Wednesday, November 28, 2007

firewall-wizards Digest, Vol 19, Issue 33

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewalls that generate new packets.. (Timothy Shea)
2. Firewall Administration Survey (Mike Chapple)
3. Re: Firewalls that generate new packets.. (Paul Melson)
4. Re: Firewalls that generate new packets.. (Paul D. Robertson)
5. Re: Firewalls that generate new packets.. (J. Oquendo)
6. Re: Firewalls that generate new packets.. (Darren Reed)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Nov 2007 15:37:44 -0600
From: Timothy Shea <tim@tshea.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <77007036-F9DD-457D-B3E2-0466BDC10653@tshea.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

I ran into a situation at a client a year ago in which bots weren't
infecting a client workstation - they were infecting a piece of
manufacturing equipment making "Really Important and Delicate Stuff"
that was installed by a vendor. The interface was built on top of
Windows 2000. This machine managed to infect a nearby oscilloscope
whose OS also happened to be Windows 2000. Combine that with their
"default outbound policy" and the company was DDoSing itself and whoever
the intended target was for that day. These two machines out of the
tens of thousands connected to this network would effectively
take out the primary and the backup firewalls at random times during
the day. The mitigation had nothing to do with firewalls but involved
changes in network architecture, increased monitoring, changes in
process and bitch slapping a few people. I would have found the whole
situation amusing if I wasn't crying.


On Nov 27, 2007, at 11:07 PM, Darren Reed wrote:

> Paul D. Robertson wrote:
>
>> On Tue, 27 Nov 2007, Paul Melson wrote:
>>
>>
>>
>>> in both directions. State tables allow your firewall to have a
>>> deny-all
>>> default inbound policy and an allow-all default outbound policy.
>>> They allow
>>>
>>>
>>
>> With today's proliferation of Trojans and Spyware, anyone with a
>> Windows user population above three who has an allow-all default
>> outbound
>> policy is an idiot and populations of one to three are likely
>> candidates
>> for the club if not associate members.
>>
>>
>
> To give you an idea of how bad this problem is, I recently did a
> fresh install of Microsoft Windows XP + Service pack 2 (I hadn't
> caught up with all of the patches yet) and experimented with
> surfing the Internet like a normal user - default security settings
> for Internet Exploder.
>
> Half a dozen web sites later - no more - and spyware had installed
> itself into winlogin. Removal? Safest bet will be a format. How did
> it get there? I suspect some popup ad with nasty javascript/activex.
>
> Now what percentage of the Internet population does this represent?
>
> Port 80/443 restrictions mean nothing.
>
> Darren
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 2
Date: Tue, 27 Nov 2007 13:05:35 -0500
From: "Mike Chapple" <mchapple@nd.edu>
Subject: [fw-wiz] Firewall Administration Survey
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID: <04d201c83120$1c0eddf0$542c99d0$@edu>
Content-Type: text/plain; charset="us-ascii"

Dear Colleague,

Would you please consider taking a few minutes to participate in a survey of
firewall administration practices?

We are conducting this survey as part of an academic research project
designed to analyze the frequency of firewall configuration errors and
identify potential causes for those errors. The results will contribute to
a research paper we are submitting for publication in a peer-reviewed
academic forum. We will maintain strict anonymity of any data you provide
during the survey.

The survey is available at:

http://www.nd.edu/~mchapple/survey/

The target audience for the survey is anyone involved in the administration
of a firewall rulebase in a production environment. If you know of others
that may be suitable participants, please forward this invitation along to
them.

At the conclusion of the research study, we will be happy to share the
results with any interested participants.

Thank you in advance for your time.

Mike Chapple


------------------------------

Message: 3
Date: Wed, 28 Nov 2007 10:30:04 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <001901c831d3$8d02a380$4d00300a@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"

> With today's proliferation of Trojans and Spyware, anyone with a Windows
> user population above three who has an allow-all default outbound policy
> is an idiot and populations of one to three are likely candidates for
> the club if not associate members.

Sure, but as you and I both know, it's still a very common, if not the
predominant firewall policy in the business world. And aside from
Cisco/Linux nerds like us that roll our own at home, every home setup with a
firewall is configured like this.

PaulM

------------------------------

Message: 4
Date: Wed, 28 Nov 2007 17:34:00 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0711281729400.6334-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 28 Nov 2007, Paul Melson wrote:

> > With today's proliferation of Trojans and Spyware, anyone with a Windows
> > user population above three who has an allow-all default outbound policy
> > is an idiot and populations of one to three are likely candidates for
> > the club if not associate members.
>
> Sure, but as you and I both know, it's still a very common, if not the
> predominant firewall policy in the business world. And aside from
> Cisco/Linux nerds like us that roll our own at home, every home setup with a
> firewall is configured like this.

Unprotected inter-personal physical interaction is popular in African
countries with high AIDS rates too - that doesn't make it a good thing.

While I make a good bit of income from disinfecting systems, it's not how
I'd like to spend my time (though I'm happy to do it!). Anyway, it's not
really a "firewall policy" in any sense other than implementation - it's a
default configuration that shouldn't exist - but vendors would rather make
connectivity easy than make security or risk a known issue.

In any case, we need to (in a big way) repeat the "You're being stupid"
message when it's appropriate.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 5
Date: Tue, 27 Nov 2007 22:17:43 -0600
From: "J. Oquendo" <sil@infiltrated.net>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20071128041743.GA95530@infiltrated.net>
Content-Type: text/plain; charset=us-ascii

Tina Bird wrote:

> i firmly believe that the firewall an admin finds easiest will always be the
> first one she used, like most other apps and tools. i'm therefore grateful
> that i picked a system that did thing like provide daily reports *out of the
> box* on traffic levels, top ten dests, and that sort of thing. that let me
> easily verify that the traffic going through the firewall agreed with what i
> had configured in the policy.

You mean the marketing PR didn't woo you with free lunches, caps, mousepads,
etc., into making you understand how their parallel vector enhanced,
multi-versed, dual-homing, deep distributed packet defibrillator is the best
thing since Ramen Noodles? Best gizmo I ever got from a vendor was a pro
lock picking set.

> discovered that checkpoint and the like **allowed network connections
> directly between the internal and the untrusted networks** after a few rules
> were applied. THEY MISSED THE WHOLE POINT!

A firewall nowadays as far as I can tell (right now I'm only playing with
Netscreen, Checkpoint, Pix, Stonegate, Sonicwall) is only as good as any
admin behind it. The rest is all fluff. Nothing I can't do with out of the
box downloads from any BSD or Linux site with some tweaking to make it look
pretty if one were to really get down to the nitty gritty.

On the flip side of this whole argument right here... Coming from an attack
vector, I've pretty much shut down (locally and remotely) three of the five
firewalls I mentioned with a DoS tool I wrote that is being looked at by 2
of the five mentioned. Isn't that ironic... Here they are protecting, yet
here they are all vulnerable at the bottom of it all. I cannot, will not
post any coding probably ever because I do not believe there are fixes
(legacy TCP thing I believe). PSIRT has tinkered with it for the past 60+
days without a resolution. The other vendor solely sent a generic "eye eye
Spock we will look at it!" but my guess is they'd rather spend money on
inviting us all to continental breakfast and a movie (hey you got that
too!)

To be fair to firewall vendors about this attack though, it pretty much
shuts down anything connected period, from a DSL --> DS3 goodbye. So I
guess it would be fair to state that as opposed to seeming as if I'm
pointing a finger at the entire firewall industry.

> i've never understood how *marketing* could obfuscate that *simple* fact --

Never underestimate the power of marketing.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

echo c2lsQGluZmlsdHJhdGVkLm5ldAo=|\
python -c "import sys; print sys.stdin.read().decode('base64')"

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E

------------------------------

Message: 6
Date: Wed, 28 Nov 2007 14:46:53 -0800
From: Darren Reed <Darren.Reed@Sun.COM>
Subject: Re: [fw-wiz] Firewalls that generate new packets..
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <474DEFDD.1000008@Sun.COM>
Content-Type: text/plain; format=flowed; charset=ISO-8859-1

Patrick M. Hausen wrote:

>Hi!
>
>On Tue, Nov 27, 2007 at 09:18:20PM -0800, Darren Reed wrote:
>
>
>>>State tables allow your firewall to have a deny-all
>>>default inbound policy and an allow-all default outbound policy. They allow
>>>you to assume that the Internet cannot be trusted and that your internal
>>>network can be.
>>>
>>>
>>I don't see how this is any different to any other firewall.
>>
>>
>
>Strict proxy firewalls cannot implement an "allow all outbound" policy.
>
>

I'm sure I could make one do it.

Or I could build one that does:
- use IPFilter's rdr NAT rules to send all incoming TCP connections
to a single socket;
- write a daemon that listens to that single socket and makes the
outbound connection, faithfully copying data in both directions.
= voila! Non-routing based proxy firewall that allows through all
TCP connections. UDP is a bit more tricky but nonetheless doable.

>And all the "proxy by design but packet filters as an addon" products,
>I have seen so far, ship with only proxy rules enabled in their
>default configuration.
>
>So they are less convenient for a certain class of users and some
>applications "do not work" out of the box. Which is the point of
>the firewall. Which is a point a certain class of users does not get.
>
>

So what you're really comparing is the default configuration
of packet based firewalls with proxy based firewalls.

Darren
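
Darren's sketch above (rdr everything to one socket, then a daemon that makes the outbound connection and copies both ways), worked through as an added example that is not from the post or from IPFilter: a Python 3.8+ relay in which `serve_one` accepts a redirected connection, asks a `lookup` hook for the client's real destination, and `relay` pumps bytes in both directions with half-close propagation. The NAT-table lookup is platform-specific (IPFilter exposes it as the SIOCGNATL ioctl), so here it is a hypothetical hook, and `echo_server` plus the loopback wiring in `demo` are constructed so the whole thing runs offline.

```python
import socket
import threading

def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far end sees the EOF
    too (else a client that closes its write side to say 'done' would hang)."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay(client, dest):
    # Make the outbound connection on the client's behalf and copy in both directions.
    with client, socket.create_connection(dest) as upstream:
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()

def serve_one(listener, lookup):
    """Accept one redirected connection and relay it to its original destination.
    `lookup` is the hypothetical NAT-table hook (the SIOCGNATL ioctl on IPFilter)."""
    client, _ = listener.accept()
    threading.Thread(target=relay, args=(client, lookup(client)), daemon=True).start()

def echo_server():
    """Constructed stand-in for the real destination: echo until EOF, then close."""
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        conn, _ = srv.accept()
        with conn:
            while data := conn.recv(65536):
                conn.sendall(data)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()

def demo(payload):
    """Send payload through the relay to the echo server and return the reply."""
    dest, listener = echo_server(), socket.create_server(("127.0.0.1", 0))
    # No kernel rdr on loopback: the constructed lookup simply names the echo server.
    threading.Thread(target=serve_one, args=(listener, lambda c: dest), daemon=True).start()
    with socket.create_connection(listener.getsockname()) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(65536), b""))
```

Because every redirected TCP connection is relayed whatever its destination, this reproduces exactly the "allow all outbound" behaviour the thread is criticising; what the proxy form buys you is that the lookup hook is also the natural place for per-destination policy, logging or protocol inspection.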

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 19, Issue 33
************************************************
