Slashdot Mirror


Should You Fire Your Firewall?

Gsurface writes "A lengthy article over at Flexbeta.net focuses on firewall applications and how well they perform as far as securing your system. Four typical firewall applications were tested including two routers, one being the Cisco 831 SOHO, which performed rather well. In total, nine security test were conducted to measure how well each firewall performed."

6 of 50 comments

  1. Re:I don't appreciate the hardware very much... by Micro$will · Score: 3, Informative

    Actually most home cable/DSL routers run a small embedded Linux distro, though I've found most are less robust than my old Pentium. My friend has to restart his Linksys almost daily, while my machine (Red Hat 8.0 minimal install) has 200+ days uptime. I've never tested the Linksys, but my setup gets a thumbs up from Shields Up.

  2. Re:The Shields Up! Test by Quarters · Score: 2, Informative

    Yeah, their comments about the D-Link and port 113 illustrate the basic nature of the review. It's very easy to configure the D-Link routers to stealth 113 if you really want to. Just use the advanced tab in the setup to create a virtual-server at an unassigned IP address in the router's 192.168.0.* range and shunt the port 113 traffic there.

  3. Re:The Shields Up! Test by nocomment · Score: 2, Informative

    Re:The Shields Up! Test (Score:1) by Micro$will (592938) on Wednesday March 10, @08:54PM (#8529083) (http://www.vixenny.com/)
    > I'm not sure about the DI-604, but I had an old DI-704 that would stealth 113 given the proper tweaks. I'm also surprised the 604 didn't show up to ICMP scans since I had to manually set mine to not reply. The Zone Alarm results are confusing too. I just installed the free version on a friend's machine, but had to disable it temporarily because it blocked the outbound request to access my file server. I assume there are many options you can configure to secure any hardware or software firewall, but you need to have the knowledge and patience to sit down for a day, preferably within a protected network, set them up and hammer on them with nmap.

    I have zone alarm running on my wife's windoze box (only one in my house) and I set the preferences to prompt whenever something new requests a connection to the internet. Then when something hasn't been used before you get a popup asking for permission. I've caught spyware this way and simply denied it access and the pop-ups went away. I don't think it's a substitute for gateway firewalls, but they are very useful for situations like this.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  4. Re:asdfas by Ayanami+Rei · Score: 3, Informative

    Leak:
    1) Hardware firewalls _rarely_ block outbound traffic, so they implicitly allow out (since they can't predict what you'll need).
    2) Internal software firewalls work by intercepting a request to send a packet if it matches a rule. If the rogue software actively looks for a way to bypass the filter (by talking directly to the network card itself and bypassing the operating system), then there is nothing that can stop it.

    Hence they all fail the leak test. That's to be expected. In general you cannot expect to be connected to the internet at all and NOT be _somewhat_ vulnerable about information being transmitted without your knowledge.

    Browser test:
    You're right. Firewalls shouldn't double as a content/URL filter. That's the job of an "application proxy". Many firewall vendors are functioning as both... which is fine for a consumer who doesn't know the difference.

    However, this is partially due to the fact that windows has this API called "NDIS".
    Firewalls are implemented by placing filters in the NDIS chain that check for incoming/outgoing IP addresses and stuff, and can process them. But the NDIS chain also allows you to intercept URLs and how they are parsed, control DNS lookup, and more. (This is a Windows-specific feature). So most firewall developers naturally decided to add URL/content filtering because it was an easy step from IP filtering, since they were using the same programming interfaces.
    It wasn't rocket science... it was right there in the programming manuals next to the other stuff. :-)

    Port scan:

    By default, ZoneAlarm is configured to allow ports 135-139 in (but ONLY for the "Local Zone", if they bothered to check) so you can use Windows File Sharing between computers. It's easily turned off making the computer invisible to everyone just like the rest of them.

    ZoneAlarm wanted to be friendlier to people who wanted to share files or printers inside their house.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  5. Re:The Shields Up! Test by dpilot · Score: 2, Informative

    The ident request is being sent back to you by the UPSTREAM sendmail, and has nothing to do with what MTA you're using. Plus AFAIK sendmail isn't the only MTA that sends back an ident request, though I can't identify any others. I'm under the impression that some ftp servers send back ident requests, and that most IRC does, too.

    --
    The living have better things to do than to continue hating the dead.
  6. 'personal' firewalls...and why you want one by Frennzy · Score: 3, Informative

    In general, you should always use a dedicated device to filter incoming packets. Consider it 'first line' defense.

    Where things like ZoneAlarm and Kerio make a difference is that they filter outbound connections. Of particular note is that, if the user pays attention and doesn't randomly approve everything the software shows them, then a firewall application can not only block specific outbound ports, but it can maintain specific application+port rules. That way, rogue malware can't hijack commonly used ports, such as port 80. It also would prevent worms/viruses that use their own SMTP engine.

    Data security should always be a layered approach. Take care of different threats with different (appropriate) defenses.
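The three behaviours discussed in comments 3, 4 and 6 above (prompting on a program's first outbound connection and remembering the answer, allowing ports 135-139 inbound only from a trusted local zone, and keying outbound rules on application plus port rather than port alone) can be modelled in a few lines. The following is an added toy model written for this page, not code from ZoneAlarm, Kerio or any product mentioned in the thread; the program names, addresses and the 192.168.0.0/24 local zone are constructed for the example.

```python
"""Toy model of a host ('personal') firewall's rule evaluation.

Added example: shows a trusted local zone for inbound file sharing
(135-139), per-(application, port) outbound rules, and a prompt/remember
flow for programs not seen before. Names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_ZONE = ip_network("192.168.0.0/24")   # constructed home LAN range
FILE_SHARING_PORTS = range(135, 140)         # 135-139: Windows file/printer sharing


@dataclass(frozen=True)
class Conn:
    direction: str   # "in" (unsolicited inbound) or "out" (locally initiated)
    app: str         # local program receiving or initiating the connection
    remote: str      # remote IP address
    port: int        # local port for "in", remote port for "out"


class HostFirewall:
    """Keeps per-(application, port) outbound rules plus a trusted local zone."""

    def __init__(self, local_zone=LOCAL_ZONE):
        self.local_zone = local_zone
        self.outbound_allow = set()   # (app, port) pairs the user approved
        self.outbound_deny = set()    # (app, port) pairs the user denied

    def remember(self, app, port, allow):
        """Record the user's answer to a prompt so it is not asked again."""
        (self.outbound_allow if allow else self.outbound_deny).add((app, port))

    def decide(self, conn):
        remote = ip_address(conn.remote)
        if conn.direction == "in":
            # File sharing is reachable only from the local zone; every other
            # unsolicited packet is dropped silently, so a scan sees no reply.
            if conn.port in FILE_SHARING_PORTS and remote in self.local_zone:
                return "allow"
            return "drop"
        if conn.direction == "out":
            key = (conn.app, conn.port)          # port alone is never enough
            if key in self.outbound_deny:
                return "drop"
            if key in self.outbound_allow:
                return "allow"
            return "prompt"                      # unknown program/port: ask the user
        raise ValueError(f"unknown direction {conn.direction!r}")


def run_scenario():
    """Feed constructed events through the model and return the verdicts."""
    fw = HostFirewall()
    fw.remember("browser.exe", 80, allow=True)
    fw.remember("browser.exe", 443, allow=True)
    events = [
        Conn("in", "system", "192.168.0.12", 139),       # LAN PC browsing shares
        Conn("in", "system", "203.0.113.5", 139),        # NetBIOS probe from outside
        Conn("in", "system", "203.0.113.5", 113),        # ident probe from outside
        Conn("out", "browser.exe", "198.51.100.7", 80),  # approved app on port 80
        Conn("out", "spyware.exe", "198.51.100.7", 80),  # same port, other program
        Conn("out", "worm.exe", "198.51.100.9", 25),     # program with own SMTP engine
    ]
    results = [(c.direction, c.app, c.port, fw.decide(c)) for c in events]
    # The user denies the spyware at its prompt; its next attempt is dropped quietly.
    fw.remember("spyware.exe", 80, allow=False)
    retry = Conn("out", "spyware.exe", "198.51.100.7", 80)
    results.append((retry.direction, retry.app, retry.port, fw.decide(retry)))
    return results


if __name__ == "__main__":
    for direction, app, port, verdict in run_scenario():
        print(f"{direction:>3} {app:<12} port {port:<4} -> {verdict}")
```

The point the model makes concrete is the one Frennzy raises: because the rule key is (application, port), "browser.exe on 80" being approved says nothing about "spyware.exe on 80", which still triggers a prompt, and a denied answer is remembered so the pop-ups stop, as nocomment describes.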