The Enemy Within: Firewalls and Backdoors
hrbrmstr writes "SecurityFocus is running an article on firewalls and backdoors on their InFocus site. They provide info on firewall types, backdoor classifications, some examples of real backdoors and tips on mitigating their use on your network." Some good topics explained for the beginner, and it's a nice refresher for the veteran admin as well.
Pretty much all of Netgear's home routers have stateful packet inspection features. Some of them are quite inexpensive (how about US$80 for a model that even includes a print server!).
The great thing about stateful packet inspection is that you don't have to configure it. If you want to play some new game that does multiplayer play on the Internet through some wacky port, it will just work, and meanwhile if some random guy blasts packets at that port or any other they will bounce off. If you didn't ask for a packet, it gets turned away.
(If you ever serve as tech support for a friend or family member, be sure they buy a firewall/router with stateful packet inspection!)
Of course, that cuts both ways: any back-doors in your network will just work, also. Don't figure that just having a cool firewall/router with stateful packet inspection is a guarantee that you are secure. But it's a nice start, and it's what I recommend to anyone who has an always-on Internet connection.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
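The connection-tracking behaviour the comment above describes (outbound-initiated flows pass, unsolicited inbound packets are turned away, and an inside host calling out is allowed no matter what it is) as a small simulation. This is an added example, not code from the original post or from any router vendor; the packets are constructed dicts, the inside prefix and the UDP idle timeout are assumed values.

```python
"""Toy stateful packet filter. Inbound traffic is admitted only when it
matches a flow that a host on the inside already opened. Added example;
not from the page. Packets here are constructed, not real captures."""
import time
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value for this toy filter


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN set: a new-connection attempt


class StatefulFilter:
    def __init__(self, inside_prefix="192.168.1."):
        self.inside_prefix = inside_prefix
        # (proto, inside ip, inside port, outside ip, outside port) -> last seen
        self.flows = {}

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def filter(self, pkt, now=None):
        """Return "ALLOW" or "DROP" for one packet, updating the flow table."""
        now = time.monotonic() if now is None else now
        outbound = self._is_inside(pkt.src) and not self._is_inside(pkt.dst)
        inbound = self._is_inside(pkt.dst) and not self._is_inside(pkt.src)

        if outbound:
            # Anything the inside asks for is recorded and allowed. This is the
            # "just works" property, and also why an inside host phoning out
            # (the backdoor case in the comment) is not stopped by SPI alone.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ALLOW"

        if inbound:
            if pkt.proto == "tcp" and pkt.syn:
                return "DROP"   # nobody inside asked for a new inbound connection
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            seen = self.flows.get(key)
            if seen is None:
                return "DROP"   # unsolicited: bounces off
            if pkt.proto == "udp" and now - seen > UDP_IDLE_TIMEOUT:
                del self.flows[key]
                return "DROP"   # flow went idle; treat the packet as unsolicited
            self.flows[key] = now
            return "ALLOW"

        return "DROP"  # inside-to-inside or outside-to-outside is not this filter's job


def demo():
    """Walk through the cases from the comment; returns the decisions."""
    f = StatefulFilter()
    game_out = Packet("udp", "192.168.1.10", 40000, "203.0.113.5", 27015)
    game_in = Packet("udp", "203.0.113.5", 27015, "192.168.1.10", 40000)
    scan = Packet("tcp", "198.51.100.9", 5555, "192.168.1.10", 445, syn=True)
    callout = Packet("tcp", "192.168.1.10", 50000, "198.51.100.9", 4444, syn=True)
    return {
        "game_outbound": f.filter(game_out, now=100.0),
        "game_reply": f.filter(game_in, now=101.0),
        "game_reply_after_idle": f.filter(game_in, now=101.0 + UDP_IDLE_TIMEOUT + 1),
        "unsolicited_syn": f.filter(scan, now=100.0),
        "inside_host_calling_out": f.filter(callout, now=100.0),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28s} {decision}")
```

The last case is the caveat from the comment made concrete: the filter has no opinion about a flow the inside host opened, so SPI protects against unsolicited inbound traffic and nothing else. Egress rules or host-level controls have to cover the rest.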
I remember the time when we found out that the 3Com switch / router / whatever (I can't remember so clearly now, it's been such a traumatic shock that I am still trying to forget and having mild success), and we were basically like "WHAT?!?!" and then all passed out.
I remember this time I was all drunk and busy trolling slashdot and I got to this article that was related to what I do for a living, only it was related in the most remedial of fashions and I was like "right on, I can troll this motherfucker like it ain't nobody's business, fo shizzle mah nizzle, and I may even get mod points cuz of the bullshit I'm about to spew."
Anyway, I was reading this mofo and I came across some whack job heroin addict post that said some stupid shit and I read it and reread it and reread it, and was like "well, I'd troll this sumbith, but the wanker can't even write coherently". So I read it again and was basically like "WHAT?!?!" and then I was all passed out.
You know you're on slashdot when sex position posts get modded Informative.
Smoothwall GPL 2.0 Beta 4 (mallard)
http://smoothwall.org/beta/
I put three nics in a Pentium 90 that I found on a trash heap. One nic goes to my RR cable modem, one nic goes to my switch and one nic is for my son's Playstation 2.
I can control every aspect of the firewall from any pc on the green nic. The firewall pc doesn't even have a keyboard or monitor.
I can VPN through it with ease and I have port forwarding from an oddball port number to port 21 for a private FTP so that RR won't find it.
It's really easy to use and so far I've had no problems.
Of course ALL the machines inside of it are Linux boxes and all of them are using iptables (w/shorewall) so everything is really secure.
For a super easy, very cheap and very fast firewall try floppyfirewall at http://zelow.no/floppyfw
No worries here...
Personally I don't see any use for software firewalls for the majority of home users. I have a Linksys router and it completely shields both of my computers from outside access unless I use port forwarding. This is much easier to configure and use than a software firewall, and if there is ever a port you need to open for whatever reason, just use port forwarding and it's done in 30 seconds.
Security through obscurity does work though, so long as it's not the only layer.
An example would be, let's say you're making your own homemade cluster remote administrative tool for admining all of your servers from one console. What would be more secure:
A: Greeting the user upon connection with a description of the service, full protocol docs, source code, etc.
B: Sitting, waiting 5 seconds for the first command before dropping the connection. If the client sends one wrong byte, instantly drop the connection and firewall their IP so that they can't get a single packet through.
Obscurity isn't security in itself, however it does make a nice addition to an already secure setup.
And if you think full disclosure means instant security, take a look at that open source database that's had a serious bug in it for 8 years that was only found recently. I can't think of the name off hand, I believe it started with 'Inno'. Even though "thousands of eyes scoured the source code" it still didn't get noticed for eight years-- that is, noticed by anyone that went public with it.
Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management. -TheMaxx
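Option B from the comment above, as a working listener: no banner, a deadline for the first command, and the first unexpected byte ends the session and puts the peer on a deny list. This is an added example, not code from the original post; the handshake token, the in-memory ban set standing in for a firewall rule, and the timeouts are assumptions for the demo.

```python
"""Fail-closed admin listener in the spirit of option B above. Added
example, not from the page. EXPECTED_FIRST_COMMAND and the ban set
(a stand-in for a real firewall deny rule) are assumed for this demo."""
import socket
import threading

EXPECTED_FIRST_COMMAND = b"HELLO-ADMIN-V1\n"  # assumed handshake token


class QuietAdminServer:
    def __init__(self, host="127.0.0.1", port=0, first_command_timeout=5.0):
        self.banned = set()            # peer IPs that sent a wrong byte
        self.timeout = first_command_timeout
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # port 0 -> kernel picks one
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (peer_ip, _) = self.sock.accept()
            except OSError:
                return   # listener closed
            threading.Thread(target=self._handle, args=(conn, peer_ip),
                             daemon=True).start()

    def _handle(self, conn, peer_ip):
        with conn:
            if peer_ip in self.banned:
                return   # "firewalled": close without sending a byte
            conn.settimeout(self.timeout)
            got = b""
            try:
                # Read one byte at a time so the first wrong byte ends the
                # session before the client learns anything about the service.
                while len(got) < len(EXPECTED_FIRST_COMMAND):
                    b = conn.recv(1)
                    if not b:
                        return          # client hung up
                    got += b
                    if not EXPECTED_FIRST_COMMAND.startswith(got):
                        self.banned.add(peer_ip)
                        return          # wrong byte: drop and ban
            except OSError:
                return   # no command within the deadline: drop, no ban
            conn.sendall(b"OK\n")       # only a correct client ever hears from us

    def close(self):
        self.sock.close()


def probe(port, payload, timeout=2.0):
    """Client helper: send payload, return the reply, or b"" if the server
    dropped us (EOF, reset, or silence until timeout all count as dropped)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.sendall(payload)
            return c.recv(64)
    except OSError:
        return b""


if __name__ == "__main__":
    srv = QuietAdminServer(first_command_timeout=1.0)
    print("correct handshake:", probe(srv.port, EXPECTED_FIRST_COMMAND))
    print("HTTP probe        :", probe(srv.port, b"GET / HTTP/1.0\r\n"))
    print("banned            :", sorted(srv.banned))
    print("retry after ban   :", probe(srv.port, EXPECTED_FIRST_COMMAND))
    srv.close()
```

Note what this does and does not buy: a scanner gets no banner and no protocol hint, and a single mistake costs it further access, but the service itself still has to be sound, since a client that knows the token is treated like any other. That is the "addition to an already secure setup" the comment is talking about, not a replacement for it.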
The concluding sentences contain the main learning point, as I see it: you need a way to identify all connections down to the source (user).
And you need to make sure that all those dumb users know you're watching them and that you will hold them accountable for breaches of security that they initiate.
Or is all that so obvious that no-one has felt the need to point it out?