Slashdot Mirror
The Enemy Within: Firewalls and Backdoors
hrbrmstr writes "SecurityFocus is running an article on firewalls and backdoors on their InFocus site. They provide info on firewall types, backdoor classifications, some examples of real backdoors and tips on mitigating their use on your network." Some good topics explained for the beginner, and it's a nice refresher for the veteran admin as well.
Kinda makes me wonder, though, how often articles like this spawn ideas in the minds of the "wrong people," leading to attacks or attempts to attack. Anyone else ever wonder that?
Can your multiple-lines of defense truly protect your network from modern methods of intrusion?
Only if "modern" meant "known." Everything else is fair game.
The coolest voice ever.
I wonder which layer model (iso, dod, other?) they took. Looks like iso/osi to me and if that's the case
>Packet filters [1]
> * Operates at Layer 3
> * Also known as Port-based firewalls
> * Each packet is compared to against a list of rules (source/destination address, source/destination port, protocol)
based on tcp/udp port numbers? that would be layer 4, right? Imho Layer 3 applies to ip-address only.
>Application-level gateways [2]
>
> * Operates at Layer 5
> * Application-specific
> * Example: Web (http) proxy
I thought the application layer is layer 7?
someone?
cheers
Sascha
telnet some.insecure.host.org 1234
Crap, how'd they find m--I mean, that poor sucker.
The coolest voice ever.
Pretty much all of Netgear's home routers have stateful packet inspection features. Some of them are quite inexpensive (how about US$80 for a model that even includes a print server!).
The great thing about stateful packet inspection is that you don't have to configure it. If you want to play some new game that does multiplayer play on the Internet through some wacky port, it will just work, and meanwhile if some random guy blasts packets at that port or any other they will bounce off. If you didn't ask for a packet, it gets turned away.
(If you ever serve as tech support for a friend or family member, be sure they buy a firewall/router with stateful packet inspection!)
Of course, that cuts both ways: any back-doors in your network will just work, also. Don't figure that just having a cool firewall/router with stateful packet inspection is a guarantee that you are secure. But it's a nice start, and it's what I recommend to anyone who has an always-on Internet connection.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
I remember the time when we found out that the 3Com switch / router / whatever (i can't remember so clearly now, it's been such a traumatic shock that i am still trying to forget and having mild success), and we were basically like "WHAT?!?!" and then all passed out.
I remember this time I was all drunk and busy trolling slashdot and I got to this article that was related to what I do for a living, only it was related in the most remedial of fashions and I was like "right on, I can troll this motherfucker like it ain't nobody's business, fo shizzle mah nizzle, and I may even get mod points cuz of the bullshit I'm about to spew."
Anyway, I was reading this mofo and I came across some whack job herion addict post that said some stupid shit and I read it and reread it and reread it, and was like "well, I'd troll this sumbith, but the wanker can't even write coherently". So I read it again and was basically like "WHAT?!?!" and then I was all passed out.
You know you're on slashdot when sex position posts get modded Informative.
Smoothwall GPL 2.0 Beta 4 (mallard)
http://smoothwall.org/beta/
I put three nics in a Pentium 90 that I found on a trash heap. One nic goes to my RR cable modem, one nic goes to my switch and one nic is for my son's Playstation 2.
I can control every aspect of the firewall from any pc on the green nic. The firewall pc doesn't even have a keyboard or monitor.
I can VPN through it with ease and I have port forwarding from an oddball port number to port 21 for a private FTP so that RR won't find it.
It's really easy to use and so far I've had no problems.
Of course ALL the machine inside of it are Linux boxes and all of them are using iptables (w/shorewall) so everything is really secure..
For a super easy, very cheap and very fast firewall try floppyfirewall at http://zelow.no/floppyfw
No worries here...
look what certain backdoors can do to you.
My life in the land of the rising sun.
articles about network security always remind me of a poorly written tech based porno?
YOU SUCK BALLS!
Firewalls have NEVER been required to prevent remote exploitation on a Mac.
:
I find it both sad and amusing that people try to publish studies about this topic without first addressing the fact that there are more secure platforms for webserving.
It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.
The MacOS running WebStar and other webservers as has never been exploited or defaced, and are are unbreakable based on ample historical evidence.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.
For years, except, for the last week, the army has always used MacOS and has never had a breakin on a Mac. Unlike their other MS defacements.
http://uptime.netcraft.com/up/graph?site=www.arm y. mil
That is why the US Army gave up on MS IIS and got a Mac for a web server.
