Slashdot Mirror


The Enemy Within: Firewalls and Backdoors

hrbrmstr writes "SecurityFocus is running an article on firewalls and backdoors on their InFocus site. They provide info on firewall types, backdoor classifications, some examples of real backdoors and tips on mitigating their use on your network." Some good topics explained for the beginner, and it's a nice refresher for the veteran admin as well.


  1. Just remembered by ATAMAH · · Score: 1, Insightful

    I loved the "Matrix reloaded" portrayal of a backdoor.

  2. Good info by rekkanoryo · · Score: 4, Insightful
    I had a basic idea of a lot of stuff here and some knowledge of some things, too. This was a nice crash-course.

    Kinda makes me wonder, though, how often articles like this spawn ideas in the minds of the "wrong people," leading to attacks or attempts to attack. Anyone else ever wonder that?

    1. Re:Good info by irc.goatse.cx+troll · · Score: 5, Insightful

      Security through obscurity does work though, so long as it's not the only layer.
      An example would be, let's say you're making your own home made cluster remote administrative tool for administering all of your servers from one console. What would be more secure:
      A: Greeting the user upon connection with a description of the service, full protocol docs, source code, etc.
      B: Sitting, waiting 5 seconds for the first command before dropping the connection. If the client sends one wrong byte, instantly drop the connection and firewall their IP so that they can't get a single packet through.

      Obscurity isn't security in itself, however it does make a nice addition to an already secure setup.

      And if you think full disclosure means instant security, take a look at that open source database that's had a serious bug in it for 8 years that was only found recently. I can't think of the name off hand, I believe it started with 'Inno'. Even though "thousands of eyes scoured the source code" it still didn't get noticed for eight years; that is, noticed by anyone that went public with it.

      --
      Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management. -TheMaxx
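Option B from the comment above, written out as a constructed Python illustration (added here; it is not code from the post, from Slashdot or from the SecurityFocus article). The preamble bytes, the 5-second window and the `blocked_ips` set standing in for a firewall rule are all assumptions; the listener reads exactly the expected bytes, answers nothing on a mismatch, and records the peer for blocking. `probe` is the test client.

```python
import socket
import threading
# Constructed values (not a real protocol): what a client must send first, and
# how long the service waits for it before hanging up.
PREAMBLE = b"ADMIN\x00v1"
FIRST_COMMAND_TIMEOUT = 5.0
# Stands in for the firewall rule in the post; a real deployment would push the
# address to the packet filter rather than keep a set in memory.
blocked_ips = set()

def recv_exact(conn, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def handle_connection(conn, peer_ip):
    """Drop the peer silently unless it sends the exact preamble in time."""
    conn.settimeout(FIRST_COMMAND_TIMEOUT)
    try:
        first = recv_exact(conn, len(PREAMBLE))
    except socket.timeout:
        first = b""
    if first != PREAMBLE:               # one wrong byte is enough
        blocked_ips.add(peer_ip)        # hand the address to the firewall
        conn.close()                    # no banner, no error text, no hint
        return False
    conn.sendall(b"OK\n")               # only now does the service speak
    conn.close()
    return True

def serve_once():
    """Accept one localhost connection on a background thread; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, addr = srv.accept()
        handle_connection(conn, addr[0])
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def probe(port, payload):
    # Client side: send payload, return the server's reply (b"" means it hung up).
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(64)
```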
  3. The rule by Faust7 · · Score: 3, Insightful

    Can your multiple-lines of defense truly protect your network from modern methods of intrusion?

    Only if "modern" meant "known." Everything else is fair game.

    1. Re:The rule by realdpk · · Score: 2, Insightful

      I'm going to assume that you allow access to 1433/1434 from at least *some* hosts.

      So, you just have to hack those hosts, and then you're in.

      Firewalls are not the answer, really... they mask problems. Firewalls should be the very last step in your security initiative.

      Of course, I'll get replies to this about how this is just how it is done - well, too bad - it's not the best way to go and if you don't know it, you should. :)

  4. Re:layers by rekkanoryo · · Score: 3, Insightful

    You're right. OSI Layer 3 does not deal with port numbers. The Application Layer is the OSI model's Layer 7. Looks like someone forgot his/her coffee when writing the article, like I did reading it.

  5. Re:SecurityFocus says no MacOS EVER exploited once by Feztaa · · Score: 2, Insightful

    Why is it hack proof?

    Right. It's secure because they removed all the things that make a computer worth using. No command shell? How do you do remote administration? Bleh, I could go on, but I don't care.

    It's quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years

    I think you mean "200 or 300 fixed vulnerabilities". That's just how it goes, I guess. They find a problem, it is disclosed, and fixed. End of story. Unlike other OSes that try to hide all their problems instead of fixing them and being honest about it. Whatever.

    --- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.

    Too stubborn, or too poor? I'd buy a Mac if I could, but I'm not a billionaire. Commodity PC hardware + Linux = cheap access to fun technology.

  6. Re:I like by pair-a-noyd · · Score: 2, Insightful

    Of course the power draw is more.
    But the firewall is MUCH better.

    Besides, you can add one or more DMZ nics in a PC.
    And if you find a serious problem with your firewall, you just fix it. You can even totally change the software out and get very, very precise tuning of your iptables. I think they call it granular control..

    No can do with a $50 Best Buy firewall/router... A $50 router is kind of like having a Chihuahua guarding your home.

  7. Re:Routers by thynk · · Score: 3, Insightful

    Personally I don't see any use for software firewalls for the majority of home users.

    Kind of funny that this comes up right as I'm thinking that my hardware/router based firewall isn't enough and that I need to back it up with a Linux software firewall.

    IIRC on the home routers, any program requesting a port to talk out of can receive a request back on it. SO... your WORM opens up port n, sends the info, gets its commands to try on your system, then sends off the next command it's done/how and waits for its marching orders.

    --

    Good judgment comes from experience, and a lot of that comes from bad judgment.
  8. Re:Most secure solution isnt simple, but its the b by retto · · Score: 2, Insightful

    Of course, a network's weakest point is often the people who use it. Firewalls and security patches do not mean a lot if a user gives information out to anyone who calls their extension and acts like a manager from another department. Hardware is only part of the solution.

  9. The whole article describes: by Alex+Belits · · Score: 4, Insightful

    1. What firewall software pretends to do (as opposed to what it actually accomplishes).

    2. How to become a perfect target of a DoS attack through paranoia (imitation of any intrusion-like activity will make the supposed origin unable to access you).

    3. How to defend yourself when you have already lost, and are for all practical purposes as good as dead.

    --
    Contrary to the popular belief, there indeed is no God.
  10. Re:Routers by raga · · Score: 2, Insightful
    SO... your WORM opens up port n, sends the info, gets its commands to try on your system, then sends off the next command it's done/how and waits for its marching orders.

    To do this, the worm would already have to be on your disk. If your system is already infected, then all bets are off....

    If Jane Q Public has a router that requires port-forwarding for external connections, and she takes other reasonable precautions to prevent an initial infection (re. downloads, email attachments etc.), she will be ok from 99.9% of the s'kiddies out there. Good luck with the remaining .1%!

    cheers- raga

  11. Everyone seems to be missing the point by scottme · · Score: 5, Insightful
    I am not enough of a security geek to fault this article on any technical detail, but surely the main message is that no matter what technical measures you take, any dumb user can totally subvert all your efforts by inadvertently, unwittingly, or even maliciously running code on a personal system inside the secured network that opens a tunnel to the outside. Hence the title of the article.

    The concluding sentences contain the main learning point, as I see it: you need a way to identify all connections down to the source (user).
    And you need to make sure that all those dumb users know you're watching them and that you will hold them accountable for breaches of security that they initiate.

    Or is all that so obvious that no-one has felt the need to point it out?

  12. Re:I like by Spacelord · · Score: 2, Insightful

    One problem: Putty will put keys in the registry

    First of all, I don't see the problem about putting the *public* key of an ssh server in the registry ... it is called a "public" key for a reason.

    Secondly, you can easily clean up everything putty has put in the registry by using the -cleanup switch. (e.g. putty -cleanup)

  13. Re:Stateful Packet Inspection recommended by Hobbex · · Score: 2, Insightful

    This is a ridiculous argument. Any worm worth two cents is just going to communicate out using port 80, and if the author is really clever it will do it by opening http pages using Internet Explorer so the traffic doesn't look different, and not even local application level firewalls or authenticated proxies can stop it.

    Blocking outgoing traffic does nothing for security, and tons to block legitimate applications and the true power of the Internet (as opposed to the Web).

  14. Firewall Systems Considered Harmful by Alioth · · Score: 2, Insightful

    I would write a long rant about firewalls and people thinking, "Oh, it's OK, we have a firewall" and not dealing with internal security, but this article does it adequately:

    Firewall Systems Considered Harmful

  15. hmm, that's FUD by DrSkwid · · Score: 2, Insightful

    1. how do you know?
    2. your computer != all non windows setups
    3. 10 Months is not a long time
    4. Robert Morris

    --
    There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
  16. Re:Stateful Packet Inspection recommended by MeNeXT · · Score: 4, Insightful
    I have moderator points and I'm about to post, go figure...

    This has nothing to do with technology but more to do with attitude, policy and productivity.

    You see, in most trades/professions you need to learn how a tool works before you are evaluated on the tool. After that you need to apply the tool to the trade, which means you need to understand the workings of the trade. This takes years.

    Now, with computers, we have businesses that are trying to fit the trade to their tools. When that does not work and they encounter problems, they hire someone who knows one tool. They then try to force the tool into the business.

    This will never work! You cannot make a general tool to fit every need and at the same time make this tool easy to use. A good example that I can bring up is for MS Word users. Placing graphics in Word does not make Word publishing software. All it has done is waste your time and that of the other person who is to open the document. Word is made for typing letters; when we use it for other things it becomes complex. IT DOES A POOR JOB and it costs you more time and money than buying the right tool or asking someone who is in the trade.

    Now before buying any software you need to identify what your needs are. Do you need to access files from home? Better yet, why are you taking work home? How many hours do you propose to work? If you wish to spend more time with your family then maybe you should look at sleeping less, because sitting in front of your computer is NOT family time. In most cases this is an ego issue (Look, I can PISS farther than you!) and not a technology issue.

    If Linux can only STOP trying to be Windows then the virus issue will stay with Windows. We have seen on the server side that Linux has not followed in Windows' steps.

    One last question: why do you first start talking about the desktop and then give a server example?

    --
    DRM? No thanks, I'll just get it somewhere else...
  17. big deal by DrSkwid · · Score: 2, Insightful

    because if you'd actually learned anything in the same 20 years that I've been working in IT it is that there is no "magic platform" that's invulnerable to sloppy coding, be it Windows, Linux, AIX, Plan 9, OpenBSD or whatever.

    Go read Security Focus and count the number of "Design Errors"

    Here's one from today's front page :

    Linux Kernel Privileged Process Hijacking Vulnerability **

    > I have 7 PC's here at home, all of them are Linux.

    Your cock waving has no effect I'm afraid.

    > It's not FUD, it's FACT.. I know it from experiance.

    If I can restate your premise :

    -----
    "Every fscking worm/backdoor is allowed to call home"
    Simple. Don't use Windows.. That's a Windows problem.
    -----

    It's not even factual let alone borne of experiance [sic].

    It's about a firewall rule. And it sounds like a simple NAT. It doesn't even have anything to do with operating systems.

    >I quit using Windows in August of 2002 and have not had a single worm, virus, trojan, backdoor, hack, sneeze, fart, or burp since..

    I've been using Windows since 1987 and have never suffered from any of those things.

    > I didn't just fall off of the turnip truck...

    Nope, sounds like you stayed right on the top of the pile.

    ** A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call. By attaching to an incorrectly configured root process, during a specific time window, it may be possible for an attacker to gain superuser privileges.

    The problem occurs due to the kernel failing to restrict trace permissions on specific root spawned processes.

    This vulnerability affects both the 2.2 and 2.4 Linux kernel trees.

    --
    There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter