Firewalls Useless?

Discussion in 'other firewalls' started by Scotcov, Nov 24, 2002.

Thread Status:
Not open for further replies.
  1. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    I hate it when that happens myself (luckily it hasn't happened to me here in several months).
    Okay, just requesting clarification as to which subset you were referring. Just quickly re-checked my numbers for the last month. Well over 70% of the probes I see can be immediately ascribed either to my ISP, Worms, or P2P. Half of the remainder are skiddies, in all probability. It's only after digging through all this that the truly interesting stuff turns up.

    But I think your last statement is the interesting one! (I was trying to hold this back, but I suppose I might as well mention it now.) Yes, it's the record that I find interesting. And relying on ICS produces no record (a hardware router could be enabled to do so, of course). It's that ability to peer under the hood and see what's happening that I find so interesting, but many of the PSFs are sorely deficient in this capability and we have to rely on third-party log analyzers to do this. Indeed, for those who haven't already picked up on it, that's one of the reasons I stopped with NIS 3/4 -- in those contexts I have a good log analyzer; in NIS 6, the capability is pitiful. Of course, an IDS would also provide this capability (and even better, I might add), but they're not well understood (apparently) in the community at large.
    Yes, and no. ;) Sure, they'll ride in if you give them the chance on IM programs, P2P programs (including, now, the RIAA, I note), chat utilities, but they will also ride in on your newsreaders, e-mail clients and even your browser -- if you give them a chance. For the most part, a traditional firewall (hardware or software) isn't going to stop this. And when I say 'traditional firewall', I'm talking about what CrazyM brought up in another thread, not one of the 'latter day' firewalls with all sorts of additional bells and whistles. If you Internet-enable Windows Explorer (especially the good ole web folders), your word processing or spreadsheet or DBMS app, they'll be perfectly happy to ride in on those, too!

    It's not necessary to give these applications 'server rights' for them to do this, either. (And I fear that far too many PSF users think that's the magic bullet to avoid.) All you have to do is give any of these apps more or less unrestricted client rights and you can very easily end up as dead meat. You go 'somewhere', you request something. If it's the 'wrong place', you're just as vulnerable as if you're running the app in server mode. You asked for it? You got it! Uh-ohhh. What's the solution? Well, that's why many of the PSFs are now moving beyond traditional firewall protective measures (but only if those additional methods are invoked, of course). And, for the most part, many of these 'other' protective measures have been available for some time from non-firewall utilities (including in some instances existing OS utilities). For example, you just gave me a gold mine in your following comment.
    Okay, I hit this one hard -- must have been two years ago -- with all of Steve Gibson's ballyhoo about Leaktest. Can you identify a single exploit (before or since the Leaktest freak-out) that relied on tampering with the main executable for which a firewall rule had been set? I can't; I've asked (repeatedly); if one is out there in the wild that actually tries to do this, I've never heard of it. (Of course, there's probably not gonna be one now, either. :cool: )

    But, is a software firewall the only solution to this problem; and, indeed, is a software firewall a solution to this kind of problem? No (on both counts).

    Again, I've never seen or heard of a 'masquerading executable' identified in the firewall ruleset and I've asked. What I have heard about is corrupted main OS utilities (technically, having no Internet access capabilities whatsoever), and I have heard about corrupted DLLs, OCXs, VBXs and SYS files used by such utilities. In the former case, I've got a guy who sat there and watched his DUN monitor go crazy with outbound traffic (this on a stand-alone PC), while his software firewall showed no untoward activity whatsoever. In the latter case, MSIE (iexplore.exe) is nothing but a stub program; all the real work is done via DLLs, OCXs, etc. You bust one of these, you're good to go -- over the connections PERMITTed for MSIE itself!

    Yeah, yeah, yeah, I know ... the newer releases of the major PSFs will also check for (and authenticate) the DLLs. Ummm, just which called routines are they checking; are they checking OCXs and VXDs and SYS files? Are they also checking core OS components? Are people actually using this functionality or are they being told to turn it 'off' because it's such a 'hassle' and raises so much havoc with throughput? All I can say is check the posts on these subjects. If it ain't on, it ain't working.

    Now, (even if it's being used) the above functionality is not part of the core functionality of a PSF (and certainly not of a hardware firewall which doesn't even have access to such information). Is there nothing we can do about such problems? Of course not; that's where memory-resident registry monitors, AV/AT/Spyware/keylogger utilities come into play. There's also file authentication software which is far more sweeping in its power. (No, this is not a plug for NIS File Check; there are any number of freeware/shareware/payware alternatives to NIS File Check -- and I'm still trying to work my way through all of them.) All of these do a better, more comprehensive job than the latest generation of PSFs -- and they do it with far less of a performance hit. I suspect (but at the moment cannot confirm) that this was part of what wizard was referring to. All of which brings us back to his statement about the incremental advantage of using a software firewall.

    Finally, there's one particular threat against which the current crop of PSFs is largely useless -- these are the memory-resident (RAM only) exploits. For those who may have missed it, these have been 'out there' since at least CRv1 and CRv2. In this instance, there ain't no "file on disk" for an AV/AT/spyware/keylogger program to pick up. And it doesn't screw with the registry, so even a registry monitor isn't going to pick it up. The only solution (of which I am aware) to this vulnerability is to run a locked-down version of Win NT/2000/XP (and with non-supervisory privileges) while on the Internet. And quite frankly, I'm not going to maintain that even this is sufficient.
    Disagree. The kinds of threats I'm talking about here ride piggy-back on the existing authorized application, using the ports and IP addresses for which the authorized Internet-enabled application has been authenticated. That's precisely what CRv1 and CRv2 did; indeed, it's precisely what most of the e-mail borne viruses and worms do. A standard firewall (hardware or software) has no capability whatsoever to 'block' these communications. You have to go to the exotics and you have to have the functionality enabled (assuming it exists in the first place).
    Agreed, no argument whatsoever.
    I never took your comments any other way. For those who may be wondering (and haven't figured it out yet), someone (who shall remain nameless) asked for someone to take the counterpoint in this discussion. I waited, no one else really picked up on it, so I decided to do it. (Yes, I do use a PSF, but we'll get to why much later in this thread.)

    I think we all know that at least 90% of the people frequenting this forum use some sort of firewall. Most of the remaining 10% would probably take a look at the question that scotcov initially posed and simply say "Why bother? I'll be here for the next ten weeks!"

    You've seen the "Of course, you need a (software?) firewall!" responses already. But, if I turn to you and ask "Why do you need a software firewall?", I'd really like to think you could provide a better answer than "Well, I asked in Wilders/GRC/DSLR Security and 90% of the respondents said I did!" In all honesty, that's not much of a response (and it don' sell real well if that's all you can say to your spouse, co-worker, or friend). So, yes, I'm playing counterfoil here. I don't really care if you agree or disagree with my position; I want you to think, decide, and then be able to defend your decision.

    There are alternatives to a PSF (I think luv2besecure or LowWaterMark may have referred to them) and I think that wizard may well be basing a certain amount of his initial statement on the fact that many of them are readily available as freeware/shareware. Indeed, quite some time ago, I wrote a rather sardonic response (was it to Name Game, our very own PrimRose?) in the DSLR Security Forum as to how one could live perfectly safely without a PSF. This solution is hardly for Joe User, however. I also initiated the "Stealthed vs Closed" debate in the DSLR Security Forum. While I have my own opinions on the value of 'Stealth', my primary intent was to make people think about just how much Stealth was really worth.

    To me, your questions represent an "Inquiring minds want to know (understand)" position. I have used you as a foil (and I think you know that), but I'm not trying to convince you that I'm right and you're wrong. I'm simply trying to lay out an alternative so that you can make an 'informed' decision and then defend it, whatever it may be.

    Peace.
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    :D

    I read Scotcov's post that started out this whole thread 5 minutes after he edited it on the 24th.. I also had read before that which wizard had written and took nothing he said out of context. I thought about responding to Scotcov at that time, but the coffee was ready and I had to help 3 people clean up the trash the last software firewalls they were massaging... left on their system.

    Now JV is taking my name in vain ;-)


    Scotcov,
    If you want to know how the Internet really works and also give yourself time to fully understand your OS and its architecture (No matter what you are running or who built the boxes) get yourself a software firewall and knock yourself out.

    When you think you have it all figured out..;-) dump it.

    It is really that simple.

    MOST of the things that will get to you will be cockpit error and the rest you will be letting in the front 6,500+ doors all by your lonesome without any help from a hacker, an attack... much less any spyware or governmental entity trying to checkup on your mental/physical/ or spiritual health in cyberspace.

    When you are satisfied you are ready:
    Do not rely on third party software for what you KNOW can be solved with knowledge of your own OS. Do not run it "out of the box" after you understand how to customize it.

    Best of Luck,

    John
     
  3. Scotcov

    Scotcov Guest

    Why remain nameless? It was ME! And I'll never regret it. You have made us think, and that's good.
    Scotcov
     
  4. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    JVM,
    your detailed and in depth posts are appreciated more than you know. You do shed some light on some issues using Firewalls. You are also very knowledgeable in this area and I'm glad you responded as such!
    And you can use my posts to continue the "foil" anytime! ;)

    Did I learn something here?? Absolutely!!

    Will I continue to use a software Firewall?? Absolutely!!

    And of course for your time and effort, a Karma (applaud of course!) is in order for you, from me and probably a few more posters. :)

    With kindest regards,
    bill ;)
     
  5. controler

    controler Guest

    Great discussion :D

    Yea, being a client is bad. It allows connection, but on the other hand, being a server is worse. You then allow yourself to be part of a bigger attack.
    As for only relying on your OS to protect you. That is not possible with anything but NT. You sure couldn't lockdown your system with 98 or ME. Maybe you were referring to a non Windows OS? I know Wizard was. If I had to choose another program and it couldn't be an AV or firewall ,,,
    the only type program I would consider running without anything else is a file checking program. One that compares the file's signature.
    And preferably one that warns you when something has changed.
    This does not stop the intrusion but sure lets you know you've been had.
    We are all keeping in mind this thread is speaking of a perfect world situation.
    We agree, our main goal here is to help all those that we can.
    Education, Education, Education,
    is a sales person's way of saying Location location location....
    JVM How about refreshing RAM, Clearing RAM? over and over and over
    A coded refreshing of the RAM.
     
  6. FanJ

    FanJ Guest

    My 2 cents....

    First of all thanks to all who started and/or contributed to this discussion!

    I’m still a little bit struggling with this:
    Finally, there's one particular threat against which the current crop of PSFs is largely useless -- these are the memory-resident (RAM only) exploits. For those who may have missed it, these have been 'out there' since at least CRv1 and CRv2. In this instance, there ain't no "file on disk" for an AV/AT/spyware/keylogger program to pick up. And it doesn't screw with the registry, so even a registry monitor isn't going to pick it up.
    If such an exploit is in your RAM, it must have come there in SOME way.
    In which way? Couldn’t it have been picked up BEFORE it came in there?


    I was expecting and hoping (grin) that Joseph would also bring this part to the discussion:
    the newer releases of the major PSFs will also check for (and authenticate) the DLLs. Ummm, just which called routines are they checking; are they checking OCXs and VXDs and SYS files?


    Were we talking about checking DLLs and EXEs with for example MD5-checking?
    Then comes immediately the question how safe those checksums are stored!
    It has to be done in a secure way! I have posted about that already in the past somewhere else.
    OK, here goes again (although I might be repeating myself too much).


    How safe is a checksum stored?

    Let’s say program P uses a checksum algorithm (like CRC32 or MD5) to check whether files have been changed.
    Let’s say you want file F to be checked.
    The first time you run program P on file F there will be a checksum C generated.
    Then, after a while, you will check whether file F is changed.
    So you run a second time program P on file F;
    the algorithm used in program P makes a new checksum, let's say C2;
    the checksums C and C2 are compared;
    and then program P tells you whether file F has been changed or not, depending on whether C and C2 are the same or not.

    So far so good, but the only way program P can perform this is by comparing these two checksums C and C2. That means that, after generating the first checksum C, it must store it somewhere....

    Now I have a malicious program M (like some kind of a Trojan).
    Malicious program M looks specifically for file F and wants to replace it with malicious file MF.
    And malicious program M is made in such a way that it already knows that changes in file F are being checked with program P. So it brings, together with malicious file MF, its checksum MC.
    The only thing that malicious program M now has to do is to replace file F with file MF and replace checksum C with checksum MC.
    And there is no way that program P ever can tell you that file F is changed…

    Conclusion: the security that program P with its checksum algorithm can give you depends heavily on how safely it stores checksums!
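FanJ's argument, worked through as an added example (this is not code from the thread): program P with a plainly stored baseline, malicious program M swapping F for MF and C for MC, and a variant P' whose baseline entries are authenticated with an HMAC under a key that M cannot read. SHA-256 stands in for the CRC32/MD5 the post mentions (the storage weakness is the same for any hash); the in-memory 'disk', file names and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed in-memory "disk": file name -> contents. "F.dll" plays file F.
DISK = {
    "F.dll": b"legitimate library code v1",
    "other.exe": b"unrelated program",
}

def checksum(data: bytes) -> str:
    # The post talks about CRC32/MD5; SHA-256 here, the storage issue is identical.
    return hashlib.sha256(data).hexdigest()

# --- Program P, naive: the baseline is a plain table that anyone with write
# access to the box (including M) can edit alongside the files it describes.
def p_baseline(disk: dict) -> dict:
    return {name: checksum(data) for name, data in disk.items()}

def p_verify(disk: dict, baseline: dict) -> list:
    """Names whose fresh checksum C2 differs from the stored checksum C."""
    return sorted(n for n, data in disk.items() if checksum(data) != baseline.get(n))

# --- Malicious program M: replaces F with MF and C with MC in the same store.
def m_tamper(disk: dict, baseline: dict, name: str, mf: bytes) -> None:
    disk[name] = mf
    if name in baseline:
        baseline[name] = checksum(mf)  # MC, shipped by M's author together with MF

# --- Program P', hardened: every entry carries an HMAC tag over (name, sum)
# under a key that is NOT stored with the baseline (typed in, removable media,
# another host). M can still rewrite 'sum', but cannot produce a matching 'tag'.
def p2_baseline(disk: dict, key: bytes) -> dict:
    out = {}
    for name, data in disk.items():
        c = checksum(data)
        msg = json.dumps([name, c]).encode()
        out[name] = {"sum": c, "tag": hmac.new(key, msg, "sha256").hexdigest()}
    return out

def p2_verify(disk: dict, baseline: dict, key: bytes) -> dict:
    """{name: 'changed' | 'baseline tampered' | 'missing from baseline'}."""
    findings = {}
    for name, data in disk.items():
        entry = baseline.get(name)
        if entry is None:
            findings[name] = "missing from baseline"
            continue
        msg = json.dumps([name, entry["sum"]]).encode()
        expected = hmac.new(key, msg, "sha256").hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            findings[name] = "baseline tampered"   # the stored checksum was edited
        elif checksum(data) != entry["sum"]:
            findings[name] = "changed"             # the file was edited
    return findings

def demo() -> tuple:
    key = b"constructed-demo-key-kept-off-the-box"
    # 1: naive P. M swaps both file and checksum; P reports nothing at all.
    disk1 = dict(DISK); base1 = p_baseline(disk1)
    m_tamper(disk1, base1, "F.dll", b"malicious replacement MF")
    naive = p_verify(disk1, base1)                      # []
    # 2: hardened P'. M swaps the file and the 'sum', but has no key for the tag.
    disk2 = dict(DISK); base2 = p2_baseline(disk2, key)
    disk2["F.dll"] = b"malicious replacement MF"
    base2["F.dll"]["sum"] = checksum(disk2["F.dll"])    # MC written without the key
    hardened = p2_verify(disk2, base2, key)             # {'F.dll': 'baseline tampered'}
    # 3: ordinary change with an untouched baseline is reported as a plain change.
    disk3 = dict(DISK); base3 = p2_baseline(disk3, key)
    disk3["F.dll"] = b"legitimate library code v2"
    changed = p2_verify(disk3, base3, key)              # {'F.dll': 'changed'}
    return naive, hardened, changed

if __name__ == "__main__":
    print(demo())
```

The key moves the problem rather than removing it: if M can read the key as easily as the baseline, P' is back where P was, which is FanJ's point about where the checksums (and now the key) live.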
     
  7. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    A simple multi-port scan

    I thought it might be a good idea to give a simple example of a multi-port scan to those who may be reading this thread and may be a bit uncertain as to what we are talking about here. Luckily, someone was kind enough to oblige me, just this morning. :cool: I should add that I think this is probably the only one I've seen this month!

    This illustrates probes on four distinct ports originating from one IP address. All four of these probes occurred in approximately 0.2 seconds. You'll also note that it's a 'singleton' probe on each port, not the kind of triplet that one might think had been unintentionally released by a Windows box. There's a distinct reason for this subset and, indeed, it (or something very similar to it) is probably the most common multi-port scan that I and several others have observed in the past few months.

    I'm going to illustrate this with the detailed output available from Sven Schaefer's Log Viewer (for NIS and Linksys Routers); other log analyzers can do something quite similar for other software/hardware firewalls or routers.
    Now, this is not Internet Background Radiation (IBR), by any means.

    But, what does it signify and is it anything for me to worry about?

    Well, it's not my ISP (that's for sure!); it's not some P2P file-sharing program looking for servers; it's not a worm (otherwise, I'd be seeing a lot more of it). It's probably not an entry-level skiddy who just got this neatso, keen tool, either.
    • It could be a second-level skiddy, however.
    • For that matter, it could be some perfectly innocent guy who just downloaded a certain nifty tool available from what is ostensibly a 'white-hat' site who's off on a crusade to save the Internet. (There are more of these than I care to think about.)
    • And, finally, it might be someone who really knows what they're doing and is simply using this 'tool' to (more or less) innocuously pick up some tantalizing sites for future research.
    At this point (and with no more information to go on), it's difficult to say which of the above three possibilities might be correct.

    Now, in all probability, the first two classes of prospective users wouldn't know what to do with this information even if they actually found something open somewhere! (I think we can rather safely assume my IP address wasn't the only one scanned, under any circumstances.) But, the man/woman behind Door Number Three would definitely have a very good idea as to what was going to come next! (And nothing did in my case, not surprisingly.)

    I should, I suppose, point out that this guy has not only been very active; he just blabbed his little activity all over the place! Check the MyNetWatchman event at http://www.mynetwatchman.com/LID.asp?IID=13036918, for example. No serious cracker would do that, these days. So I would have to assume this is one of the guys/gals behind either Door Number One or Door Number Two.

    But, more to the point, let's assume -- purely as a working hypothesis -- that this fella actually found something during the course of his (or her) little odyssey. Would I (or you) be any safer if I (or you) had a software firewall than if I didn't? And the answer is: No! Okay, now, who knows why I say that?

    [Leaving this one as an exercise for the reader.]

    Addendum That IP address is listening on Port 80, incidentally, but it does not appear to be running a publicly accessible web server. Guess what that probably means! :rolleyes:
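An added example, not output from the Log Viewer the post refers to, of the detection logic that separates the scan described above from ordinary noise: a constructed log in an invented format, a parser, a check for one source hitting several distinct ports within a short window, and a per-port count that tells a singleton probe from a retried connection. Addresses are from documentation ranges; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log; the line format is invented for this example
# and the addresses are documentation ranges. 203.0.113.7 is the four-port
# singleton scan, 203.0.113.55 is one retried connection to a single port.
SAMPLE_LOG = """\
2002-12-07 13:44:01.100 DROP TCP 203.0.113.7:4123 -> 198.51.100.9:21
2002-12-07 13:44:01.150 DROP TCP 203.0.113.7:4124 -> 198.51.100.9:80
2002-12-07 13:44:01.210 DROP TCP 203.0.113.7:4125 -> 198.51.100.9:139
2002-12-07 13:44:01.290 DROP TCP 203.0.113.7:4126 -> 198.51.100.9:1433
2002-12-07 13:50:10.000 DROP TCP 203.0.113.55:1031 -> 198.51.100.9:445
2002-12-07 13:50:13.000 DROP TCP 203.0.113.55:1031 -> 198.51.100.9:445
2002-12-07 13:50:19.000 DROP TCP 203.0.113.55:1031 -> 198.51.100.9:445
2002-12-07 14:02:00.000 DROP UDP 203.0.113.200:6346 -> 198.51.100.9:6346
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log: str) -> list:
    """Turn log lines into (epoch_seconds, src, proto, sport, dport) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f").timestamp()
        events.append((ts, m["src"], m["proto"], int(m["sport"]), int(m["dport"])))
    return events

def find_multiport_scans(events: list, min_ports: int = 4, window: float = 1.0) -> dict:
    """{src: (sorted distinct ports, span in seconds)} for every source that
    touched at least min_ports distinct destination ports within window seconds."""
    by_src = defaultdict(list)
    for ts, src, _proto, _sport, dport in events:
        by_src[src].append((ts, dport))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {d for _, d in win}
            if len(ports) >= min_ports:
                hits[src] = (sorted(ports), round(win[-1][0] - t0, 3))
                break  # one finding per source is enough
    return hits

def probe_pattern(events: list, src: str) -> dict:
    """Probes per (sport, dport) for one source. A count of 1 on every pair is a
    singleton probe; repeated hits on one pair from the same source port look
    like a retried connection rather than a scan."""
    counts = defaultdict(int)
    for _ts, s, _proto, sport, dport in events:
        if s == src:
            counts[(sport, dport)] += 1
    return dict(counts)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, (ports, span) in find_multiport_scans(ev).items():
        print(f"{src}: {len(ports)} ports {ports} in {span}s, pattern {probe_pattern(ev, src)}")
```

The window and port thresholds are tuning knobs; the two-class split the post draws (ISP, worm and P2P noise versus a deliberate multi-port sweep) depends on distinct ports per source per window, not on the raw number of dropped packets.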
     
  8. controler

    controler Guest

    Does it mean he or she is coming tunneling through another's server?
    Ok How many guessing do I get here? :D
     
  9. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Darn it, controler, it was a trick question! :rolleyes: I was sure you'd pick up on that one.

    Yes, in this particular scenario, tunneling through another's server could be a conceivable problem. I must admit I didn't think of that one.

    And you get as many guesses as you want (as long as each response is correct)! :D
     
  10. Luthorcrow

    Luthorcrow Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    56
    Location:
    California
    Re:Hardening Your OS

    Joseph,

    I believe you mentioned OS hardening as a security measure. I am curious how complex that tweaking would be. As a lay user (non IT prof, etc), I have done the following:

    1. Disabled NetBIOS on my Local Area Connections
    2. Disabled all non essential services (image of services at start-up below). This is done prior to loading any security software; I keep a batch file on my desktop to start those apps at once prior to connecting to the net.
    3. Switch ActiveX and Java off on IE when browsing unfamiliar sites

    How much farther should I be looking? Any particular sites or tutorials you can point towards?
     

    Attached Files:

  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Joseph, are you getting paid by the word? ;)

    Good stuff all.

    speaking about hardened OSes, for those who want to add a level of protection likely to be sufficient against most hackers and lesser deities (and have some spare loot):

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

    I hope to pick one up this summer.
     
  12. Judge_Dee

    Judge_Dee Guest

    Quote from Joseph Morris:
    And so what are the answers?! I sure haven't figured it out!
     
  13. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Spyblocker?
     
  14. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Shoot, what a cliff hanger....come back JV and tell us the rest of the story. :'(

    ;)
     
  15. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Sig,

    Well, I'm really not intentionally teasing; I'm just in the process of having a small war with Symantec over in DSLR Security. I can tell this is going to take a bit of time and attention to resolve.

    There must be ten posts in this thread that already ask questions that I haven't had the time to get around to yet. Not to worry; I intend to pick up on every one of them.
     
  16. controler

    controler Guest

    I just took a look at DSLREPORTS FORUM for the first time. I see there are some posters from here that hang out there also.

    JVM o_O

    Could you post the link to that discussion @ DSLREPORTS? Or isn't that fair to Wilders?

    I was interested in taking a peek at that thread over there also.

    Thank You
     
  17. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Oh, there's quite a few posters here that also frequent (and post) on the DSLR Security Forum, including many of the mods and admins here.

    I don't think there's any problem in doing this. On many occasions threads at DSLR Security are referenced here and threads here are referenced at DSLR Security. The specific thread in question (at the moment) can be found at http://www.dslreports.com/forum/remark,5216811~root=security,1~mode=flat. The brouhaha is concerned with the last few postings in that thread as of 1344 EST on 7 Dec 2002. Feel free to watch that space for additions. :rolleyes:

    Can somebody fix that URL? I don't seem to be able to post it correctly.
    Done :)
     
  18. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    http://www.dslreports.com/forum/remark,5216811~root=security,1~mode=flat

    Here is your fix..I tunnelled it through two of these puppies.

    You get these in your post by hitting the thingie above with the world globe..


    then you ever so gently in between the two "paste the link".

    It takes a steady hand and a strong will...I do not think you will have any problem JV.

    :D
     
  19. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Danke, that's what I did; didn't work right here o_O :'(

    Read the IM at DSLR about hardening an OS (above in THIS thread)? I still can't find the URL on my box.
     
  20. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I think it was the second one here...NO?? It has a great screen shot and you have to hit the page thing at the bottom to do it all.


    To enable/disable services in Windows 2000
    http://www.henrique.bucher.com/windows_services.htm


    Windows 2000 Services Tweak guide


    Much like previous versions of Windows NT, Windows 2000 also uses system Services. These allow support for other Programs/Hardware, etc. to run correctly. Or you can configure them to improve system security. By default Windows 2000 automatically runs many of these services & consumes more memory than it actually may need to for your particular needs, E.g. If you don't intend to use Task Scheduler or Fax Service, then why waste memory on running them automatically?

    In this guide I'll cover what each service does & whether or not you really need it. Currently this guide is (still) the most comprehensive of its sort (In terms of content & amount of Services covered). Now, onto the guide itself.

    http://www.3dspotlight.com/tweaks/win2k_services/



    Windows XP Services Tweak Guide
    http://www.techspot.com/tweaks/winxp_services/index.shtml
     
  21. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    :D Cool, JV, I'll check out the thread at dslr. :)

    Primrose: (cute ID ya got there, lol) I recently joined the herd and got a new PC with XP and I've bookmarked a number of the links you keep posting re: svs and the disabling thereof (good to have them so readily available, thanks). That's part of my homework for getting this system to where I want it, as much as I can, that is. Looks like ports 135 and 445 can only be blocked by using a firewall of some sort? (I really mean, one cannot close these open ports without disabling required services?) If so, Boo. ;)
     
  22. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Sig,

    Just so you understand; I'm an 'equal opportunity' bitcher. If I used Sygate, or Outpost, or Kerio or ..., well, the vendor would be susceptible to the same static.

    Indeed, I suspect that many vendors are quite happy with the fact that I rely exclusively on the various releases of Symantec's NIS/NPF products. :D
     
  23. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    I'm sure the other folks are indeed happy you stay with Symantec. :D

    But it's good that you keep them on their toes. They're a huge presence in the market and a lot of their customers simply don't have the skills (or the will) to keep at 'em. :)
     
  24. Judge_Dee

    Judge_Dee Guest

    Although this is true, nevertheless, I'm still glad I have protection against "skiddies".
    In life, a professional thief would probably never dare to break in where I live (it's too visible). Yet I still have a lock on my door for those stupid kids who would try anyway.
    After wading through the theory, I like the practicality of having a firewall, as non-foolproof as it is (just as my lock on my door is non-foolproof).
     