The Enemy Within: Firewalls and Backdoors

hrbrmstr writes "SecurityFocus is running an article on firewalls and backdoors on their InFocus site. They provide info on firewall types, backdoor classifications, some examples of real backdoors and tips on mitigating their use on your network." Some good topics explained for the beginner, and it's a nice refresher for the veteran admin as well.

Good info

[rekkanoryo]

I had a basic idea of a lot of stuff here an some knowledge of some things, too. This was a nice crash-course.

Kinda makes me wonder, though, how often articles like this spawn ideas in the minds of the "wrong people," leading to attacks or attempts to attack. Anyone else ever wonder that?

Re:Good info

[irc.goatse.cx+troll]

Security through obscurity does work though, so long as its not the only layer.
An example would be lets say you're making your own home made cluster remote administrative tool for admining all of your servers from one console. What would be more secure:
A: Greeting the user upon connection with a description of the service, full protocol docs, source code, etc.
B: Sitting, waiting 5 seconds for the first command before dropping the connection. If client sends one wrong byte, instantly drop the connection and firewall their ip so that they cant get a single packet through.

Obscurity isnt security in itself, however it does make a nice addition to an already secure setup.

And if you think full disclosure means instant security, take a look at that opensource database thats had a serious bug in it for 8 years that was only found recently. I can't think of the name off hand, I believe it started with 'Inno'. Even though "thousands of eyes scoured the source code" it still didnt get noticed for eight years-- that is, noticed by anyone that went public with it.

The rule

[Faust7]

Can your multiple-lines of defense truly protect your network from modern methods of intrusion?

Only if "modern" meant "known." Everything else is fair game.

Re:layers

[rekkanoryo]

You're right. OSI Layer 3 does not deal with port numbers. The Application Layer is the OSI model's Layer 7. Looks like someone forgot his/her coffee when writing the article, like I did reading it.

Re:Routers

[thynk]

sonally I don't see any use for software firewalls for the majority of home users.

Kind of funny that this comes up right as I'm thinking that my hardware/router based firewall isnt' enough and that I need to back it up with a linux software firewall.

IIRC on the home routers, any program requesting a port to talk out of can recieve a request back on it. SO... your WORM opens up port n, sends the info, get's it's commands to try on your system, then sends off the next command it's done/how and waits for it's marching orders.

The whole article describes:

[Alex+Belits]

1. What firewall software pretends to do (as opposed to what it actually accomplishes).

2. How to become a perfect target of DoS attack through paranoia (imitation of any intrusion-like activity will make the supposed origin unable to access you).

3. How to defend yourself when you have already lost, and are for all practical purposes as good as dead.

Everyone seems to be missing the point

[scottme]

I am not enough of a security geek to fault this article on any technical detail, but surely the main message is that no matter what technical measures you take, any dumb user can totally subvert all your efforts by inadvertantly, unwittingly, or even maliciously running code on a personal system inside the secured network that opens a tunnel to the outside. Hence the title of the article.

The concluding sentences contain the main learning point, as I see it: you need a way to identify all connections down to the source (user).
And you need to make sure that all those dumb users know you're watching them and that you will hold them accountable for breaches of security that they initiate.

Or is all that so obvious that no-one has felt the need to point it out?

Re:Stateful Packet Inspection recommended

[MeNeXT]

I have moderator points and I'm about to post go figure...

This has nothing to do with thechnology but more to do with attitude, policy and productivity.

You see in most trades/proffessions you need to learn how a tool works before you are eveluated on the tool. After that you need to apply the tool to the trade, which means you need to understand the workings of the trade. This takes years.

Now, with computers, we have business that are trying to fit the trade to their tools. When that does not work and they encounter problems, they hire someone who knows one tool. They then try to force the tool into the business.

This will never work! You cannot make a general tool to fit every need and at the same time make this tool easy to use. A good example that I can bring up is for MS Word users. Placing graphics in word does not make word a publishing software. All it has done is waste your time and the other person who is to open the document. Word is made for typing letters when we use it for other things it becomes complex. IT DOES A POOR JOB and it costs you more time and money than buiying the right tool or asking someone who is in the trade.

Now before buying any software you need to identify what your needs are. Do you need to access files from home? Better yet why are you taking work home? How manyhours do you propose to work? If you wish to spend more time with your familly then mabye you should look at sleeping less because sitting in front of your computer is NOT familly time. In most cases this an ego issue (Look I can PISS farther than you!) an not a technologie issue.

If Linux can only STOP trying to be Windows then the virus issue will stay with Windows. We have seen on the server side that Linux has not followed in the Windows steps.

One last question why do you first start talking about the desktop and then give a server example?