Hi,

I've found an interesting program to check firewalls. It demonstrates the ability to connect to the internet via other programs which are allowed to connect (Trojan horses). Is it possible to block the program from accessing the internet via a stand-alone router?

http://www.pcinternetpatrol.com/downloads/pcaudit.exe

Is this simply a program to panic users or is there a serious danger?

Regards,
Michael
Hi Michael,
I've found an interesting program to check firewalls. It demonstrates the ability to connect to the internet via other programs which are allowed to connect (Trojan horses). Is it possible to block the program from accessing the internet via a stand-alone router?

--> A router cannot detect which program sent the package. It can deny access to certain IP ranges and/or certain port ranges.

http://www.pcinternetpatrol.com/downloads/pcaudit.exe Is this simply a program to panic users or is there a serious danger?

--> I think it is to a large extent a program to panic users and promote the selling of their firewall. Once you download a program and install it on your computer, it can use the network. And you do not want to block ALL outgoing connections. If you have a very strict security policy though, you can configure the firewall to only let browser "A" access ports 80,443 on the net and only SSH client B access port 22. But this will restrict your users and give them problems when using a different browser, a WWW server on a different port and so on. The important point IMHO is to teach users not to download programs from the internet without thorough checking of the intention of the program. And of course not to click on suspicious links or open email attachments.

Regards,
Armin

--
Am Hasenberg 26                      office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                          Schloss-Straße 6
Tel. ++49-(0)38203/42137                     D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de                  Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/                  Fax. +49-(0)38293-68-50
--> A router cannot detect which program sent the package. It can deny access to certain IP ranges and/or certain port ranges.
Not true for all routers. Cisco routers have an add-in feature to the IOS called NBAR (Network Based Application Recognition), which allows you to set up ACLs, CAR, traffic shaping etc. based on the application type. Makes blocking things like Kazaa and Gnutella very, very simple. No reason why you couldn't use it to weed out traffic that is not deemed wholesome.

B
Hi Armin
I've found an interesting program to check firewalls. It demonstrates the ability to connect to the internet via other programs which are allowed to connect (Trojan horses). Is it possible to block the program from accessing the internet via a stand-alone router?

--> A router cannot detect which program sent the package. It can deny access to certain IP ranges and/or certain port ranges.

Ok - this was a clear point. And what about standalone firewalls (i.e. SuSE Firewall)? I think blocking such internet access is only possible with a client-based firewall, which knows the programs and DLLs which are allowed to access the net?

The important point IMHO is to teach users not to download programs from the internet without thorough checking of the intention of the program. And of course not to click on suspicious links or open email attachments.

I think the only possibility to avoid such dangers is to prevent users from downloading ANY program ;-) This little demo program works without installing it :-/

Regards,
Michael
Hi,
--> A router cannot detect which program sent the package. It can deny access to certain IP ranges and/or certain port ranges.

Ok - this was a clear point. And what about standalone firewalls (i.e. SuSE Firewall)?

--> As pointed out already, there may be some chance to guess from the content of the packets which application is behind them. But this applies to SuSE Firewall as well.

I think blocking such internet access is only possible with a client-based firewall, which knows the programs and DLLs which are allowed to access the net?

--> Yes. A nice one for Windows is "Personal Firewall"; it can display pop-up windows for packets that do not match any rule, and you can restrict internet access to certain applications (they are identified by MD5 checksums, so even naming a trojan "netscape.exe" won't help).

The important point IMHO is to teach users not to download programs from the internet without thorough checking of the intention of the program. And of course not to click on suspicious links or open email attachments.

I think the only possibility to avoid such dangers is to prevent users from downloading ANY program ;-)

--> Yes, but I guess in most places this is not an option, as it means restricting net access very much. Think about naming a file "program.html" and then saving it as "program.exe". It would require a real content check based on "magic chars" in each document that is retrieved from the net.

Cheers,
Armin
--> Yes. A nice one for Windows is "Personal Firewall"; it can display pop-up windows for packets that do not match any rule, and you can restrict internet access to certain applications (they are identified by MD5 checksums, so even naming a trojan "netscape.exe" won't help).

--> Sorry, this should read "Kerio Personal Firewall".

Armin
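Added example, not from the thread and not Kerio's code: a small Python model of the per-application rule Armin describes, where the firewall identifies a program by a hash of its binary rather than by its file name. The file names and bytes are constructed, and SHA-256 instead of MD5 is an assumption; it also shows the flip side of such a rule, that an updated binary needs re-approval.

```python
import hashlib
import tempfile
from pathlib import Path

# Application rules are keyed by the hash of the binary, not by its name.
# Kerio used MD5 according to the thread; SHA-256 here is an assumption.

def file_digest(path, algorithm="sha256"):
    """Hash the binary in chunks so a large executable never sits in memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_allowed(path, allowlist):
    """A program may use the network only if its content hash was approved.
    The file name plays no part in the decision."""
    return file_digest(path) in allowlist

def demo():
    """Constructed scenario with throwaway files: approve a browser binary once,
    then check (1) the genuine file, (2) an unrelated program renamed to the
    browser's name, (3) the same browser after an update changed its bytes.
    Returns the three allow/deny decisions."""
    d = Path(tempfile.mkdtemp())
    browser = d / "netscape.exe"
    browser.write_bytes(b"MZ" + b"constructed stand-in for the real browser build")
    allowlist = {file_digest(browser)}       # approved once, e.g. via the pop-up prompt
    genuine_ok = is_allowed(browser, allowlist)

    dropped = d / "downloads"
    dropped.mkdir()
    impostor = dropped / "netscape.exe"      # same name, different content
    impostor.write_bytes(b"MZ" + b"constructed stand-in for a dropped trojan")
    impostor_ok = is_allowed(impostor, allowlist)

    # A legitimate update rewrites the binary, so its hash no longer matches.
    browser.write_bytes(b"MZ" + b"constructed stand-in for the updated browser build")
    updated_ok = is_allowed(browser, allowlist)

    return genuine_ok, impostor_ok, updated_ok
```

A real personal firewall makes this decision in a kernel driver at connection time; the model above only shows why the name-based trick fails and why every update triggers a new prompt.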
I'm having success with "Outpost Personal Firewall". Free for business use (well, the old version is...) http://www.agnitum.com/download/OutpostInstall.exe It appears to do much the same as Kerio. Tom.
-----Original Message----- From: Armin Schoech [mailto:armin.schoech@web.de] Sent: 17 May 2004 12:50 To: suse-security@suse.com Subject: Re: [suse-security] Firewall Check
--> Yes. A nice one for windows is "Personal Firewall" it can display pop-up windows for packets that do not match any rule and you can restrict internet access to certain applications (they are identified by md5 checksums so even naming a trojan "netscape.exe" won't help).
--> Sorry, this should read "Kerio Personal Firewall".
Armin
Hi!

For a better understanding of firewalls, here's something about the mechanisms - not to confuse somebody, but to show the difference. A Windows "personal firewall" has nothing to do with a Linux firewall (only the XP personal firewall uses similar techniques).

I've found an interesting program to check firewalls. It demonstrates the ability to connect to the internet via other programs which are allowed to connect (Trojan horses). Is it possible to block the program from accessing the internet via a stand-alone router?

A securely configured firewall only lets your PCs connect to the internet - nobody else, if not wanted. The port filter filters well-known (0-1024) and unknown (1025-65535) ports, protocols tcp, udp, igmp [...], nat, snat [...], connection tracking (http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html) and routes networks. Not more, not less (e.g. smoothwall without any extra services)!

From here you will say everything is equal as it looks, but can your personal firewall filter Ethernet addresses or do traffic accounting?

The above software is maybe a nice check, but looks like a fake - it talks only about the internal security of Windows and wants to sell a product (http://www.pcinternetpatrol.com/downloads/ind.php). Normally the simple XP personal firewall (an example of a simple connection tracking firewall) and a virus scanner are enough for single-home-PC users. If you have DSL or more than one PC, you choose a firewall. If you want to check your firewall, use GFI LANguard or other checking software testing for exploits.

The big plot is that IE is the biggest hole in security (and strange "third-party plugins"). If you allow IE to access the internet (without a DLL check) you allow a lot. Next, you can program software to directly close a popup after it appears and always say yes to any question (I think with a window handler). There are many, many more reasons why a personal firewall will not work that securely... this is used by such pseudo-testers.

Why is a firewall secure? Not because of the fact that it blocks ports: because it is not built inside a PC (no one except the admin knows what's running on it and how he set up the box)! Most people mistake Linux-based firewalls for personal firewalls on Windows. Personal firewalls on Windows are no real security, because they run on the same box the OS runs on and have more or less the same security the OS has - see the small example for IE (above). It is a nice thing to have a personal firewall; Kerio does work nicely and has implemented nice features: MD5 checks for apps, checking which software accesses the internet and which third party is used to access the internet, combined with a simple web content filter. In larger companies that is not enough - you cannot rely on a firewall that is installed on each PC (even if MS makes you believe so).

You can get these security features on modern firewalls combined with other software:

WWW:
- transparent proxy filtering: squid -> dans-guardian -> LAN ("good site" access, "bad site" denied). Web access cannot be gained without the filter, because the firewall redirects the WWW port.
- web proxy with virus filter: squid -> dans-guardian -> AV engine -> LAN (filter good and bad sites, scan for viruses)

SMTP: postfix or any other mail server & AV scanner & spam filter

Samba (not on the firewall or in the DMZ): smb-vscan (AV engine for Samba, but experimental)

Services: a firewall shall only run the services it minimally needs (e.g. ssh, squid, smtp, caching DNS, dhcp).

Security of the firewall:
- kernel without LKM, no compiler, no make ... or on separate storage for installation/update only (e.g. USB stick)
- chroot services (http://www.ss64.com/bash/chroot.html)
- capabilities - kernel access rules denying even root, if desired (even available at high cost for Windows)
- IDS - check if something changes (most times included in personal firewalls)
- depending on the level of security: report critical data via SMS - be up2date
- switches or connectors with port learning function (hardware solution)
- a firewall before your firewall (double NAT)
[...]

There are several other approaches, e.g. a firewall with an authentication system: http://www.nufw.org/ For Linux I saw somewhere even an app-based firewall like the personal firewalls (don't know if this works).
Ok - this was a clear point. And what about standalone firewalls (i.e. SuSE Firewall)? I think blocking such internet access is only possible with a client-based firewall, which knows the programs and DLLs which are allowed to access the net?

http://www.it-analysis.com/article.php?articleid=8773
http://news.zdnet.co.uk/hardware/emergingtech/0,39020357,2099013,00.htm

The personal firewalls try to do the same thing a secure Linux server does and make you think it has the same security level. No, it has not, nor does Windows know anything about any of these features (or it will be very expensive)! If you like, install it as an extra benefit, but don't trust it 100%. Simple in-a-box firewalls for DSL have most of these security benefits built in, but have to be up to date - some even have DansGuardian inside.
The important point IMHO is to teach users not to download programs from the internet without thorough checking of the intention of the program. And of course not to click on suspicious links or open email attachments.

<fun-tag> Or much easier, in one step: let them sign terms of use for your network. Make them frightened and tell them something like: "In case of damage caused by a client, the client has to pay." :-) </fun-tag> Well, that will not work (there are too many tele-tubbies).

I think the only possibility to avoid such dangers is to prevent users from downloading ANY program ;-) This little demo program works without installing it :-/

Nothing easier than this: install DansGuardian and block your desired extensions (e.g.: .exe, .com, .zip, .pif, .xls, and dot-whatever). If you want to have less work with your users: no CD, DVD & floppy in any PC (don't forget to disable USB and to protect the BIOS with a password), use a corporate AV solution and DansGuardian & AV plugin. I know this is unfair, but the question is, what costs more?

Philippe
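Armin's rename example earlier in the thread (program.html saved again as program.exe) and the extension list in this post come down to the same point: an extension filter only sees the name, a "magic chars" check sees the bytes. Added example, not from the thread and not DansGuardian's code: a Python sketch of such a content check for Windows PE executables and ZIP archives, run over constructed sample files; the blocked-extension list and the sample names are assumptions.

```python
import struct

BLOCKED_EXTENSIONS = (".exe", ".com", ".pif", ".zip")   # assumed policy, per the post

# Magic numbers of formats an extension rule is meant to keep off the desktop.
MAGIC_PREFIXES = {
    b"PK\x03\x04": "zip",
}

def looks_like_pe(data):
    """Windows executables start with a DOS 'MZ' stub; the 4-byte field at
    offset 60 (e_lfanew) points at the 'PE\\0\\0' signature of the real header."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"   # out-of-range offset -> False

def detect_type(data):
    """Return a format name derived from the content, or None if nothing matched."""
    if looks_like_pe(data):
        return "pe-executable"
    for magic, kind in MAGIC_PREFIXES.items():
        if data.startswith(magic):
            return kind
    return None

def blocked_by_extension(name):
    return name.lower().endswith(BLOCKED_EXTENSIONS)

def blocked_by_content(name, data):
    """Extension rule first, then the content check that catches renamed files."""
    return blocked_by_extension(name) or detect_type(data) is not None

def build_pe_sample():
    """Constructed minimal PE image: MZ stub, e_lfanew = 0x80, then the PE signature."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
    return dos_header + b"\x00" * (0x80 - len(dos_header)) + b"PE\x00\x00" + b"\x00" * 20

# Constructed downloads standing in for what the proxy would see.
SAMPLES = {
    "report.html": b"<html><body>quarterly report</body></html>",
    "program.html": build_pe_sample(),        # the renamed .exe from the thread
    "setup.exe": build_pe_sample(),
    "archive.dat": b"PK\x03\x04" + b"\x00" * 26,
}

def classify(samples=SAMPLES):
    """name -> (blocked by the extension rule alone, blocked once content is checked)."""
    return {name: (blocked_by_extension(name), blocked_by_content(name, data))
            for name, data in samples.items()}
```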
Participants (5): Armin Schoech, b@rry.co.za, Michael Rauter, Philippe Vogel, Tom Knight