I am not talking about FreeBSD derived MacOS X (which already had a more than a 30 explo its and potential exploits in BugTraq) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.
Why is is hack proof? These reasons
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for procces to process communication that is heavily typed and "pipe-less"
2> No Root user. All mac developers know their code is always running at root. Not hing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, expecially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.
5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by designof creating an executable file. The file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if the y had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.
4> Stack return address positioned in s afer location than some intel OSes. Buffer exploits take advantage of loser programmers lack of string leng
"It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet."
That's because there is a grand total of 1 (ONE) MacOS based webserver(s) on the internet.
Actually, the most common sexual style is ::drumroll:: doggie style.
That's where the man sits up and begs and the woman rolls over and goes to sleep.
if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
there really should be a special mod category for trolls that are worth reading.
Personally I don't see any use for software firewalls for the majority of home users. I have a Linksys router and it completely shields both of my computers from outside access unless I use port forwarding. This is much easier to configure and use than a software firewall, and if there is ever a port you need to open for whatever reason, just use port forwarding and it's done in 30 seconds.
If only I could do that self-licking thing, like they do afterwards. Why do they even bother with the middle?
Get off my launchpad!
One thing which is handy for backdoor is SSH tunneling. A nice exaple can be found here Just replace port 110 with anything else and off you go
Rus
Cheap UK and US VPS
Why is is hack proof?
Right. It's secure because they removed all the things that make a computer worth using. No command shell? How do you do remote administration? Bleh, i could go on, but I don't care.
its quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years
I think you mean "200 or 300 fixed vulnerabilities". That's just how it goes, I guess. They find a problem, it is disclosed, and fixed. End of story. Unlike other OS's that try to hide all their problems instead of fixing them and being honest about it. Whatever.
--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.
Too stubborn, or too poor? I'd buy a Mac if I could, but I'm not a billionaire. Commodity PC hardware + Linux = cheap access to fun technology.
1) Use both inbound and OUTBOUND ACL lists on routers, firewalls and other access control devices. Go with the highest level of restriction you can get away with, and log everyhing to a central point.
2) For services you must offer to internal users (www access etc), use good proxies and authenticate every connection.
3) Ensure all services/software products are up to date with security patches. This INCLUDES user workstations.
4) Keep track of security-related sites and lists, such as bugtraq, packetstorm etc.
5) IDS' inside your perimeter to detect anything you're missing. After all, no-one (and by extention, no-one's ACLs) is perfect.
6) Ensure you pay close attention to any remote-access you offer. Modem banks, VPN endpoints etc. Preferably these should also be access-controlled via ACL's of some sort.
7) Ensure you configure your software properly. Seems stupid, I know. But a perfectly secure (from a bugs point of view) mail server is suddenly a problem if you've forgotten to disable mail relay.
8) Ensure you have the right topology. There's no point in spending hundreds of man hours securing services, auditing router ACLs etc etc if theres fifteen different ingress/egress points to your network. The less, err, gresses you have, the more you can concentrate your efforts and thus use your time effectively.
Caveats: I may have missed one or two points in the above summary of practice, but hey - it's a friday arvo and I want to get my work finished so im not here late.
Also note that while the above list sounds relatively easy to implement, IT ISN'T. Be prepared for a lot of work if you want to do it right.
Janie took my gun...
Of course, a network's weakest point is often the people who use it. Firewalls and security patches do not mean a lot if a user gives information out to anyone who calls their extension and acts like a manager from another department. Hardware is only part of the solution.
...and based on what you've written, I'm willing to bet you've never run a network larger than the one in your home.
Well, I'm not "the linux community", but I'd like to see your MacOS 9 box serve up files for twenty thousand students and staff with decent performance and mantain an uptime greater than single digits.
They avoid immediate detection by well-configured firewalls, network & host IDS.
Hmm, well, not necessarily. I am thinking this is why there is such a thing as a default-deny firewall ruleset policy.
For example, you have a dns server and http server up and running on the standard ports, and anything else gets binned.
I'd say that's a fine example of 20-year-old technology (firewalls) catching a backdoor.
Blearf. Blearf, I say.
I wonder if there is some simple software for linux that alerts me every time a program tries to connect to the internet (outbound) and that allows me to allow or deny those connections. It should also detect new versions of the program using MD5 key or similar. Does such a program exist?
1. What firewall software pretends to do (as opposed to what it actually accomplishes).
2. How to become a perfect target of DoS attack through paranoia (imitation of any intrusion-like activity will make the supposed origin unable to access you).
3. How to defend yourself when you have already lost, and are for all practical purposes as good as dead.
Contrary to the popular belief, there indeed is no God.
