
Re: [suse-security] Firewall Check


For a better understanding of firewalls, here's something about the mechanisms -
not to confuse anybody, but to show the difference.
A Windows "personal firewall" has nothing to do with a Linux firewall (only
the XP personal firewall uses similar techniques).

> >>I've found an interesting Program to check firewalls. It demonstrates
> >>the ability to connect to internet via other programs which are allowed
> >>to connect. (Trojan Horses)
> >>Is it possible to block the program from accessing the internet via a
> >>stand-alone router ?

A securely configured firewall only lets your PCs connect to the
internet - nobody else, if not wanted.
The port filter filters well-known (0-1024) and unknown (1025-65535) ports,
protocols tcp, udp, igmp [...] nat, snat [...], connection tracking
(http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html) and
routes networks.
Not more, not less (e.g. smoothwall without any extra services)!

From here you will say everything is equal as it looks, but can your personal
firewall filter Ethernet addresses or do traffic accounting?

The above software is maybe a nice check, but looks like a fake - it talks
only about the internal security of Windows and wants to sell a product.
Normally the simple XP personal firewall (an example of a simple connection
tracking firewall) and a virus scanner are enough for single home PC users.
If you have DSL or more than 1 PC, you choose a firewall.

If you want to check your firewall, use GFI LANguard or other
checking software that tests for exploits.

The big plot is that IE is the biggest hole in security (and strange
If you allow IE to access the internet (without a DLL check) you allow a lot.
Next you can program a piece of software to directly close a popup after it
appears and always say yes to any question (I think with a window handler).
There are many, many more reasons why a personal firewall will not work that
securely... this is used by such pseudo-testers.

Why is a firewall secure?
Not because of the fact that it blocks ports: because it is not built inside a
PC (no one except the admin knows what's running on it and how he set up the

Most people mistake Linux-based firewalls for personal firewalls on Windows.

Personal firewalls on Windows are no real security, because they run on the
same box the OS runs on and have more or less the same security the OS has -
see the small example for IE (above).
It is a nice thing to have a personal firewall; Kerio does work nicely and has
implemented nice features:

md5 checks for apps,
check which software accesses the internet


checks which 3rd party is used to access the internet combined with a simple

In larger companies that is not enough - you cannot rely on a firewall that
is installed on each PC (even if MS makes you believe so).

You can get these security features on modern firewalls combined with other


- transparent proxy filtering:

squid -> dans-guardian -> LAN ("good site" access, "bad site" denied)
Web access cannot be gained without the filter, because the firewall
redirects the www port.

- web proxy with virus filter:

squid -> dans-guardian -> AV engine -> LAN (filter good and bad sites, scan


postfix or any other mail server & AV scanner & spam filter

Samba (not on the firewall or in the DMZ):

smb-vscan (AV engine for Samba, but experimental)


A firewall shall only run the services it minimally needs (e.g. ssh, squid,
smtp, caching DNS, dhcp).

Security of the firewall:

kernel without LKM, no compiler, no make ... or on separate storage for
installation/update only (e.g. USB stick)
chroot services (http://www.ss64.com/bash/chroot.html)
capabilities - kernel access rules denying even root, if desired (even
available at high cost for Windows)
IDS - check if something changes (most times included in personal firewalls)

depending on the level of security:

report critical data via SMS - be up to date
switches or connectors with a port learning function (hardware solution)
a firewall before your firewall (double NAT)

There are several other approaches, e.g. a firewall with an
authentication system: http://www.nufw.org/
For Linux I saw somewhere even an app-based firewall like the personal
firewalls (don't know if this works).

> Ok - this was a clear point. And what about standalone firewalls (i.e.
> SuSE Firewall)?
> I think, to block such internet access is only possible with a
> client-based firewall, which knows the programs and dlls which are
> allowed to access the net?


The personal firewalls try to do the same thing a secure Linux server does
and make you think they have the same security level.
No, they do not, nor does Windows know anything about any of these features (or
it will be very expensive)!

If you like, install it as an extra benefit, but don't trust it 100%.

Simple in-a-box firewalls for DSL have most of these security benefits built
in, but have to be up to date - some even have DansGuardian inside.

> > The important point IMHO is to teach users not to download programs
> > from the internet without thorough checking of the intention of the
> > program. And of course not to click on suspicious links or open Email
> > Attachments.


Or much easier, in one step: let them sign terms of use for your network.
Make them frightened and tell them something like: "In case of damage caused by
a client, the client has to pay." :-)


Well, that will not work (there are too many tele-tubbies).

> I think the only possibility to avoid such dangers is to prevent users
> from downloading ANY program ;-)
> This little demo program works without installing it :-/

Nothing easier than this:

Install DansGuardian and block your desired extensions (e.g. .exe, .com,
.zip, .pif, .xls, and dot-whatever).

If you want to have less work with your users:

No CD, DVD & floppy in any PC (don't forget to disable USB and to protect
the BIOS with a password), use a corporate AV solution and DansGuardian & AV
plugin.
I know this is unfair, but the question is, what costs more?
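As an added example (not part of this mail, and not DansGuardian's or squid's own code), here is a small Python model of the filter policy described above: the transparent proxy chain denies listed "bad" sites and the banned download extensions (.exe, .com, .zip, .pif, .xls). The site names and sample request URLs are constructed for the example.

```python
import os
from urllib.parse import urlsplit

# Constructed policy for this example; DansGuardian keeps its real lists in
# its own config files, this only models the decision logic.
BANNED_EXTENSIONS = {".exe", ".com", ".zip", ".pif", ".xls"}
BAD_SITES = {"warez.example", "badsite.example"}


def host_in(host, sites):
    """True if host equals a listed site or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in sites)


def decide(url):
    """Return ('allow' | 'deny', reason) for one web request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_in(host, BAD_SITES):
        return "deny", "bad site"
    # The extension is taken from the path only and compared
    # case-insensitively, so setup.EXE or get.exe?name=notes.txt are caught.
    ext = os.path.splitext(parts.path.rstrip("/"))[1].lower()
    if ext in BANNED_EXTENSIONS:
        return "deny", "banned extension " + ext
    return "allow", "default"


def filter_requests(urls):
    """Run the policy over a batch of requests, keeping only allowed URLs."""
    return [u for u in urls if decide(u)[0] == "allow"]


# Constructed sample traffic as it would reach the proxy from the LAN.
SAMPLE_REQUESTS = [
    "http://www.example.org/index.html",
    "http://dl.example.org/setup.EXE",
    "http://dl.example.org/get.exe?name=notes.txt",
    "http://news.warez.example/today.html",
    "http://www.example.org/report.xls",
    "http://www.example.org/files/",
]

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        verdict, why = decide(u)
        print(f"{verdict:5} {why:22} {u}")
```

The path-only check is a deliberate limit of this model: a download served from a URL without a file suffix passes it, which is why the mail pairs the extension filter with an AV engine.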

