Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Enemy Within: Firewalls and Backdoors

Posted by CowboyNeal on from the securing-the-perimeter dept.

hrbrmstr writes "SecurityFocus is running an article on firewalls and backdoors on their InFocus site. They provide info on firewall types, backdoor classifications, some examples of real backdoors and tips on mitigating their use on your network." Some good topics explained for the beginner, and it's a nice refresher for the veteran admin as well.

18 of 225 comments (clear)

  1. Good info by rekkanoryo · · Score: 4, Insightful
    I had a basic idea of a lot of stuff here an some knowledge of some things, too. This was a nice crash-course.

    Kinda makes me wonder, though, how often articles like this spawn ideas in the minds of the "wrong people," leading to attacks or attempts to attack. Anyone else ever wonder that?

    1. Re:Good info by irc.goatse.cx+troll · · Score: 5, Insightful

      Security through obscurity does work though, so long as its not the only layer.
      An example would be lets say you're making your own home made cluster remote administrative tool for admining all of your servers from one console. What would be more secure:
      A: Greeting the user upon connection with a description of the service, full protocol docs, source code, etc.
      B: Sitting, waiting 5 seconds for the first command before dropping the connection. If client sends one wrong byte, instantly drop the connection and firewall their ip so that they cant get a single packet through.

      Obscurity isnt security in itself, however it does make a nice addition to an already secure setup.

      And if you think full disclosure means instant security, take a look at that opensource database thats had a serious bug in it for 8 years that was only found recently. I can't think of the name off hand, I believe it started with 'Inno'. Even though "thousands of eyes scoured the source code" it still didnt get noticed for eight years-- that is, noticed by anyone that went public with it.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  2. layers by smettler · · Score: 4, Informative

    I wonder which layer model (iso, dod, other?) they took. Looks like iso/osi to me and if that's the case

    >Packet filters [1]
    > * Operates at Layer 3
    > * Also known as Port-based firewalls
    > * Each packet is compared to against a list of rules (source/destination address, source/destination port, protocol)

    based on tcp/udp port numbers? that would be layer 4, right? Imho Layer 3 applies to ip-address only.

    >Application-level gateways [2]
    >
    > * Operates at Layer 5
    > * Application-specific
    > * Example: Web (http) proxy

    I thought the application layer is layer 7?

    someone?

    cheers
    Sascha

  3. Stateful Packet Inspection recommended by steveha · · Score: 5, Interesting
    The article is worth reading, but there was one comment that made me go "Huh?!?"

    Stateful, multi-layer inspection firewalls
    [...]
     High level of cost, security and complexity

    Pretty much all of Netgear's home routers have stateful packet inspection features. Some of them are quite inexpensive (how about US$80 for a model that even includes a print server!).

    The great thing about stateful packet inspection is that you don't have to configure it. If you want to play some new game that does multiplayer play on the Internet through some wacky port, it will just work, and meanwhile if some random guy blasts packets at that port or any other they will bounce off. If you didn't ask for a packet, it gets turned away.

    (If you ever serve as tech support for a friend or family member, be sure they buy a firewall/router with stateful packet inspection!)

    Of course, that cuts both ways: any back-doors in your network will just work, also. Don't figure that just having a cool firewall/router with stateful packet inspection is a guarantee that you are secure. But it's a nice start, and it's what I recommend to anyone who has an always-on Internet connection.

    steveha
    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
    1. Re:Stateful Packet Inspection recommended by AlCoHoLiC · · Score: 5, Informative

      Allowing ALL ougoing and RELATED incoming traffic is hardly secure setup. Every fscking worm/backdoor is allowed to call home, replicate itself or even participate in DDOS network. I also doubt that netgear cares about actual packet payload (layers 4-7). I guess that they're using dynamic packet filter.

    2. Re:Stateful Packet Inspection recommended by MeNeXT · · Score: 4, Insightful
      I have moderator points and I'm about to post go figure...


      This has nothing to do with thechnology but more to do with attitude, policy and productivity.



      You see in most trades/proffessions you need to learn how a tool works before you are eveluated on the tool. After that you need to apply the tool to the trade, which means you need to understand the workings of the trade. This takes years.


      Now, with computers, we have business that are trying to fit the trade to their tools. When that does not work and they encounter problems, they hire someone who knows one tool. They then try to force the tool into the business.


      This will never work! You cannot make a general tool to fit every need and at the same time make this tool easy to use. A good example that I can bring up is for MS Word users. Placing graphics in word does not make word a publishing software. All it has done is waste your time and the other person who is to open the document. Word is made for typing letters when we use it for other things it becomes complex. IT DOES A POOR JOB and it costs you more time and money than buiying the right tool or asking someone who is in the trade.



      Now before buying any software you need to identify what your needs are. Do you need to access files from home? Better yet why are you taking work home? How manyhours do you propose to work? If you wish to spend more time with your familly then mabye you should look at sleeping less because sitting in front of your computer is NOT familly time. In most cases this an ego issue (Look I can PISS farther than you!) an not a technologie issue.


      If Linux can only STOP trying to be Windows then the virus issue will stay with Windows. We have seen on the server side that Linux has not followed in the Windows steps.


      One last question why do you first start talking about the desktop and then give a server example?

      --
      DRM? No thanks, I'll just get it somewhere else...
  4. Re:heh, 3Com by Anonymous Coward · · Score: 5, Funny

    I remember the time when we found out that the 3Com switch / router / whatever (i can't remember so clearly now, it's been such a traumatic shock that i am still trying to forget and having mild success), and we were basically like "WHAT?!?!" and then all passed out.

    I remember this time I was all drunk and busy trolling slashdot and I got to this article that was related to what I do for a living, only it was related in the most remedial of fashions and I was like "right on, I can troll this motherfucker like it ain't nobody's business, fo shizzle mah nizzle, and I may even get mod points cuz of the bullshit I'm about to spew."

    Anyway, I was reading this mofo and I came across some whack job herion addict post that said some stupid shit and I read it and reread it and reread it, and was like "well, I'd troll this sumbith, but the wanker can't even write coherently". So I read it again and was basically like "WHAT?!?!" and then I was all passed out.

  5. Re:Just remembered by Anonymous Coward · · Score: 5, Funny

    You know you're on slashdot when sex position posts get modded Informative.

  6. I like by pair-a-noyd · · Score: 5, Interesting

    Smoothwall GPL 2.0 Beta 4 (mallard)
    http://smoothwall.org/beta/

    I put three nics in a Pentium 90 that I found on a trash heap. One nic goes to my RR cable modem, one nic goes to my switch and one nic is for my son's Playstation 2.
    I can control every aspect of the firewall from any pc on the green nic. The firewall pc doesn't even have a keyboard or monitor.

    I can VPN through it with ease and I have port forwarding from an oddball port number to port 21 for a private FTP so that RR won't find it.

    It's really easy to use and so far I've had no problems.
    Of course ALL the machine inside of it are Linux boxes and all of them are using iptables (w/shorewall) so everything is really secure..

    For a super easy, very cheap and very fast firewall try floppyfirewall at http://zelow.no/floppyfw

    No worries here...

    1. Re:I like by pair-a-noyd · · Score: 4, Informative

      Several of the games did not like the firewall. There was *some* connectivity but not total cooperation between the PS2 and the firewall.

      Several of the games want huge chunks of ports opened up. Uh uh. Not gonna do that. So I added the third nic as a DMZ (smoothwall calls it "Orange Zone") so that the PS2 has unhindered access to the web.

      There are three nics,
      red=nic to modem (dhcp)
      orange= nic to PS2 - 192.168.2.1
      green=nic to my lan - 192.168.1.1

      The red zone is the nic that goes to the cable modem, it gets it's IP from RR's DHCP.

      The orange zone nic is hard coded to 192.168.2.1 (by me) and the PS2 is 192.168.2.2 There are no port restrictions on it, it's raw and naked on the net, as it wants to be..
      Since it's a PS2 it doesn't matter.

      Smoothwall provides DHCP for the green zone so whatever I plug in to it works. Nice. People bring me PC's all the time to work on.

      Another nice thing smoothwall does is take care of dynamic DNS for me, I have a freebee domain from dyndns.org so I can FTP to a private box on my lan from remote sites (while working) and I have accounts setup for my friends so they can ftp in too.

      I hard coded one of my boxes to a specific IP then port forward from port XXXX to port 21 at my internal IP of 192.168.1.205. Only my friends and I know it's there and can access it. Very handy.

      Veyr often I get somewhere and remember that I forgot something important! Bada bing! I can connect up to the house and get it... Smoothwall is VERY handy for my needs. I have no complaints about it...

  7. Re:Eep! by deadsaijinx* · · Score: 4, Funny

    no, it's at 127.0.0.1 ... it's super easy to break in, I've done it before, and the poor sap didn't even realize it. muhahahaha, i am such a l33t h4x0r

    --
    YOU SUCK BALLS!
  8. Routers by Zarxos · · Score: 5, Interesting

    Personally I don't see any use for software firewalls for the majority of home users. I have a Linksys router and it completely shields both of my computers from outside access unless I use port forwarding. This is much easier to configure and use than a software firewall, and if there is ever a port you need to open for whatever reason, just use port forwarding and it's done in 30 seconds.

  9. SSH Tunnels by rf0 · · Score: 4, Informative

    One thing which is handy for backdoor is SSH tunneling. A nice exaple can be found here Just replace port 110 with anything else and off you go

    Rus

    --
    Cheap UK and US VPS
  10. Re:The rule by Artifex · · Score: 4, Interesting
    Fireawlls are not the answer, really.. they mask problems. Firewalls should be the very last step in your security initiative.


    Yes and no. If you rely solely on firewalls, yes, because firewalls just contain damage and prevent it spreading. You definitely still have to take care of the weak security on the affected machine(s). However, if you think of security as an ongoing effort (i.e. no "last step"), you'll see that monitoring your firewall may give you much quicker notification of abnormal activity.

    Personally, I much prefer to be warned by port scans, etc., than to rely solely on hardening for protection from attacks. It's like having a fence around your house, with a gate in front, and having a burglar standing outside, rattling the front gate, yelling "hey, I'm about to try to break into your house!" He might get over the fence or through the gate, but you'd be awfully stupid, if you knew some burglers did that, not to at least have the wall and the gate.

    Carrying the metaphor a little too far, of course, it's a heck of a lot easier to track the guy down and "remove the threat," if you know he's going to try something, and where he is, before he does tries it.
    --
    Get off my launchpad!
  11. Most secure solution isnt simple, but its the best by Zeddicus_Z · · Score: 4, Informative

    1) Use both inbound and OUTBOUND ACL lists on routers, firewalls and other access control devices. Go with the highest level of restriction you can get away with, and log everyhing to a central point.

    2) For services you must offer to internal users (www access etc), use good proxies and authenticate every connection.

    3) Ensure all services/software products are up to date with security patches. This INCLUDES user workstations.

    4) Keep track of security-related sites and lists, such as bugtraq, packetstorm etc.

    5) IDS' inside your perimeter to detect anything you're missing. After all, no-one (and by extention, no-one's ACLs) is perfect.

    6) Ensure you pay close attention to any remote-access you offer. Modem banks, VPN endpoints etc. Preferably these should also be access-controlled via ACL's of some sort.

    7) Ensure you configure your software properly. Seems stupid, I know. But a perfectly secure (from a bugs point of view) mail server is suddenly a problem if you've forgotten to disable mail relay.

    8) Ensure you have the right topology. There's no point in spending hundreds of man hours securing services, auditing router ACLs etc etc if theres fifteen different ingress/egress points to your network. The less, err, gresses you have, the more you can concentrate your efforts and thus use your time effectively.

    Caveats: I may have missed one or two points in the above summary of practice, but hey - it's a friday arvo and I want to get my work finished so im not here late.

    Also note that while the above list sounds relatively easy to implement, IT ISN'T. Be prepared for a lot of work if you want to do it right.

    --
    Janie took my gun...
  12. The whole article describes: by Alex+Belits · · Score: 4, Insightful

    1. What firewall software pretends to do (as opposed to what it actually accomplishes).

    2. How to become a perfect target of DoS attack through paranoia (imitation of any intrusion-like activity will make the supposed origin unable to access you).

    3. How to defend yourself when you have already lost, and are for all practical purposes as good as dead.

    --
    Contrary to the popular belief, there indeed is no God.
  13. Everyone seems to be missing the point by scottme · · Score: 5, Insightful
    I am not enough of a security geek to fault this article on any technical detail, but surely the main message is that no matter what technical measures you take, any dumb user can totally subvert all your efforts by inadvertantly, unwittingly, or even maliciously running code on a personal system inside the secured network that opens a tunnel to the outside. Hence the title of the article.

    The concluding sentences contain the main learning point, as I see it: you need a way to identify all connections down to the source (user).
    And you need to make sure that all those dumb users know you're watching them and that you will hold them accountable for breaches of security that they initiate.

    Or is all that so obvious that no-one has felt the need to point it out?

  14. Re:Transparent firewalls by Zeddicus_Z · · Score: 4, Informative

    I suspect you haven't actually tried to implement a PIX yet. The Cisco PIX (at least, the low-end 506 we have) *does* support what you're talking about - although what you're talking about isn't really a transparent (also known as *bridged*) firewall.

    Setup the PIX. Use static maps for the IP addresses, so your webservers etc are behind the pix but using the public IP's. When an internal machine tries to connect to the IP address of your website (say 210.20.38.129), the request is forwarded to your default router (border router usually, unless you're on a larger network). The router gets the request, goes "hey, im responsible for that IP. It should go *HERE*" and fowards it back to the webserver *through* the PIX. At no point does the PIX attempt to map the IP address of 210.20.38.129 to the MAC addy of your webserver for the internal connection. Only after the connection has bounced off the border router does the PIX go "hey, incoming *external* request for 210.20.28.129. I've got a static route for that. I'll send it to $webserver". And your connection works.

    Now, if you use a domain name for the request (as most people do when using a web browser), your internal requests will first bounce off your internal DNS. And that's where the problem is. Your internal DNS is configured to point www.myinternalwebserver.com to 192.168.0.129 (or whatever the machine's internal interface is) instead of the public IP address. If it was pointed at the public address, your machine would get said address returned to it after doing the DNS lookup and follow the steps in the paragraph above. Namely, the req bounces off the border router.

    As a side note, transparent firewalls are synonyms for bridged firewalls. I.e. it's impossible to actually gain network connectivity to the firewall because for all intents and purposes, it's setup to act as an intercept on a peice of cat5, not as two interfaces seperating two network segments. Think of it as tapping a Cat5 cable and trying to ping the tap itself. Not going to happen, as neither the bridged firewall system (or the tap, per example) have interfaces with an IP address.

    There's a guide floating around the net on how to implement bridged/transparent firewalls using OpenBSD if you're interested. It can be found at http://ezine.daemonnews.org/200207/transpfobsd.htm l

    --
    Janie took my gun...