The concluding sentences contain the main learning point, as I see it: you need a way to identify all connections down to the source (user).
And you need to make sure that all those dumb users know you're watching them and that you will hold them accountable for breaches of security that they initiate.
Or is all that so obvious that no-one has felt the need to point it out?
I would write a long rant about firewalls and people thinking, "Oh, it's OK, we have a firewall" and not dealing with internal security, but this article does it adequately:
Firewall Systems Considered Harmful
Oolite: Elite-like game. For Mac, Linux and Windows
While it's on topic, I've always wondered how many people use transparent firewalls. I work for a small web development company in the UK and as such we have about 30 IP which host a few public facing webservers as well as our mail and stuff. We decided to use a transparent firewall (ie, one that lets us keep our 30 real IP addresses on the machines which are public facing - rather than 192.x or 10.x addresses) so that if there were any problems with it, we could just remove it (physically) and everything would still work. No network reconfiguration required.
But it seems that it's quite uncommon for firewalls to even support this feature and even less common for people to actually use it in this mode. Is there a reason that more firewalls don't support this functionality, or are there good reasons not to configure your network like this?
A major problem we would have if we used something like a Cisco PIX is that we wouldn't be able to see the websites we are hosting. The domain would map to a normal internet facing address, yet we can't see those addresses from the LAN (they don't seem to apply the port mapping to connections that have come from the LAN - so we'd need to look at them on their internal IP or something).
How many people actually use transparent firewalls? Or how do you get round the problems above if you're a web hosting company and you don't have a transparent firewall? Do any decent firewalls (apart from Sonicwalls) actually support this?
Nick...
1. how do you know?
2. your computer != all non windows setups
3. 10 Months is not a long time
4. Robert Morris
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
The real problem here is that these Security Focus people are still trying to design a harder eggshell. Any "barrier" must allow some traffic through, or it will break the network. You cannot install a barrier that understands how to distinguish between good and bad traffic. It is not a closed problem. It is an open-ended problem. It isn't about computers or technology. Its about people and subversion. The answer is too difficult for most people: trust is arbitrary and inherenly flawed, but it is absolutely necessary for human interaction. The technology just fools us into thinking we can control things like a vending machine. The problem seems to be transparent because we can see lots of stuff on the inside of technological subversion, but at the bottom is void: trust is arbitrary and error prone.
The real answer is that we must do what we are already doing, willingly, instead of reluctantly as we do now: accept subversion as a part of the system. We must understand that we created the space-time in which the subversion is manifest. It must be percieved as the limits of our power. Once that is understood, it is also understood how to coexist with limited power. This is the fundamental social problem: being with others. Consider that the subverion is another feeling person expressing their limited power outside the scope of our limited power. Take compassion on that person if they do not know the suffering they cause will come back to them. Do what you can, each as individuals, to absorb the effects of those bad effects so that they do not become causes of other bad effects.
Recurse your awareness; avoid recursing your (or others') mistakes. Security does not exist. Only fools really believe in it.
--- Nothing clever here: move along now...
because if you'd actually learned anything in the same 20 years that I've been working in IT it is that there is no "magic platform" that's invulnerable to sloppy coding be it windows, linux, AIX, plan9, OpenBSD or whatever.
:
:
Go read Security Focus and count the number of "Design Errors"
Here's one from today's front page
Linux Kernel Privileged Process Hijacking Vulnerability **
> I have 7 PC's here at home, all of them are Linux.
Your cock waving has no effect I'm afraid.
> It's not FUD, it's FACT.. I know it from experiance.
If I can restate your premise
-----
"Every fscking worm/backdoor is allowed to call home"
Simple. Don't use Windows.. That's a Windows problem.
-----
It's not even factual let alone borne of experiance [sic].
It's about a firewall rule. And it sounds like a simple NAT. It doesn't even have anything to do with Operating Systems
>I quit using Windows in August of 2002 and have not had a single worm, virus, trojan, backdoor, hack, sneeze, fart, or burp since..
I've been using Windows since 1987 and have never suffered from any of those things.
> I didn't just fall off of the turnip truck...
Nope, sounds like you stayed right on the top of the pile
** A vulnerability has been discovered in the Linux kernel which can be exploited using the ptrace() system call. By attaching to an incorrectly configured root process, during a specific time window, it may be possible for an attacker to gain superuser privileges.
The problem occurs due to the kernel failing to restrict trace permissions on specific root spawned processes.
This vulnerability affects both the 2.2 and 2.4 Linux kernel trees.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter