "port-forwarding").
> > > Also, this particular LinkSys firewall claims:
> > >
> > > "Protects PCs from Ping of Death,
> > > SYN Flood, Land Attacks, IP Spoofing, and Other DoS (Denial of Service)
> > > Attacks
> > > Supports Up to Two IPSec Virtual Private Network (VPN)Tunnels
> > > Supports URL Filtering and Time Filtering
> > > Blocks Java, ActiveX, and Cookies "
> > >
> > > I wanted to get some details on the final item (does packet filtering
> > > check for .class file, object tags, .ocs, .cab etc. in the data sections of
> > > inbound packets?)
> > > from LinkSys but they will not disclose that level of technical detail?
> >
> > I doubt it does this. It probably just blocks based on port number. I'm
>
> I don't think that this is correct. The port number (typically port 80 for web
> server) is not blocked. The firewall evidently searches for reconnects and
> a url of type http://originalserver/somepath/somejavabytecode.class
> so it probably filters at the url request level, based on ".class" and variants.
> The container page certainly loads.
> Note that the BEFSX41 does NOT filter out .cab files; hence all my signed
> Java applets (IE only supports Authenticode signatures on cab files containing
> class files) pass neatly through the BEFSX41. This is probably so that
> installer urls (like .cab updaters) don't get screened.
> So, the befsx41 capability to block simple .class url requests is not too useful,
> since there is typically a pretty good sandbox already for various JVMs, notwithstanding
> some known vulnerabilities :-)
>
> >
> > not familiar with the new BEFSX41, but previous models didn't even allow you
> > to write packet filtering rules, and they were pretty near useless at
> > blocking any outbound traffic, so that you are still vulnerable to trojans
> > and remote access tools such as Back Orifice through the firewall. This is
> > somewhat serious, though you still get logging of outbound traffic.
>
> the befsx41 has some extended packet filtering and other stuff not available
> on the more basic befsr41. Also, there is no to-file logging capability (ref.
> comment below)
> - Mitch
>
> >
> >
> > Note that you will also want to use a free syslog client to capture the
> > logging to a PC, or else the logs disappear every few minutes / seconds.
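
Added example (not part of the original posts, and not LinkSys code): a small Python model of the URL-suffix filtering inferred in this thread, run next to a check on file signatures, to show which of the cases reported above a content-based policy would also catch. The vendor's real logic is undisclosed, so `suffix_filter` is an assumption built only from the observed results, and the URLs and payload bytes are constructed samples.

```python
from urllib.parse import urlsplit

# Behaviour reported in the thread: .class and .jar URLs are blocked,
# .cab URLs pass, and only HTTP requests are examined.
BLOCKED_SUFFIXES = (".class", ".jar")

# Well-known leading file signatures for the three container types discussed.
MAGIC = {
    b"\xca\xfe\xba\xbe": "java-class",  # compiled Java class file
    b"PK\x03\x04": "zip/jar",           # ZIP local file header (a JAR is a ZIP)
    b"MSCF": "cab",                     # Microsoft Cabinet archive
}

def suffix_filter(url):
    """Assumed model of the device: True if the request would be blocked."""
    parts = urlsplit(url)
    if parts.scheme != "http":          # filter appears to be HTTP-only
        return False
    return parts.path.lower().endswith(BLOCKED_SUFFIXES)

def sniff(body):
    """Classify a payload by its first four bytes."""
    return MAGIC.get(body[:4], "other")

def audit(samples):
    """List (url, kind) pairs that carry Java-capable content but pass the suffix filter."""
    gaps = []
    for url, body in samples:
        kind = sniff(body)
        if kind != "other" and not suffix_filter(url):
            gaps.append((url, kind))
    return gaps

# Constructed samples mirroring the cases in the thread (example.test is a placeholder).
SAMPLES = [
    ("http://example.test/applets/Demo.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x2e"),
    ("http://example.test/applets/demo.jar", b"PK\x03\x04\x14\x00"),
    ("http://example.test/applets/signed.cab", b"MSCF\x00\x00\x00\x00"),
    ("ftp://example.test/pub/Demo.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x2e"),
    ("http://example.test/index.html", b"<html><body>"),
]

if __name__ == "__main__":
    for url, kind in audit(SAMPLES):
        print(f"passes suffix filter, content is {kind}: {url}")
```

The two entries it reports are the same ones noted in the thread: the .cab download over HTTP and the .class file fetched over FTP.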


